GDPR concerns with Google Fonts

[LukeMoll]

Using the Google Fonts API¹ seems to log IP addresses of visitors to sites using it²³. Using Google Fonts in this way does not fall under Legitimate Interest⁴.

Without LI, and without a good mechanism for visitors to opt-in before fonts are fetched, the logical course to comply with GDPR would be to remove use of the Fonts API. While the likelihood of HackSoc facing any legal action through GDPR is slim to none, complying is often in the interest of our visitors' privacy.

The Google Fonts service also offers downloads of fonts for developers to host on their own servers; hosting fonts in this way would remove any data privacy concerns.

Moving from Google's infrastructure to our own does come with risks: without a powerful CDN, and since fonts could only be cached by visits to HackSoc sites⁴ (and not by other sites using the same Google Fonts), site load times could increase. When implementing this move, care should be given to performance on slow connections, and different font-loading behaviours (ie using a local font rather than not displaying text until the font has loaded).

Additionally, if the downloaded fonts are added to the repository (as is the case with one font already), we should make sure this is compliant with their licenses, and put the licences alongside the font files in the repo.

Footnotes

1. https://developers.google.com/fonts/docs/getting_started ↩

2. https://github.com/google/fonts/issues/1495 ↩

3. https://www.brycewray.com/posts/2020/08/google-fonts-privacy/#issue-%231495 ↩

4. https://twitter.com/FascinatingTech/status/1487342734906171393?t=JI18f01KhUNw4OJDooY5fA&s=19 ↩ ↩²

[LukeMoll]

The server pages also use Google Fonts, and so if fonts are re-hosted, CORS headers will need to be set to prevent #181 from being exacerbated.

[LukeMoll]

BunnyCDN offers BunnyFonts as a free, drop-in Google Fonts replacement with an emphasis on GDPR compliance.