GDPR compliance

[asadkn]

Notice: Official Statement by Google Fonts made April 17, 2018

Google is working hard to prepare for the EU General Data Protection Regulation (GDPR), and is committed to helping our customers and partners succeed under the GDPR. Our existing Google Fonts FAQ provides information on how Google Fonts handles data about users.

Google Fonts acts as a "data controller" for any personal data that Google processes in connection with your use of Google Fonts web and Android APIs. For any personal data you process, we encourage you to familiarize yourself with the provisions of the GDPR, and check on your compliance plans.

Also, please note that Google LLC is certified under both the EU-U.S. and Swiss-U.S. Privacy Shield frameworks and our certifications can be viewed on the Privacy Shield list.

End Of Notice. Original question by @asadkn follows

---

There's a lot of misinformation being spread around the EU GDPR compliance when using Google Fonts. It would be great to start this discussions here to get an official response.

I looked around at https://privacy.google.com/businesses/compliance/ but I don't see a mention of google web fonts. There are a few concerns being cited by several users on the web: (NOTE: All of these are concerns and NOT substantiated facts.)

• you may need to ask for a consent from a visitor if Google is logging personal data
• you're sending personal data to the processor who's not in the EU
• Google as a processor might be performing profiling

My knowledge of GDPR law is limited and I haven't personally evaluated the concerns thrown around. However, we definitely need to address it before the rumors get out of hand.

IMPORTANT Please refrain from adding opinions that may further add to the already spread misinformation. If you do, please mention they aren't facts. I started this topic mainly to get facts from people qualified with enough knowledge of GDPR law (preferably lawyers or in contact with lawyers). 👍are welcome.

[aristath]

This is also a huge concern for us... We'd definitely be interested to know how google-fonts is planning to comply.
What kind of data is currently collected & stored?
What are the plans to make the service GDPR-compliant?
Surely asking for user-consent before rendering the fonts is not a viable solution, nor is downloading the fonts locally to then embed on a site using other methods.

[maximus80]

The main issue seems to be, that a direct connection between a Google Inc. server and the client (browser of a website visitor) is established, which means the user's IP address is sent to Google. This obviously happens on page load, which means there is no time for the user to explicitly consent with it before the page loads.
Does this have to be considered a privacy issue with regards to the new GDPR?
If so, any integration of Google fonts directly via Google would render websites pretty hard to use and ugly on first load.
Any insight on this, is highly appreciated.

[davelab6]

Please be reassured that the Google Fonts team is working on GDPR compliance.

I can also point out an older FAQ entry, https://developers.google.com/fonts/faq#what_does_using_the_google_fonts_api_mean_for_the_privacy_of_my_users

[maximus80]

Thanks for the reply @davelab6!
I've seen the FAQ entry, unfortunately it doesn't really provide a full answer to the main questions above.
From your reply I take that the team is still working on GDPR compliance, so that the details are not fully hashed out. Once they are, it would be awesome if you could let us know here, so that we can implement needed adjustments on our part.
Thanks!

[dontcallmemark]

I'm currently investigating this for our company. I've found this (the section on international data transfers near the bottom) which suggests full compliance to me. Is that not the case?

https://privacy.google.com/businesses/compliance/#?modal_active=none

[aristath]

@limegreenmatt all it says there is that data transfers are secure. However it still doesn't say what kind of data is collected... For example collecting and processing the user's IP without the user's consent is against the GDPR. If the user does not consent then it doesn't matter how the data is collected/processed/transferred, it's still against the law.
Plus, that page is for businesses so I'm not even sure it even applies to google-fonts. There's just not enough info anywhere about what happens.

[asadkn]

Technically speaking, logging of IP address is allowed for lawful basis without consent (note consent is only one of the lawful basis). But this is best left to Google lawyers if there's a "lawful basis" on how they're processing this data but I am guessing it will be point f.

In Recital 49 for Article 6, Point [f]:

“The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems, […] by providers of electronic communications networks and services and by providers of security technologies and services, constitutes a legitimate interest of the data controller concerned. This could, for example, include preventing unauthorised access to electronic communications networks and malicious code distribution and stopping ‘denial of service’ attacks and damage to computer and electronic communication systems.”

This is what we need from Google. We need them to tell us they're using the data they log in a lawful basis - we need to know how they're using the data they log. Google's general privacy policy isn't enough in this case as it isn't specific to Google fonts.

[aristath]

@asadkn I agree 100% with that... though lawful basis in the context of that excerpt basically means things like logging the IP address in an access log for a limited period of time in order to prevent and diagnose attacks, or as part of an authorization to enter my account.
However in the context of google fonts, the accumulation of IPs which are then processed for statistical purposes can only be considered legal if the IPs are partially anonymized.
If the IPs are not anonymized (usually by replacing their last part with a 0 digit) then there is no legal basis for collecting them.

[dontcallmemark]

@davelab6 can you give us any kind of timeline as to when we can expect an update and/or resolution of this? As we provide our customers with access to Google Fonts as part of our WordPress themes, it's important for us to understand whether our customers are going to be impacted by this, and if we need to take any remedial action. Appreciate any insight you can give.

[daemkl]

any updates yet?

[zartgesotten]

Also waiting for info on this. I don't want to self-host fonts for about 70 sites I'm managing.... PLEASE, Google, help us poor Europeans!!!

[fritzmg]

@clickwork-git those FAQ do not mention the GDPR at all. It does mention something about tracking though:

Google Fonts logs records of the CSS and the font file requests, and access to this data is kept secure. Aggregate usage numbers track how popular font families are, and are published on our analytics page. We use data from Google’s web crawler to detect which websites use Google fonts. This data is published and accessible in the Google Fonts BigQuery database. To learn more about the information Google collects and how it is used and secured, see Google's Privacy Policy.