A few days ago the WordPress.org theme team announced that they are considering requiring WordPress themes to stop loading fonts from Google’s CDN and to ship them with the theme files instead.
Why can’t I use Google Fonts now?
This is because, as has been known for some time without anyone acting on it, loading Google Fonts from Google’s servers does not respect visitors’ privacy rights under the GDPR.
Google Fonts does not set cookies, but when the browser fetches the stylesheet and font files from fonts.googleapis.com and fonts.gstatic.com, Google necessarily receives end-user data such as the visitor’s IP address, which it logs and may use for statistical purposes.
Beyond that, it is at least possible in principle for Google to track the visitor through the browser’s fingerprint (user agent, referrer, the fonts requested) and cross-reference it with other Google services the same person uses.
But until now no decision had been taken about this within the WordPress community. Why? Something as human and basic as nobody covering the well until a child falls in.
What happened? A user reported in the forums a few days ago that he had been fined for building a website for a friend with a default WordPress theme that, like almost all themes, loads its fonts from the Google CDN.
And now, yes, we have to take action…
Google Fonts do not comply with the GDPR
Yes, it was known, but nothing was done until a German court (the Regional Court of Munich, Landgericht München I, in a decision dated 20 January 2022 and widely reported in the weeks that followed) ruled that a website loading Google Fonts remotely from Google’s servers was in breach of the GDPR.
The court ruled that serving Google Fonts this way violates the GDPR because the resulting transfer of the visitor’s IP address to Google is not covered by any of the legal bases on which personal data may be processed.
The GDPR prohibits the collection and use of personal data (such as the IP address collected by Google Fonts) unless a lawful basis applies. The following lawful bases may be used to process personal data under the GDPR:
- The individual has consented to the use of his or her personal data.
- The processing of personal data is necessary for the performance of a contract or to take steps at the request of the individual prior to entering into a contract.
- The processing is necessary for compliance with a legal obligation.
- The processing is necessary to protect the vital interests of the individual or another person.
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the company.
- The processing is necessary for the purposes of legitimate interests pursued by the company or a third party.
And I think you will agree with me that none of these grounds applies to loading fonts from Google on a website, which is done for purely aesthetic reasons, right?
From the court’s decision it appears that the site operator relied on legitimate interests as the basis for processing visitors’ IP addresses when serving Google Fonts.
The court concluded that the operator had no legitimate interest in processing this data, because the same fonts can be used without connecting to a Google server at all, and therefore without disclosing any IP address. The decision does not adequately address whether loading Google Fonts remotely would still violate the GDPR if the visitor had consented to it. It does establish, however, that the visitor cannot be expected to mask his or her own IP address (with a VPN, for example) and that the remote use of Google Fonts violates the GDPR.
Can I no longer use Google Fonts?
If you have read all of the above, there are two clear conclusions:
- Using Google Fonts remotely from Google’s servers breaches the GDPR – it is not legal to use them this way.
- Using Google Fonts hosted on your own server complies with the GDPR, since the only problem with these fonts is the data Google collects when they are served from its CDN – it is legal to use them this way.
So there are several possible solutions:
- Change your privacy policy and GDPR notice so that your visitors consent to Google collecting their IP addresses for who knows what purpose. Bear in mind that consent only counts if it is given before the data is sent, so the theme would have to hold back the font requests until the visitor opts in, which a stock theme does not do.
- Host the Google fonts you need locally (their open-source licences allow it), so the browser never has to connect to Google’s servers to display them. Remember to remove any preconnect or dns-prefetch hints pointing at fonts.googleapis.com or fonts.gstatic.com as well, since those open a connection to Google on their own.
- Use a theme that does not load Google fonts remotely but ships them locally.
My theme serves fonts from Google CDN, what do I do?
As long as the WordPress.org theme team has not issued firm guidelines, themes that load Google Fonts remotely can still be submitted and installed, so on that side there is still no guarantee.
However, the rule may not take long to arrive, so in the meantime it is a good idea to host your Google Fonts locally, either by hand (the font files are easy to download) or with a plugin.
It would also be wise, if you use a premium theme that is not on WordPress.org, to contact the company or developer, so that they can tell you what they are going to do to comply with the GDPR in this regard.
If you use the Astra theme, for example, you can easily disable Google fonts, or host them locally with a single click, so you would already be GDPR compliant while still using your favorite Google fonts.
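Before hosting fonts locally, it helps to know exactly what your pages request from Google, because the references hide in several places: stylesheet links, preconnect hints, @import rules and @font-face src URLs. The following Python script is an added example, not code from the original post, from WordPress or from any theme: it scans HTML and CSS for references to fonts.googleapis.com and fonts.gstatic.com (including preconnect hints, which open a connection to Google before any font is fetched) and lists the families each stylesheet URL requests, so you know which fonts to download. The sample markup and stylesheet are constructed; the theme path /wp-content/themes/mytheme/ and the gstatic file path are placeholders.

```python
"""Audit HTML and CSS for fonts loaded from Google's CDN.

Added example; not code from the original post or from WordPress.
Finds references to fonts.googleapis.com / fonts.gstatic.com (stylesheet
links, preconnect hints, @import rules, @font-face src urls) and lists the
font families each stylesheet URL requests.
"""
import html
import re
from urllib.parse import parse_qs, urlsplit

# Hosts that receive the visitor's IP address when a font is loaded remotely.
GOOGLE_FONT_HOSTS = {"fonts.googleapis.com", "fonts.gstatic.com"}

# URLs in href="...", url(...), or @import "..." (covers HTML and CSS).
URL_RE = re.compile(
    r"""(?:href\s*=\s*["']|url\(\s*["']?|@import\s+["'])([^"')\s]+)""",
    re.IGNORECASE,
)


def find_remote_font_refs(text):
    """Return every URL in `text` that points at a Google Fonts host.

    Preconnect/dns-prefetch hints are included on purpose: they open a
    connection to Google before any font is requested, so they leak the
    IP address too. Local paths (no host) are never reported.
    """
    refs = []
    for match in URL_RE.finditer(html.unescape(text)):  # decode &amp; etc.
        url = match.group(1)
        if url.startswith("//"):  # protocol-relative URL
            url = "https:" + url
        host = urlsplit(url).hostname
        if host and host.lower() in GOOGLE_FONT_HOSTS:
            refs.append(url)
    return refs


def requested_families(url):
    """Font families requested by a fonts.googleapis.com stylesheet URL.

    Handles both the css (family=Lato:400,700|Merriweather) and the
    css2 (family=Roboto:wght@400;700&family=Open+Sans) query formats.
    A bare host URL (a preconnect hint) yields an empty list.
    """
    families = []
    for spec in parse_qs(urlsplit(url).query).get("family", []):
        for family in spec.split("|"):
            families.append(family.split(":")[0].replace("+", " ").strip())
    return families


def audit(text):
    """Map each remote Google Fonts URL found in `text` to its families."""
    return {url: requested_families(url) for url in find_remote_font_refs(text)}


# Constructed sample input: a typical theme <head> plus a stylesheet.
# The theme path and the gstatic file path are placeholders.
SAMPLE_HTML = """
<head>
<link rel="preconnect" href="https://fonts.googleapis.com">
<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Roboto:wght@400;700&amp;family=Open+Sans&amp;display=swap">
<link rel="stylesheet" href="/wp-content/themes/mytheme/style.css">
</head>
"""

SAMPLE_CSS = """
@import url('https://fonts.googleapis.com/css?family=Lato:400,700|Merriweather');
@font-face { font-family: "Inter";
  src: url("/wp-content/themes/mytheme/fonts/inter.woff2") format("woff2"); }
@font-face { font-family: "Roboto";
  src: url(https://fonts.gstatic.com/s/roboto/example.woff2) format("woff2"); }
"""

if __name__ == "__main__":
    for url, families in audit(SAMPLE_HTML + SAMPLE_CSS).items():
        print(url, "->", families or "(connection only, no families)")
```

Run it against a saved copy of a page (for example the output of curl on your home page) and against your theme’s CSS files. Every URL it reports has to go: download the listed families, serve them from your own theme with @font-face rules, and delete the preconnect lines, which the script flags with an empty family list.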
What about the default WordPress themes?
The WordPress theme development team is already on it, following the approach of the latest default theme, Twenty Twenty-Two, which bundles its fonts with the theme and registers them through the WordPress Webfonts API instead of fetching them from Google.