Google Fonts & GDPR: How to Embed Google Fonts Locally
Time and again, many website operators from Europe receive warning letters for violations of the GDPR. It is about the use of “Google Fonts”, a service provided by Google that can be used to embed a large selection of fonts on websites for free. Millions of websites around the world use Google Fonts without knowing about the consequences in terms of data protection.
The reason for the warning is the unauthorized transfer of IP addresses of individual users to the USA. When loading the fonts, the user’s device establishes a connection to Google servers and thus transmits its own IP address. Since the USA is considered an unsafe third country according to the GDPR and IP addresses are considered personal data, the transfer is not permitted without the explicit consent of the user.
In early 2022, the Munich District Court awarded plaintiffs damages based on the use of Google Fonts without consent. In many cases, the warning letters are based on this ruling. However, whether the wave of warning letters based on this judgment is justified and the demands should be yielded to is disputed. What is clear, however, is that action should be taken on the technical side.
Checking your own website
To check whether your own website is affected, you can search for “fonts.googleapis.com” and “fonts.gstatic.com” in the source code. The source code of a web page can be viewed by “right-clicking – view page source code” or by pressing the key combination “Ctrl + U”. If either of these domains appears in the source code, there is a good chance that fonts from Google Fonts are used on the website. Alternatively, free services such as Google Fonts Checker can tell you directly whether a particular website is affected. In the event that Google Fonts are used, you should immediately block the relevant embeddings and embed Google Fonts locally.
Even if a warning has already been received, it is important to check in each case whether the accusation is justified. Given the apparently very large number of warning letters sent out, it cannot be ruled out that automated software such as so-called crawlers were used to detect potential violations.
Alternatives to Google Fonts
The easiest way to avoid the use of Google Fonts on your own website is to integrate the font locally. In this case, no connection to external servers is established and thus the user’s IP address is not transmitted.
To achieve this, the font can simply be downloaded from the Google Fonts website and then made available directly on your own web server. The fonts can now be loaded as usual via a <link> tag in the head area of the web page. All you have to do is replace the fonts.googleapis.com URL with the URL of the font on your own web server. If you use a content management system (CMS), it is recommended to research a Google Fonts Blocker plugin. For WordPress, an example includes the free plugin Borlabs Font Blocker.
Google Fonts and reCAPTCHA
Even if Google Fonts has not been directly integrated on the website, the fonts are still loaded by certain Google integrations from Google servers. Thus, when reCAPTCHA is used, fonts from Google Fonts are also loaded. reCAPTCHA is a solution from Google, which is used by website operators to combat spam attacks, bots and the like.
So if reCAPTCHA is used on a website, it also conflicts with the GDPR in the absence of explicit consent from the user. Aside from the embedding of Google Fonts by reCAPTCHA, its use is also difficult to justify from the perspective of the GDPR.
To be on the safe side in this context, the use of both Google Fonts and Google reCAPTCHA should therefore be avoided.
Alternatives to reCAPTCHA
A GDPR-compliant alternative to reCAPTCHA is Friendly Captcha. Friendly Captcha is focused on user privacy and does not collect any personal data beyond the functionality provided. It is developed by a team of developers in the EU and can run on servers of European providers within the EU. This means that no data has to be transferred to third countries.
Friendly Captcha is also a user-friendly solution to fend off spam, mass attacks and bots. Users do not have to solve a puzzle manually in any case. Verification takes place fully automatically in the background and is based on cryptographic puzzles solved by the browser. Thus, the intervention for the user is minimal and the captcha is accessible for all types of users.