How to Use Google Fonts without Breaking GDPR Rules

Privacybunker.IO Founder

An open-source developer who helps companies and startups solve data security and privacy challenges.

Summary

Earlier this month, a German court fined a corporate website for leaking visitors' IP addresses via Google Fonts.

The city court of Munich ruled that a website using Google Fonts had passed the visitor’s IP address to Google. This happened without authorization and without a legitimate reason for doing so. As a result, it violated Europe’s General Data Protection Regulation (GDPR).

Improper use of Google Fonts can ruin your business.

According to § 823 Para. 1 BGB, this case violates the individual's right to decide whether and how their personal data is disclosed and used.

The ruling requires the website to stop passing visitors' IP addresses to Google.

The EU GDPR sets a maximum fine of €20 million (about £18 million) or 4% of annual global turnover of any established company for infringements, whichever is greater.

One of the best ways to prevent GDPR fines is to use a service that checks websites for GDPR violations and provides a professional team that knows how to fix these issues. A company I co-founded provides such services. We are a group of privacy practitioners and software professionals who know how to fix GDPR violations.

Technical details


The GDPR violation happens in the following sequence:

  1. The user opens the target website in their Internet browser.
  2. The browser downloads the website's HTML page from the target web server and starts rendering it.
  3. The browser finds an HTML tag that references Google Fonts and creates a new request to download the font files from the Google Fonts servers.

The violation is in step 3. The browser discloses the user's IP address to the US Internet giant. This kind of hot-linking is the normal way of embedding Google Fonts. The issue is that the visitor has not given explicit permission to share their IP address.

The decision states that Google can theoretically identify the person associated with the IP address. As a result, IP addresses represent personal data. It’s irrelevant whether Google has actually done so.

Given that Google Fonts is widely deployed and the Google Fonts API is used by about 50 million websites, it is important to follow the best privacy practices. GDPR has extraterritorial scope, so essentially any website can face GDPR violation problems: if you are running a business in New York and your visitors are from Europe, you can break GDPR laws. The same violation exists when hot-linking other third-party services, not only Google Fonts.

How to fix

Instead of relying on fonts hosted by Google Fonts, you will need to host the font files on your website.

You can use the Google Fonts website to download the required font files and upload them to the ‘/fonts’ directory of your website. After that, you will need to modify your website’s HTML (and CSS) files to reference the self-hosted font URLs instead of the Google ones. To do this, you need to know a little HTML kung-fu.
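The following script is an added example, not code from the original post or from Privacybunker. It covers both the detection of the hot-link described in step 3 of the technical details and the self-hosting fix described above: it finds every `<link>` tag and CSS `@import` rule that points at `fonts.googleapis.com` or `fonts.gstatic.com` (each of which makes the browser contact Google and reveal the visitor's IP address), extracts the requested font families, generates `@font-face` rules for a local `/fonts` directory, and rewrites the HTML to load a local stylesheet instead. The sample HTML, the `/fonts/fonts.css` path and the `FamilyName.woff2` file-naming convention are assumptions for the example; you still have to download the font files from Google Fonts yourself and place them in `/fonts`.

```python
"""Detect Google Fonts hot-links in HTML and rewrite them to self-hosted fonts.
Hypothetical example script; the file layout under /fonts is an assumption."""
import re
from urllib.parse import urlparse, unquote_plus

# Hosts the browser contacts (and thereby leaks the visitor's IP to) when
# Google Fonts is hot-linked.
GOOGLE_FONT_HOSTS = ("fonts.googleapis.com", "fonts.gstatic.com")

LINK_RE = re.compile(r"<link\b[^>]*>", re.IGNORECASE)
HREF_RE = re.compile(r"""href\s*=\s*["']([^"']+)["']""", re.IGNORECASE)
# @import url('...'); / @import "..."; inside <style> blocks or CSS files
IMPORT_RE = re.compile(
    r"""@import\s+(?:url\()?\s*["']?([^"')\s;]+)["']?\s*\)?\s*;""", re.IGNORECASE)

# Constructed sample page embedding Google Fonts in the two usual ways.
SAMPLE_HTML = """<!doctype html>
<html><head>
<link rel="preconnect" href="https://fonts.googleapis.com">
<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
<link href="https://fonts.googleapis.com/css2?family=Roboto:wght@400;700&display=swap" rel="stylesheet">
<link rel="stylesheet" href="/static/site.css">
<style>
@import url('https://fonts.googleapis.com/css?family=Open+Sans|Lato:400,700');
body { font-family: 'Roboto', sans-serif; }
</style>
</head><body><p>Hello</p></body></html>"""


def is_google_font_url(url):
    """True when the URL points at one of the Google Fonts hosts."""
    return urlparse(url).netloc.lower() in GOOGLE_FONT_HOSTS


def find_google_font_references(html):
    """Return (kind, url) for every hot-link that would disclose the visitor's IP."""
    refs = []
    for tag in LINK_RE.findall(html):
        m = HREF_RE.search(tag)
        if m and is_google_font_url(m.group(1)):
            refs.append(("link", m.group(1)))
    for url in IMPORT_RE.findall(html):
        if is_google_font_url(url):
            refs.append(("import", url))
    return refs


def families_from_url(url):
    """Extract family names from a Google Fonts CSS URL.
    Handles css?family=A|B:400,700 and css2?family=A:wght@400;700&family=B."""
    families = []
    for param in urlparse(url).query.split("&"):
        key, _, value = param.partition("=")
        if key != "family":
            continue
        for entry in unquote_plus(value).split("|"):  # css v1 joins families with '|'
            name = entry.split(":")[0].strip()        # drop weight/style specifiers
            if name and name not in families:
                families.append(name)
    return families


def families_in_html(html):
    """All font families the page currently pulls from Google, in page order."""
    families = []
    for _, url in find_google_font_references(html):
        for family in families_from_url(url):
            if family not in families:
                families.append(family)
    return families


def build_font_face_css(families, fonts_dir="/fonts"):
    """@font-face rules loading each family from the site itself.
    Assumes the file for 'Open Sans' was saved as /fonts/OpenSans.woff2."""
    rules = []
    for family in families:
        filename = family.replace(" ", "")
        rules.append(
            "@font-face {\n"
            f"  font-family: '{family}';\n"
            f"  src: url('{fonts_dir}/{filename}.woff2') format('woff2');\n"
            "  font-display: swap;\n"
            "}")
    return "\n".join(rules)


def rewrite_html(html, local_css="/fonts/fonts.css"):
    """Swap Google Fonts hot-links for one local stylesheet and drop the
    preconnect hints, so the browser never contacts the Google hosts."""
    def replace_link(match):
        tag = match.group(0)
        m = HREF_RE.search(tag)
        if not m or not is_google_font_url(m.group(1)):
            return tag  # unrelated <link>, keep as-is
        if re.search(r"""rel\s*=\s*["']stylesheet["']""", tag, re.IGNORECASE):
            return f'<link rel="stylesheet" href="{local_css}">'
        return ""  # preconnect / dns-prefetch to Google is no longer needed

    def replace_import(match):
        if is_google_font_url(match.group(1)):
            return f"@import url('{local_css}');"
        return match.group(0)

    return IMPORT_RE.sub(replace_import, LINK_RE.sub(replace_link, html))


if __name__ == "__main__":
    for kind, url in find_google_font_references(SAMPLE_HTML):
        print(f"IP leak via {kind}: {url}")
    print(build_font_face_css(families_in_html(SAMPLE_HTML)))
    print(rewrite_html(SAMPLE_HTML))
```

Run it against your own page to list the hot-links that need attention; the generated `@font-face` rules go into `/fonts/fonts.css` next to the downloaded `.woff2` files. After deploying, confirm in the browser's network panel that no request to either Google host remains.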

Our team can fix your website’s HTML code and provide world-class service. You can reach them at hello@privacybunker.io.

Ever wondered how many GDPR violations your website has?

https://privacybunker.io/ provides a service that scans websites for GDPR violations. The company monitors changes in GDPR rules and GDPR infringement cases on a daily basis. We do not share your report with any third parties or authorities.

Privacybunker offers a daily check that includes:

  • The list of cloud tools that have access to user IP addresses without explicit consent.
  • The list of cookies that violate GDPR regulations.

It allows your business to always stay compliant.

During the promotional period website GDPR reports are provided for free.

Report example:

Example of GDPR report

What’s next

Once your website report is ready and if no violations are found, you can display a special GDPR compliance badge on your website. This badge will improve your website conversion rate. You will get a simple code to display a badge on demand.

If the scanner detects any GDPR violation, you are welcome to contact Privacybunker’s support team. They will gladly help you to fix your website. You can reach them at hello@privacybunker.io.

Examples of the GDPR badges you can use:

The service provides an API that generates a GDPR badge with the date of the last successful check.

Urgent questions?

For urgent questions, you are welcome to schedule a call with me:

https://calendly.com/stremovsky/30min
