Is a font service from Google. The font files are obtained from the Google server.
- Headquarters: Mountain View, California, United States
- Category: Fonts
- Legal basis: Subject to consent via Consent Management Platform (CMP)
What is Google Fonts?
Is Google Fonts compliant with the GDPR? Can I use Google Fonts as a website operator without hesitation?
With Google Fonts, it is possible to use a wide variety of fonts within your own website without having to upload them to your own server. When the page is called up, only the fonts are reloaded via the Google server.
However, there is a legitimate question: Is Google Fonts GDPR-compliant? Can I use Google Fonts as a website operator without hesitation?
As soon as this tool comes into focus, website operators disagree. We shed light on this and show how you can use Google Fonts without hesitation and how other fonts can also be used in a GDPR-compliant manner. In principle, there is nothing to be said against using Google Fonts, as long as the webmasters adhere to one thing:
The integration of Google Fonts is subject to the GDPR. And that means: in order to use Google Fonts in a GDPR-compliant manner, a legal basis is required.
The following problem: If a Google Font is requested by the browser of the website visitor, Google always records the IP address of the user and uses this for analysis purposes. Google points this out in its terms and conditions for the Google Fonts API. At the same time, it explains how the collected data is specifically analyzed.
For your information: The aggregated user numbers are used, for example, to measure the popularity of a particular font. The result is then published in the form of statistics on the Google analysis page.
In addition, Google also uses the data from the Google web crawler. In this way, Google finds out which websites use the fonts from GoogleFonts. This data can then be found in the Google BigQuery database of Google Fonts.
In terms of the GDPR, Google sees itself as the “controller” or “responsible party” for Google Fonts in this context.
Google Fonts - GDPR compliant: Cookiebox shows how it's done!
But Google Fonts can be used in a GDPR-compliant way despite data collection by Google. We show how.
First, however, one thing must be clarified: the legal basis. Here, either a legitimate interest or consent can be used as a legal basis.
Legitimate interest as legal basis for Google Fonts
Google Fonts collects and processes the IP address of the website visitor – the collection of such personal data requires explicit consent from the user.
We advise against relying on legitimate interest. Some people argue with page speeds, because the fonts are loaded faster via the server. However, the difference is negligible. In any case, an objection option in the form of an opt-out would be important. It would have to be ensured that in the absence of an opt-in or opt-out, no connection to the Google server is established by Google Fonts to prevent the exchange of data. This is difficult insofar as this already happens when the page is called up. In addition, the possibility must be created that in the case of an objection, a substitute font can be used. The technical implementation is unnecessarily complicated – at least more complicated than the privacy-compliant alternative we would like to propose below.
In our service knowledge base you will find comprehensive information on individual services – clearly arranged and digital!
Expert knowledge and pro tips on top 😉
Legal foundation for the processing
The basis for the processing of the data results from the GDPR in combination with the TTDSG, whereby the GDPR takes precedence should there ever be a collision.
The GDPR regulates the processing of personal data and the TTDSG focuses on access to the end device, e.g. the use of cookies.
When is there a requirement for consent?
Personal Data
The processing of personal data is only permitted if at least one of the letters of Art. 6 (1) GDPR is fulfilled. The two important letters are the following:
- Die betroffene Person hat ihre Einwilligung erteilt (lit. a)
- The processing is necessary to protect your legitimate interest (lit. f)
Cookies
According to Art. 25 (1) TTDSG, consent is required if cookies are set that are not technically absolutely necessary.
It should be noted that this means not only the well-known small text files and pixels, but all technologies that allow to find out, link or infer a user, a user agent or device.
Thus, all information elements that enable the identification of a person are subject to consent.
The requirements for exemption from consent
To ensure consent-free use, the following conditions would need to be met:
- Conclusion of a processing contract with the processor
- No use of cookies or similar profiling techniques
- Processing of personal data exclusively in Europe
- The processor does not use the obtained data for its own purposes
- The processor does not link or enrich the data across different websites
- Possibility of opting out or revoking as well as detailed information about the collection of personal data in the privacy statement
- IP anonymization (“Privacy by Default”)
- Automatic opt-out for Do-Not-Track settings in the browser
- Proof of points 1-8 carried out by the website operator
IP address
Note that the IP address is generally a personal data. If you want to prevent personal data from being transmitted, you must always ensure that the IP address is disguised.
Server location
As long as it is not clear whether/that data is collected from a secure server location, compatibility with the GDPR is difficult.
Company headquarters
In the case of American companies or their subsidiaries, the fact that it is an American company must also be taken into account. Since the ruling on the Privacy Shield, American companies belong to an insecure third country.
Why is Google Fonts subject to consent?
- If data would be processed on a server in a secure third country, consent according to Art. 6 (1) lit. a GDPR must nevertheless be obtained for the use of Google Fonts in any case, as data is stored by the service.
- Accordingly, the service of Google Fonts may only be loaded after consent, otherwise a connection to one of the servers would already be established.
- Fulfilling the obligation to provide information according to Art. 13 GDPR in the privacy statement is another hurdle, since the information of the third country is missing and thus no transparent information can be provided.
This means that there are violations of points 2, 3, 7 and 8 above. Freedom from consent cannot be established.
What are the GDPR-compliant alternatives to Google Fonts?
We present you the three most popular fonts:
1. Fontawesome
With the popular Web Icon Library, the IP address is also transmitted when you want to view and load the icons. Thus, FontAwesome also collects personal data in the sense of the General Data Protection Regulation.
Consequence: you need a legal basis for the use of FontAwesome according to
Art. 6 GDPR.
2. Adobe Fonts (Typekit)
This Adobe service gives you access to a font library. Typekit is a pure hosting service.
This means: hosting on own servers or downloading the catalog is not possible.
3. Fonts.com
This is Monotype’s own web font service. It includes in-house fonts as well as fonts from external vendors, such as Adobe.
fonts.com is hosted on Monotype servers. Download for layout purposes or self-hosting is possible depending on the tariff.
Conclusion
Best Practice: Local Hosting of Google Fonts
As we now know, we cannot rely on legitimate interest as a legal basis for using Google Fonts, nor is consent via the cookie banner sufficient for 100% GDPR compliance. However, there is a way to use Google Fonts without sharing user data with Google in the process.
To avoid the default connection to the Google server and comply with the standards of the GDPR, we advise the local integration of Google Fonts, which is the best and safest way to handle the fonts in terms of data protection.
In the case of local integration of Google Fonts, the fonts are loaded from your own server and not from Google servers. In this case, you can also rely on a legitimate interest, since no data is sent to third-party providers.
Note: Here is the assessment of the Bavarian State Commissioner for Data Protection on integration of fonts – consent – fonts – Google Fonts – IP address – fonts, fonts – self-hosting of fonts – web fonts from March 2022.
Any questions?
Then feel free to call us. We will help you with questions about our product and features or generally about all data protection topics:
