Google Fonts and GDPR

Just when you thought it was safe…

Earlier this year, a German regional court fined a website operator for transferring a site visitor’s IP address to Google through the use of Google Fonts without the visitor’s explicit consent.

Following the news of the above ruling, WordPress theme authors were urged to bundle theme fonts with their themes so they would be served locally and thus bypass the need to link to the Google CDN to load theme fonts in the browser.

How did this happen?

When a site is loaded in a visitor’s web browser, it loads not only the text and images you’ve added to your site, but also the theme and any external resources, such as web fonts. Typically those external resources are being loaded from a CDN (Content Delivery Network).

How can I tell if my site is using Google Fonts?

The quickest way to find the fonts being used on your site is through your browser’s Web Inspector. Depending on which browser you use, after opening the inspector, look for the Fonts or Styles tab. If you see either fonts.googleapis.com or fonts.gstatic.com as the source of the font, it’s Google Fonts.

Alternatively, you can install a browser extension such as “What Font,” which is available for all the major browsers.

You’ll want to check your WordPress.com website when you are logged out, as the notifications in the black WordPress.com Admin Bar that you see at the top of your site when logged in may use Google Fonts as well.

What does this mean for WordPress.com site owners?

In an earlier post here, I talked about the far reaching effects that GDPR has on all sites with visitors from the EU, not just those sites based in the EU. After the above ruling, several concerned WordPress.com site owners subsequently posted to our Community Forums asking about the use of Google Fonts on WordPress.com sites. In that thread, Staff said the following:

We are aware of this ruling but are unable to give you advice about whether or not it applies to you and your own use of Google Fonts on your site. If you have concerns about your own GDPR compliance you should consult an attorney.

It is not currently possible to disable Google Fonts that are loaded via the Google CDN for your site. If it is important to you that your site does not provide Google Fonts from the CDN, there are two options:

1. Use one of the following block themes, which bundle the fonts locally, instead of sourcing them from Google directly:

Ames
Antonia
Appleton
Arbutus
Attar
Barnett
Bennett
Blank Canvas
Blockbase
Calvin
Dorna
Farrow
Geologist
– Geologist Blue/Cream/Slate/Yellow
Hari
Heiwa
Jackson
Kingsley
Marl
– Mayland (Blocks)
Meraki
Quadrat
– Quadrat Black/Green/Red/White/Yellow
Russell
– Seedlet (Blocks)
Varese
Winkel
Zoologist

2. Upgrade to the WordPress.com Business plan, which allows more control over fonts on your site.

The Themes

All the above-mentioned themes use the Site Editor, i.e. are full site editing themes. The Geologist and Quadrat themes mentioned after their parent theme in this list are the same theme with different styling.

Mayland (Blocks) and Seedlet (Blocks) were available when Full Site Editing was first released (and were only available via the WP Admin>Themes dashboard), in order to differentiate it from the Mayland and Seedlet themes, which are currently available in our Theme Showcase. They are both child themes of Varia, and it is not clear if they are the same as the (Blocks) variant.

Varese is a brand new Premium theme.

Bundled Fonts

This new Theme Showcase tag takes the guesswork out of finding WordPress.com themes that have locally served fonts and currently is the same as the list above, with the odd exception of “Varese.”

System Fonts

If your theme doesn’t appear in the above list or in the Bundled Fonts Theme Showcase tag, and you determine that you must discontinue using Google Fonts or any web-based font repository, you might have the option of changing your theme fonts to display “System Fonts.” (Not to be confused with a theme’s default fonts!)

Where to find System Fonts in themes with Global Styles

What are System Fonts? Every website has a fallback selection of fonts should the preferred font be unavailable, especially in situations like slow internet connections, and generally the last option is to use fonts already available on the visitor’s own system/device. They include:

  • Arial
  • Verdana
  • Tahoma
  • Trebuchet MS
  • Times New Roman
  • Georgia
  • Courier New
  • Brush Script MT
  • Impact

Currently System Fonts are available on themes that use Global Styles or the Site Editor to manage fonts.

If you’ve been a netizen for more than a decade, you might find these font names familiar as these were the fonts in use on websites prior to the availability of web-based font repositories. Welcome back Web 1.0!

Conflicting information?

According to the Privacy section of the Google Developer FAQ on Google Fonts, it specifically states that:

The Google Fonts API logs the details of the HTTP request, which includes the timestamp, requested URL, and all HTTP headers (including referrer and user agent string) provided in connection with the use of our CSS API.

IP addresses are not logged. (My emphasis.)

If that is the case, then why all the churn on this topic? Is a single ruling in a German regional court enough to drive this change? Yes, apparently. Since that case, another visitor to a German website threatened a site owner with legal action for use of the Google Fonts API and cited the earlier court ruling.

You can see where this is heading and why web site owners, especially those in Germany and Austria, have a real interest in minimizing their risk.

So tranquil, but what’s hiding beneath the surface?

In that same, on-going forum thread I asked will WordPress.com be changing its other themes to load Google Fonts locally as well. So far, I’ve not received a reply. I’ll update here if I get one.

*Updated prior to publishing: Another WordPress.com site owner posted in that same forum thread with a real Catch-22 concerning the Cookies & Consent banner widget, which displays by default on all free WordPress.com sites regardless of theme. On sites on the Personal or Premium plan using full site editing themes, the banner widget does not display by default and cannot be added as there is no widget area to add it to. Hopefully WordPress.com will address this snafu issue very soon.

Additionally, this user came to the same conclusion as I did regarding System Fonts, which are only available on Full Site Editing or Global Styles themes.

For now it seems that the only way to display the Cookie banner and use System fonts is by using a theme that has Global Styles and widgets.

As always, the information in this post is correct as of publication date. Changes are inevitable.

Published by JenT

WordPress.com forum volunteer and former moderator (2016-2021) assisting WordPress.com site owners since 2006, one answer at a time. Find me at wpcommaven.com.

9 thoughts on “Google Fonts and GDPR

  1. I’m using Google Fonts, but I don’t know if they are bundled, and I’m having trouble finding out.

    I really don’t want to switch themes again because all the new themes are crap, and my foray into building my own still leaves me deeply unsatisfied. Given that Hive itself was a compromise, I’m not optimistic I can find something to my liking.

    Plus, while I appreciate the list you provide, I can’t be sure those won’t change or be retired soon, not to mention they are difficult to check out (and, again, the ones I did look at I found severely lacking).

    One of the annoying things with customizing themes is that the interface to choosing themes does not give the option to list them in alphabetical order, which means I have to search for each one as opposed to casually scrolling and see if they’re even close to what I might like.

    Finally, per my reading of the ruling, it’s unclear if I’m the “website operator” or a “website user” (treating .com domains differently than .org domains).

    My take would be that WPcom is the Website Operator, but I’m not a lawyer, and I don’t doubt that WP would throw users under the bus as opposed to taking responsibility.

    (209 words not counting this sentence — hope that’s OK)

    1. My understanding of that staff reply is that the themes they listed (and copied here) are the only ones so far that have bundled fonts. The new Theme Showcase tag seems to confirm that thought. TBH, I have no idea if TPTB have any intention of adding classic themes like Hive to that list. My gut feeling says no.

      Personally, when I look to test or view themes, I head to the WP Admin>Appearance dashboard and list them by “Newest”. Unfortunately, you can’t use the showcase tags in that view.

      Not being a lawyer and so not dispensing anything other than my own opinion, WordPress.com is a web hosting provider like any other. Whether the theme you choose for your own site complies with the ruling or not, or whether your website practices comply with the ruling or not (a theme is only part of the equation), is up to the website owner regardless of their web host. WordPress.com belatedly provided its users with a guide to GDPR, which itself is not legal advice, but good practice.

      People are still poking around the edges with GDPR and as long as there are rulings like this one about Google Fonts, IMO this won’t pass soon.

      (And sorry for my late response on your comment, I was joyfully offline since posting this in celebration of another swing around the sun. Now I’m heading offline to get ready for several days of holidays. There will be food!)

      1. Happy belated completed solar orbit.

        The answer I got from WP is that they don’t give legal advice.

        The annoying thing (for me, and I assume others) is that they allow embedding fonts if I upgrade to a Business plan. Meaning, I could keep my Hive theme and just embed the fonts (I specifically asked about that).

        To me, it seems the easiest solution is to include the feature in the Premium plan.

        As for who is liable, my argument is that while I have some control over what I do, I’m constrained by arbitrary limits imposed by WP. Given that at the time I picked Hive, there was no legal reason not to, and given that I’ve had no official (or unofficial) communication from WP about this issue (and possibly the related issue with Google Analytics from the ruling in South America), I’d sue WP for putting me in legal jeopardy.

        . . . of course, the lawyers would cost me a lot more than the $100 fine I would have to pay . . .

      2. Unfortunately, the goal posts keep moving because of GDPR and we’re not done with people poking around its edges. As annoying as it may be, WPcom can’t give legal advice about anyone’s site hosted with them and I believe they themselves are covered under their own Terms of Service and possibly CDA Section 230. Again, I’m not a lawyer. FWIW- they did publish a post (quite belatedly IMO) back in May 2018 on the News Blog about providing its users with new privacy features vis-a-vis GDPR. Not that they could have foreseen the Google Fonts issue, which only arose after someone took a site owner to court (in Germany, which is particularly draconian).

        Thanks for your good wishes. That swing around the sun seems to get shorter every year!

  2. Thank you for the article and the tips. I tend to use GeneratePress theme for self-hosted sites, and they have documentation on adding local fonts. The video ‘may’ apply across many themes

    1. You’re welcome! Hope you found them helpful.

      Once you get to uploading custom themes, like GeneratePress, you’re in Staff’s reply #2 territory. The real conundrum here is what’s available for those who can’t, don’t or won’t upgrade. Right now there’s not a lot of choice and I’m hoping that it gets some real attention.

      1. I thought about this a bit more. I wonder who the claimant was in that German case. I mean, what kind of person goes to court over something like this? There must be more to it.

      2. what kind of person goes to court over something like this

        An opportunist, especially if it involves products from Google, Meta or other big tech companies? The phrase “right to informational self-determination” in that ruling sort of jumped out at me. (FWIW-The other instance of this ruling in German that I found also doesn’t mention the parties involved.)

        I also wondered if the Google Fonts FAQ was updated to include “IP addresses are not logged” following that ruling, but it’s not possible to tell directly from that document since it only mentions the last updated date of 2022 06 21, but there’s no change log.

Kvetch or kvell, it's all good, but be a mensch.

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.