gantry / gantry5

:rocket: Next Generation Template / Theme Framework
http://gantry.org

Make the font-picker GDPR compliant #2305

Closed · errotu closed this issue 6 years ago

errotu commented 6 years ago

First of all: Thanks for the great framework! I really appreciate your work!

As you probably know, the new GDPR has been enforced in the European Union since May 25th. I used the chance to take a deep look into the websites I currently administer and the personal data collected by them. While it is controversial whether the use of Google Fonts without explicit consent by the user of a website is GDPR compliant or not, I am of the opinion that personal data (which IP addresses are) should not be collected in any case if not necessary.

In consequence, I implemented all the fonts I use locally (for which you provide a very helpful tutorial, thanks for that!). Nevertheless, I was wondering whether it wouldn't be possible to combine the excellent user experience of the font picker with a locally stored font solution.

This could be implemented as follows:

  1. The administrator of a website chooses a font via the font picker, accessing the Google Fonts directory.
  2. The font is copied by Gantry to the server of the website.
  3. When a user accesses the website, only the local copy of the font is accessed. No connection to Google servers is established, no IP addresses are submitted to any third party.

What are your thoughts on that?
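The three-step proposal above (pick a font from Google's directory, copy the font files to the site's own server, serve only the local copies), worked through as an added example. This is not Gantry's code. It assumes the mirrored files live in a directory served at `/fonts/`, that `fonts.gstatic.com` is the only acceptable download source, and it uses a constructed stylesheet and HTML snippet (the font path in them is invented) so the parsing, rewriting and the final "nothing still points at Google" check run offline; only `mirror_stylesheet()` touches the network.

```python
"""Self-hosting a Google Fonts stylesheet.

Added example, not Gantry code. Pipeline: fetch the CSS Google generates
for a font family, copy every referenced font file onto the local server,
rewrite the CSS to point at those copies, and finally check that no
fonts.googleapis.com / fonts.gstatic.com reference survives in what the
site delivers. SAMPLE_CSS and SAMPLE_HTML are constructed inputs (the
file path in them is invented), so parsing and rewriting run offline;
only mirror_stylesheet() touches the network.
"""
import hashlib
import os
import re
import urllib.parse
import urllib.request

# Only hosts Google's stylesheet is expected to reference; anything else is refused.
ALLOWED_FONT_HOSTS = {"fonts.gstatic.com"}
ALLOWED_EXTENSIONS = {".woff2", ".woff", ".ttf", ".otf"}

FONT_FACE_RE = re.compile(r"@font-face\s*\{[^}]*\}", re.S)
URL_RE = re.compile(r"url\((['\"]?)(https?://[^'\")]+)\1\)")
THIRD_PARTY_RE = re.compile(
    r"https?://[^\s'\"()<>]*(?:googleapis|gstatic)\.com[^\s'\"()<>]*")

# Constructed sample input, shaped like what fonts.googleapis.com/css returns.
SAMPLE_CSS = """\
/* latin */
@font-face {
  font-family: 'Roboto';
  font-style: normal;
  font-weight: 400;
  src: url(https://fonts.gstatic.com/s/roboto/v30/constructed-example.woff2) format('woff2');
  unicode-range: U+0000-00FF;
}
"""
SAMPLE_HTML = '<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Roboto">'


def font_urls(css):
    """Absolute font-file URLs referenced from @font-face blocks, in order."""
    return [url for block in FONT_FACE_RE.findall(css)
            for _quote, url in URL_RE.findall(block)]


def is_allowed_host(url):
    """True only for hosts we are willing to download font files from."""
    return urllib.parse.urlparse(url).hostname in ALLOWED_FONT_HOSTS


def local_name(url):
    """Map a remote font URL to a safe local filename.

    The basename is a hash of the URL, so nothing from the remote path
    (dots, slashes, odd characters) can escape the fonts directory; only
    the extension is kept, and only if it is on the allowlist."""
    ext = os.path.splitext(urllib.parse.urlparse(url).path)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError("unexpected font type in %s" % url)
    return hashlib.sha256(url.encode("utf-8")).hexdigest()[:16] + ext


def rewrite_css(css, local_prefix="/fonts/"):
    """Point every url() in the stylesheet at its local copy."""
    def replace(match):
        url = match.group(2)
        if not is_allowed_host(url):
            raise ValueError("refusing to mirror font from %s" % url)
        return "url(%s%s)" % (local_prefix, local_name(url))
    return URL_RE.sub(replace, css)


def remaining_third_party_refs(text):
    """Post-deployment check: Google font URLs still present in delivered
    HTML or CSS. An empty list means no font request will leave the site."""
    return THIRD_PARTY_RE.findall(text)


def mirror_stylesheet(css_url, out_dir, local_prefix="/fonts/"):
    """Online step: download the CSS and fonts, write a rewritten fonts.css.

    Google varies the CSS by User-Agent and only offers woff2 to browsers
    that advertise it, so a browser-like UA is sent for the CSS request."""
    headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:115.0) Gecko/20100101 Firefox/115.0"}
    with urllib.request.urlopen(urllib.request.Request(css_url, headers=headers)) as resp:
        css = resp.read().decode("utf-8")
    os.makedirs(out_dir, exist_ok=True)
    for url in font_urls(css):
        if not is_allowed_host(url):
            raise ValueError("refusing to mirror font from %s" % url)
        with urllib.request.urlopen(url) as resp:
            data = resp.read()
        with open(os.path.join(out_dir, local_name(url)), "wb") as fh:
            fh.write(data)
    rewritten = rewrite_css(css, local_prefix)
    with open(os.path.join(out_dir, "fonts.css"), "w", encoding="utf-8") as fh:
        fh.write(rewritten)
    return rewritten


if __name__ == "__main__":
    print(rewrite_css(SAMPLE_CSS))
    print("leaks before:", remaining_third_party_refs(SAMPLE_CSS + SAMPLE_HTML))
    print("leaks after:", remaining_third_party_refs(rewrite_css(SAMPLE_CSS)))
```

The host allowlist and the hashed filename are the two checks worth keeping if something like this ever ran from an admin UI: the font picker would be handing the mirroring step a URL that originated from a remote service, so the downloader should neither follow it to arbitrary hosts nor let the remote path choose where the file is written. The `remaining_third_party_refs` scan is the cheap way to confirm, after deployment, that the `<link>` tag and the CSS no longer reference Google at all.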

N8Solutions commented 6 years ago

@errotu I understand what you mean by controversial. I have seen this discussed in many chat rooms. From what I have seen, it is mostly some lawyers in Germany that are making a big fuss about Google Fonts. I like your idea; however, you need to keep in mind that you are not actually collecting the IP addresses, Google is, and Google has said they are GDPR compliant. If you include in your TOS/Privacy Agreement the fact that your site uses Google Fonts and the customer's IP address may be captured by Google, then you have given sufficient notice. The important thing to remember here is that you are not the one collecting the data, therefore you are not responsible for it. It all boils down to what you prefer to do. I hope this helps!

Hg347 commented 6 years ago

Well, I think that is not true, N8Solutions. The operator/publisher of the website is responsible for the user data, in my opinion. I am not a lawyer, but I am pretty sure, since I read a lot about the subject, that if that operator embeds remote Google fonts he has to have an agreement with Google for data processing and a data protection agreement. The operator has to certify on request that he did all that is necessary to protect his customers'/visitors' privacy.

I informed myself on a German lawyer website, e-recht24.de: https://www.e-recht24.de/news/datenschutz/10933-achtung-die-ersten-dsgvo-abmahnungen-sind-da.html

N8Solutions commented 6 years ago

@Hg347 I understand your concern. It was discussed at great length here on GitHub. If you'd like to read the whole conversation here it is, https://github.com/google/fonts/issues/1495 The original question was "edited" to contain the official notice from Google which precedes the original posters question.

If you'd like the gist of the conversation you can check out this article which references the GitHub discussion on it.

In a nutshell, Google has said they are a "Data Controller".

Google's Dave Crossland, who works on the Fonts project, provided this update:

Google Fonts acts as a "data controller" for any personal data that Google processes in connection with your use of Google Fonts web and Android APIs.

You, as the website developer/owner, have no control over how Google Fonts uses the information they collect therefore you are not considered to be the responsible party.

As I mentioned in my response above you can address this in your TOS & Privacy Policy thus providing sufficient notice to the visitors that your site utilizes Google Fonts.

If you really want to get particular with things, because this has to do with IP addresses: a visitor to your site is having their IP address logged; it has already been processed by requesting the page before the site visitor gets the opportunity to consent, or even to see the contents of the page.

I am of the opinion that a company like Google would not leave anything to chance when it comes to GDPR and that their use of any data they collect is in fact GDPR compliant. If it is not the company would be opening themselves up to a huge lawsuit which is something I'm sure they want to avoid.

This is just my opinion on the issue but one that I firmly stand by. I hope this helps.

errotu commented 6 years ago

I really don't want to open this big "How to interpret the GDPR"-discussion.

Besides the legal issues (which definitely exist as the current situation is and will stay unclear until the ECJ decides on this issue) it is in my opinion also about respect for the privacy of our website visitors. When people don't want to be tracked by Google, it's their choice and the tracking shouldn't start on my website.

Therefore, I'd love to hear from the Gantry5-Team what they think about a more privacy focused implementation of the font picker?

N8Solutions commented 6 years ago

@errotu The "Breyer" case you referenced is about a German citizen bringing charges against Federal German Institutions to prevent websites run by those institutions from registering and storing his IP Addresses. The ruling of the CJEU was in reference to that particular case against "Federal German Institutions" and therefore does NOT mean that an IP Address will always be considered "Personal Data". I have come to this opinion based on the following information. (emphasis throughout is added by me)

The decision of the CJEU states:

The dynamic internet protocol address of a visitor constitutes personal data, with respect to the operator of the website, IF that operator has the legal means allowing it to identify the visitor concerned with additional information about him which is held by the internet access provider.

At the very bottom it also states the following:

NOTE: A reference for a preliminary ruling allows the courts and tribunals of the Member States, in disputes which have been brought before them, to refer questions to the Court of Justice about the interpretation of European Union law or the validity of a European Union act. The Court of Justice does not decide the dispute itself. It is for the national court or tribunal to dispose of the case in accordance with the Court’s decision, which is similarly binding on other national courts or tribunals before which a similar issue is raised.

Which means it will be up to the National courts of the Member States to decide based on the CJEU's decision.

From this article on the twobirds website it states:

The court ruled that dynamic IP addresses MAY constitute ‘personal data’ even where only a third party (in this case an internet service provider) has the additional data necessary to identify the individual – but only under certain circumstances: The possibility to combine the data with this additional data must constitute a “means likely reasonably to be used to identify” the individual (the court assumed such means for Germany).

It's important to note the following, the court assumed such means for Germany, because the case was against Federal German Institutions and those institutions would have at their disposal the legal means to obtain the information from the Internet Service Provider necessary to identify the individual to whom the IP Address was assigned.

In this article by the law firm of Havel & Partners they came to the following conclusion:

what the court unfortunately did not, and indeed could not, specify more precisely, are the legal remedies on the basis of which it is possible to identify a particular person – these legal remedies may differ from one state to another and, therefore, to a large extent they will very much depend on the legislation and interpretation of national supervisory authorities and courts.

So they are saying it is up to the Member States to decide how they want to interpret the decision in relation to what "legal remedies" means.

Even the definition of "personal data" in Article 4(1) of the General Data Protection Regulation ("GDPR") does NOT clearly specify that an IP Address, whether Static or Dynamic, constitutes "Personal Data".

‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

Based on everything I have found, read, and understood, to me, and this is NOT legal advice it means that when a company, business, or a website operator ONLY collects an IP Address, whether Static or Dynamic, it is considered to be "Personal Data" but ONLY under certain circumstances where the company, business, or website operator has the legal means to obtain the additional data necessary to identify the individual.

Therefore, in my opinion, which again is NOT legal advice, while Google is a large company with deep pockets, it does not have any legal means, i.e. legal grounds, to obtain the necessary information from an Internet Service Provider in order to identify an individual from their IP Address when it comes to Google Fonts so an IP Address in this situation can NOT be considered "Personal Data". I have come to this conclusion because I can not think of a situation where a court would grant Google the additional data necessary to identify the individual owner of the IP Address when that IP Address is simply passed to them from a website operator.

@Hg347 I'm tagging you as well so you can look over what I have written.

@errotu With all that said, I think your idea has merit but I think it is unnecessary. Google Fonts was created to speed up the serving of websites. If a website visitor's device has cached a Google font and they visit another website which uses the same font, their device will recognize this and will not need to download it again. This allows the cached resources to help speed up the loading of websites. Your idea of copying those fonts to the website and then serving them is contrary to this, as the visitor's device won't recognize the fonts as being the same, and even though a different website used the same font, the visitor's device will download the font again.

N8Solutions commented 6 years ago

Also, if you care to see further information regarding the use of Google Fonts and how it pertains to whether or not an individual site visitor is logged in to a Google service you can read my thoughts on that here with links to Google's Privacy Policy and FAQ.

rhukster commented 6 years ago

Good discussions here. At this point in time we are not going to be doing anything preemptively for you regarding GDPR.

Ultimately, the onus is on you, the site owner/developer, to ensure your site is compliant with the region you host/serve.

As things evolve, we may revisit all of this, but right now this is very new and there are still a lot of unknowns.