The Privacy Suite for WordPress

Google Fonts and GDPR: Does it work?


We have seen with Google ReCaptcha that handling Google’s APIs under the GDPR and other privacy laws is tricky, and most sites do not yet handle it the right way.

Google Fonts. How it works.

The Google Fonts API requests and downloads font files and CSS assets to provide the correct fonts when a visitor opens a webpage. These assets are stored in the browser’s cache and updated when needed. Different domains may share the same assets when the cached assets in the browser match. In Google’s own words:

The font files themselves are cached for one year, which cumulatively has the effect of making the entire web faster: When millions of websites all link to the same fonts, they are cached after visiting the first website and appear instantly on all other subsequently visited sites. We do sometimes update font files to reduce their file size, increase coverage of languages, and improve the quality of their design. The result is that website visitors send very few requests to Google: We only see 1 CSS request per font family, per day, per browser.

For WordPress users this is the easiest way to add any Google Font they prefer.

A Google API request

When a visitor to a website has not yet cached the fonts required to display the page correctly, a request is made to Google’s server to acquire the assets and files, which are then stored in the browser and used to load the required Google Fonts.

And this is where it gets tricky: does the API request send anything that relates to personal data, according to the GDPR? What questions should we ask to see if we need to take action?

The personal data that is stored is at least the website visitor’s IP address. And yes, this is personal data according to the GDPR, as it is a unique personal identifier.

As the website owner who implemented the Google API: Do you need to ask permission or consent from the website visitor before the request to the Google server is made?

This is Google’s statement surrounding Google Fonts:

The Google Fonts API is designed to limit the collection, storage, and use of end-user data to what is needed to serve fonts efficiently.

This vague statement suggests storage of personal data (the IP address) after the request has been made, whether it is limited or not. So consent is required! This means the website cannot load Google Fonts from the Google servers without getting consent first: the website needs to block Google Fonts, then request consent, and finally, after consent is given, load the fonts.
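The block, ask, then load sequence described above, as an added example that is not code from this article or from any plugin. It also audits a page for Google Fonts requests that survive blocking. Assumptions: the hostnames `fonts.googleapis.com` and `fonts.gstatic.com` are where the Google Fonts API serves CSS and font files from; the function names, the `data-consent-href` attribute and the sample page are hypothetical and constructed for illustration.

```javascript
// Added example. Hostnames the Google Fonts API serves CSS and font files from.
const GOOGLE_FONT_HOSTS = new Set(["fonts.googleapis.com", "fonts.gstatic.com"]);

// True when a URL (absolute or protocol-relative) points at a Google Fonts host.
function isGoogleFontUrl(raw) {
  try {
    // Relative URLs resolve against the placeholder base and never match.
    return GOOGLE_FONT_HOSTS.has(new URL(raw, "https://site.invalid/").hostname);
  } catch {
    return false;
  }
}

// Collect every Google Fonts URL referenced from href/src attributes, @import or url().
function findGoogleFontRequests(markup) {
  const urlLike = /(?<![\w-])(?:href|src)\s*=\s*["']([^"']+)["']|@import\s+["']([^"']+)["']|url\(\s*["']?([^"')]+)["']?\s*\)/gi;
  const hits = [];
  for (const m of markup.matchAll(urlLike)) {
    const url = (m[1] || m[2] || m[3]).trim();
    if (isGoogleFontUrl(url)) hits.push(url);
  }
  return hits;
}

// Before consent: park the URL in a data attribute so the browser never requests it.
function blockUntilConsent(html) {
  return html.replace(/(<link\b[^>]*?)\shref\s*=\s*(["'])([^"']+)\2/gi,
    (tag, head, q, url) => isGoogleFontUrl(url) ? `${head} data-consent-href=${q}${url}${q}` : tag);
}

// After consent: restore the parked URL so the stylesheet loads.
function loadAfterConsent(html) {
  return html.replace(/\sdata-consent-href\s*=/gi, " href=");
}

// Constructed sample page: Google-hosted CSS, self-hosted CSS, a lookalike host, inline @font-face.
const samplePage = `
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Roboto">
<link rel="stylesheet" href="/wp-content/fonts/roboto.css">
<link rel="stylesheet" href="https://fonts.googleapis.com.example.net/x.css">
<style>@font-face { font-family: Lato; src: url(//fonts.gstatic.com/s/lato/sample.woff2); }</style>`;

console.log("before blocking:", findGoogleFontRequests(samplePage));
console.log("after blocking: ", findGoogleFontRequests(blockUntilConsent(samplePage)));
```

Rewriting the `<link>` tag is not enough on this sample: the inline `@font-face` rule still points at a Google host, so the audit after blocking still reports one request.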

Google Fonts and GDPR

Implications of blocking Google Fonts before consent

Blocking the Google Fonts API before consent is given means the webpage only shows correctly (with the correct fonts) if any of the following is true:

  • The cache of the website visitor already contains the exact Font Files and CSS assets requested by the stylesheet of the webpage.
  • The website visitor has previously given consent and the request is made.

It won’t show correctly if the cache is empty and:

  • Consent is not given yet.
  • Privacy settings of the browser refuse consent by default.

The third possibility, loading Google Fonts without asking for consent, means you’re not fully GDPR compliant.

This means that your site may render without the fonts you carefully selected. But there’s always a way to be GDPR-proof and still serve your webpage correctly.

Solutions that serve both you and the GDPR

We will give the obvious answer: self-hosting your Google Fonts.

There are many ways to self-host your Google Fonts, either by configuring it yourself or by installing a plugin to handle it correctly. Read our article on self-hosting Google Fonts to see how you can do this.
