Just when you thought it was safe…
Earlier this year, a German regional court fined a website operator for transferring a site visitor’s IP address to Google through the use of Google Fonts without the visitor’s explicit consent.
Following the news of the above ruling, WordPress theme authors were urged to bundle theme fonts with their themes so they would be served locally and thus bypass the need to link to the Google CDN to load theme fonts in the browser.
How did this happen?
When a site is loaded in a visitor’s web browser, it loads not only the text and images you’ve added to your site, but also the theme and any external resources, such as web fonts. Typically those external resources are being loaded from a CDN (Content Delivery Network).
How can I tell if my site is using Google Fonts?
The quickest way to find the fonts being used on your site is through your browser’s Web Inspector. Depending on which browser you use, after opening the inspector, look for the Fonts or Styles tab. If you see either fonts.googleapis.com or fonts.gstatic.com as the source of the font, it’s Google Fonts.
Alternatively, you can install a browser extension such as “What Font,” which is available for all the major browsers.
You’ll want to check your WordPress.com website when you are logged out, as the notifications in the black WordPress.com Admin Bar that you see at the top of your site when logged in may use Google Fonts as well.
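As an added example (not part of the original post and not WordPress.com code), the same check can be run against saved page source. The sketch below looks for the two hosts named above in href/src attributes, CSS url() values and @import rules; the sample markup and the example.com base URL are constructed for illustration.

```javascript
// Added example: the two hosts the post names as Google Fonts sources.
const GOOGLE_FONT_HOSTS = new Set(["fonts.googleapis.com", "fonts.gstatic.com"]);

// Places a font URL can appear in page source.
const URL_PATTERNS = [
  { via: "attribute", re: /\b(?:href|src)\s*=\s*["']([^"']+)["']/gi },
  { via: "css-url", re: /url\(\s*["']?([^"')\s]+)["']?\s*\)/gi },
  { via: "css-import", re: /@import\s+["']([^"']+)["']/gi },
];

// Returns one entry per distinct reference to a Google Fonts host.
// pageUrl (an assumption; pass the real page address) is used to resolve
// relative and protocol-relative (//host/...) URLs.
function findGoogleFontRefs(source, pageUrl = "https://example.com/") {
  const hits = [];
  const seen = new Set();
  for (const { via, re } of URL_PATTERNS) {
    for (const match of source.matchAll(re)) {
      let url;
      try {
        url = new URL(match[1], pageUrl);
      } catch {
        continue; // not a parseable URL
      }
      if (!GOOGLE_FONT_HOSTS.has(url.hostname)) continue;
      const key = `${via} ${url.href}`;
      if (seen.has(key)) continue; // report each reference once
      seen.add(key);
      hits.push({ via, host: url.hostname, url: url.href });
    }
  }
  return hits;
}

// Constructed sample page source, not taken from a real site.
const SAMPLE_PAGE = `
<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
<link rel="stylesheet" href="//fonts.googleapis.com/css2?family=Inter">
<link rel="stylesheet" href="/wp-content/themes/demo/style.css">
<style>
  @import "https://fonts.googleapis.com/css?family=Lora";
  @font-face { font-family: "Local"; src: url(/fonts/local.woff2); }
  @font-face { font-family: "Remote"; src: url('https://fonts.gstatic.com/s/remote/v1/x.woff2'); }
</style>`;

console.log(findGoogleFontRefs(SAMPLE_PAGE));
```

A static scan only sees references present in the source it is given; fonts injected by scripts at load time still need the Web Inspector check, done while logged out.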
What does this mean for WordPress.com site owners?
In an earlier post here, I talked about the far-reaching effects that GDPR has on all sites with visitors from the EU, not just those sites based in the EU. After the above ruling, several concerned WordPress.com site owners posted to our Community Forums asking about the use of Google Fonts on WordPress.com sites. In that thread, Staff said the following:
We are aware of this ruling but are unable to give you advice about whether or not it applies to you and your own use of Google Fonts on your site. If you have concerns about your own GDPR compliance you should consult an attorney.
It is not currently possible to disable Google Fonts that are loaded via the Google CDN for your site. If it is important to you that your site does not provide Google Fonts from the CDN, there are two options:
1. Use one of the following block themes, which bundle the fonts locally, instead of sourcing them from Google directly:
– Blank Canvas
– Geologist Blue/Cream/Slate/Yellow
– Mayland (Blocks)
– Quadrat Black/Green/Red/White/Yellow
– Seedlet (Blocks)
2. Upgrade to the WordPress.com Business plan, which allows more control over fonts on your site.
All the above-mentioned themes use the Site Editor, i.e. are full site editing themes. The Geologist and Quadrat themes mentioned after their parent theme in this list are the same theme with different styling.
Mayland (Blocks) and Seedlet (Blocks) were available when Full Site Editing was first released (and were only available via the WP Admin > Themes dashboard), in order to differentiate them from the Mayland and Seedlet themes, which are currently available in our Theme Showcase. The latter are both child themes of Varia, and it is not clear if they are the same as the (Blocks) variants.
Varese is a brand new Premium theme.
This new Theme Showcase tag takes the guesswork out of finding WordPress.com themes that have locally served fonts and currently is the same as the list above, with the odd exception of “Varese.”
If your theme doesn’t appear in the above list or in the Bundled Fonts Theme Showcase tag, and you determine that you must discontinue using Google Fonts or any web-based font repository, you might have the option of changing your theme fonts to display “System Fonts.” (Not to be confused with a theme’s default fonts!)
What are System Fonts? Every website has a fallback selection of fonts should the preferred font be unavailable, especially in situations like slow internet connections, and generally the last option is to use fonts already available on the visitor’s own system/device. They include:
- Trebuchet MS
- Times New Roman
- Courier New
- Brush Script MT
If you’ve been a netizen for more than a decade, you might find these font names familiar as these were the fonts in use on websites prior to the availability of web-based font repositories. Welcome back Web 1.0!
The Privacy section of the Google Developer FAQ on Google Fonts specifically states that:
The Google Fonts API logs the details of the HTTP request, which includes the timestamp, requested URL, and all HTTP headers (including referrer and user agent string) provided in connection with the use of our CSS API.
IP addresses are not logged. (My emphasis.)
If that is the case, then why all the churn on this topic? Is a single ruling in a German regional court enough to drive this change? Yes, apparently. Since that case, another visitor to a German website threatened a site owner with legal action for use of the Google Fonts API and cited the earlier court ruling.
You can see where this is heading and why web site owners, especially those in Germany and Austria, have a real interest in minimizing their risk.
In that same ongoing forum thread, I asked whether WordPress.com will be changing its other themes to load Google Fonts locally as well. So far, I’ve not received a reply. I’ll update here if I get one.
Updated prior to publishing: Another WordPress.com site owner posted in that same forum thread with a real Catch-22 concerning the Cookies & Consent banner widget, which displays by default on all free WordPress.com sites regardless of theme. On sites on the Personal or Premium plan using full site editing themes, the banner widget does not display by default and cannot be added as there is no widget area to add it to. Hopefully WordPress.com will address this issue very soon. (See additional update below.)
Additionally, this user came to the same conclusion as I did regarding System Fonts, which are only available on Full Site Editing or Global Styles themes.
For now it seems that the only way to display the Cookie banner and use System fonts is by using a theme that has Global Styles and widgets.
Update 20221022: I just want to add some information about the consent banner on Premium plan sites that have opted in to running WordAds. When a visitor under GDPR jurisdiction visits such a website, they are automatically shown a different consent banner that can’t be edited or turned off and, again, the banner displays regardless of the theme in use on the website. You can learn more about this in the WordAds support guide.
Only sites on the Premium plan have the option to turn on advertising as a part of the WordAds program. There is no such option currently on sites with a Personal plan; ads are off by default as a part of the upgrade plan. Also, to the best of my understanding, the Cookies & Consent banner is required for allowing cookies of any kind, like those used for analytics (which is built in to the WordPress.com platform), and not just for allowing advertising.
As always, the information in this post is correct as of publication date. Changes are inevitable.