A German court ruled last month that Google Fonts is not in compliance with GDPR.
Embedding dynamic web content such as Google Fonts from US web services is illegal without the visitor's consent.
A website operator was fined 100€. The Munich court clearly wanted to set an example: it even stated that the next fine will be 250.000€ if the website operator doesn't comply.
Data protection authorities (DPAs) in other EU countries are all ears. More rulings and enforcement actions of this kind in the name of GDPR are likely.
In this post, I want to show why you should care, even if you’re not from Germany.
When a page loads a font via Google Fonts, the browser makes two types of requests:
fonts.googleapis.com/css2?family={font}
fonts.gstatic.com/s/{font}/...
These dynamic requests are the reason for the German court's ruling: the user's IP address is shared with Google Fonts. An IP address is personally identifiable information (PII).
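To see where a site triggers those two request types, here is a small scanner I added for this post (it is not the court's, Google's, or any project's code). It walks an HTML document and flags every `<link href>` and every `url(...)` / `@import` inside `<style>` that points at fonts.googleapis.com or fonts.gstatic.com, so an operator can list what needs to be self-hosted. The sample page at the bottom is constructed for the demo; the hostnames are the two from the post, and a `rel=preconnect` is flagged on purpose because it already opens a connection that carries the visitor's IP.

```python
"""Find font loads that go to Google's servers (and therefore share the
visitor's IP address) so the operator can replace them with self-hosted fonts."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# The two hostnames behind the CSS request and the font-file request.
GOOGLE_FONT_HOSTS = {"fonts.googleapis.com", "fonts.gstatic.com"}

# url(...) references and @import "..." strings inside CSS text.
CSS_REF_RE = re.compile(
    r"""url\(\s*['"]?(?P<u>[^'")\s]+)['"]?\s*\)|@import\s+['"](?P<i>[^'"]+)['"]""",
    re.IGNORECASE,
)


def google_font_host(url: str):
    """Return the Google Fonts hostname a URL points at, or None if it is first-party.

    urlsplit also handles protocol-relative URLs (//fonts.gstatic.com/...),
    which carry a host even without a scheme; a relative path has no host.
    """
    host = urlsplit(url.strip()).hostname or ""
    return host if host.lower() in GOOGLE_FONT_HOSTS else None


def scan_css(css: str, where: str) -> list:
    """Collect Google Fonts references from a block of CSS."""
    findings = []
    for m in CSS_REF_RE.finditer(css):
        ref = m.group("u") or m.group("i")
        host = google_font_host(ref)
        if host:
            findings.append({"where": where, "host": host, "url": ref})
    return findings


class FontRefScanner(HTMLParser):
    """Collects <link href=...> and <style> references to Google Fonts."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and a.get("href"):
            # Any rel counts: rel=preconnect already contacts the host.
            host = google_font_host(a["href"])
            if host:
                self.findings.append(
                    {"where": f"<link rel={a.get('rel', '')}>", "host": host, "url": a["href"]}
                )
        elif tag == "style":
            self._in_style = True

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            self.findings.extend(scan_css(data, "<style>"))


def scan_html(html: str) -> list:
    """Return every Google Fonts reference found in an HTML document."""
    scanner = FontRefScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: three third-party font references and one
# self-hosted @font-face that must not be flagged.
SAMPLE_HTML = """<!doctype html>
<html><head>
  <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
  <link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Roboto&amp;display=swap">
  <style>
    @import url(//fonts.googleapis.com/css2?family=Open+Sans);
    @font-face { font-family: "Inter"; src: url("/fonts/inter.woff2") format("woff2"); }
  </style>
</head><body></body></html>"""

if __name__ == "__main__":
    for f in scan_html(SAMPLE_HTML):
        print(f"{f['where']:24} {f['host']:22} {f['url']}")
```

Run it against a saved copy of your page (`scan_html(open("index.html").read())`); each line it prints is a request the visitor's browser will make to Google. The fix the court's reasoning points to is to serve the font files from your own origin, which turns every flagged `url(...)` into a relative path like the `/fonts/inter.woff2` entry the scanner ignores.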
From the Google Fonts FAQ we get a fuzzy idea of what is going on:
Google Fonts logs records of the CSS and the font file requests, and access to this data is kept secure.
What we know is that they collect and store end-user data, which they say is needed to "serve fonts efficiently".
From a GDPR point of view you have 2 options:
When tech companies get enough data points to connect the dots, they get a pretty good picture of what you do on the internet. This data is usually used for personalised advertising. I could live with this if it were the user's only drawback of personal data collection.
Google Fonts is one of these data points that helps connect further puzzle pieces.
Besides the advertisement aspect, it’s problematic because of:
Currently, it's up to us developers to protect the end user. This is why you should care.
I hope I could shed some light on why Google Fonts is a data privacy concern.
Also: I am not a lawyer.