The GDPR strikes again!
While Austria and Norway are taking on Google Analytics, on January 20th, 2022, the regional court of Munich, Germany ordered a website owner to pay a €100 fine. Why? Because using Google Fonts violates GDPR.
Why using Google Fonts is in breach of GDPR
To some this may come as no surprise — for me it wasn’t. Due to the way the internet works it was a matter of time before the GDPR would catch up and start handing out fines.
But it’s important you — and all website owners — are brought up to speed.
If you’re curious about the technical details, I suggest you read this post I wrote two years ago about why Google Fonts violate the GDPR — it’s hilarious I might add. For now, I’ll give you the short and sweet version:
Every page you view on the internet consists of files: images, scripts, stylesheets and [drumroll please!] fonts! Whenever a file is requested, the IP address of your computer is shared with the server hosting that file. I.e. whenever a Google Fonts file is requested, the IP address of your computer is shared with Google’s server.
An IP address is considered personal data, because it can literally trace you back to your home.
Before, GDPR compliance was all about asking for a user’s explicit permission, or prior consent. But due to the recent ruling in Austria, never transferring (any) personal data to the US (due to their government’s CLOUD Act) has become a point of interest for European privacy watchdogs.
This is the whole reason why Google (and I’m sure others are soon to follow) is under fire.
Can you keep using Google Fonts?
Website owners have put in a lot of effort, time and money building and designing their site.
Since fonts are part of a site’s design, asking for prior consent is not an option.
I think we can all agree that “temporarily” breaking your site’s design until the user accepted loading the fonts is a bit ridiculous.
So, if prior consent is not an option, what are your options to make your site GDPR compliant? Fortunately, there are some.
Switch back to System Fonts
Warning! Using this option can significantly change the look and feel of your site and might scare off some (returning) users. Proceed with caution.
Some WordPress themes (like GeneratePress or Astra) support this natively. They offer an option to change the font-family for any element to a system font. If your theme supports it, this could be an option.
Whatever you do, please don’t remove any mentions of Google Fonts from your stylesheets and/or themes. If you do, the browser will choose a “matching” system font. Trust me, it’ll be a guaranteed shit show.
Now, before you switch back to Times New Roman and give your site that “nice” ’90s look, there are a few things you can do to keep your precious fonts.
Host Google Fonts locally
If you want to keep using the same fonts as you always have, while keeping your site GDPR compliant, you can choose to host the Google Fonts your website is currently using locally.
There are several ways to achieve this. Some approaches are more universally applicable than others, but involve more manual labor.
Spoiler alert! If you’re a WordPress user, just download and install OMGF. It’s free, it’s fast, it’s easy and it does exactly what you’re looking for.
Using the Google Webfonts Helper (universal)
To host your Google Fonts locally you can use this helper application, called Google Webfonts Helper. The interface is intuitive and it makes it easy for you to generate a stylesheet for your (locally hosted) Google Fonts.
However, if you’re not familiar with PHP coding and CSS stylesheets, this approach might be a bit overwhelming. This tutorial might help you out, but if you want a quick and easy solution, keep reading.
Using your theme’s built-in option (WordPress only)
Some themes (like Avada and Astra) have a built-in option to serve Google Fonts from your server — which is great! If your theme supports it, you can choose to check that box and be done with it all. However, I don’t recommend this for a very simple reason: human error.
Imagine what would happen when you check that box and change themes in a year — or maybe two? It’s very likely you’ve forgotten about that Google Fonts option you checked and after switching to a new theme, all your Google Fonts are pulled from Google’s servers again. A few months later: you find a GDPR fine on your doorstep. Ouch!
My suggestion? Use a plugin.
Using a Plugin (WordPress only)
WordPress users can breathe easy; OMGF does what the Google Webfonts Helper enables you to do (and more), but without the manual labor.
- It scans your WordPress site for Google Fonts,
- Downloads them,
- Generates a stylesheet, and
- Loads it in your site’s frontend.
Effectively eliminating any requests to fonts.googleapis.com or fonts.gstatic.com.
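The two halves of that workflow, the scan for third-party font requests and the rewrite of Google’s stylesheet to local files, are small enough to show in code. The script below is an added example written for this post; it is not OMGF’s code or the Google Webfonts Helper. The HTML snippet and the Google Fonts CSS it works on are constructed samples in the shape Google serves, and the font file names and the /fonts/ directory are assumptions.

```python
"""Find Google Fonts requests in a page and rewrite the Google Fonts
stylesheet so the font files are served from your own origin.

Added example, not OMGF's or the Google Webfonts Helper's code. The sample
HTML and CSS are constructed; file names and /fonts/ are assumptions.
"""
import os
import re
import urllib.request
from urllib.parse import urlparse

GOOGLE_FONT_HOSTS = {"fonts.googleapis.com", "fonts.gstatic.com"}

# Constructed sample: a page header that still pulls fonts from Google.
SAMPLE_HTML = """
<link rel="preconnect" href="https://fonts.gstatic.com">
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Roboto:wght@400;700&display=swap">
<link rel="stylesheet" href="/wp-content/themes/demo/style.css">
<style>@import url(//fonts.googleapis.com/css?family=Open+Sans);</style>
"""

# Constructed sample in the shape of a Google Fonts CSS response
# (file names are placeholders, not real gstatic paths).
SAMPLE_GOOGLE_CSS = """\
/* latin */
@font-face {
  font-family: 'Roboto';
  font-style: normal;
  font-weight: 400;
  font-display: swap;
  src: url(https://fonts.gstatic.com/s/roboto/v30/EXAMPLE-regular.woff2) format('woff2');
  unicode-range: U+0000-00FF, U+0131, U+0152-0153;
}
/* latin */
@font-face {
  font-family: 'Roboto';
  font-style: normal;
  font-weight: 700;
  font-display: swap;
  src: url(https://fonts.gstatic.com/s/roboto/v30/EXAMPLE-bold.woff2) format('woff2');
  unicode-range: U+0000-00FF, U+0131, U+0152-0153;
}
"""

# Absolute or protocol-relative URLs in markup or CSS text.
URL_RE = re.compile(r"""(?:https?:)?//[^\s"'()<>]+""")
FONT_FACE_RE = re.compile(r"@font-face\s*\{[^}]*\}")
SRC_URL_RE = re.compile(r"url\((https://fonts\.gstatic\.com/[^)]+)\)")


def find_google_font_references(text: str) -> list[str]:
    """Every URL in page markup or CSS whose host is a Google Fonts host.

    An empty result means no font request carries a visitor's IP address
    to Google. Run it over a saved copy of each page template and over
    the theme's stylesheets, since fonts are often pulled in via @import.
    """
    return [u for u in URL_RE.findall(text)
            if urlparse(u).hostname in GOOGLE_FONT_HOSTS]


def localize_stylesheet(css: str, local_dir: str = "/fonts") -> tuple[str, dict[str, str]]:
    """Rewrite a Google Fonts stylesheet to point at locally hosted files.

    Returns the rewritten CSS plus a {remote_url: local_path} map for the
    download step. The original file name is kept in the local name
    because Google serves one @font-face per unicode subset (latin,
    latin-ext, ...) with identical family/weight/style, and those files
    must not overwrite each other.
    """
    downloads: dict[str, str] = {}

    def rewrite_block(match: re.Match) -> str:
        block = match.group(0)
        fam = re.search(r'''font-family:\s*['"]?([^;'"]+)''', block)
        style = re.search(r"font-style:\s*(\w+)", block)
        weight = re.search(r"font-weight:\s*(\w+)", block)
        slug = (fam.group(1).strip() if fam else "font").lower().replace(" ", "-")
        style_v = style.group(1) if style else "normal"
        weight_v = weight.group(1) if weight else "400"

        def swap_url(m: re.Match) -> str:
            remote = m.group(1)
            basename = remote.rsplit("/", 1)[-1]
            local = f"{local_dir}/{slug}-{weight_v}-{style_v}-{basename}"
            downloads[remote] = local
            return f"url({local})"

        return SRC_URL_RE.sub(swap_url, block)

    return FONT_FACE_RE.sub(rewrite_block, css), downloads


def download_fonts(downloads: dict[str, str], web_root: str) -> None:
    """Fetch each font file once, at build time, into web_root/local_path.

    Only the site operator's machine contacts Google here; visitors'
    browsers later load the copies from your own server.
    """
    for remote, local in downloads.items():
        target = os.path.join(web_root, local.lstrip("/"))
        os.makedirs(os.path.dirname(target), exist_ok=True)
        urllib.request.urlretrieve(remote, target)


if __name__ == "__main__":
    print("Google Fonts requests found:", find_google_font_references(SAMPLE_HTML))
    local_css, to_fetch = localize_stylesheet(SAMPLE_GOOGLE_CSS)
    print(local_css)
    for remote, local in to_fetch.items():
        print(f"fetch {remote} -> {local}")
    print("after rewrite:", find_google_font_references(local_css))
```

The scan deliberately matches protocol-relative `//fonts.googleapis.com` URLs as well as full ones, because `@import` lines in theme stylesheets are a common place for a forgotten Google Fonts reference to survive a theme switch. The download step is kept separate so you can run it once on the server and then serve the rewritten stylesheet; after that, the scan over the final page should come back empty.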
Disclaimer: OMGF is able to detect Google Fonts in most situations. However, some themes use unusual methods to add Google Fonts. If this is your case, OMGF will throw a notice and ask you to contact support. Please do, I’ll get you sorted. 🙂
Conclusion
I hope this post has brought you some relief.
Being a website owner is complicated to begin with and the GDPR hasn’t made it any easier.
Now that a court in Germany has ruled that using Google Fonts is in breach of GDPR, it’s time to start hosting Google Fonts locally. There is no alternative. Today you’ve learned a few approaches on how to make your Google Fonts GDPR compliant.
Basically, this also means gstatic is in breach of the GDPR.
Yup, anything Google, basically. Any kind of 3rd party tracking tool located in the US (i.e. Facebook)
Does that mean it also applies if you have a link to a YouTube video?
Or if you have pictures with Alt-Text? (what about pictures without description?)
And also, then, if you have your address in Google Maps?
But if that’s the case, then we can’t be found in Google!! Isn’t it?
This is all definitely ridiculous.
A link to a YouTube video doesn’t share any data with YouTube, until the user clicks on that link and actually visits YouTube. But clicking on a link is a form of consent; essentially the user is saying: I want to see this YouTube video. So, you’re in the clear when it comes to linking. Embedding, however, is a different story. Embedded YouTube videos (or Google Maps widgets, for that matter) always need to be blocked behind a cookie banner (like Complianz), and users have to give prior consent before loading the embedded content.
Also, there’s nothing wrong with having your business registered on Google Maps. Like I said, it’s about sharing personal data on YOUR website with OTHER 3rd party services. When a user visits Google Maps or YouTube, that’s consent. But when a user visits your website, and your website passes on the user’s data without their consent (how are they supposed to know that you’re loading a Google Maps widget and/or YouTube video on your site?), then you’re in breach of GDPR.
Mind you that I’m not a lawyer, but this seems to be the current consensus.
How do I check whether my site is breaking the rule or not, as I didn’t develop it myself?
Hi! This is a pretty thorough Google Fonts checker: https://sicher3.de/google-fonts-checker/