If you are using Google Fonts embedded on your site, the Google server needs to collect the IP addresses of your website users to send them the Google Font file. The General Data Protection Regulation (GDPR) is the first and also toughest electronic privacy law in the world. According to GDPR, IP addresses are considered personally identifiable information (PII). The Google server records and may track user behavior on your website, which would breach the GDPR law. In January 2022 the German Court has declared that Google Fonts is not GDPR/DSGVO compliant.
Read more about when Google Fonts violate GDPR and how to be GDPR compliant.
What is Google Fonts?
Google Fonts is a web font service owned by Google LLC or by Google Ireland Limited, that provides an interactive web directory and APIs for using the fonts via CSS and Android. The Google Fonts API requests and downloads font files and CSS code to provide the correct fonts when visiting a website. The fonts are stored in the browser’s cache and updated when needed, so the developers can add fonts to the websites or Android apps simply by referencing a stylesheet. As Google says: “The font files themselves are cached for one year, which cumulatively has the effect of making the entire web faster: When millions of websites all link to the same fonts, they are cached after visiting the first website and appear instantly on all other subsequently visited sites.”
Google Fonts optimize your website performance while making it more beautiful at the same time. It also helps avoid licensing problems since Google Fonts service is free to use.
The most popular fonts in the Google Fonts library include Roboto, Open Sans, Lato, Oswald, Montserrat, Source Sans Pro, etc.
Does Using Google Fonts Violate GDPR?
To send you the font, the Google server has to know where to send it, so it needs to collect website users' IP addresses. When the website user opens the website, it automatically requests the Google Fonts files from Google’s servers. The Google Fonts API requests and downloads font files and CSS code to provide the required fonts, which will be stored in your browser cache.
Google’s Privacy Statement surrounding Google Fonts is vague. It says: “The Google Fonts API is designed to limit the collection, storage, and use of end-user data to what is needed to serve fonts efficiently.” Even if the website users' personal data collection and storage are limited, Google servers still record users' personal data and may track users' behavior on the websites.
According to the GDPR, IP addresses are considered personally identifiable data (PII). The main question for the website owners is: do you need to ask for and receive consent from the website users to collect their personal data before downloading Google Fonts from the Google server?
If Google servers collect personal data such as IP addresses, users' consent is required. This means the website should get consent first and then load Google Fonts from the Google servers. If the user is not informed about Google Fonts and does not consent to collect his device IP address, the usage of Google Fonts would violate GDPR!
In January 2022 the regional court in the German city of Munich has declared that Google Fonts is not GDPR/DSGVO-compliant. It has ordered a website owner to pay €100 in damages for users due to the transferring of users' personal data (IP addresses) to Google servers without the users' consent. As of January 2022, the Google Fonts library contained 1358 font families and was used by over 50.1 million websites.
Besides ordering the website to stop collecting the IP addresses by embedding the Google Font library, the court also ordered the website owner to share with the affected party personal data that it stores and processes.
This means that any European citizen who visits your website and requests Google Fonts from Google’s servers has the right to sue you for violating their personal data, independently of where your website-operating business is registered. Even if you’re from the USA or any other country in the world, if a user from the European Union visits your website, which uses Google Fonts from Google servers, you will be violating the GDPR. These infringements could result in being fined up to €10 million, or 2% of the annual global turnover for lower-level violations, or up to €20 million or 4% of your annual global turnover for severe violations.
The court also informed that "Google Fonts can also be used by the defendant without a connection to a Google server is established and the IP address of the website user is transmitted to Google," basically meaning websites can host the fonts locally without violating GDPR.
Solutions To Use Google Fonts and Be GDPR Compliant
Until you do not have consent to collect IP addresses and other personal data, you should block the Google Fonts API. Your web pages will be presented with the correct fonts only if the website user has given consent prior, or if the cache of the website user already contains the required Font Files and CSS code requested by the stylesheet of the web page.
If your browser cache is empty and consent was not given yet or the browser refuses consent by default, your web page Google fonts should not be loaded.
If you do not ask for consent for Google Fonts and still load them, you will violate the GDPR.
Alternatively, there are several options to avoid being fined or sued for violating the GDPR with Google Fonts.
Host Google Fonts locally
Saving locally the Google Fonts to your website server eliminates sending personal data to Google’s servers, and thus eliminates violating the GDPR.
You can download the Google Fonts files and upload them to your website host. Then you’ll have to provide rules to your CSS files on how to use Google Fonts for your web pages. To host Google Fonts locally, you should perform the following steps:
- Download Google Fonts to your server.
- Generate a stylesheet for your Google Fonts.
- Disable Google Fonts.
Self-hosting of Google Fonts is the most popular solution to use Google Fonts and be compliant with the GDPR.
Use the OMGF WordPress plugin
If you are using WordPress, the best plugin to use Google Fonts is OMGF (Optimize my Google Fonts). OMGF automatically downloads the Google Fonts your WordPress site needs and generates a stylesheet for it. Then it integrates the stylesheet into your site’s header. As a result, your Google Fonts are hosted and loaded locally which is GDPR compliant.
There are also other WordPress plugins for disabling or removing Google Fonts from your website and using them locally. The following WordPress plugins could be used to disable Google Fonts:
- Beaver Builder
- Revolution Slider
Use WordPress default fonts
The simplest solution for WordPress users is to use the default system fonts. These default fonts are already stored locally at your WordPress servers, so your website users do not have to connect with Google servers and send them their personal data. However, WordPress has just a limited number of default fonts.
Get user consent
Lastly, if you want your website to use Google Fonts directly from Google servers, you must request and get user consent to use their personal data. You should inform website users that their IP addresses will be sent to Google servers to provide your website with Google Fonts. Using this option, your website loading speed will be the highest.
The user should be prompted for consent BEFORE a website requests the Google servers for Google Fonts and Google Fonts API takes place.
Google Fonts code is a code provided by a third party, in this case- Google, which needs users' IP addresses to provide a code. IP addresses and other users' personal data are collected with the help of cookies. To use Third-Party Cookies, you need to get user consent. So, change the initial Google Fonts code to get user consent with CookieScript.
For example, change the default Roboto code from:
<link data-href="http://fonts.googleapis.com/css?family=Roboto:100" rel="stylesheet" type="text/css">
Change the code to modified Google Fonts Roboto code:
Other Fonts and GDPR Compliance
Besides Google, there are also other providers of fonts, such as Adobe Fonts, fonts.com, FontFont, FontShop, FontAwesome, and others. The working principle of them is similar: fonts providers need to get website users' IP addresses to provide a required font for your website. If you want to be GDPR-compliant and host the font locally on your server, check if font providers have a local integration.
If the font could be used locally from your server, download the latest version of the font, upload the files to your own server and integrate the CSS.
Do not forget to disable accessing fonts directly from fonts providers' servers, such as Google Fonts or Adobe Fonts, if you are using other services of these providers.
Frequently Asked Questions
Do I need a Cookie Banner if I use Google Fonts?
Are Google Fonts free to use?
Yes, all Google Fonts are open source and are free to use. If you want to be GDPR compliant while using Google Fonts from Google servers, you are required to inform users and get consent to manage their private data (IP addresses).
Are Google Fonts GDPR compliant?
If you are using Google Fonts from Google servers, some website users' data, such as IP addresses, are collected, stored, and may be processed for analytical purposes. So you are required to inform users and get consent to use their private data to be GDPR compliant. If you host Google Fonts locally on your servers, your website will be GDPR compliant even without user consent.
Is it good to use Google Fonts?
Google Fonts can optimize your website performance and make it more beautiful. It also helps avoid licensing problems since Google Fonts are free to use. However, some users' data, such as IP addresses, are collected, stored, and may be processed, so you are required to inform users and get consent to use their private data to be GDPR compliant or host Google Fonts locally on your servers.