How to make Google Fonts GDPR compliant

What the Fries does a Burger have to do with GDPR and Google Fonts? Well, you’re about to find out!

I can’t believe I missed this, but since the introduction of GDPR, using Google Fonts has become a bit tricky. Let’s see what we can do about this.

First off, I hope this blog post finds you in good health. The coronavirus is spreading like wildfire and is affecting everyone and everything: people, relationships, businesses. I sincerely hope that you, and everyone around you, will recover fully: in health, mentally and physically, as well as financially.

Now, back to the subject.

Uh-oh, what did Google do?!

No worries. It’s not that bad. It’s just how the internet works and the fact that Google isn’t going to reassure you in any way.

See, no biggie.

How the Internet Works

When you visit a website, you’re in reality requesting a document, which is served to you by the server. This request is done through a URL, which looks like this:

[protocol] :// [pretty-name-pointing-to-a-server-IP-address] . [tld] / [path] / [to] / [document]

I’m sure a real world example will seem more familiar to you:

https :// myawesomewebsite . com / hobbies / my-awesome-hamsters

Basically, by requesting the above address, you’re telling the server: Hi server! I just requested files from myawesomewebsite.com using a secure connection (https). I would like to view the document named ‘my-awesome-hamsters’ in a folder named ‘hobbies’.

Burgers & Fries

Let’s compare the internet to a restaurant. A very modern, and ultra cool restaurant where orders are placed directly on your table, without any intervention of a waiter/waitress.

Your friend orders a burger with a side of fries, but you’re counting calories, so you’ll only take a salad and a XXL Banana/Oreo Milkshake.

For the waiter to know where to serve your food, you are required to provide your table number with each order. Makes sense, right?

Now, to complete this puzzle:

  • Table number = Computer’s IP address,
  • Waiters = Servers (because well, they serve. Duh…),
  • Order = Request,
  • Food = Document,
  • And your friend — well, I hope she’s still your friend.

Now let’s rewrite that last sentence:

For the server to know where to serve your document, you are required to provide your IP address with each request. Makes sense, right?

Now, let’s circle back to Google Fonts.

GDPR and Google Fonts

Essentially, there’s nothing wrong with this way of working, until external requests come into play.

A document can, in itself, request other resources, e.g. images and — drumroll, please! — Google Fonts, which are located on another server.

Let’s imagine that your friend’s fries come with complimentary packets of mayonnaise and ketchup handmade by another ultra modern restaurant across the street — conveniently named ‘Le Góog’.

In order for the waiter across the street to know where to serve the packets, your table number is sent to Le Góog directly after placing your order.

If you weren’t paying attention: this means that your IP address is (instantly) shared with Google’s servers, while you thought you were just sharing it with a — very trustworthy and passionate — hamster hobbyist.

To clarify, GDPR states that personally identifiable information may not be shared without a user’s explicit permission, i.e. the kind of permission you ask for in a cookie notice. An IP address is just that: personally identifiable information.

What Google’s doing About it

“Luckily” Google has put “a lot” of time and “effort” in “reassuring” us that they’re not planning to do anything with our data.

This is what their FAQ has to say about it:

The Google Fonts API is designed to limit the collection, storage, and use of end-user data to what is needed to serve fonts efficiently. […] Google Fonts logs records of the CSS and the font file requests, and access to this data is kept secure.

A beautiful statement containing some difficult, yet comforting words, leaving you somewhat reassured and — totally paranoid.

In other words: they’re not doing anything about it.

To be fair, they can’t not receive the IP address, because that’s how the internet works. But the least they could do is offer some reassurance that they’re not using it for anything else. Instead they say they do log it, but in a very very very safe place.

AAARGH! — Help me fix this, please?

Essentially, the only way to prevent your IP address from being sent to Google is by not requesting fonts — from the Google Fonts API — at all.

But that doesn’t mean you can’t use Google Fonts anymore.

The solution to make Google Fonts comply with GDPR lies in hosting Google Fonts locally.

If you’re a WordPress user, you can achieve this with my plugin: OMGF. Its usage is fairly straightforward, but my friends at Complianz have done a great write-up of how to use it.

Pro-tip: use the Auto Detect feature combined with the Auto Remove option.

Automatically download Google Fonts and Remove Requests to Google’s API

Assuming you know how to install a WordPress plugin, go to OMGF’s settings in Settings > Optimize Webfonts after installing and activating it.

1. Click Auto Detect and follow the instructions appearing in the notice at the top of the screen. In most cases OMGF will automatically detect the fonts your theme and plugins are using. If not, your theme or plugin is either using Web Font Loader or an unconventional method to load Google Fonts; upgrade to OMGF Pro to detect and replace (or remove) them.
2. Tailor the list of detected fonts to suit your needs, but do not remove anything! You might want to preload the font styles your theme uses above the fold to raise your PageSpeed score by a few points.
3. Click Download Fonts and wait for the loader to disappear.
4. Click Generate Stylesheet. After a few seconds you’ll receive a success notice. Don’t forget to leave a review ;)
5. Proceed to the plugin’s Advanced Settings, check ‘Remove Google Fonts?’ in the next screen and save your changes.

You’re all set. From now on, OMGF will remove any requests to Google Fonts’ API and replace them with a locally hosted copy of the same font file.

To Summarize; making Google Fonts GDPR compliant

Today we’ve taken a look at the Google Fonts API and why it’s essentially in breach of GDPR laws.

A proposed solution is to host your Google Fonts locally.

For WordPress users OMGF offers a simple solution to making Google Fonts GDPR compliant with Auto Detect. Users of different platforms can do it manually, by removing the requests to Google’s Fonts API and replacing them with a locally hosted copy of the CSS and font file.
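The manual route mentioned in the summary, removing requests to Google’s Fonts API and replacing them with a locally hosted copy of the CSS and font file, is the other side of the external-request problem described under ‘GDPR and Google Fonts’: every URL on your page that points at fonts.googleapis.com or fonts.gstatic.com makes the visitor’s browser hand their IP address to Google. The Python script below is an added example, not code from this post or from OMGF. It audits an HTML document for such requests and rewrites the `<link>` tags to a local stylesheet. The sample page, the `/fonts/fonts.css` path and the font file names are constructed for the example.

```python
"""Audit an HTML document for requests to Google's font servers and rewrite
the <link> tags to a locally hosted stylesheet. Example code, not OMGF."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts that serve the Google Fonts API (CSS) and the font files themselves
GOOGLE_FONT_HOSTS = {"fonts.googleapis.com", "fonts.gstatic.com"}

# Constructed sample page: one preconnect hint, one stylesheet link, one inline @import
SAMPLE_HTML = """<!doctype html>
<html><head>
<link rel="preconnect" href="https://fonts.gstatic.com">
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto:400,700&amp;display=swap">
<style>
@import url('https://fonts.googleapis.com/css2?family=Lato');
body { font-family: Roboto, sans-serif; }
</style>
</head><body><p>My awesome hamsters</p></body></html>"""

# What the locally hosted replacement stylesheet looks like (hypothetical file paths)
LOCAL_FONTS_CSS = """@font-face {
  font-family: 'Roboto';
  font-style: normal;
  font-weight: 400;
  font-display: swap;
  src: url('/fonts/roboto-regular.woff2') format('woff2');
}"""


class _FontUrlCollector(HTMLParser):
    """Collects every URL in <link href> and in url()/@import inside <style>."""

    def __init__(self):
        super().__init__()
        self.urls = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link" and attrs.get("href"):
            self.urls.append(attrs["href"])
        elif tag == "style":
            self._in_style = True

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            # url(...) covers both @import url(...) and @font-face src: url(...)
            self.urls.extend(re.findall(r'''url\(\s*['"]?([^'")\s]+)''', data))
            # bare @import 'https://...' form
            self.urls.extend(re.findall(r'''@import\s+['"]([^'"]+)['"]''', data))


def find_google_font_requests(html):
    """Return, in document order, every URL the browser would fetch from Google's font hosts."""
    collector = _FontUrlCollector()
    collector.feed(html)
    return [u for u in collector.urls if urlparse(u).hostname in GOOGLE_FONT_HOSTS]


_GOOGLE_CSS_LINK = re.compile(
    r'''<link\b[^>]*href=['"](?:https?:)?//fonts\.googleapis\.com[^'"]*['"][^>]*>''', re.I)
_GSTATIC_HINT_LINK = re.compile(
    r'''<link\b[^>]*href=['"](?:https?:)?//fonts\.gstatic\.com[^'"]*['"][^>]*>\s*''', re.I)


def localize_google_fonts(html, local_stylesheet):
    """Point stylesheet <link>s at a local copy of the CSS and drop preconnect
    hints to fonts.gstatic.com (a preconnect alone already contacts Google)."""
    html = _GOOGLE_CSS_LINK.sub(
        lambda m: f'<link rel="stylesheet" href="{local_stylesheet}">', html)
    return _GSTATIC_HINT_LINK.sub("", html)


if __name__ == "__main__":
    print("Before:", find_google_font_requests(SAMPLE_HTML))
    fixed = localize_google_fonts(SAMPLE_HTML, "/fonts/fonts.css")
    print("After: ", find_google_font_requests(fixed))  # the inline @import still needs editing by hand
```

The rewrite only touches `<link>` tags. An `@import` inside an inline `<style>` block, or inside your theme’s own CSS files, is reported by the audit but has to be replaced in the CSS itself, which is why the example runs the audit a second time on the rewritten document: anything still listed is a request that will reach Google. Preconnect hints to fonts.gstatic.com are removed as well, because the browser opens that connection, and so sends the visitor’s IP address, before a single font is requested.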

Daan van den Bergh

Daan van den Bergh is a carefully seasoned web developer. His methods consist of thinly slicing your website’s beef and serving you a platter of the best performance carpaccio on a bed of rocket — the only thing he’s more passionate about is food. Hire him at ffwp.dev.
