~4 min (798 words)

Using Google Fonts in a GDPR compatible way

All the Google Fonts usage found when scanning a project's source code

Recently there was a court ruling in Germany making Google Fonts an issue with GDPR. I wrote a script to detect and replace its usage in a compliant way.

GDPR and Google Fonts

The General Data Protection Regulation, also known as GDPR, DSGVO (Datenschutzgrundverordnung - you gotta love German...) is a double-edged sword. On the one hand it brought more power to the users of web applications and pages, on the other hand, in many cases made life unnecessarily complicated for many small website or webapp operators.
You probably had your fair share with those infamous Cookie Banners. Not a cookie banner - but delicious cookies - yummy Ok, well, not the cookies I was talking about... Sorry, I have been a bit distracted. So... Yummy...

Anyway, where was I?

So it should be no surprise now, that a German court ruled against using Google Fonts at the beginning of 2022:

The unauthorized disclosure of the plaintiff's dynamic IP address by the defendant to Google constitutes a violation of the general right of personality in the form of the right to informational self-determination according to ยง 823 Para. 1 BGB

While this is definitely true, the implications the ruling might have in the future, in my opinion, are going too far.

I'm not a lawyer, so take this with a grain of salt, but:
As a user and provider of external resources you might face some serious issues if you think about it further. Like using a CDN, images and whatnot via 3rd party.

It's probably aimed more to be an issue for the bigger players here. Although, this is essentially how the web works nowadays. You load 3rd party resources all the time. While using 3rd party resources without checking can have security implications as well, many websites and apps use services like this, especially no-code tools.

I can already see the Cookie Banner becoming an even larger Consent Banner (which it sometimes already is) for all the services, essential or not.

That being said: I'm not inherently against GDPR. I think it brings a good set of features to get people more privacy aware and at the same time put some restrictions in place against companies like Facebook (well, Meta now) or Google. Although, those big companies seemed to be able to avoid most of the restrictions for quite some time because they had the power to force the users into consent. It seems to me this has changed at least a bit lately so that's a good thing. Also, as a web-developer you can now have GDPR compliance as a unique selling point. To the more privacy-savvy people at least.

So why replacing Google Fonts for GDPR now?

Recently some law firms in Germany started sending notices, again. Especially to real estate companies. I happen to have a customer like this, so I had to clean up the page before they were in trouble.

Which after some adjustments for their codebase lead me into creating a more elaborated script doing the job.

The Google Font replacement script

The replacement script is written in PHP and scanning PHP, CSS and JS files in default mode, while you can extend the filters via parameters.

The current features are:

Future Plans

Based on the code scanning heuristic and some additional logic I have plans to extend this tool into a GDPR compatibility scanner. I had this plans for about a year now in my head, and it might be a fun project. The idea is to scan the webpage for possible GDPR issues like using Google Fonts as well as providing an executable for scanning the code to uncover possibly hidden GDPR issues as well as providing a solution, i.e. by replacing the used fonts.

Image Attribution

The article image used at top of the article: Image by Mohamed Hassan from Pixabay The cookie image: Photo by Eiliv Aceron on Unsplash