How do I use Google Fonts as well as other fonts in a GDPR compliant manner?

Google Fonts is embedded on numerous websites. What website providers often forget is that the integration of Google Fonts is subject to GDPR regulations and therefore requires a legal basis. Specifically, user consent is required. 

Where does Google Fonts collect personal data as defined by GDPR regulations?

Google Fonts does not set cookies. However, if a font is requested by the visitor’s browser, the visitor’s IP address is captured by Google and used for analytical purposes. 

Google Fonts does not set cookies. However, if a font is requested by the visitor’s browser, the visitor’s IP address is recorded by Google and used for analytical purposes.

This is also reflected in a transparent manner in the Google Terms and Conditions for the Google Fonts API. You can also find the information in regards as to how the collected data is analysed specifically by Google, in the terms and conditions.

On the one hand, the aggregated usage figures are recorded, showing the popularity of each font. These statistics are then published on the Google  analysis site. 

On the other hand, Google also uses data from the Google Webcrawler in order to determine which websites use Google fonts. This data is then published and available in Google Fonts’ Google BigQuery database. 

In this context, Google sees itself as a “Controller” or “Responsible party” in regards to GDPR regulations.

Implement Google Fonts in accordance with data protection regulations

Seeing as Google Fonts collects and processes the IP address and thus personal data in regards to GDPR, a legal basis is required for this process. The website operator must also be able to reproach this legal basis. 

In the case of anonymous website visitors, only the legitimate interest in accordance with Art. 6 Para. 1 lit. GDPR or consent in accordance with Art. 6 Para. 1 lit. a GDPR can be considered. Whether the legitimate interest is sufficient for Google Fonts or not, is a matter of discretion for the website operator. 

In order to be able to rely on a legitimate interest, a strict three-step examination must be carried out.

This reasoning behind why the balance of interests is in favour of the website operator should be transparently stated in the privacy statement. 

DSK’s remarks on legitimate interests can serve as a guide to those interested. Here, is where, for example, the range measurement based on strictly statistical data is considered to be legitimate. However, in the case of Google Fonts, this may not be sufficient because the IP address is sent to the USA. Therefore, the legal situation here is by no means clear.

Even if the website operator bases his or her decision on a legitimate interest, the website visitor must be given an opportunity to appeal. The website operator must therefore ensure that the website visitor can object to the use of Google Fonts – and set up a corresponding opt-out button for this purpose.

A strong legal framework for Google Fonts is consent. As the data is sent to a third country (USA) by Google (an American provider), consent may be mandatory in order to use Google Fonts in Europe in accordance with data protection regulations. 

It is within this context that the website operator must fulfil the criteria for legally valid consent within the GDPR framework. Reminder: Key is that that the user is prompted for his or her consent before a URL call from Google Fonts to the Google Fonts API takes place.

If Google Fonts is integrated by default via the Google server, a connection to Google is established each time the page is called up. From a legal point of view, the consent of the website user would be required here in order to operate under proper GDPR regulations.

Those who do not want to venture into legally insecure territory have the option of integrating Google Fonts locally. This way, the fonts are loaded from your own server and not from the Google servers. The legal framework here could be construed as a “legitimate interest”, as no data is sent to third parties. 

However, hosting the fonts yourself can also have disadvantage, such as longer loading times or that the texts are first displayed with a Fallback-Font until the Google Font is loaded.

If you, as a website provider, decide to use Consent as the legal basis for Google Fonts, we can help.  Because, the best way to control this is through a Consent Tool or a Consent Management Platform (CMP) such as Usercentrics.

To steps are required to play Google Fonts in order to make sure that it is only played out after the user has given his or her consent:

1. Set “Google Fonts” as a data processing service in your Usercentrics Admin Interface
2. Customize the script to be included

Navigate to the menu item “Service Settings” in your Usercentrics Admin Interface and add a new service from our service database.

Search for “Google Fonts” and select the appropriate category. We recommend the “Functional” category.

Save the changes.

In most cases, Google Fonts is embedded directly into the website to ensure that it loads as quickly as possible. In this situation, you will have to adapt the script. Please look at the following for an  example of the Roboto font:

<script type="text/plain" data-usercentrics="Google Fonts">

 var head  = document.getElementsByTagName('head')[0];
 var link  = document.createElement('link');
 link.rel  = 'stylesheet';
 link.type = 'text/css';
 link.href = 'https://fonts.googleapis.com/css?family=Roboto';
 head.appendChild(link);

</script>

Simply insert the link to the corresponding font in line 6. The Usercentrics CMP will now check the consent status and will only load Google Fonts if consent has been given.

However, if you have implemented Google Fonts using the Google Tag Manager, please read our Google Tag Manager Implementation Guide and do not run the corresponding tag until you have obtained consent.

Please note: As long as the website visitor does not give his or her consent, the font integrated via Google Fonts will not be loaded. This can lead to a distorted perception of the website if no Fall-Back font has been configured in the CSS. The Fall-Back should definitely be a system font that supports fonts that work on all operating systems.

Please inform your developers that Google Fonts will no longer be loaded for each and every website visitor and that a similar font should be implemented as a Fall-Back option.

You should also be made aware that a FOUT (Flash Of Unstyled Text) will occur for the visitor as soon as he/she gives his/her consent. Once consent has been given, Google Fonts will be loaded and the complete text of the web page will be switched from the browser to the newly loaded font.

In addition to Google Fonts, there are also other companies who provide web fonts. However, not all of them offer the possibility of selfhosting. But we have compiled a list of  the three most popular ones:

FontAwesome is a popular Web Icon Library. In order to display and load the icons, FontAwesome also transfers the IP address when it is run. This means that personal data is collected in accordance with GDPR and you need a legal basis in order to use FontAwesome in accordance with Art. 6 GDPR.

Adobe bietet mit Adobe Fonts ebenfalls einen Dienst, über den man auf eine Schriftenbibliothek zugreifen kann. Allerdings ist Typekit ein reiner Hosting-Dienst. Hosting auf dem eigenen Server oder ein Download des Katalogs sind also nicht möglich.  

Die allgemeine Datenschutzrichtlinie von Adobe und weitere Datenschutzrelevante Infos spezielle zu Adobe Fonts finden Sie hier.

Adobe also provides a service called Adobe Fonts, which allows you to access a font library. However, Typekit is a pure Hosting service. Hosting on your own server or a download of the catalogue is therefore not possible.  

Adobe’s privacy policy and other privacy related information specific to Adobe Fonts can be found here.

Monotype also offers its own web font service with their own fonts, but also provides fonts from other manufacturers, such as Adobe. Hosting is usually done on the Monotype servers and depending on the plan a download for layout purposes and self-hosting is available. For more information about privacy matters in regards to fonts.com, please click here.

Please take a look at the following for other external web font providers with similar conditions: FontShop, WebInk, Fontspring, Webtype, Typotheque oder FontSquirrel.

• Start with an assessment: Do you use Google Fonts or other fonts like FontAwesome at all, and if so, how?
• Make a decision: Legitimate Interest or Consent?
• If legitimate interest or consent is chosen as the legal basis, but there is no local integration, a consent tool should be integrated

If the font is to be run locally, download the latest version of the font (e.g. here for Google Fonts or Font Awesome here), upload the files (via (S)FTP / SSH) to your own server and integrate the CSS.