Google Fonts and Google Analytics: Are They GDPR Compliant?

Let’s talk about Google Fonts and Google Analytics.

Today we’ll cover what these services are, how they work, and whether they can be used in compliance with privacy law.

Google Fonts

Google Fonts optimizes your website's performance while making it more beautiful at the same time. It also helps you avoid licensing problems, since the Google Fonts service is free to use. The most popular fonts in the Google Fonts library include Roboto, Open Sans, Lato, Oswald, Montserrat, and Source Sans Pro.

Google Fonts is a great way to bring personality and performance to your websites and products. But did you know that in order to send you the font, the Google server has to receive your IP address? You can't get the font unless the server knows where to send it.

The potential controversy here is that under the GDPR, specifically according to a decision by the European Court of Justice, IP addresses are considered personally identifiable information (PII). And although Google claims that its collection and storage of personal data is "limited", Google's servers still record users' personal data and may track users' behavior on your website.

In January 2022 the regional court in the German city of Munich declared that Google Fonts is not GDPR-compliant. To put this in simpler terms: if you load Google Fonts without asking for consent, you violate the GDPR. Cease and desist letters have already been sent out in bulk to many organizations.

So what are the solutions to avoid this kind of violation? The best option is to host Google Fonts locally. Hosting locally means saving all the files for your Google Fonts on your own server instead of having your visitors' browsers load them from Google's servers. This eliminates the transfer of personal data from your users to Google's servers, which means that you won't violate the GDPR.

Here's how to host Google Fonts locally:

  1. Download Google Fonts to your server.
  2. Generate a stylesheet for your Google Fonts.
  3. Disable Google Fonts.
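The three steps above (and the "find out if you are using Google Fonts and Google Analytics" check at the end of this article) as an added example; this is not code from the article or from any tool it mentions. It scans a constructed HTML page for tags that load from Google's font and analytics hosts, reads the requested families out of the fonts.googleapis.com URL, emits the @font-face stylesheet for the locally downloaded files (assuming they were saved as `<Family>-Regular.woff2` under `/fonts`), and rewrites the HTML so no request reaches Google's font servers:

```python
import re
from urllib.parse import unquote, urlparse

# Any request to these hosts carries the visitor's IP address to Google.
FONT_HOSTS = {"fonts.googleapis.com", "fonts.gstatic.com"}
ANALYTICS_HOSTS = {"www.google-analytics.com", "www.googletagmanager.com"}
# <link ... href="..."> and <script ... src="..."> tags; the URL is group 1.
TAG_RE = re.compile(r'<(?:link|script)\b[^>]*?(?:href|src)=["\']([^"\']+)["\'][^>]*>', re.I)

# Constructed sample page (not from the article) that loads both services.
SAMPLE = """<head>
<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Roboto:wght@400;700&family=Open+Sans&display=swap">
<script async src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
</head>"""

def audit(html):
    """Return (font_urls, analytics_urls) the page would request from Google."""
    fonts, analytics = [], []
    for url in TAG_RE.findall(html):
        host = urlparse(url).hostname or ""
        if host in FONT_HOSTS:
            fonts.append(url)
        elif host in ANALYTICS_HOSTS:
            analytics.append(url)
    return fonts, analytics

def families(css_url):
    """Family names in a fonts.googleapis.com URL (family=Roboto:wght@400;700)."""
    parts = urlparse(css_url).query.split("&")
    return [unquote(p[7:]).split(":")[0].replace("+", " ")
            for p in parts if p.startswith("family=")]

def local_stylesheet(names, font_dir="/fonts"):
    """@font-face rules for the downloaded files; assumes each family was
    saved as <Family>-Regular.woff2 under font_dir on our own server."""
    tmpl = '@font-face { font-family: "%s"; src: url("%s/%s-Regular.woff2") format("woff2"); font-display: swap; }'
    return "\n".join(tmpl % (n, font_dir, n.replace(" ", "")) for n in names)

def disable_google_fonts(html, local_css="/fonts/fonts.css"):
    """Swap the first Google Fonts tag for a link to local_css and drop the
    rest (preconnect hints included) so no request reaches Google's font hosts."""
    seen = []
    def swap(m):
        if (urlparse(m.group(1)).hostname or "") not in FONT_HOSTS:
            return m.group(0)
        seen.append(m.group(1))
        return f'<link rel="stylesheet" href="{local_css}">' if len(seen) == 1 else ""
    return TAG_RE.sub(swap, html)
```

Run `audit()` over your real pages to list what still loads from Google; anything left in the analytics list needs consent rather than self-hosting.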

There are also other ways to be GDPR compliant, such as using the OMGF WordPress plugin (which disables and removes Google Fonts from your website and automatically hosts and loads them locally), using the WordPress default fonts, or getting user consent.

If you want your site to load Google Fonts directly from Google's servers, you must request and obtain user consent to use their personal data. But as long as you're careful and take the necessary steps to be GDPR compliant, you don't have to stop using Google Fonts.

Google Analytics

Google Analytics is Google's most powerful and popular traffic tool. It gives you deep, real-time insights into how your website is being used, how much, and by whom. It works through JavaScript tags that run in your website's source code, and these tags set cookies in your users' browsers.

These cookies harvest personal and sometimes sensitive data, which makes Google Analytics a completely different story from Google Fonts. Using Google Analytics is not GDPR compliant by default: it always requires consent from the end user. So how does one stay compliant with this service?

Let's elaborate on the three steps to becoming GDPR compliant with Google Analytics:

  1. You must ask for and obtain valid user consent. It must be freely given, easily withdrawn, and securely stored as legal evidence.
  2. You must have an exhaustive privacy and cookie policy. Make sure that all data processing is clearly stated in your privacy policy, including the reasons for which you collect data, what data you collect, and whom the data is shared with.
  3. It's a good idea to turn on the IP anonymization feature in Google Analytics as well. This slightly reduces the geographic reporting accuracy of your Google Analytics account, but it lets Google anonymize the IP address: according to Google, once the feature is enabled, the IP address is not written to disk.

Overall, Google Fonts and Google Analytics are great tools that help businesses improve their website design and track customer behavior.

However, since these services do collect, store, and may process personal user data, it is crucial to inform users and obtain their consent to use their private data in order to be GDPR compliant (or, at the very least, to self-host Google Fonts on your own servers).

We know the GDPR is complicated, so we hope this article was helpful. We look forward to sharing more tips on how you can stay compliant and avoid hefty GDPR fines and lawsuits in the future.

Find out if you are using Google Fonts and Google Analytics in compliance with privacy law with Ubiscore.