Google Fonts and the GDPR ruling
In a recent court ruling in Germany, a website owner was found guilty of contravening EU GDPR (General Data Protection Regulation) legislation by using the ‘hosted’ version of Google Fonts, which is the standard way of embedding a Google Font on a website and the method used on many websites. In light of this, we have been researching measures that can be taken to ensure the legal use of Google Fonts so that website owners can mitigate any risk.
What’s the issue?
As always with Google, it’s about privacy. For example, if your site uses the hosted version of Google Fonts, then when a visitor loads a page their browser requests the font from Google, and that request includes the visitor’s IP (Internet Protocol) address. An IP address enables data to be sent to your specific location on the internet. As an IP address is deemed to be ‘personally identifiable information’, sharing it without the visitor’s consent is in contravention of GDPR.
While this is EU GDPR, the post-Brexit UK version of GDPR is very similar and the same risk may apply.
Can we ask a visitor for consent to use Google Fonts to comply with GDPR?
You likely already have a consent management system like Complianz in place on your site, asking visitors if they consent to the use of cookies. It is possible to use such a system to require consent for use of Google Fonts too; the problem is that if a site visitor doesn’t give consent, or before they have made the choice, your site will load using a different font.
The solution: host Google Fonts locally
As the court case noted, there is an alternative to using Google’s hosted font service: the fonts can be downloaded and installed locally on your website. Complianz also recommends this as the GDPR-compliant solution. There’s an added benefit too: connecting to external services can slow down your website, so removing the need to do so (by hosting the font yourself) can bring speed improvements.
Converting a website from using hosted Google Fonts to a local solution, including updates to the existing website stylesheet, is a 30-minute job.
How can I find out if our website uses Google Fonts in compliance with GDPR?
You can ask us to review your site and check what, if any, connection your website has to Google Fonts. You may be using a Google Font to display all your text, or you may be using it in combination with another font library like Adobe Typekit. Even if Google Fonts is unused, any connection should be removed.
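One way to run a first check yourself, as an added example that is not part of the original article: this Python script scans a page's HTML and stylesheets for any reference to the two hostnames Google Fonts is served from, fonts.googleapis.com and fonts.gstatic.com, including preconnect hints that open a connection even when no font is used. The function names, sample markup and site.css file are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Google Fonts hosts, and a pattern for url(...) / @import "..." targets in CSS.
GOOGLE_FONT_HOSTS = {"fonts.googleapis.com", "fonts.gstatic.com"}
CSS_URL_RE = re.compile(r"""url\(\s*['"]?([^'")\s]+)|@import\s+['"]([^'"]+)""", re.I)

def is_google_font_url(url):
    url = url.strip()
    url = "https:" + url if url.startswith("//") else url  # protocol-relative form
    return urlparse(url).hostname in GOOGLE_FONT_HOSTS

def scan_css(css, where):
    """Return (where, url) for each CSS url()/@import that targets a Google Fonts host."""
    urls = (m.group(1) or m.group(2) for m in CSS_URL_RE.finditer(css))
    return [(where, u) for u in urls if is_google_font_url(u)]

class FontRefScanner(HTMLParser):
    """Collects hits from href/src attributes, style attributes and <style> blocks."""
    def __init__(self):
        super().__init__()
        self.hits, self._in_style = [], False
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        self._in_style = tag == "style"
        for name in ("href", "src"):  # stylesheet links and preconnect hints alike
            if attrs.get(name) and is_google_font_url(attrs[name]):
                self.hits.append((f"<{tag} {name}>", attrs[name]))
        self.hits += scan_css(attrs.get("style") or "", f"<{tag} style>")
    def handle_endtag(self, tag):
        self._in_style = False
    def handle_data(self, data):
        if self._in_style:
            self.hits += scan_css(data, "<style>")

def scan_page(html, stylesheets=None):
    """Scan page HTML plus a {name: css_text} dict of the stylesheets it loads."""
    scanner = FontRefScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.hits + [h for n, css in (stylesheets or {}).items() for h in scan_css(css, n)]

# Constructed sample page and stylesheet, not taken from any real site.
SAMPLE_HTML = """<head><link rel="preconnect" href="https://fonts.gstatic.com">
<link rel="stylesheet" href="//fonts.googleapis.com/css2?family=Roboto">
<style>@import url('https://fonts.googleapis.com/css?family=Lato');</style></head>"""
SAMPLE_CSS = {"site.css": "@font-face{src:url(/fonts/lato.woff2)} "
                          "@font-face{src:url(https://fonts.gstatic.com/s/example.woff2)}"}
print(*scan_page(SAMPLE_HTML, SAMPLE_CSS), sep="\n")
```

A static scan like this does not see fonts injected at runtime by scripts, plugins or third-party embeds, so confirm the result in the browser's network panel with the page fully loaded.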
Next steps
If you would like us to convert your website to use local Google Fonts, or would like assistance with anything else, email us at [email protected]. To learn more about GDPR and PECR compliance, check out our related article on Privacy and Cookie Policy Best Practice.