Google Fonts and GDPR

Just when you thought it was safe…

Earlier this year, a German regional court fined a website operator for transferring a site visitor’s IP address to Google through the use of Google Fonts without the visitor’s explicit consent.

Following the news of the above ruling, WordPress theme authors were urged to bundle theme fonts with their themes so they would be served locally and thus bypass the need to link to the Google CDN to load theme fonts in the browser.

How did this happen?

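When a site is loaded in a visitor’s web browser, it loads not only the text and images you’ve added to your site, but also the theme and any external resources, such as web fonts. Typically those external resources are loaded from a CDN (Content Delivery Network). Because the visitor’s browser requests them directly from the CDN’s servers, the CDN operator receives the visitor’s IP address with each request.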

How can I tell if my site is using Google Fonts?

The quickest way to find the fonts being used on your site is through your browser’s Web Inspector. Depending on which browser you use, after opening the inspector, look for the Fonts or Styles tab. If you see either fonts.googleapis.com or fonts.gstatic.com as the source of the font, it’s Google Fonts.

Alternatively, you can install a browser extension such as “What Font,” which is available for all the major browsers.

You’ll want to check your WordPress.com website when you are logged out, as the notifications in the black WordPress.com Admin Bar that you see at the top of your site when logged in may use Google Fonts as well.

(2022 Nov 24-Note added: You can also check for Google Fonts on your site by using this utility. HT to wptavern.)
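The same check can be scripted against a saved copy of the logged-out page source. The sketch below is an added example, not code from this post or from WordPress.com; the names `find_google_fonts`, `FontRefFinder` and `SAMPLE_PAGE` are hypothetical, and the sample page is constructed. It flags `href`/`src` attributes and `<style>` blocks whose URL host is exactly one of the two Google Fonts hosts, so locally bundled fonts and look-alike hostnames are not reported.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# The two hosts the article names as the sign of a Google Fonts request.
GOOGLE_FONT_HOSTS = {"fonts.googleapis.com", "fonts.gstatic.com"}
# Matches url(...) and @import "..." references inside CSS text.
CSS_URL = re.compile(r"""url\(\s*['"]?([^'")\s]+)|@import\s+['"]([^'"]+)""", re.I)

def is_google_fonts(url):
    try:  # exact host match: relative paths and look-alike hosts are not flagged
        return urlsplit(url).hostname in GOOGLE_FONT_HOSTS
    except ValueError:  # malformed URL in the markup
        return False

class FontRefFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hits, self._in_style = [], False  # hits: (where, url) pairs
    def handle_starttag(self, tag, attrs):
        self._in_style = tag == "style"
        for name, value in attrs:  # <link href>, <script src>, ...
            if name in ("href", "src") and value and is_google_fonts(value):
                self.hits.append((f"<{tag} {name}>", value))
    def handle_endtag(self, tag):
        self._in_style = False
    def handle_data(self, data):
        # Only text inside a <style> element is treated as CSS.
        urls = (a or b for a, b in CSS_URL.findall(data)) if self._in_style else ()
        self.hits += [("<style> block", u) for u in urls if is_google_fonts(u)]

def find_google_fonts(html):
    finder = FontRefFinder()
    finder.feed(html)
    finder.close()
    return finder.hits

# Constructed sample page (not taken from any real site).
SAMPLE_PAGE = """<html><head>
<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
<link rel="stylesheet" href="//fonts.googleapis.com/css2?family=Inter">
<style>@import url('https://fonts.googleapis.com/css?family=Lora');
@font-face { font-family: L; src: url(/wp-content/fonts/local.woff2); }
@font-face { font-family: X; src: url(https://fonts.googleapis.com.example.net/x.woff2); }
</style></head><body><p>Hello</p></body></html>"""

if __name__ == "__main__":
    print(*find_google_fonts(SAMPLE_PAGE), sep="\n")
```

This only sees references in the HTML itself; fonts pulled in by an external stylesheet or by a script still need the browser inspector check described above.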

What does this mean for WordPress.com site owners?

In an earlier post here, I talked about the far-reaching effects that GDPR has on all sites with visitors from the EU, not just those sites based in the EU. After the above ruling, several concerned WordPress.com site owners posted to our Community Forums asking about the use of Google Fonts on WordPress.com sites. In that thread, Staff said the following:

We are aware of this ruling but are unable to give you advice about whether or not it applies to you and your own use of Google Fonts on your site. If you have concerns about your own GDPR compliance you should consult an attorney.

It is not currently possible to disable Google Fonts that are loaded via the Google CDN for your site. If it is important to you that your site does not provide Google Fonts from the CDN, there are two options:

1. Use one of the following block themes, which bundle the fonts locally, instead of sourcing them from Google directly:

Ames
Antonia
Appleton
Arbutus
Attar
Barnett
Bennett
Blank Canvas
Blockbase
Calvin
Dorna
Farrow
Geologist
– Geologist Blue/Cream/Slate/Yellow
Hari
Heiwa
Jackson
Kingsley
Marl
– Mayland (Blocks)
Meraki
Quadrat
– Quadrat Black/Green/Red/White/Yellow
Russell
– Seedlet (Blocks)
Varese
Winkel
Zoologist

2. Upgrade to the WordPress.com Business plan, which allows more control over fonts on your site.

The Themes

All the above-mentioned themes use the Site Editor, i.e. are full site editing themes. The Geologist and Quadrat themes mentioned after their parent theme in this list are the same theme with different styling.

Mayland (Blocks) and Seedlet (Blocks) were available when Full Site Editing was first released (and were only available via the WP Admin>Themes dashboard), in order to differentiate them from the Mayland and Seedlet themes, which are currently available in our Theme Showcase. They are both child themes of Varia, and it is not clear if they are the same as the (Blocks) variant.

Varese is a brand new Premium theme.

Bundled Fonts

This new Theme Showcase tag takes the guesswork out of finding WordPress.com themes that have locally served fonts and currently is the same as the list above, with the odd exception of “Varese.”

System Fonts

If your theme doesn’t appear in the above list or in the Bundled Fonts Theme Showcase tag, and you determine that you must discontinue using Google Fonts or any web-based font repository, you might have the option of changing your theme fonts to display “System Fonts.” (Not to be confused with a theme’s default fonts!)

Where to find System Fonts in themes with Global Styles

What are System Fonts? Every website has a fallback selection of fonts should the preferred font be unavailable, especially in situations like slow internet connections, and generally the last option is to use fonts already available on the visitor’s own system/device. They include:

  • Arial
  • Verdana
  • Tahoma
  • Trebuchet MS
  • Times New Roman
  • Georgia
  • Courier New
  • Brush Script MT
  • Impact

Currently System Fonts are available on themes that use Global Styles or the Site Editor to manage fonts.

If you’ve been a netizen for more than a decade, you might find these font names familiar as these were the fonts in use on websites prior to the availability of web-based font repositories. Welcome back Web 1.0!

Conflicting information?

The Privacy section of the Google Developer FAQ on Google Fonts specifically states that:

The Google Fonts API logs the details of the HTTP request, which includes the timestamp, requested URL, and all HTTP headers (including referrer and user agent string) provided in connection with the use of our CSS API.

IP addresses are not logged. (My emphasis.)

If that is the case, then why all the churn on this topic? Is a single ruling in a German regional court enough to drive this change? Yes, apparently. Since that case, another visitor to a German website threatened a site owner with legal action for use of the Google Fonts API and cited the earlier court ruling.

You can see where this is heading and why web site owners, especially those in Germany and Austria, have a real interest in minimizing their risk.

So tranquil, but what’s hiding beneath the surface?

In that same ongoing forum thread, I asked whether WordPress.com will be changing its other themes to load Google Fonts locally as well. So far, I’ve not received a reply. I’ll update here if I get one.

Updated prior to publishing: Another WordPress.com site owner posted in that same forum thread with a real Catch-22 concerning the Cookies & Consent banner widget, which displays by default on all free WordPress.com sites regardless of theme. On sites on the Personal or Premium plan using full site editing themes, the banner widget does not display by default and cannot be added as there is no widget area to add it to. Hopefully WordPress.com will address this snafu very soon. (See additional update below.)

Additionally, this user came to the same conclusion as I did regarding System Fonts, which are only available on Full Site Editing or Global Styles themes.

For now it seems that the only way to display the Cookie banner and use System fonts is by using a theme that has Global Styles and widgets.

Update 20221022: I just want to add some information about the consent banner on Premium plan sites that have opted in to running WordAds. When a visitor under GDPR jurisdiction visits such a website, they are automatically shown a different consent banner that can’t be edited or turned off and, again, the banner displays regardless of theme in use on the website. You can learn more about this in the WordAds support guide.

Only sites on the Premium plan have the option to turn on advertising as a part of the WordAds program. There is no such option currently on sites with a Personal plan; ads are off by default as a part of the upgrade plan. Also, to the best of my understanding, the Cookies & Consent banner is required for allowing cookies of any kind, like those used for analytics (which are built in to the WordPress.com platform), and not just for allowing advertising.

As always, the information in this post is correct as of publication date. Changes are inevitable.

Published by JenT

After 4 years hand-coding websites, 2 years setting up and running WordPress sites, I launched my first website on WordPress.com in 2006 and never looked back. Since then, I’ve helped other site owners safely navigate through the ins and outs of the ever-changing WordPress.com ecosystem. Find me at wpcommaven.com

14 thoughts on “Google Fonts and GDPR”

  1. I’m using Google Fonts, but I don’t know if they are bundled, and I’m having trouble finding out.

    I really don’t want to switch themes again because all the new themes are crap, and my foray into building my own still leaves me deeply unsatisfied. Given that Hive itself was a compromise, I’m not optimistic I can find something to my liking.

    Plus, while I appreciate the list you provide, I can’t be sure those won’t change or be retired soon, not to mention they are difficult to check out (and, again, the ones I did look at I found severely lacking).

    One of the annoying things with customizing themes is that the interface to choosing themes does not give the option to list them in alphabetical order, which means I have to search for each one as opposed to casually scrolling and see if they’re even close to what I might like.

    Finally, per my reading of the ruling, it’s unclear if I’m the “website operator” or a “website user” (treating .com domains differently than .org domains).

    My take would be that WPcom is the Website Operator, but I’m not a lawyer, and I don’t doubt that WP would throw users under the bus as opposed to taking responsibility.

    (209 words not counting this sentence — hope that’s OK)

    1. My understanding of that staff reply is that the themes they listed (and copied here) are the only ones so far that have bundled fonts. The new Theme Showcase tag seems to confirm that thought. TBH, I have no idea if TPTB have any intention of adding classic themes like Hive to that list. My gut feeling says no.

      Personally, when I look to test or view themes, I head to the WP Admin>Appearance dashboard and list them by “Newest”. Unfortunately, you can’t use the showcase tags in that view.

      Not being a lawyer and so not dispensing anything other than my own opinion, WordPress.com is a web hosting provider like any other. Whether the theme you choose for your own site complies with the ruling or not, or whether your website practices comply with the ruling or not (a theme is only part of the equation), is up to the website owner regardless of their web host. WordPress.com belatedly provided its users with a guide to GDPR, which itself is not legal advice, but good practice.

      People are still poking around the edges with GDPR and as long as there are rulings like this one about Google Fonts, IMO this won’t pass soon.

      (And sorry for my late response on your comment, I was joyfully offline since posting this in celebration of another swing around the sun. Now I’m heading offline to get ready for several days of holidays. There will be food!)

      1. Happy belated completed solar orbit.

        The answer I got from WP is that they don’t give legal advice.

        The annoying thing (for me, and I assume others) is that they allow embedding fonts if I upgrade to a Business plan. Meaning, I could keep my Hive theme and just embed the fonts (I specifically asked about that).

        To me, it seems the easiest solution is to include the feature in the Premium plan.

        As for who is liable, my argument is that while I have some control over what I do, I’m constrained by arbitrary limits imposed by WP. Given that at the time I picked Hive, there was no legal reason not to, and given that I’ve had no official (or unofficial) communication from WP about this issue (and possibly the related issue with Google Analytics from the ruling in South America), I’d sue WP for putting me in legal jeopardy.

        . . . of course, the lawyers would cost me a lot more than the $100 fine I would have to pay . . .

      2. Unfortunately, the goal posts keep moving because of GDPR and we’re not done with people poking around its edges. As annoying as it may be, WPcom can’t give legal advice about anyone’s site hosted with them and I believe they themselves are covered under their own Terms of Service and possibly CDA Section 230. Again, I’m not a lawyer. FWIW- they did publish a post (quite belatedly IMO) back in May 2018 on the News Blog about providing its users with new privacy features vis-a-vis GDPR. Not that they could have foreseen the Google Fonts issue, which only arose after someone took a site owner to court (in Germany, which is particularly draconian).

        Thanks for your good wishes. That swing around the sun seems to get shorter every year!

  2. Thank you for the article and the tips. I tend to use GeneratePress theme for self-hosted sites, and they have documentation on adding local fonts. The video ‘may’ apply across many themes.

    1. You’re welcome! Hope you found them helpful.

      Once you get to uploading custom themes, like GeneratePress, you’re in Staff’s reply #2 territory. The real conundrum here is what’s available for those who can’t, don’t or won’t upgrade. Right now there’s not a lot of choice and I’m hoping that it gets some real attention.

      1. I thought about this a bit more. I wonder who the claimant was in that German case. I mean, what kind of person goes to court over something like this? There must be more to it.

      2. what kind of person goes to court over something like this

        An opportunist, especially if it involves products from Google, Meta or other big tech companies? The phrase “right to informational self-determination” in that ruling sort of jumped out at me. (FWIW-The other instance of this ruling in German that I found also doesn’t mention the parties involved.)

        I also wondered if the Google Fonts FAQ was updated to include “IP addresses are not logged” following that ruling, but it’s not possible to tell directly from that document since it only mentions the last updated date of 2022 06 21, but there’s no change log.

  3. This post was updated with additional information regarding the Consent banner on WordPress.com sites on the Premium plan displaying WordAds.

    1. Thanks for the update.

      BTW, I read the decision of the court . . . it still seems flawed if viewed with common sense . . . but then, we’re talking about Germans — and Europeans in general — so I don’t know that they have much experience — or use — for common sense.

      The thing is, it can’t be just fonts. Google Analytics is in use across a slew of sites around the world, and it’s not the only company that provides a metrics product. For that matter, WP’s own stats counter must perforce “know” the incoming IP address, and that’s also outside my control.

      But, more so, the ruling is worded such that all CDN-provided content is also affected (I currently link all my graphics).

      If left unchallenged, I don’t see a limit to the application of this ruling.

      For instance, the polls I run for the fiction voting feed me the IP addresses of voters. I don’t know who they are, but I can get a general location for them unless they’re running a VPN. The poll itself uses IP addresses to ensure there’s no double-voting from a single user. That’s interesting because it allows different users to vote from the same IP address (for instance, in a family), so it must track other things as well; things I have no control over.

      At some point, the functionality of the web becomes a problem.

      But, maybe I’m misreading it. I’m old and tired, so perhaps my comprehension level has degraded to the point that I can’t read a court ruling.

      Again, we’re not lawyers, but I question the law degrees of the people on the ruling court.

  4. I’m also having trouble finding out who the defendant was. Meaning, a person or a business. I ask because there are probably millions of sites in Europe violating this ruling (easy money to be made!).

    The question I have is whether the site in question was a business entity or a private individual as the requirements might not be the same (they might be, but I don’t know).
