We're still coming to terms with the ramifications of the EU's General Data Protection Regulation (GDPR). If you don't run a website, it's a lot less complicated. If you do... well, you might be surprised to learn it's not just the obvious things you have to worry about. Take something as simple as the fonts you use — if they're served via Google Fonts, you could be in breach.
The General Data Protection Regulation (GDPR) is a regulation of the European Parliament and the Council that protects the rights of individuals and gives them control over the personal data (PII) held by companies operating in the EU.
In March, an issue was raised on Google's "fonts" repository on GitHub asking whether using Google Fonts on a website was a potential breach of the new regulation:
I looked around at https://privacy.google.com/businesses/compliance/ but I don't see a mention of google web fonts. There are a few concerns being cited by several users on the web: (NOTE: All of these are concerns and NOT substantiated facts.)
- you may need to ask for consent from a visitor if Google is logging personal data
- you're sending personal data to a processor that is not in the EU
- Google as a processor might be performing profiling
I know what you're thinking: how could using fonts via Google's service possibly run afoul of GDPR? The fact of the matter is that, when the visitor's browser fetches the stylesheet from fonts.googleapis.com and the font files from fonts.gstatic.com, each request necessarily carries the visitor's IP address (along with the browser's User-Agent and, by default, a Referer header naming your page), and Google logs it and uses it for its usage analytics.
An IP address counts as personal data under the GDPR, and that alone is enough to worry web developers who just want to do the right thing.
The GitHub issue prompted a great deal of discussion — as expected — before Google's Dave Crossland, who works on the Fonts project, provided this update:
Google is working hard to prepare for the EU General Data Protection Regulation (GDPR), and is committed to helping our customers and partners succeed under the GDPR. Our existing Google Fonts FAQ provides information on how Google Fonts handles data about users.
Google Fonts acts as a "data controller" for any personal data that Google processes in connection with your use of Google Fonts web and Android APIs. For any personal data you process, we encourage you to familiarize yourself with the provisions of the GDPR, and check on your compliance plans.
Also, please note that Google LLC is certified under both the EU-U.S. and Swiss-U.S. Privacy Shield frameworks and our certifications can be viewed on the Privacy Shield list.
Going by this statement, Google, as the "data controller" for the personal data it processes when it serves fonts, carries the responsibility for making that processing compliant, rather than the websites that embed the fonts.
This distinction matters for compliance. Generally speaking, the GDPR treats the data controller as the principal party responsible for collecting consent, handling withdrawal of consent, enabling the right of access, and so on.
A data subject who wishes to withdraw consent for the processing of his or her personal data therefore contacts the data controller to initiate the request, even if the data lives on servers belonging to a data processor. The controller, on receiving the request, then instructs the processor to delete the data from its servers.
It is then up to Google, as controller, to vet any processors it uses, and those processors must themselves make every effort to comply:
...data controllers, i.e. customers of data processors, shall only choose processors that comply with the GDPR, or risk penalties themselves.
So, what's the answer? It's still a grey area, to be honest. Fortunately, if you're a web developer using Google Fonts and want to play it safe, you can simply serve the font files from your own domain. The fonts in the Google Fonts catalogue are released under open licences (mostly the SIL Open Font License), so self-hosting is permitted: download the font files once, declare them in your own @font-face rules, and remove every reference to fonts.googleapis.com and fonts.gstatic.com from your pages, including preconnect and dns-prefetch hints, because any leftover reference still makes the visitor's browser contact Google.
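The self-hosting step above, as an added example that is not part of the original article or of Google's tooling: the script takes the stylesheet that fonts.googleapis.com returns, rewrites each url() so it points at your own origin, and lists the files to download at build time; a second function audits a page or stylesheet for any remaining reference to Google's font hosts. The sample stylesheet, the sample HTML, the font file names and the /fonts prefix are all constructed for the example.

```python
import re
from typing import List, Tuple
from urllib.parse import urlparse

# Hosts the browser contacts when a page embeds Google Fonts: the stylesheet
# comes from fonts.googleapis.com, the font binaries from fonts.gstatic.com.
GOOGLE_FONT_HOSTS = ("fonts.googleapis.com", "fonts.gstatic.com")

# Constructed sample in the shape of the stylesheet fonts.googleapis.com
# returns (file names are made up; the real ones depend on font and browser).
SAMPLE_GOOGLE_CSS = """\
/* latin */
@font-face {
  font-family: 'Roboto';
  font-style: normal;
  font-weight: 400;
  src: url(https://fonts.gstatic.com/s/roboto/v20/KFOmCnqEu92Fr1Mu4mxK.woff2) format('woff2');
  unicode-range: U+0000-00FF;
}
/* latin */
@font-face {
  font-family: 'Roboto';
  font-style: normal;
  font-weight: 700;
  src: url(https://fonts.gstatic.com/s/roboto/v20/KFOlCnqEu92Fr1MmWUlfBBc4.woff2) format('woff2');
  unicode-range: U+0000-00FF;
}
"""

# Constructed sample page that still pulls fonts from Google.
SAMPLE_HTML = """\
<head>
  <link rel="preconnect" href="https://fonts.gstatic.com">
  <link href="https://fonts.googleapis.com/css?family=Roboto:400,700&display=swap" rel="stylesheet">
  <link href="/css/site.css" rel="stylesheet">
  <script src="https://cdn.example.com/app.js"></script>
</head>
"""

URL_IN_CSS_RE = re.compile(r"url\((['\"]?)(https?://[^)'\"]+)\1\)")
ANY_URL_RE = re.compile(r"https?://[^\s'\"()<>]+")


def localize_font_css(css: str, local_prefix: str = "/fonts") -> Tuple[str, List[Tuple[str, str]]]:
    """Rewrite url(...) references to Google's font hosts so they point at
    local_prefix on your own origin.

    Returns (rewritten_css, downloads); downloads is a list of
    (remote_url, local_path) pairs saying which files to fetch once, at
    build time, and where to store them. The remote path is kept under
    local_prefix so files from different fonts cannot collide."""
    downloads: List[Tuple[str, str]] = []

    def replace(match):
        remote = match.group(2)
        parsed = urlparse(remote)
        if parsed.hostname not in GOOGLE_FONT_HOSTS:
            return match.group(0)  # leave unrelated URLs alone
        local_path = local_prefix.rstrip("/") + parsed.path
        downloads.append((remote, local_path))
        return f"url({local_path})"

    return URL_IN_CSS_RE.sub(replace, css), downloads


def find_google_font_refs(text: str) -> List[str]:
    """Return every URL in a page or stylesheet that points at Google's font
    hosts, in order of appearance. Run this over the deployed HTML and CSS
    after self-hosting: a leftover <link> or preconnect hint still makes the
    browser open a connection to Google and hand over the visitor's IP."""
    return [m.group(0) for m in ANY_URL_RE.finditer(text)
            if urlparse(m.group(0)).hostname in GOOGLE_FONT_HOSTS]


if __name__ == "__main__":
    css, downloads = localize_font_css(SAMPLE_GOOGLE_CSS)
    for remote, local in downloads:
        print(f"fetch {remote} -> {local}")
    print(css)
    print("remaining Google Fonts references:", find_google_font_refs(SAMPLE_HTML))
```

Run the rewritten stylesheet through find_google_font_refs to confirm it comes back empty, then run the same check over the deployed HTML; the sample page above is flagged twice, once for the stylesheet link and once for the preconnect hint, which is exactly the kind of reference that survives a half-finished migration.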
GDPR compliance [GitHub]