We have seen with Google reCAPTCHA that handling Google's APIs under the GDPR and other privacy laws is tricky, and that most sites do not yet handle it the right way.
Google Fonts. How it works.
When a page links to the Google Fonts API, the visitor's browser requests a CSS stylesheet from fonts.googleapis.com and then the font files that stylesheet references, so the page renders with the correct fonts. The browser stores these assets in its cache and re-fetches them when they expire or change. Originally, different domains could share the same cached assets whenever the requested files matched; current browsers partition the HTTP cache per top-level site, so that cross-site sharing has largely disappeared. In Google's own words, describing the original design:
The font files themselves are cached for one year, which cumulatively has the effect of making the entire web faster: When millions of websites all link to the same fonts, they are cached after visiting the first website and appear instantly on all other subsequently visited sites. We do sometimes update font files to reduce their file size, increase coverage of languages, and improve the quality of their design. The result is that website visitors send very few requests to Google: We only see 1 CSS request per font family, per day, per browser.
For WordPress users, linking to the API this way is the easiest way to add any Google Font they prefer, and many themes do so out of the box.
A Google API request
When a visitor of, for example, fonts.com has not yet cached the required fonts, the browser sends a request to Google's servers to fetch the CSS and font files, stores them in its cache and loads the Google Fonts the page requires. Like any HTTP request, this one carries the visitor's IP address, and typically a User-Agent header and the Referer of the page being visited.
And this is where it gets tricky: does the API request send anything that counts as personal data under the GDPR? What questions should we ask to decide whether we need to take action?
The personal data involved is at least the visitor's IP address, which Google receives with every request and may store. Under the GDPR an IP address is personal data: Recital 30 names IP addresses among the online identifiers that can be used to single out a natural person.
As the website owner who implemented the Google API: do you need to ask the website visitor for consent before the request to Google's server is made?
This is Google's privacy statement about Google Fonts:
The Google Fonts API is designed to limit the collection, storage, and use of end-user data to what is needed to serve fonts efficiently.
This statement is vague: it limits the collection and storage of end-user data but does not rule it out, and serving the request necessarily exposes the visitor's IP address to Google. So consent is required. This means the website cannot load Google Fonts from Google's servers without obtaining consent first: the website needs to block Google Fonts, then request consent, and only after consent is given load the fonts. The order matters: the blocking must prevent the request itself, not merely hide the fonts, because the data is transmitted the moment the browser contacts Google.
Implications of blocking Google Fonts before consent
Blocking the Google Fonts API before consent is given means the webpage only shows correctly (with the fonts you selected) if one of the following is true:
The visitor's browser cache already contains the exact font files and CSS assets the webpage's stylesheet requests (note that cached font files are only used if a stylesheet on the page still declares them; if the Google stylesheet itself is blocked, the cache is never consulted).
The visitor has given consent earlier and the request is made.
It won't show correctly if the cache is empty and:
Consent is not given yet.
The visitor's browser privacy settings refuse consent by default (for example a Global Privacy Control signal, or a blocker that prevents requests to Google's domains).
The third possibility, not asking consent for Google Fonts and loading them anyway, means you are not fully GDPR compliant.
This means that your site may render without the fonts you carefully selected, so declare a sensible fallback font stack in your CSS so the page still reads well in that state. But there is always a way to be GDPR-proof and serve your webpage correctly.
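As an added example (not code from the original article), the block-then-consent-then-load sequence above can be implemented in the browser like this. It assumes a hypothetical cookie named fonts_consent holding "granted" or "denied", that the static HTML carries no link to fonts.googleapis.com, and that the page's CSS declares a fallback font stack; the Google Fonts CSS2 URL format (family=...&display=swap) is the real API's, everything else is assumed for illustration. It also honours a browser-level Global Privacy Control signal as a refusal, which covers the "browser refuses by default" case above.

```javascript
// Consent-gated loading of Google Fonts (added example, not code from the original article).
// Assumptions (hypothetical names, not from the article): consent is remembered in a cookie
// called "fonts_consent" with value "granted" or "denied", and the static HTML contains no
// <link> to fonts.googleapis.com, so nothing reaches Google until loadGoogleFonts() runs.

const GOOGLE_FONTS_HOST = "https://fonts.googleapis.com";
const CONSENT_COOKIE = "fonts_consent";       // hypothetical cookie name
const LINK_ID = "google-fonts-css";           // id of the injected <link>, used to avoid duplicates

// Build the CSS2 API URL, e.g. ["Roboto:wght@400;700", "Open Sans"] ->
// https://fonts.googleapis.com/css2?family=Roboto:wght@400;700&family=Open+Sans&display=swap
// Family specs are developer-controlled constants, so only spaces are encoded (as "+");
// the ":", "@" and ";" of an axis spec must stay literal for the API to parse them.
function buildGoogleFontsUrl(families, display = "swap") {
  if (!Array.isArray(families) || families.length === 0) {
    throw new Error("at least one font family is required");
  }
  const query = families
    .map((family) => "family=" + family.trim().replace(/ /g, "+"))
    .join("&");
  return `${GOOGLE_FONTS_HOST}/css2?${query}&display=${display}`;
}

// Parse the consent decision out of a Cookie string. Anything other than an explicit
// "granted"/"denied" is "unknown": an absent or malformed cookie is never treated as consent.
function readConsent(cookieString) {
  for (const part of cookieString.split(";")) {
    const eq = part.indexOf("=");
    if (eq === -1) continue;
    const name = part.slice(0, eq).trim();
    const value = part.slice(eq + 1).trim();
    if (name === CONSENT_COOKIE) {
      return value === "granted" || value === "denied" ? value : "unknown";
    }
  }
  return "unknown";
}

// Decide whether the third-party request may be made. A browser-level opt-out signal
// (Global Privacy Control, navigator.globalPrivacyControl === true) counts as a refusal
// even if a "granted" cookie exists, so the stricter signal always wins.
function shouldLoadGoogleFonts(consent, gpcSignal) {
  if (gpcSignal) return false;
  return consent === "granted";
}

// Inject the stylesheet <link>. This is the only place a request to Google can originate.
// Returns true if a link was added, false if one is already present.
function loadGoogleFonts(doc, families) {
  if (doc.getElementById(LINK_ID)) return false;
  const link = doc.createElement("link");
  link.id = LINK_ID;
  link.rel = "stylesheet";
  link.href = buildGoogleFontsUrl(families);
  doc.head.appendChild(link);
  return true;
}

// Run on page load: load only if consent was already recorded; otherwise leave the fonts
// blocked and let the page render with the CSS fallback font stack.
function initFonts(doc, nav, families) {
  const consent = readConsent(doc.cookie || "");
  const gpc = Boolean(nav && nav.globalPrivacyControl === true);
  if (!shouldLoadGoogleFonts(consent, gpc)) return false;
  return loadGoogleFonts(doc, families);
}

// Wire this to the "accept" button of the consent banner: persist the decision first,
// then make the request. Returns false if the browser's GPC signal overrides the click.
function grantConsent(doc, nav, families) {
  doc.cookie = `${CONSENT_COOKIE}=granted; Path=/; Max-Age=15552000; SameSite=Lax`;
  return initFonts(doc, nav, families);
}

// Wire this to the "decline" button: record the refusal so the banner is not shown again.
function denyConsent(doc) {
  doc.cookie = `${CONSENT_COOKIE}=denied; Path=/; Max-Age=15552000; SameSite=Lax`;
}

// Browser entry point; skipped when there is no DOM (e.g. when this file is unit-tested).
if (typeof document !== "undefined") {
  initFonts(document, typeof navigator !== "undefined" ? navigator : null,
            ["Roboto:wght@400;700", "Open Sans"]);
}
```

The important property is that the only code path that creates a request to Google is loadGoogleFonts(), and it is reachable only through shouldLoadGoogleFonts() returning true; a missing, malformed or "denied" cookie, and a Global Privacy Control signal, all leave the page on its fallback fonts. A quick check in the browser's network panel that no request to fonts.googleapis.com or fonts.gstatic.com appears before the banner is accepted is the test to run on a real deployment.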
Solutions that serve both you and the GDPR
We will give the obvious answer: self-hosting your Google Fonts. All fonts in the Google Fonts catalogue are released under open-source licences that permit this, and serving them from your own origin means no request reaches Google at all, so the consent question for fonts disappears.