Does Google Fonts set cookies?
We get a lot of questions regarding the use of fonts on websites and how to deal with it in terms of the GDPR and specifically cookies. Although the service itself isn’t setting any cookies it still infringes the GDPR when using it on your website without consent. The reasoning behind this is that by simply embedding these fonts directly from Google it will still send API / network requests to Google’s servers where for example your IP address might be transmitted and processed.
Do I need to ask consent before loading Google Fonts?
You could indeed solve the problem like this, but what about the User Experience? It would mean you have a fallback font on your website which displays before consent and after consent it will load the Google Font of your choosing. This would obviously lead to issues with User Experience on your site and looks quite odd to be honest. So I would not recommend it. But fortunately there are other ways to use your favourite fonts on your website without infringing the GDPR.
What is Google Fonts?
Google Fonts is a service from Google LLC or Google Ireland that provides access to over 1400 open source fonts and icon types that can be freely used on any website. You can either embed them through Google or self-host these fonts on your webserver.
Is the use of Google Fonts GDPR compliant?
If you use Google Fonts by loading them from Google servers it is not GDPR compliant. The reason being that once a website visitor loads the font in their browser it will still send data to Google’s servers to process. According to Google, by using the Fonts API the following information is sent to Google servers:
- Timestamp of the request
- Requested url
- All HTTP headers including:
- Referrer
- User Agent String
- Browser type
Google specifically mentions not to store IP addresses. Although that might be true the question remains, if Google would combine the data with other sources are they able to construct a profile of the visitor requesting the fonts while visiting the website?
If you decide to download the Google font of your choice and then host it on your own webserver, then it can be fully GDPR compliant!
How to make Google Fonts GDPR compliant?
If you want to use a font in your website or application make sure to download and host the font yourself. So how do we do that?
In short, go to fonts.google.com and find the font you’re looking to use.
- Click the Download button to download the entire font package.
- To make an easy to use css file by using @font-face you can use a service like transfonter.org where you can upload your the fonts you need to use, set which type of formats to use (i’d recommend WOFF and WOFF2) and hit the “Convert” convert button.
- Then download the package and upload it to your server.
- Make sure to reference the css file in the head of your website and you can use the fonts in your css to style the site.
In this case you don’t need to add Google Fonts to your privacy policy, you do not need to ask consent for the use of the fonts. Easy-peasy!
Is there no alternative provider hosting these fonts?
Yes there is. Our friends from Bunny CDN have created a small application running on their infrastructure where they host the majority of fonts from Google. You can use this as an alternative to loading them from Google’s servers. You can visit their website here: https://fonts.bunny.net/
But you have to be aware that you’re now still using Bunny.net as a subprocessor because in this case as well, your visitors data might still be shared with them. Do not forget to add them to your privacy policy under the subprocessors.
