In January 2022, a German court ruled that embedding Google Fonts from Google’s servers without the visitor’s consent violates the GDPR.
The GDPR is the European Union’s data protection law. It protects people located in the EU, but it binds any website that processes their personal data, wherever that website is operated. That includes websites offering information or products that EU visitors may reach intentionally or by accident. More on that below.
In this article, we’ll go over what this means for your website, how Google Fonts exactly violates the GDPR, and what you can do to fix this issue.
You don’t have to say goodbye to Google Fonts, just follow the guide below.
Disclaimer: This article doesn’t provide any legal advice.
How Google Fonts Work
Google Fonts generally seems harmless. It’s a collection of openly licensed fonts that beautify your site, are served from a fast CDN, and spare you font licensing hassles later on.
The problem starts when a visitor’s browser opens your website and automatically requests the Google Fonts files from Google’s servers. To send the font back, Google’s server has to know where to send it, and that means receiving the visitor’s IP address. That specific transfer is what the court found to violate the GDPR. Before we elaborate on the problem, let’s cover what the GDPR actually is.
What is GDPR?
The GDPR, or General Data Protection Regulation, took effect in May 2018 to protect the personal data and privacy of people in the EU. Because the law protects the individual rather than the website, every website that processes the personal data of EU visitors has to comply with it, no matter where the website is hosted.
But why after all these years are we hearing about the GDPR again?
Why GDPR Matters — You Have To Care
On January 20, 2022, the Regional Court of Munich (Landgericht München I) ordered a website operator to pay €100 in damages to an undisclosed visitor. The damages were for transmitting the visitor’s IP address to Google through the browser’s request for Google Fonts.
This means that any visitor from the EU whose browser requests Google Fonts from Google’s servers while loading your website has a claim against you for the unlawful transfer of their personal data. An IP address counts as personal data under the GDPR.
To drive the point home, the GDPR applies outside of Europe. The whole point of the GDPR is to safeguard the personal data of people in the EU. So even if you’re in the USA or any other country in the world, if someone located in the European Union visits your site, you’re still accountable for any infringements of the GDPR against those visitors.
These infringements can result in being sued and in administrative fines of up to €20 million or 4% of your worldwide annual turnover for the preceding financial year, whichever is higher.
Why Using Google Fonts Violates GDPR
It can be confusing to understand why using Google Fonts, which should just be a way to style your site, breaches the GDPR. To boil it down to something simple, we’ll go through step by step what happens when Google Fonts is loaded from Google’s servers.
Here’s what happens when someone opens your website:
- A visitor lands on your website
- To display the content the visitor wants to see, their browser has to download the page and the resources it references
- Google Fonts is part of your page, but the font files are not hosted on your server
- So the browser has to request the stylesheet and the font files from Google’s servers
- For Google to know where to deliver the requested font, it receives the visitor’s IP address with every request
- Google’s server logs the request, including the IP address, and sends back the font file
- Your page renders with the Google Fonts file. What Google does with the logged IP address afterwards, and for how long it keeps it, is out of your control
If the visitor is located in the European Union, transmitting their IP address to Google this way, without their consent, is what the court found to breach the GDPR.
To rephrase: whenever a visitor opens a page on your website, the visitor’s IP address is also sent to Google, because Google needs it to deliver the Google Fonts files to that visitor.
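The first thing a practitioner wants is a way to check whether a page triggers this request flow at all. The following audit script is an added example, not code from the original article. It walks an HTML document and flags every reference that would make the browser contact Google’s font hosts: `<link>` tags pointing at fonts.googleapis.com or fonts.gstatic.com (including `rel="preconnect"` hints, which open a connection and therefore disclose the IP address even when no font is ever downloaded) and `@import`/`url()` references inside inline `<style>` blocks. The sample HTML is constructed for the demonstration, and the font URLs in it are illustrative.

```python
"""Audit HTML and CSS for Google Fonts references that make a visitor's browser
contact Google's servers (and thereby disclose the visitor's IP address).

Added example, not code from the original article. SAMPLE_HTML is constructed
for the demonstration; the font URLs in it are illustrative.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Hosts the browser contacts when Google Fonts is embedded the usual way:
# fonts.googleapis.com serves the CSS, fonts.gstatic.com serves the font files.
GOOGLE_FONT_HOSTS = {"fonts.googleapis.com", "fonts.gstatic.com"}

# url(...) references and @import "..." strings inside CSS text.
CSS_URL_RE = re.compile(r"""(?:url\(\s*['"]?|@import\s+['"])([^'")\s]+)""", re.I)


def is_google_fonts_url(url: str) -> bool:
    """True if the URL (absolute or protocol-relative) points at a Google Fonts host."""
    return urlparse(url).netloc.lower() in GOOGLE_FONT_HOSTS


def find_google_font_urls_in_css(css: str) -> list[str]:
    """Return every Google Fonts URL referenced from a stylesheet body."""
    return [u for u in CSS_URL_RE.findall(css) if is_google_fonts_url(u)]


class _FontAuditor(HTMLParser):
    """Collects <link> tags and inline <style> rules that point at Google Fonts."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[tuple[str, str]] = []   # (where found, url)
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link":
            href = a.get("href") or ""
            # rel=preconnect / dns-prefetch hints also open a connection to Google,
            # so they disclose the IP address even if no font is ever requested.
            if is_google_fonts_url(href):
                self.findings.append((f"link rel={a.get('rel') or '?'}", href))
        elif tag == "style":
            self._in_style = True

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            self.findings.extend(("inline <style>", u) for u in find_google_font_urls_in_css(data))


def find_google_font_references(html: str) -> list[tuple[str, str]]:
    """Audit one HTML document. Returns (location, url) pairs; an empty list means clean."""
    auditor = _FontAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample page: the typical Google Fonts embed plus a preconnect hint
# and an @import, next to one genuinely local stylesheet that must not be flagged.
SAMPLE_HTML = """<!doctype html>
<html><head>
<link rel="preconnect" href="https://fonts.googleapis.com">
<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
<link href="https://fonts.googleapis.com/css2?family=Roboto:wght@400;700&display=swap" rel="stylesheet">
<link rel="stylesheet" href="/assets/css/site.css">
<style>
  @import url('https://fonts.googleapis.com/css2?family=Open+Sans');
  body { font-family: Roboto, sans-serif; }
</style>
</head><body><p>Hello</p></body></html>
"""

if __name__ == "__main__":
    for where, url in find_google_font_references(SAMPLE_HTML):
        print(f"{where:24} {url}")
```

Run it against your own saved pages, and pass the text of each external stylesheet to `find_google_font_urls_in_css` as well, since themes often pull fonts in from a CSS file rather than from the HTML. A clean result is an empty list; the sample above reports four references, including the bare `preconnect` to fonts.gstatic.com that a font-only scan would miss.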
So, can you just keep a copy of Google Fonts files on your website host to avoid Google connecting to your visitors? Well, yes you can.
Alternative Solutions To Using Fonts While Being GDPR Compliant
As long as your visitors’ browsers never have to contact Google’s servers to fetch the fonts, this particular problem goes away.
Here’s what you can do to avoid getting fined or sued for violating the GDPR with Google Fonts.
Host Google Fonts Locally
Saving the Google Fonts resources to your own web server eliminates the need for the browser to fetch anything from Google’s servers.
You do this by downloading the font files, uploading them to your web host, and adding @font-face rules to your CSS that point at the local copies instead of Google’s URLs. Also remove any preconnect or dns-prefetch links to fonts.googleapis.com or fonts.gstatic.com, since those still open a connection to Google.
This can be a bit technical, especially if you don’t have any CSS or coding experience in general.
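The manual step that trips people up is turning the stylesheet Google serves into one that points at your own copies. The script below is an added example, not code from the original article or from any plugin it names. It assumes the CSS has the shape Google’s CSS API emits (one `@font-face` block per unicode subset, each preceded by a `/* subset */` comment) and that the downloaded files will be served from `LOCAL_PREFIX` on your own host. It rewrites every fonts.gstatic.com URL to a local path and returns the list of files you must download to those paths. The sample CSS is constructed; its file names are placeholders, not real Google paths.

```python
"""Turn the stylesheet Google serves into a self-hosted one.

Added example, not code from the original article or from any plugin it names.
Assumptions: the CSS has the shape Google's CSS API emits (one @font-face per
unicode subset, each preceded by a '/* subset */' comment) and the downloaded
font files will be served from LOCAL_PREFIX on your own host. SAMPLE_GOOGLE_CSS
is constructed; its file names are placeholders, not real Google paths.
"""
import re
from urllib.parse import urlparse

LOCAL_PREFIX = "/fonts/"                 # assumed location of the self-hosted files
GOOGLE_FONT_FILE_HOST = "fonts.gstatic.com"

# One "/* latin */ @font-face { ... }" block as emitted by fonts.googleapis.com.
FONT_FACE_RE = re.compile(
    r"/\*\s*(?P<subset>[\w-]+)\s*\*/\s*@font-face\s*\{(?P<body>[^}]*)\}", re.S)
SRC_URL_RE = re.compile(r"""url\(\s*['"]?([^'")\s]+)""")


def _prop(body: str, name: str, default: str) -> str:
    """Read one CSS property value out of a @font-face body."""
    m = re.search(rf"\b{name}\s*:\s*([^;]+);", body)
    return m.group(1).strip().strip("'\"") if m else default


def localize_google_fonts_css(css: str, local_prefix: str = LOCAL_PREFIX):
    """Rewrite remote font URLs to local paths.

    Returns (rewritten_css, downloads), where downloads is a list of
    (remote_url, local_path) pairs: fetch each remote file once, store it at the
    local path, and the rewritten CSS works without contacting Google.
    """
    downloads: list[tuple[str, str]] = []

    def rewrite(m: re.Match) -> str:
        body = m.group("body")
        src = SRC_URL_RE.search(body)
        if not src or urlparse(src.group(1)).netloc.lower() != GOOGLE_FONT_FILE_HOST:
            return m.group(0)            # already local or not Google's: leave untouched
        remote = src.group(1)
        # Build a readable local name: family-weight-style-subset.ext
        family = _prop(body, "font-family", "font").lower().replace(" ", "-")
        weight = _prop(body, "font-weight", "400").replace(" ", "-")  # "100 900" for variable fonts
        style = _prop(body, "font-style", "normal")
        ext = urlparse(remote).path.rsplit(".", 1)[-1]
        local = f"{local_prefix}{family}-{weight}-{style}-{m.group('subset')}.{ext}"
        downloads.append((remote, local))
        return m.group(0).replace(remote, local)

    return FONT_FACE_RE.sub(rewrite, css), downloads


# Constructed sample in the shape Google returns for "Roboto:wght@400;700".
SAMPLE_GOOGLE_CSS = """\
/* cyrillic */
@font-face {
  font-family: 'Roboto';
  font-style: normal;
  font-weight: 400;
  font-display: swap;
  src: url(https://fonts.gstatic.com/s/roboto/v30/EXAMPLE-cyr.woff2) format('woff2');
  unicode-range: U+0400-045F, U+0490-0491, U+04B0-04B1, U+2116;
}
/* latin */
@font-face {
  font-family: 'Roboto';
  font-style: normal;
  font-weight: 400;
  font-display: swap;
  src: url(https://fonts.gstatic.com/s/roboto/v30/EXAMPLE-lat.woff2) format('woff2');
  unicode-range: U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC;
}
/* latin */
@font-face {
  font-family: 'Roboto';
  font-style: normal;
  font-weight: 700;
  font-display: swap;
  src: url(https://fonts.gstatic.com/s/roboto/v30/EXAMPLE-lat-bold.woff2) format('woff2');
  unicode-range: U+0000-00FF;
}
"""

if __name__ == "__main__":
    new_css, downloads = localize_google_fonts_css(SAMPLE_GOOGLE_CSS)
    for remote, local in downloads:
        print(f"download {remote} -> {local}")
    print(new_css)
```

Two caveats when you run this on real output: Google varies the CSS by User-Agent (older browsers get woff or ttf instead of woff2), so fetch the stylesheet with a current browser’s User-Agent so you only have one format to host; and after deploying, re-check the rendered page for any leftover fonts.googleapis.com or fonts.gstatic.com reference, including preconnect hints, because a single remaining one re-creates the connection the court objected to.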
Use The OMGF WordPress Plugin
For those of you who are using WordPress, the best plugin for this purpose is OMGF.
OMGF automatically downloads the Google Fonts your WordPress site uses and generates a stylesheet for it. The sheet is integrated into your site’s header and loads locally together with everything else hosted on your web server.
Keep in mind that OMGF will work for most sites, but some themes and plugins load fonts in ways that make it difficult to retrieve the Google Fonts data. If you have trouble with this on your site, you can try the OMGF Pro version or fall back to the system fonts option below.
You can search for other similar plugins, but we chose OMGF because it was developed by a reputable source that spotted this issue years ago.
Use System Default Fonts
Finally, the simplest solution is to use the default system fonts. These fonts are already installed on your visitors’ own devices, so nothing needs to be downloaded from Google (or from your server) to render text.
Granted, the obvious downside to this is the lack of creative freedom with fonts and limited choices.
Can you use Google Fonts and be GDPR compliant?
Yes, you can use Google Fonts and be GDPR compliant. The problem arises only when the fonts are served from Google’s content delivery network without your visitors having consented to their IP addresses being sent to Google.
If you sever the need for your visitors to expose their IP address to Google, you can keep using Google Fonts on your website. To sever the connection between Google and your visitors, either host the Google Fonts files on your own website or revert to using system default fonts.
Conclusion
The GDPR is a European law that protects the personal data of people in the EU. It applies to websites all around the world, as long as they process the personal data of EU visitors. Loading Google Fonts from Google’s servers breaches the GDPR because EU visitors’ browsers have to send Google their IP address to request the font files when loading your website.
By hosting the Google Fonts files on your own website, you eliminate the need for your visitors to give Google their IP address. So yes, it is still possible to use Google Fonts without this GDPR problem.