google / fonts

Font files available from Google Fonts, and a public issue tracker for all things Google Fonts
https://fonts.google.com

GDPR compliance #1495

Closed asadkn closed 6 years ago

asadkn commented 6 years ago

Notice: Official Statement by Google Fonts made April 17, 2018

Google is working hard to prepare for the EU General Data Protection Regulation (GDPR), and is committed to helping our customers and partners succeed under the GDPR. Our existing Google Fonts FAQ provides information on how Google Fonts handles data about users.

Google Fonts acts as a "data controller" for any personal data that Google processes in connection with your use of Google Fonts web and Android APIs. For any personal data you process, we encourage you to familiarize yourself with the provisions of the GDPR, and check on your compliance plans.

Also, please note that Google LLC is certified under both the EU-U.S. and Swiss-U.S. Privacy Shield frameworks and our certifications can be viewed on the Privacy Shield list.

End Of Notice. Original question by @asadkn follows


There's a lot of misinformation being spread around the EU GDPR compliance when using Google Fonts. It would be great to start this discussion here to get an official response.

I looked around at https://privacy.google.com/businesses/compliance/ but I don't see a mention of google web fonts. There are a few concerns being cited by several users on the web: (NOTE: All of these are concerns and NOT substantiated facts.)

My knowledge of GDPR law is limited and I haven't personally evaluated the concerns thrown around. However, we definitely need to address it before the rumors get out of hand.

IMPORTANT Please refrain from adding opinions that may further add to the already spread misinformation. If you do, please mention they aren't facts. I started this topic mainly to get facts from people qualified with enough knowledge of GDPR law (preferably lawyers or in contact with lawyers). 👍are welcome.

aristath commented 6 years ago

This is also a huge concern for us... We'd definitely be interested to know how google-fonts is planning to comply. What kind of data is currently collected & stored? What are the plans to make the service GDPR-compliant? Surely asking for user-consent before rendering the fonts is not a viable solution, nor is downloading the fonts locally to then embed on a site using other methods.

maximus80 commented 6 years ago

The main issue seems to be, that a direct connection between a Google Inc. server and the client (browser of a website visitor) is established, which means the user's IP address is sent to Google. This obviously happens on page load, which means there is no time for the user to explicitly consent with it before the page loads. Does this have to be considered a privacy issue with regards to the new GDPR? If so, any integration of Google fonts directly via Google would render websites pretty hard to use and ugly on first load. Any insight on this, is highly appreciated.

davelab6 commented 6 years ago

Please be reassured that the Google Fonts team is working on GDPR compliance.

I can also point out an older FAQ entry, https://developers.google.com/fonts/faq#what_does_using_the_google_fonts_api_mean_for_the_privacy_of_my_users

maximus80 commented 6 years ago

Thanks for the reply @davelab6! I've seen the FAQ entry, unfortunately it doesn't really provide a full answer to the main questions above. From your reply I take it that the team is still working on GDPR compliance, so that the details are not fully hashed out. Once they are, it would be awesome if you could let us know here, so that we can implement needed adjustments on our part. Thanks!

dontcallmemark commented 6 years ago

I'm currently investigating this for our company. I've found this (the section on international data transfers near the bottom) which suggests full compliance to me. Is that not the case?

https://privacy.google.com/businesses/compliance/#?modal_active=none

aristath commented 6 years ago

@limegreenmatt all it says there is that data transfers are secure. However it still doesn't say what kind of data is collected... For example collecting and processing the user's IP without the user's consent is against the GDPR. If the user does not consent then it doesn't matter how the data is collected/processed/transferred, it's still against the law. Plus, that page is for businesses so I'm not even sure it even applies to google-fonts. There's just not enough info anywhere about what happens.

asadkn commented 6 years ago

Technically speaking, logging of IP address is allowed for a lawful basis without consent (note consent is only one of the lawful bases). But this is best left to Google lawyers if there's a "lawful basis" on how they're processing this data, but I am guessing it will be point f.

In Recital 49 for Article 6, Point [f]:

“The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems, […] by providers of electronic communications networks and services and by providers of security technologies and services, constitutes a legitimate interest of the data controller concerned. This could, for example, include preventing unauthorised access to electronic communications networks and malicious code distribution and stopping ‘denial of service’ attacks and damage to computer and electronic communication systems.”

This is what we need from Google. We need them to tell us they're using the data they log in a lawful basis - we need to know how they're using the data they log. Google's general privacy policy isn't enough in this case as it isn't specific to Google fonts.

aristath commented 6 years ago

@asadkn I agree 100% with that... though lawful basis in the context of that excerpt basically means things like logging the IP address in an access log for a limited period of time in order to prevent and diagnose attacks, or as part of an authorization to enter my account. However in the context of google fonts, the accumulation of IPs which are then processed for statistical purposes can only be considered legal if the IPs are partially anonymized. If the IPs are not anonymized (usually by replacing their last part with a 0 digit) then there is no legal basis for collecting them.

dontcallmemark commented 6 years ago

@davelab6 can you give us any kind of timeline as to when we can expect an update and/or resolution of this? As we provide our customers with access to Google Fonts as part of our WordPress themes, it's important for us to understand whether our customers are going to be impacted by this, and if we need to take any remedial action. Appreciate any insight you can give.

daemkl commented 6 years ago

any updates yet?

zartgesotten commented 6 years ago

Also waiting for info on this. I don't want to self-host fonts for about 70 sites I'm managing.... PLEASE, Google, help us poor Europeans!!!

fritzmg commented 6 years ago

@clickwork-git those FAQ do not mention the GDPR at all. It does mention something about tracking though:

Google Fonts logs records of the CSS and the font file requests, and access to this data is kept secure. Aggregate usage numbers track how popular font families are, and are published on our analytics page. We use data from Google’s web crawler to detect which websites use Google fonts. This data is published and accessible in the Google Fonts BigQuery database. To learn more about the information Google collects and how it is used and secured, see Google's Privacy Policy.

aristath commented 6 years ago

@clickwork-git according to numerous court decisions in the EU, an IP is considered identifiable user-data and should not be collected without the user's consent. The only thing related to the GDPR on that page is this:

Google Fonts logs records of the CSS and the font file requests, and access to this data is kept secure.

No matter how secure the storage of such data is, the point of the law is that no data should be collected without the user's explicit consent. Data collecting is no longer opt-out, it's opt-in. So if the IPs collected by Google are not partially anonymized for example by replacing the last part of the IP with a 0, then we can't use Google fonts. It's not panic, it's a legitimate request for information about what kind of Data Google collects from visitors to our own sites - or our client sites. Google's mantra may be "don't be evil", but at the same time it is a company that has based its whole business on data collecting. We need to know what happens so that we know how to proceed. And we need to know now so that we can take the appropriate measures and implement whatever we need to implement. If a response comes from Google 2 days before the GDPR goes officially in effect, then we don't have time to do what needs to be done. The alternative for us would of course be to start implementing everything: opt-in for fonts, automate locally downloading fonts on client sites to use them from there without pinging google's servers and so on. But that's just a huge waste of resources for hundreds of companies like ours, that can be avoided if we just have an answer of what happens now and what will happen after May.

asadkn commented 6 years ago

the point of the law is that no data should be collected without the user's explicit consent

IMHO, we should refrain from issuing this statement - there's enough FUD over the internet already. This statement is only partially true as I referred earlier to the other lawful bases. It gives the impression to novices that there won't be any basis of compliance at all, creating further panic. And since none of us are lawyers here, it'd be best to not discuss it anyway. All we know is we need an official reply from Google.

I agree with the urgency here. There are only 2 months left before this goes into effect. The least we need is an assurance there will be GDPR compliance.

To re-iterate, Google hasn't specified their privacy policy for Google Fonts on how they're using the data they log or if there's a lawful basis for it. We need this moving forward. Frankly, it doesn't really matter to us what legal basis their lawyers come up with, as long as they confirm GDPR compliance.

kevingrabher commented 6 years ago

The FAQs do state

"The Google Fonts API is designed to limit the collection, storage, and use of end-user data to what is needed to serve fonts efficiently."

While that does leave a lot of room for speculation it does suggest compliance since it states that no data is recorded that is not needed for delivering the font (and I wouldn't see a reason for the IP being recorded to deliver the font..)

maximus80 commented 6 years ago

The problem is, you have to be very certain about this, so speculation or the assumption of something doesn't really help here. As the fines are high, statements like "I assumed our customers have their privacy ensured" won't be a viable excuse. That is where I see the biggest problem. Explicit and dedicated information is needed here.

githubhero commented 6 years ago

I have a basic Wordpress website where the font is loaded this way:

<link rel='stylesheet' id='options_typography_Abel-css' href='https://fonts.googleapis.com/css?family=Abel' type='text/css' media='all' />

By doing so, I'm communicating to Google the IP of the user.

What if I substitute this direct call with a call done using PHP+curl (or other APIs to get data from a server) from the website server? This way Google would only get the IP of my server, not the users'.

Something like this:

<link rel='stylesheet' id='options_typography_Abel-css' href='proxy.php' type='text/css' media='all' />

From proxy.php, I call Google server and I return the CSS to the client.

psinger commented 6 years ago

Host the fonts locally, and the problem is gone.

aristath commented 6 years ago

Host the fonts locally, and the problem is gone.

Not practical if what you're building is a WordPress theme for example - in which case users on their sites use whatever font they wish

githubhero commented 6 years ago

@psinger You lose the benefits of the CDN (mainly performance), but of course another option is storing fonts locally (this is ok for the fonts, but not for every single resource a website can link, anyway)

psinger commented 6 years ago

I agree, it's certainly not as convenient, but it is an option. If you develop a wordpress theme, just add an option to disable google fonts for the user of the theme. I am actually struggling currently with disabling google fonts in several wordpress themes / plugins, mostly it is not even possible.

maximus80 commented 6 years ago

Well, the main purpose of Google fonts is that they actually get used on websites. So, it is in the best interest of Google to do everything to make sure it will be possible in the future. Disabling them on a site or in a theme, or adding them locally, is only a workaround, which might be ok for a single site, but not for WP themes with a larger user base. And it kinda also defeats the purpose of what Google offers.

githubhero commented 6 years ago

Maybe we're going a little bit OT:

IMPORTANT Please refrain from adding opinions that may further add to the already spread misinformation. If you do, please mention they aren't facts. I started this topic mainly to get facts from people qualified with enough knowledge of GDPR law (preferably lawyers or in contact with lawyers). 👍are welcome.

mikka23 commented 6 years ago

@clickwork-git what an insightful post, thank you for sharing. It is much appreciated.

dontcallmemark commented 6 years ago

@davelab6 @m4rc1e when are we going to get an official response on this?

davelab6 commented 6 years ago

Here's an official statement:

Google is working hard to prepare for the EU General Data Protection Regulation (GDPR), and is committed to helping our customers and partners succeed under the GDPR. Our existing Google Fonts FAQ provides information on how Google Fonts handles data about users.

aristath commented 6 years ago

@davelab6 we appreciate you taking the time to respond. However, please try to understand how this whole situation appears to everyone who doesn't work at Google, doesn't have any knowledge of how the company operates or what is going on behind a veil of complete silence.

Google is working hard to prepare for the EU General Data Protection Regulation (GDPR), and is committed to helping our customers and partners succeed under the GDPR

From our point of view it doesn't seem that Google is doing anything. There is no official announcement, no update, nothing. GDPR goes in effect in 37 days, which leaves 28 work days for all companies to implement whatever needs to be implemented. Google-Fonts is an amazing service and none of us want to believe that something like not being 100% compliant with GDPR can even happen to it. But we can't be 100% certain, and without an official announcement from Google, we have been forced to start implementing all kinds of crazy stuff - just in case Google doesn't say anything before the deadline and we have to be covered.

Our existing Google Fonts FAQ provides information on how Google Fonts handles data about users.

The problem we have is that no, there is not enough info on the FAQ page. If there was enough info on that page nobody would be asking for more info. Here's what that page is telling us:

What that page is not telling us and is of concern for GDPR is this:

Without specific information we can't know if we need to ask for user consent, download the fonts server-side and not use the Google CDN, or just ignore everything and assume it's going to be alright. Which of course can't happen... we can't just assume that Google will be compliant in time.

I am sorry if this whole discussion seems a bit like over-reacting... We all have better things to do than post in this repository asking for info and discussing. But we've all come to depend on Google Fonts one way or the other and we don't have a lot of time left to do what needs to be done.

steveindzine commented 6 years ago

Just like to throw this in the mix: https://www.whitecase.com/publications/alert/court-confirms-ip-addresses-are-personal-data-some-cases

The way I have interpreted GDPR is that if you can link an IP address with an individual then yes, it's personal data. So if you are an ISP you can see which user was assigned an IP address and know who it was. If you can't, or the likelihood of you submitting a request to the ISP to get that data is very low, then logging an IP address is ok.

Every single webserver and firewall on the net logs IP addresses, but these are ok, and can't really be linked to a real person without a court getting involved. The same probably goes for Google Fonts and all the other services it offers.

davelab6 commented 6 years ago

Another official statement:

I updated the above comment with a link to https://www.blog.google/topics/google-europe/gdpr-europe-data-protection-rules/ which explains in more detail the company's commitment.

Also, please note that Google LLC is certified under both the EU-U.S. and Swiss-U.S. Privacy Shield frameworks and our certifications can be viewed on the Privacy Shield list.

davelab6 commented 6 years ago

Another official statement:

Google Fonts acts as a "data controller" for any personal data that Google processes in connection with your use of Google Fonts web and Android APIs. For any personal data you process, we encourage you to familiarize yourself with the provisions of the GDPR, and check on your compliance plans.

psinger commented 6 years ago

@davelab6 That would still mean that website operators would need to actively get opt-in consent by visitors to utilize google font APIs. As written by @aristath, it is still not fully clear what data Google is processing within that scope.

clickwork-git commented 6 years ago

@mikka23 You have never contributed any word to the discussion, but get personal... Well done!

GDPR at its best: There is no longer an "insightful post" now. All are deleted.

It makes no sense to discuss a topic, that has become another Google bashing.

aristath commented 6 years ago

Privacy Shield compliance ensures that data is processed legally and securely. And it's nice to have for a company the size of Google... but as mentioned above, it still leaves out our main point of interest. It no longer is enough to have the data securely processed. Explicit user consent is needed to get the data in the first place.

On the Privacy shield list from the link above it's mentioned:

Data is processed for various purposes depending on the particular product or service being provided, including: sales and marketing to consumers and businesses; supplying services and products to consumers and businesses; operating, developing and improving Google services and products; personalizing Google services and products; financial processing and management; supplier, vendor and partner relationship management; fraud prevention, security, and protection of Google and our users; compliance with governmental, legislative and regulatory bodies; and customer support and relationship management. Data is disclosed to third parties as detailed in our Privacy Policy, including: in situations in which we have consent, for external processing, with domain administrators, and for legal reasons

So it looks to me like Google collects data, that data is processed, and may be shared with 3rd parties.

Excerpt from the provisions of GDPR

Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject's consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.

Where processing is based on the data subject's consent, the controller should be able to demonstrate that the data subject has given consent to the processing operation.

I'm not a lawyer and I might be wrong, but as far as I can tell by reading the law it looks to me that any data that can be used to identify a person (such as their IP) can't be gathered without the user's explicit consent. If Google gets user IPs when someone visits a website and stores these IPs without first sufficiently anonymizing them, then I need to ask for consent from my website's visitors before serving fonts from Google's CDN. It doesn't matter what kind of processing is done, how securely the data is handled or how securely it is transmitted (these are the parts that the Privacy shield covers). If personal data is stored/logged then I need consent (and yes, IPs are personal data as mentioned above).

Our requests for information about what kind of data is collected when a site visitor gets a font from Google's CDN are not unreasonable... Understanding what happens is essential if we have to decide whether we'll continue to ship Google Fonts integration in our products or not.

@clickwork-git

It makes no sense to discuss a topic, that has become another Google bashing.

Nobody is forcing you to discuss anything. If you don't want to discuss then just don't reply. If the notifications annoy you, just unsubscribe from the thread. Nobody is bashing Google. We just need information so that we can make informed decisions.

githubhero commented 6 years ago

A question: what if we send this header ('no-referer' or 'same-origin') along with requests? https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy

clickwork-git commented 6 years ago

@aristath

We just need information so that we can make informed decisions.

Exactly. But bashing users has nothing to do with information, and proves that there are no arguments in any direction.

Nobody is forced to discuss. But also nobody is forced to use the Google Fonts API. There are a lot of users that host Google Fonts locally. Or use other fonts.

JimmyAppelt commented 6 years ago

@clickwork-git

There are a lot of users that host Google Fonts locally

This highly depends on your project. (We, for example, can't ship a 300 MB resource in our installation package for a user to choose any font.) We just expect a proper & clear answer from Google within a manageable timeframe so that developers can do what needs to be done. I could go and write an article on here myself, but I could not explain it any better than aristath.

davelab6 commented 6 years ago

I am posting this comment in a personal capacity. It's just my own personal opinion.

The official statement said,

Google Fonts acts as a "data controller" for any personal data that Google processes in connection with your use of Google Fonts web and Android APIs.

If you read this carefully and don't feel confident about what this means, please seek your own legal advice.

dennisfrank commented 6 years ago

Why close this issue? I have been reading quietly here so far and there seem to be a lot of unanswered questions. The deadline for complying with the GDPR regulations is approaching and developers, clients and companies (especially freelancers and smaller companies) are very unsure how the many service providers are to be assessed in terms of the GDPR. I still don’t know how and if I or my clients can use Google Fonts hosted by Google. I would have hoped that Google could give a clear answer to this and what personal data is stored when using the hosted Google Fonts service.

Why not leave this issue open? At least until the GDPR comes into force?

aristath commented 6 years ago

Google Fonts acts as a "data controller" for any personal data that Google processes in connection with your use of Google Fonts web and Android APIs.

What a data controller is: https://www.gdpreu.org/the-regulation/key-concepts/data-controllers-and-processors/

(7) ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

From that I can only assume that Google is the one that determines what the data gathered is used for. So if they choose to justify their data collecting as "ensuring network and information security" then we don't need to ask for user consent. But that is nothing but an assumption on my part...


EDIT: Bottom line from all that was posted above: It looks to me like nobody knows for sure. And if they do, they resort to lawyerish replies instead of a plain yes/no. We still don't know if we need to ask for consent or not. We can make educated guesses and assumptions, but at the end of the day, that's all they are. Guesses and assumptions.

davelab6 commented 6 years ago

More personal opinion:

Why close this issue?

I am employed by Google and part of my role in the Google Fonts team is to act as the community manager, and I've closed the issue because I think it's unlikely that there will be another official statement from Google on this topic; after all, like anyone, Google isn't able to offer 3rd parties legal advice.

I didn't lock it, so you can continue the discussion here if you wish.

kevingrabher commented 6 years ago

The question is not legal advice but requesting information from google what data is being collected so we and/or our legal help can decide what steps need to be taken to further implement Google Fonts.

aristath commented 6 years ago

Like mentioned above, we don't want advice. We want to know what data Google collects from visitors of our own sites. We have every right to ask that question and it is not a matter of policy. Unless of course the policy is to not tell anyone what kind of data is collected.

clickwork-git commented 6 years ago

@davelab6 Thank you very much for your great patience! In my opinion the situation is as clear as it can be at the moment, because the GDPR itself is in some points not clear. There are still a lot of open questions, not only relating to Google Fonts and the Google Fonts API.

Without any court decision any further discussion makes no sense. And as long as there is no court decision there also is no danger in using the Google Fonts API. This is also the meaning of some lawyers in Europe. Everybody has to decide by him- or herself.

davelab6 commented 6 years ago

My personal opinion:

The FAQ has told everyone what kind of data is collected for many years, and that hasn't changed. You are welcome to inspect it yourself with network traffic analysis tools to verify that the FAQ description is correct and complete.

NinoGdprHq commented 6 years ago

Take a look at my answer on the StackOverflow: https://stackoverflow.com/questions/49250733/google-hosted-fonts-and-gdpr/49318990#49318990

asadkn commented 6 years ago

I am sorry @NinoGdprHq but that answer is non-concrete info and speculation, and would result in FUD. This is exactly why I had to start this discussion here.

As the official statement states, Google is the "data controller" which voids the argument.

boxesteam commented 6 years ago

"You are welcome to inspect it yourself with network traffic analysis tools to verify that the FAQ description is correct and complete."

I can come to the google fonts data center and inspect what data is collected?

PhoenixUK commented 6 years ago

I can well imagine that MANY 'Subject Access Requests' will be sent to Google on 25th May regarding fonts then, to determine once and for all if they are partially anonymising MY IP address, in my current use of any website that utilises Google Fonts API - always two ways to skin a cat! ;)

clickwork-git commented 6 years ago

@PhoenixUK Seems that you do not understand the GDPR.

daemkl commented 6 years ago

I am not a lawyer, but this doesn't seem right as I understood the current situation.

Uhm, Google may be the "Data Controller", but only if you have a written and signed contract with Google that it may, on your behalf, process data you send them. In any case, you need prior consent to collect/send that information anyway. That contract unhooks you only from liability to permanently delete user data upon user request (for which, as I understood, you only have 30 days to comply with).

There is such a thing for Google Analytics, AdWords and Tag Manager, but nothing for Google Fonts yet.

Therefore, my question from 26th March remains: Any updates yet?