GDPR compliance

[asadkn]

Notice: Official Statement by Google Fonts made April 17, 2018

Google is working hard to prepare for the EU General Data Protection Regulation (GDPR), and is committed to helping our customers and partners succeed under the GDPR. Our existing Google Fonts FAQ provides information on how Google Fonts handles data about users.

Google Fonts acts as a "data controller" for any personal data that Google processes in connection with your use of Google Fonts web and Android APIs. For any personal data you process, we encourage you to familiarize yourself with the provisions of the GDPR, and check on your compliance plans.

Also, please note that Google LLC is certified under both the EU-U.S. and Swiss-U.S. Privacy Shield frameworks and our certifications can be viewed on the Privacy Shield list.

End Of Notice. Original question by @asadkn follows

---

There's a lot of misinformation being spread around the EU GDPR compliance when using Google Fonts. It would be great to start this discussions here to get an official response.

I looked around at https://privacy.google.com/businesses/compliance/ but I don't see a mention of google web fonts. There are a few concerns being cited by several users on the web: (NOTE: All of these are concerns and NOT substantiated facts.)

• you may need to ask for a consent from a visitor if Google is logging personal data
• you're sending personal data to the processor who's not in the EU
• Google as a processor might be performing profiling

My knowledge of GDPR law is limited and I haven't personally evaluated the concerns thrown around. However, we definitely need to address it before the rumors get out of hand.

IMPORTANT Please refrain from adding opinions that may further add to the already spread misinformation. If you do, please mention they aren't facts. I started this topic mainly to get facts from people qualified with enough knowledge of GDPR law (preferably lawyers or in contact with lawyers). 👍are welcome.

[PhoenixUK]

@clickwork-git

An incorrect assumption for various reasons on your part there;

If you re-read my post above, I stated that I would be seeking such information "to determine once and for all, if they are partially anonymising MY IP address or not, in my current use of any website that utilises Google Fonts API". i.e. not a business seeking this information, an individual which I and you are when not undertaking work hours, are we not?

• Individuals have the right to access their personal data and supplementary information.

• The right of access allows individuals to be aware of and verify the lawfulness of the processing.

(as in bold text on the line just above)

So, with an individual hat on - I and others will have the right to proceed with a subject access request to Google, to seek verification on 'what legal basis they would be processing my data via X website, that utilise Google Fonts API, therefore capturing my IP address and whether it is indeed partially anonymised or not'.

For e.g. we know that there is no need to get explicit opt-in from users of Google Analytics, as it's often a standard implementation of Google Analytics, regarding a visitor’s IP address (which is now recognised as personal data by GDPR) being used to determine their physical location but the IP address itself is not data that can be accessed through Google Analytics. All data in Google Analytics is aggregated and anonymised.

At the end of the day, they're being overly coy about the IP element of a service that they make available around the world's websites, yes chosen by the website owner but regardless of this fact - they HAVE to divulge as they have done for e.g. Analytics, regarding in this case Google Fonts API FULL GDPR compliance ahead of time and don't wish to do that, which at the very least is what legal basis they are collecting site users IP addresses, how they are processing these and whether their use of collected IP addresses via their Google Fonts API, is GDPR compliant or not.

It's actually quite simple but being made incredibly difficult by both Google themselves and other 3rd parties.

Therefore, I will as an individual find a website that I use, that utilises Google Fonts API and submit a SAR to Google, as submitting one to the website owner is counter-productive as they won't have any answers, due to the owner of the API service not wishing to divulge the correct level of GDPR compliance information.

P.S. Google cannot try to hide behind "Security" or "Business Interest Protection" in any form, as to why they are withholding this key bit of information about their use of IP addresses with Google Fonts API.

Have a good day. ;)

[julia-r]

If you want to be rather safe, here is an app that helps you self host fonts from google web fonts: http://google-webfonts-helper.herokuapp.com/fonts

[davelab6]

Personal opinion only:

All data in Google Analytics is aggregated and anonymised

Where, in the documents and statements that GF links to and provides in this thread, do you have the impression GF is different to GA?

'what legal basis they would be processing my data ...

Please see

Google Fonts acts as a "data controller" for any personal data that Google processes in connection with your use of Google Fonts web and Android APIs. For any personal data you process, we encourage you to familiarize yourself with the provisions of the GDPR, and check on your compliance plans.

[horninc]

I am both an EU law student and a developer, so I feel quite reasonably qualified to contribute to this discussion.

What I see here both from the perspective of reading Google Privacy Policy and documents attached to their FAQ page regarding Google Fonts is that they are not compliant (too vague statements, too broad and overreaching policy). I think the statement that they are purely a Data Controller is vague and strictly incorrect since they are also operating as a Processor at the same time and nothing in their statements leads me to believe them as to the necessary level of anonymization required by the GDPR in order for it not to be applicable.

I do believe that in terms of legalese, they have covered the service part of Google Fonts enough to "pass" the minimum standard necessary for them not to aggravate DPA's in EU for some time, but I also see a heavy reliance on the fact that some aspects of GDPR are still not fully clear, and will not be either until a CJEU decision somewhere in the future, or a specific DPA decision in a case against Google (which will come earliest 3-4 months after 25th of May).

The stance of Google in terms of all of their services, actually, is that it is our job to guarantee compliance, which means it is our decision and our balancing test in order to decide if the use of their service is in compliance with our own legal obligations. This is not a good position to be in for most of the developers since we are not always in the position to make this decision single-handedly.

My personal opinion and my personal advice would be not to use the Google Fonts service until the point where they are both transparent and coherent regarding what data they collect, for what purpose, and for how long. Since they are unlikely to disclose that until forced, I am waiting for one of the DPA's in EU to force them. Until then, I also do not find it respectful towards my own clients to give their personal data to Google in exchange for a simple font CDN.

[davelab6]

I think the statement that they are purely a Data Controller is vague and strictly incorrect since they are also operating as a Processor at the same time

Why do you think Google is also operating as a Processor?

[horninc]

Why do you think Google is also operating as a Processor?

I think the way you phrased your question answers itself.

Where is the content for Google Fonts stored? I presume Google Cloud.. where is the Analytics and Metrics for it accrued/stored/analyzed? I presume with the help of another product of Google, albeit in somewhat semi-internal capacity...

The undertaking of hosting and delivering fonts is fundamentally separate from running a Cloud or Analytics products, both of which Google has claimed are not controllers but processors. So if the entity Google runs all these undertakings in unison to deliver a service, why would "Google" be just a Controller?

I have not seen "Google Fonts" as a separate entity so far.

[donohoe]

I see continued use of Google Fonts as low to zero risk, assuming the terms of their Privacy Policy are unchanged:

https://developers.google.com/fonts/faq (edited)

"The Google Fonts API is designed to limit the collection, storage, and use of end-user data to what is needed to serve fonts efficiently.

Use of Google Fonts is unauthenticated. No cookies are sent by website visitors to the Google Fonts API. Requests to the Google Fonts API are made to resource-specific domains, such as fonts.googleapis.com or fonts.gstatic.com, so that your requests for fonts are separate from and do not contain any credentials you send to google.com while using other Google services that are authenticated, such as Gmail."

[aristath]

GDPR is not about how securely data is stored or transferred. It doesn't matter what cookies they store. What matters is that no user personal data should be collected (such as IP address, UA etc) without the user's unambiguous consent. Users should know

• What data gets collected
• For how long their data remains stored
• For what purpose

The only exception is when data is collected to ensure the network's secure infrastructure - such as logging IP addresses in an access log for a limited time so that DDoS attacks can be identified & prevented and other things like that.

We can't just assume that there is no risk from google fonts until someone tells us with certainty that google collects data A, B & C, it is stored for a period of X months, and it is used to secure the google-fonts API infrastructure and no processing other than that is done.

So since G. is unwilling to share any of that info, we had to resort to other measures such as implementing a mechanism that will download selected google-fonts to the user's server and serve from there instead of using google's CDN.

[davelab6]

Personal opinion follows

Why do you think Google is also operating as a Processor?

I think the way you phrased your question answers itself.

I'll try to be more precise: Why do you think Google LLC is also operating as a Processor for Fonts API data?

Where is the content for Google Fonts [API] stored? I presume Google Cloud..

where is the Analytics and Metrics for it accrued/stored/analyzed? I presume with the help of another product of Google, albeit in somewhat semi-internal capacity...

One has to distinguish between the Fonts Directory (which uses GA for analytics and thus you'll have to refer to the GA team for their GDPR info) and the Fonts API (which we are focusing the discussion here on.)

The undertaking of hosting and delivering fonts is fundamentally separate from running a Cloud or Analytics products, both of which Google has claimed are not controllers but processors. So if the entity Google runs all these undertakings in unison to deliver a service, why would "Google" be just a Controller?

I have not seen "Google Fonts" as a separate entity so far.

Kindly, I think you are mistaken, and the way you phrased this answers itself - different products collect different data and have different policies.

Google Fonts acts as a "data controller" for any personal data that Google processes in connection with your use of Google Fonts web and Android APIs.

We can't just assume that there is no risk from google fonts until someone tells us with certainty that google collects data A, B & C, it is stored for a period of X months, and it is used to secure the google-fonts API infrastructure and no processing other than that is done.

What does it mean to be solely a data controller and not a data processor?

[aristath]

A good explanation of controller vs processor is here https://www.gdpreu.org/the-regulation/key-concepts/data-controllers-and-processors/ and has also been posted above a couple of times if I'm not mistaken.

Most of us here just want a clean, unambiguous response. Plain and simple, in humanese and not legalese. Yes, we've all asked lawyers, researched, have GDPR meetings with our legal departments and so on. But is it really so hard to be transparent and give a plain, simple answer that we can all just take and go home?

Q: Does Google collect data from anonymous users when they visit a site that uses google-fonts? A: Yes. Q: What data does Google collect from visitors of my website? A: ..................................................... Q: For how long is that data stored? A: ..................................................... Q: For what reason is that data collected? A: .....................................................

And most importantly, just a yes/no: Can you guarantee that Google does not collect and store ANY personal or user-identifiable data from anonymous users when they are visitors on a website that uses google-fonts without their consent? Not how securely the collected data is stored, not about the privacy shield, not about how secure everything is, but what, how, for how long, and why.

[clickwork-git]

The only exception is when data is collected to ensure the network's secure infrastructure - such as logging IP addresses in an access log for a limited time so that DDoS attacks can be identified & prevented and other things like that.

Please do not spread false informations. The GDPR knows several exceptions. Also the GDPR knows the legitimate interest. And this is given using the Google Fonts API. Also for example using Google Maps.

So since G. is unwilling to share any of that info, we had to resort to other measures such as implementing a mechanism that will download selected google-fonts to the user's server and serve from there instead of using google's CDN.

Nobody has to use any Google service. Therefore it makes no sense to blame Google in any way.

And: Be very careful with downloading Google Fonts and hosting them on your on server. Most of the people forget to follow the licence of the fonts. And as you know there are different licences for different fonts. It makes no sense to pretend to follow the GDPR but not follow other laws.

[aristath]

Yes, there are several exceptions to the GDPR. Should I list them all in all my responses just to appear accurate and to the letter? Or should we stick to the spirit of this thread which is to finally get some information and answers?

I did not "blame" gfonts. It was a statement of a fact (G. is unwilling to share any of that info) and the solution we implemented in order to solve that problem. There IS an unwillingness to share information in a humanly-readable and understandable way (which by the way is also part of the GDPR). It concerns me both as a developer and as a user.

So my questions above still stand.

As for the legality of downloading and hosting fonts on our own server, only fonts available in the google-fonts API are used. We read the JSON, pick the font the webadmin has selected, download it on their server, and from that point on all visitors get locally-hosted fonts. The API only lists opensource fonts.

[typeoneerror]

@davelab6, is the Google Fonts and GStatic Services not governed by Google Cloud? Is there a DPA for Google Cloud if this is the case? It seems to me that these questions above are super valid. Is there a contact at Google legal-wise we can bring in to the discussion quickly?

I was thinking of just using Google Fonts without a DPA, but after reading this, I'm going to self-host from https://github.com/adobe-fonts and push to my own CDN. It's fair and valid business decision that Google isn't providing a DPA for the Fonts service itself, but a github comment from an employee is not a contract, so I don't see how any of us can continue to use fonts.google.com, unfortunately until an agreement exists that outlines what they're doing with those IP addresses. My feeling is that it could be something similar to how Facebook Buttons work. Perhaps there's cross-site tracking by IP. Who knows...since it's not clear, gotta go the safe route since there's only a week left.

[ceejayoz]

It makes no sense to pretend to follow the GDPR but not follow other laws.

@clickwork-git, I'd note that most of these other laws don't have a €20 million (for smaller corps) or 4% of global revenue penalty (which for large orgs could be in the billions) attached. It's not surprising or shocking that folks are more worried about GDPR than other laws.

[dgoosens]

If Google is the processor, all you have to do is indicate in your policies that you are using these fonts and eventually offer a way for the users to live without them... Just like you already have to do with the COOKIES...
Google is responsible... you are not the one that is collecting or handling the data.

BUT this does not really deal with the problem...
Take a look at the Cloud Act (Clarifying Lawful Overseas Use of Data Act)... This act basically invalidates every US based service regarding the GDPR.
Pretty sure this is going to be a lot of legal fun between EU and US regulations

[heathcliffe2000]

This thread continues to go around in circles. With all due respect to @davelab6 (and he does state his personal views only), he simply does not know enough about GDPR. If he did, he would be able to answer YES or NO to the simple questions being asked. @dgoosens - The Coud Act has nothing to do with GDPR nor does it affect GDPR.

[dgoosens]

@heathcliffe2000 oh yes it does as a US company is no longer able to guarantee the data's integrity

The Cloud Act goes against article 44 and following of the GDPR...
Especially art 48 that requires an international treaty if data is transferred to an authority And we all know there is no such treaty between the US and the EU

Source: https://www.journaldunet.com/solutions/expert/69017/le-congres-americain-vote-le-cloud-act-a-deux-mois-de-l-entree-en-application-du-rgpd.shtml

[heathcliffe2000]

@dgoosens - The Cloud Act is about government intervention/law enforcement which is exempt from GDPR isn't is? You don't need any treaty between countries, this is about you passing data outside of the EU. If the organisation receiving data outside the EU has the relevant US equivalent certifications this is allowed.

[dgoosens]

@heathcliffe2000 nope...

The GDPR requires an international agreement for countries outside of the EU. There's a whitelist for companies from foreign countries, amongst them US companies...
If these companies are GDPR compliant, is is ok to work with them.
BUT this is only for companies, not governments... There article 48 applies (https://gdpr-info.eu/art-48-gdpr/)

There used to be the the Safe Harbor agreement between US and EU but that has been invalidated in 2015 after the Snowden leaks

[dgoosens]

... So the cloud act really is a major problem for US companies as, because of it, none of them will be GDPR compliant

[nathan-charrois]

It's clear from reading this thread that @davelab6 does not want to give a concrete answer because he simply doesn't know the answer and does not want to be held responsible for the consequences of providing an incorrect answer.

I think our best bet is to move forward without making changes to how we use Google Fonts. If something does arise, shedding light on this thread should be enough evidence to get your company out of any legal bind as it has been IMPLIED in this thread, by @davelab6, that we can continue to use Google Fonts as we have in the past.

[miclf]

@dgoosens Thanks for the information, didn’t know about ‘CLOUD Act’. As I understand it, we indeed have two legislations colliding with each other (the GDPR, trying to guarantee that data protection levels won’t be compromised in any way, and the CLOUD Act, which basically pretends that laws from the whole world (except the USA) simply don’t exist…).

Are you aware of any other legal opinion (except the one you referenced, from journaldunet.com) about this issue? Because if it gets confirmed that, because of this US law, not any US-based companies could technically be GDPR compliant, the hosting of fonts would immediately become the least important of our problems…

[CodeBrauer]

I already have read the posts made here, but I don't really get a clear answer.

• Can I use Google Fonts on my clients website?
• If I use them, what do I have todo, to be GDPR (or in Germany: DSGVO)-compliant?

All websites affected websites are used and hosted in Germany.

[simonfranzen]

@CodeBrauer This how we deal in general with content from external services:

Note: This affects youtube, vimeo videos, maps, iframes as well as fonts or any other external resources, NOT LOADED from the same domain.

1. We do not load any resources from external services, until the visitor accepts the privacy policy.
2. User can deny the privacy policy: Some clients prefer a clean page with a notice, that their services can only run with that cookies&external resources. Others allow using the page without that services.

This is the notice in english we show:

We use cookies to personalize content and ads, to offer features for social media and to analyze the access to our website. We also share information about your use of our website with our social media, weaving and analytics partners. Our partners may combine this information with other information that you have provided to them or that they have collected as part of your use of the Services. You accept our cookies when you click "Allow cookies" and continue to use this website.

In our Privacy Policy we mention Google Fonts (or any other service you are using)

Google Web Fonts

For uniform representation of fonts, this page uses web fonts provided by Google. When you open a page, your browser loads the required web fonts into your browser cache to display texts and fonts correctly. When you call up a page of our website that contains a social plugin, your browser makes a direct connection with Google servers. Google thus becomes aware that our web page was accessed via your IP address. The use of Google Web fonts is done in the interest of a uniform and attractive presentation of our website. This constitutes a justified interest pursuant to Art. 6 (1) (f) DSGVO. If your browser does not support web fonts, a standard font is used by your computer. Further information about handling user data, can be found at https://developers.google.com/... and in Google's privacy policy at https://www.google.com/policie....

[davelab6]

My personal opinion only:

@CodeBrauer and @aristath thank you for the direct questions. That is helpful, and I will endeavor to get another official statement made that can answer them directly. It seems clear to me that the Google Fonts FAQ should have a question regarding GDPR, so that it is easy for users to find the answer to such a common question, and not wade through this extremely long and closed Github issue :)

[CodeBrauer]

@simonfranzen - Well that's a great solution, but just impossible to archive for us, because in many pages we just can't prevent the loading of e.g. fonts.googleapis.com, because in many cases it comes from a plugin which prints this directly and our older server don't have an option that we could manipulate this source in any way.

@davelab Thanks for your response! I hope this will be in the next few days, because currently, there is a lot of work going on removing google fonts from pages (not because of me/because clients want to be safe). If this turns out to be unnecessary, we could save a lot of time.

[heathcliffe2000]

are the regulators really interested in fining simon or dave or aristath because their website uses web industry standard techniques and expect your average developer / small business to completely rewrite their website accordingly? This is not the intention of GDPR. The intention is to go to Google and say, if you continue to capture IP addresses from serving Google fonts without giving users the option to opt out, we will fine you! It makes no difference what a Google Fonts Page FAQ says. GDPR is about going after the big companies that continuously flaunt the law, capture users data without warrant or the knowledge of the users. The regulators are there to help people implement GDPR not persecute them because they tried and don't completely comply.

[aristath]

It's not about sites getting fined... I seriously doubt anyone is going to fine a website for using gfonts, youtube, vimeo, soundcloud or something like that. It's about respecting the visitors of our sites enough to not share their data with any 3rd-party service without their consent. And that's what makes this important...

[dgoosens]

It's about respecting the visitors of our sites enough to not share their data with any 3rd-party service without their consent. And that's what makes this important...

If that's really what matters, then you should avoid all these so called "free" services in the first place...
Exploiting your visitors' data is their business model

[clickwork-git]

If that's really what matters, then you should avoid all these so called "free" services in the first place... Exploiting your visitors' data is their business model

I fully agree, and this was pointed out before: Nobody has to use any service of Google. But there are same that like to abuse this thread for another Google bashing.

Furthermore they seem not to understand the GDPR, and instead of asking their lawyer they want also free advice. And yes, the GDPR costs a lot of money (without a reasonable result).

[u-l-y]

I'm with you @aristath, and by the way @dgoosens a web developer can be interested in using free services from companies as Google, Facebook, etc but the user don't, therefore is responsibility of the web developer to add opt-ins on the site and the right of the user to block them, right? But we are speaking about multiples services as recaptcha, maps, like button, analytics, etc. All this services will break most of the sites so its time to find alternatives and to think in a different way when we build sites.

[dgoosens]

@clickwork-git I know you got the message, but just wanted to make perfectly clear I'm not Google bashing...
The only problem I have with this is that Google, and the others, do pretend their services are free and, clearly, they are not... You just don't pay with your money, you pay with your user's data.

All this services will break most of the sites so its time to find alternatives and to think in a different way when we build sites.

They exist... People just never bother to check them out... Basically because these "not-so-free-in-the-end" services are just so dominant...

Plenty of OpenType fonts you can use for free (like really free), search engines, map alternatives, captcha scripts... GitHub is full of good (sometimes even better) alternatives.

And yes, the GDPR costs a lot of money

This depends...
You can also choose to spend some of your own time investigating the matter yourself instead of relying on so-called expert-consultants (and quite a lot of them don't know what they are talking about).
And, if you had an ethical approach before the GDPR, in most cases a slight adjustment in your processes and websites should deal with this.

[simonfranzen]

What I can see is that all CMS+Plugins we have right know do not implement the Privacy By Design - approach. They all load what they want and you don't have the control, what to opt-in or out.

That is something we have to improve and thats not google's or spotify's or Adobe Typekit's fault. They just provide a SaaS, and we have to implement it the right way. Or do you want to annoy the user for every external resources with a popup saying "Please accept, I just make money with your personal data" ?

[kevingrabher]

@clickwork-git Not trying to get personal but you literally contributed nothing to this thread besides claiming that there are are no GDPR issues and accusing people of not understanding the GDPR without backing your statements with any facts or competence, neither technically nor legally.

The GDPR has to be respected by any company no matter the size. Ignoring the GDPR under the argument that it is only meant for the big companies is like performing tax fraud under the justification that you probably won't get caught if you're a small fish.

Nobody is trying to get free legal advice. In fact, most here already have that legal advice, which in most cases states that if you want to be thorough you should check any of the services you use to make sure that you are not treating your consumers data without proper caution.

While it cannot be said for sure if we are breaking the laws by using CDNs, etc. (sure there's that clause about legitimate interest, but there's yet to be cases and decisions made wether something like gFonts, CDNs, etc. are legitimate interest) the only properly way to be sure that we are within legal boundaries is google officially stating which data is collected and wether is properly anonymised.

[clickwork-git]

I contributed several things, but deleted them because some trolls got very personal. There are some that are not interested in solutions. Therefore it makes no sense to discuss matters of law here.

The GDPR allows to use the Google Fonts API. And there can be found a lot of explanations by lawyers (for example with Google Search...). And it's ridicolous: In relation to Google Analytics a lot of people who say it's no longer allowed to use the Google Fonts API, say there is no problem with the anonymization (not understanding, that the tracking is not anonymized, and the IP-adresses will be anonymized after the transmission to Google).

Again: If somrone has any doubts there are a lot of other options.

[clickwork-git]

Also here are some misunderstandings:

The GDPR has to be respected by any company no matter the size.

If you are in the EU. If you are for example in Switzerland the Federal Act on Data Protection (FADP) has to be respected, and in addition to this in some cases the GDPR.

In fact, most here already have that legal advice, which in most cases states that if you want to be thorough you should check any of the services you use to make sure that you are not treating your consumers data without proper caution.

This is a problem of interpretation (and translation). In English speaking countries it's the consumer, but the GDPR knows the "natural person". And especially collecting "consumer data" for business purposes is no problem:

The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.

Recital 47, Overriding legitimate interest, 7.

[hubertlepicki]

@CodeBrauer to respond to your note here:

@simonfranzen - Well that's a great solution, but just impossible to archive for us, because in many pages we just can't prevent the loading of e.g. fonts.googleapis.com, because in many cases it comes from a plugin which prints this directly and our older server don't have an option that we could manipulate this source in any way.

The obvious solution is do what many pages do. If your web site cannot look good/work/load without third party services being involved, create an intermediate page with full page consent and a privacy policy should be accessible from there. See http://forbes.com for example. On this page you do not use any third parties, and allow use ro see other pages only after they accepted your terms.

[davelab6]

@asadkn heads up, I've edited your first post on this issue to clearly state the official statements up front, for anyone coming across this issue, but I didn't change your text at all :)

[IonicaBizau]

Until this will be cleared up, I hope my small utility app will help those developers to download the Google Fonts locally (and eventually, not only because of GDPR but also for offline use): https://github.com/IonicaBizau/google-font-downloader

Example

npm i -g google-font-downloader
google-font-downloader https://fonts.googleapis.com/css?family=Open+Sans:400,400i,700,700i

[mxmtsk]

In Germany the first adhortatory letters were sent out by law firms to people using Google Fonts so if you're still using the font CDN I would advise you stop using it as long as the whole situation is still unclear

[pipdig]

Hi @davelab6, has there been any progress towards creating a specific answer about GDPR in the Google Fonts FAQ? I keep forwarding customers to the information you have provided so far and nearly everyone replies with "That doesn't answer my question. Is Google Fonts compatible with GDPR?".

So I'm guessing the answer to that question is "no" and that we should only self host fonts going forward. It's ok if that is the case, I just want to make sure that is true before we invest a lot of time into building that into our themes. Is there a timeline for Google confirming any information about GDPR and Google Fonts?

[clickwork-git]

In Germany the first adhortatory letters were sent out by law firms to people using Google Fonts so if you're still using the font CDN I would advise you stop using it as long as the whole situation is still unclear.

By you? Didn't read anything about it till now.

And: What do you mean with "adhortatory letters" by law firms? "Abmahnungen" in Germany has nothing to to with the GDPR. This is a misunderstanding. "Abgemahnt werden" can in Germany everything by everyone. If a website is not compliant with the GDPR it's a matter of the government not law firms.

[timwhitlock]

I'm late to this party, but will stop using Google Fonts (at least for now) and self-host whenever font licenses permit. Thank you @IonicaBizau - that is just what I was about to start looking for.

*If* the definition of Data Processor applies, we are effectively forwarding our site visitors' personal data to Google (never mind without their consent) but critically without a legally binding contract with Google. (See Article 28.3)

It seems to me that the definition should apply, but that's my amateur opinion and one for the lawyers to argue. Ideally Google should just mask end user IPs like Google Analytics does can, or just redact them completely. Then presumably no personal data is actually being processed. (opinion, not fact). It's just safest to assume it does apply for the time being.

One thing we can all agree on is that Google need to provide the little people with some better guidance on how to use their APIs without breaking the law. We know we're ultimately responsible, but you know .. they're Google.

[mxmtsk]

@clickwork-git No, by SP Wiedinger & Partner from Düsseldorf. That "Abmahnungen" can be send by everyone just adds to the problem. I have no fear of the government in that regard, my clients and me fear cash hungry firms that will use the unclear situation to make money more. And I do not have to tell you that they have been doing it before for more critical stuff like Analytics and now they're coming for fonts aswell. I have nothing more to add, I hope it will be clear in the near future, whether it be by Google itself opening up their information policy or court decisions but until then I'll simply stop using the CDN unfortunately

[clickwork-git]

@mxmtsk Thank you for the information. The GDPR makes sense. But what some German "lawyers" do has nothing to do with data protection and privacy. It's a political issue that Germany always wants to explain how the world has to be ruled. No sense to discuss about it.

[Ezyweb-uk]

@mxmtsk only a few months ago I was atonished to learn about Abmahnungen. I was interested to read your comments, are there any news or blog articles yet about Abmahnungen and GDPR in Germany and in particular with respect to Google Fonts?

[clickwork-git]

The website of SP Wiedinger & Partner:

http://www.kanzlei-heilberufe.de

Very, very serious.

[mxmtsk]

@Ezyweb-uk Obviously in german. The most recent ones I could find: https://www.heise.de/newsticker/meldung/DSGVO-Die-Abmahn-Maschinerie-ist-angelaufen-4061044.html https://www.datenschutz-guru.de/die-ersten-dsgvo-abmahnungen-sind-da/

@clickwork-git Of course it's not serious. I think we're on the same terms, but I don't know what point you want to bring across here? I'm not fighting the GDPR, me and a lot of people here in the thread just try to make our websites compliant.

[Ezyweb-uk]

Thanks mxmtsk. I asked Google to translate into English, links here and here.

[clickwork-git]

@mxmtsk My point is that the GDPR has nothing to do with the understanding of a EU law in Germany. Again: In my opinion there is no problem to use the Google Fonts API to be compliant with the GDPR.

As long as there are no court decisions the situation will be unclear. And it will take four to five years to have some court decisions.

@Ezyweb-uk Yes, the German law is very nice. As you see the problem is not the GDPR, but if there is something wrong with the privacy policy. But this was the case also before there was the GDPR.