Bye-bye Google Fonts: German Court Rules That Google Fonts Is Not in Compliance with GDPR

Written by zwacky | Published 2022/02/24
Tech Story Tags: google-fonts | gdpr | data-privacy | privacy | compliance | google | design | web-design

TL;DR: A German court has ruled that Google Fonts is not in compliance with the GDPR. Integration of dynamic web content from US web services is illegal without the consent of the visitor: the user’s IP address is shared with Google, and that is personally identifiable information (PII). The Munich court clearly wanted to set an example; it even mentioned that the next fine will be 250,000€ for the website operator if they don’t comply with German law. The court also noted that other EU countries will be all ears.

The German court ruled last month that Google Fonts is not in compliance with the GDPR.

The integration of dynamic web content such as Google Fonts from US web services is illegal without the consent of the visitor.

A website operator received a fine of 100€. The Munich court clearly wanted to set an example: it even mentioned that the next fine will be 250,000€ for the website operator if they don’t comply.

Data protection authorities (DPAs) in other EU countries are all ears. More rulings and enforcement actions in the name of the GDPR are likely to follow.

In this post, I want to show why you should care, even if you’re not from Germany.


How Google Fonts collects personal data

When a page loads a font via Google Fonts, the browser makes two types of requests:

  1. Dynamic request: fonts.googleapis.com/css2?family={font}
  2. Asset request(s): fonts.gstatic.com/s/{font}/...

The dynamic request is the reason for the German court’s ruling: The user’s IP address is shared with Google Fonts. This is personally identifiable information (PII).

From the Google Fonts FAQ we get a fuzzy idea of what is going on:

Google Fonts logs records of the CSS and the font file requests, and access to this data is kept secure.

  • Are they logging users’ IP addresses along with other fingerprinting PII?
  • Are they using these records to fill the gaps of a user’s internet journey?

What we do know is that they collect and store end-user data for what they describe as the need to “serve fonts efficiently”.

“I’m running Google Fonts, what are my options?”

From a GDPR point of view you have 2 options:

  1. Host the fonts locally: you can download them directly from the Google Fonts website.
  2. Ask your users for consent: implement a consent banner that lists Google Fonts as one of the data processing services (DPS). On top of that, you must wait for the user’s consent before requesting anything from the Google Fonts service; delaying the font files until then is inherently not ideal.
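As an added example (not code from the original article, nor from Google), the following Node.js script shows both halves of the story above: an audit function that finds the dynamic and asset requests in a page's HTML or CSS, and a rewrite function that turns the @font-face stylesheet served by fonts.googleapis.com into a self-hosted one (option 1). The sample HTML, CSS and font file paths are constructed for the example, and the function names findGoogleFontRequests and localizeFontCss are my own.

```javascript
// Added example, not code from the original article or from Google Fonts.
// It shows (1) how to audit a page for the two request types the article
// describes and (2) how to rewrite the CSS served by fonts.googleapis.com so
// the fonts are self-hosted (option 1 above). Sample HTML, CSS and font file
// paths are constructed for this example, not captured from a real site.

// Matches the two Google Fonts hosts: the dynamic CSS request
// (fonts.googleapis.com) and the font asset requests (fonts.gstatic.com).
const GOOGLE_FONT_URL = /https?:\/\/fonts\.(?:googleapis|gstatic)\.com(?:\/[^"'\s)]*)?/g;

// Returns the deduplicated list of third-party font URLs a browser would
// request when rendering the given HTML or CSS text. Any non-empty result
// means the visitor's IP address is sent to Google before consent is asked.
function findGoogleFontRequests(text) {
  return Array.from(new Set(text.match(GOOGLE_FONT_URL) || []));
}

// Matches url(...) sources inside @font-face rules that point at
// fonts.gstatic.com; group 1 is the full remote URL, group 2 the path under /s/.
const GSTATIC_SRC = /url\(\s*['"]?(https:\/\/fonts\.gstatic\.com\/s\/([^)'"\s]+))['"]?\s*\)/g;

// Rewrites the stylesheet so every font source points below localPrefix and
// returns the (remote, local) pairs that must be downloaded once to serve
// the fonts from your own origin.
function localizeFontCss(css, localPrefix) {
  const assets = [];
  const rewritten = css.replace(GSTATIC_SRC, (_match, remote, path) => {
    const local = `${localPrefix}/${path}`;
    assets.push({ remote, local });
    return `url(${local})`;
  });
  return { css: rewritten, assets };
}

// Constructed sample page head: the typical Google Fonts embed snippet.
const SAMPLE_HTML = `
<link rel="preconnect" href="https://fonts.googleapis.com">
<link href="https://fonts.googleapis.com/css2?family=Roboto:wght@400;700&display=swap" rel="stylesheet">
<link href="/css/site.css" rel="stylesheet">
`;

// Constructed sample of what the css2 endpoint returns (file names are made up).
const SAMPLE_CSS = `
@font-face {
  font-family: 'Roboto';
  font-style: normal;
  font-weight: 400;
  src: url(https://fonts.gstatic.com/s/roboto/vX/roboto-regular.woff2) format('woff2');
}
@font-face {
  font-family: 'Roboto';
  font-style: normal;
  font-weight: 700;
  src: url(https://fonts.gstatic.com/s/roboto/vX/roboto-bold.woff2) format('woff2');
}
`;

// Usage: audit, rewrite, then re-audit to confirm no third-party request remains.
const before = findGoogleFontRequests(SAMPLE_HTML);
const { css: localCss, assets } = localizeFontCss(SAMPLE_CSS, '/fonts');
console.log('third-party font requests in page:', before);
console.log('files to download for self-hosting:', assets);
console.log('third-party requests left in rewritten CSS:', findGoogleFontRequests(localCss));
```

After downloading the listed assets into the local prefix and serving the rewritten CSS from your own origin, the `<link>` to fonts.googleapis.com (and the preconnect hint) can be dropped; running the audit over the final HTML and CSS and getting an empty list is the check that no request carrying the visitor's IP address leaves for Google.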

Why you should care

When tech companies get enough data points to connect the dots, they get a pretty good picture of what you do on the internet. This data is usually used for personalised advertising. I could live with this if it were the user’s only drawback of personal data collection.

Google Fonts is one of these data points, and it helps connect further puzzle pieces.

Besides the advertising aspect, it’s problematic because of:

  • the lack of control over your personal data
  • leaving a profile on tech companies’ servers that US authorities can access under certain conditions
  • being on the internet, where data leaks and hacks happen very often

Currently, it’s up to us developers to protect the end-user. This is why you should care.

Closing words

I hope I could shed some light on why Google Fonts is a data privacy concern.

Also: I am not a lawyer.


Published by HackerNoon on 2022/02/24