What the Fries does a Burger have to do with GDPR and Google Fonts? Well, you’re about to find out!
I can’t believe I missed this, but since the introduction of GDPR, using Google Fonts has become a bit tricky. Let’s see what we can do about this.
First off, I hope this blog post finds you in good health. The coronavirus is spreading like wildfire and is affecting everyone and everything: people, relationships, businesses. I sincerely hope that you, and everyone around you, will recover fully. In health, mentally and physically, as well as financially.
Now, back to the subject.
Uh-oh, what did Google do?!
No worries. It’s not that bad. It’s just how the internet works and the fact that Google isn’t going to reassure you in any way.
See, no biggie.
How the Internet Works
When you visit a website, you’re in reality requesting a document, which is served to you by the server. This request is done through a URL, which looks like this:
[protocol] :// [pretty-name-pointing-to-a-server-IP-address] . [tld] / [path] / [to] / [document]
I’m sure a real world example will seem more familiar to you:
https :// myawesomewebsite . com / hobbies / my-awesome-hamsters
Basically, by requesting the above address, you’re telling the server: Hi server! I just requested files from myawesomewebsite.com using a secure connection (https). I would like to view the document named ‘my-awesome-hamsters’ in a folder named ‘hobbies’.
Burgers & Fries
Let’s compare the internet to a restaurant. A very modern, and ultra cool restaurant where orders are placed directly on your table, without any intervention of a waiter/waitress.
Your friend orders a burger with a side of fries, but you’re counting calories, so you’ll only take a salad and a XXL Banana/Oreo Milkshake.
For the waiter to know where to serve your food, it is required to provide your table number with each order. Makes sense, right?
Now, to complete this puzzle:
- Table number = Computer’s IP address,
- Waiters = Servers (because well, they serve. Duh…),
- Order = Request,
- Food = Document,
- And your friend — well, I hope she’s still your friend.
Now let’s rewrite that last sentence:
For the server to know where to serve your document, it is required to provide your IP address with each request. Makes sense, right?
Now, let’s circle back to Google Fonts.
GDPR and Google Fonts
Essentially, there’s nothing wrong with this way of working, until external requests come in to play.
A document can, in itself, request other resources, e.g. images and — drumroll, please! — Google Fonts, which are located on another server.
Let’s imagine that your friend’s fries come with complimentary packets of mayonnaise and ketchup handmade by another ultra modern restaurant across the street — conveniently named ‘Le Góog’.
In order for the waiter across the street to know where to serve the packets, your table number is sent to Le Góog directly after placing your order.
If you weren’t paying attention: this means that your IP address is (instantly) shared with Google’s servers, while you thought you were just sharing it with a — very trustworthy and passionate — hamster hobbyist.
To clarify: under GDPR, personally identifiable information may not be shared without the user’s explicit permission, i.e. a cookie notice. An IP address is exactly that: personally identifiable information.
What Google’s Doing About It
“Luckily” Google has put “a lot” of time and “effort” in “reassuring” us that they’re not planning to do anything with our data.
This is what their FAQ has to say about it:
The Google Fonts API is designed to limit the collection, storage, and use of end-user data to what is needed to serve fonts efficiently. […] Google Fonts logs records of the CSS and the font file requests, and access to this data is kept secure.
A beautiful statement containing some difficult, yet comforting words, leaving you somewhat reassured and — totally paranoid.
In other words: they’re not doing anything about it.
To be fair, they can’t not receive the IP address, because that’s how the internet works. But the least they could do is offer some reassurance that they’re not using it for anything else. Instead they say they do log it, but in a very very very safe place.
AAARGH! — Help me fix this, please?
Essentially, the only way to prevent your IP address from being sent to Google is by not requesting fonts — from the Google Fonts API — at all.
But that doesn’t mean you can’t use Google Fonts anymore.
The solution to make Google Fonts comply with GDPR lies in hosting Google Fonts locally.
If you’re a WordPress user, you can achieve this with my plugin: OMGF. Its usage is fairly straightforward, but my friends at Complianz have done a great write-up of how to use it.
Pro-tip: use the Auto Detect feature combined with the Auto Remove option.
Automatically Download Google Fonts and Remove Requests to Google’s API
Assuming you know how to install a WordPress plugin, go to OMGF’s settings in Settings > Optimize Webfonts after installing and activating it.
In most cases OMGF will automatically detect the fonts your theme and plugins are using. If not, it’s either using Web Font Loader or an unconventional method to load Google Fonts. Upgrade to OMGF Pro to detect and replace (or remove) them.
- Tailor the list of detected fonts to suit your needs, but do not remove anything! You might want to preload the font styles your theme uses above the fold to raise your PageSpeed score by a few points.
- Click Download Fonts and wait for the loader to disappear.
- Click Generate Stylesheet. After a few seconds you’ll receive a success notice. Don’t forget to leave a review 😉
- Then proceed to the plugin’s Advanced Settings, check ‘Remove Google Fonts?’ in the next screen and save your changes.
You’re all set. From now on, OMGF will remove any requests to the Google Fonts API and replace them with a locally hosted copy of the same font files.
To Summarize: Making Google Fonts GDPR Compliant
Today we’ve taken a look at the Google Fonts API and why it is essentially in breach of GDPR.
A proposed solution is to host your Google Fonts locally.
For WordPress users, OMGF offers a simple solution to making Google Fonts GDPR compliant with Auto Detect. Users of other platforms can do it manually, by removing the requests to the Google Fonts API and replacing them with a locally hosted copy of the CSS and font files.
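As an added example (not from the original post and not the OMGF plugin’s code), here is the manual approach from this summary and from the ‘hosting Google Fonts locally’ section in Python: detect every URL on a page that would make the visitor’s browser contact Google’s font servers, then rewrite the fetched CSS and the page so the same fonts are served from your own host. The HTML, the CSS and the font file path below are constructed samples, and the local paths are assumptions.

```python
import re

# Constructed sample page fragment (not from the original post): a theme
# loading Google Fonts through a <link> tag and an @import rule.
SAMPLE_HTML = """<head>
<link rel="preconnect" href="https://fonts.gstatic.com">
<link href="https://fonts.googleapis.com/css2?family=Open+Sans:wght@400;700&display=swap" rel="stylesheet">
<style>@import url('https://fonts.googleapis.com/css?family=Roboto');</style>
</head>"""

# Constructed sample of the CSS the Google Fonts API returns: one @font-face
# per style, each pointing at a font file on fonts.gstatic.com (placeholder path).
SAMPLE_CSS = """@font-face {
  font-family: 'Open Sans';
  font-style: normal;
  font-weight: 400;
  src: url(https://fonts.gstatic.com/s/opensans/v1/EXAMPLE-opensans-400.woff2) format('woff2');
}"""

# Any URL matching this makes the visitor's browser contact Google, sending its IP address.
GOOGLE_FONT_URL = re.compile(r"""https?://fonts\.(?:googleapis|gstatic)\.com[^"')\s>]*""")

def find_google_font_requests(text):
    """Detection: list every URL in a page or stylesheet that points at Google's font servers."""
    return GOOGLE_FONT_URL.findall(text)

def localize_css(css, local_dir="/fonts"):
    """Mitigation step 1: rewrite the downloaded Google CSS so every font file is served
    from local_dir on your own server. Returns (new_css, [(remote_url, local_path), ...]);
    the caller downloads each remote_url once and stores it at local_path."""
    mapping = []
    def to_local(match):
        remote = match.group(1)
        local = f"{local_dir}/{remote.rsplit('/', 1)[-1]}"
        mapping.append((remote, local))
        return f"url({local})"
    new_css = re.sub(r"""url\(['"]?(https://fonts\.gstatic\.com/[^)'"]+)['"]?\)""", to_local, css)
    return new_css, mapping

def localize_html(html, local_css="/fonts/fonts.css"):
    """Mitigation step 2: strip the <link> and @import requests to Google and reference
    the locally hosted stylesheet (the output of localize_css) instead."""
    html = re.sub(r"<link[^>]+fonts\.(?:googleapis|gstatic)\.com[^>]*>\s*", "", html)
    html = re.sub(r"@import\s+url\(['\"]?https://fonts\.googleapis\.com[^)]*\);?", "", html)
    return html.replace("</head>", f'<link rel="stylesheet" href="{local_css}">\n</head>')

if __name__ == "__main__":
    css, files = localize_css(SAMPLE_CSS)
    print("download these:", files)
    print("remaining Google requests:", find_google_font_requests(localize_html(SAMPLE_HTML) + css))
```

Run the same detection over your live pages after deploying the change; an empty list means no visitor request reaches Google for fonts.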
Thanks for sharing this very important process. I will implement this on my sites.
Best Regards
Katia
I was searching for this type of article for my new project and landed on your website. I must say this is great work.
Would definitely use this process step by step when setting up my new project. Thanks : )
Basically Google is undermining GDPR. Once they have your IP (be it from fonts, analytics, CDN, logged-in services, etc.) there is nothing stopping them from collating this information across all services, and effectively tracking your online activity. It boggles my mind why they are not being fined for this.
Great article. Thanks for sharing this with us. I will implement this on my sites.