GDPR compliance #1495
Comments
This is also a huge concern for us... We'd definitely be interested to know how google-fonts is planning to comply. |
The main issue seems to be that a direct connection between a Google Inc. server and the client (browser of a website visitor) is established, which means the user's IP address is sent to Google. This obviously happens on page load, which means there is no time for the user to explicitly consent to it before the page loads. |
Please be reassured that the Google Fonts team is working on GDPR compliance. I can also point out an older FAQ entry, https://developers.google.com/fonts/faq#what_does_using_the_google_fonts_api_mean_for_the_privacy_of_my_users |
Thanks for the reply @davelab6! |
I'm currently investigating this for our company. I've found this (the section on international data transfers near the bottom) which suggests full compliance to me. Is that not the case? https://privacy.google.com/businesses/compliance/#?modal_active=none |
@limegreenmatt all it says there is that data transfers are secure. However it still doesn't say what kind of data is collected... For example collecting and processing the user's IP without the user's consent is against the GDPR. If the user does not consent then it doesn't matter how the data is collected/processed/transferred, it's still against the law. |
Technically speaking, logging of IP address is allowed for lawful basis without consent (note consent is only one of the lawful bases). But this is best left to Google lawyers if there's a "lawful basis" on how they're processing this data but I am guessing it will be point f. In Recital 49 for Article 6, Point [f]:
This is what we need from Google. We need them to tell us they're using the data they log on a lawful basis - we need to know how they're using the data they log. Google's general privacy policy isn't enough in this case as it isn't specific to Google Fonts. |
@asadkn I agree 100% with that... though lawful basis in the context of that excerpt basically means things like logging the IP address in an access log for a limited period of time in order to prevent and diagnose attacks, or as part of an authorization to enter my account. |
@davelab6 can you give us any kind of timeline as to when we can expect an update and/or resolution of this? As we provide our customers with access to Google Fonts as part of our WordPress themes, it's important for us to understand whether our customers are going to be impacted by this, and if we need to take any remedial action. Appreciate any insight you can give. |
any updates yet? |
Also waiting for info on this. I don't want to self-host fonts for about 70 sites I'm managing.... PLEASE, Google, help us poor Europeans!!! |
@clickwork-git those FAQ do not mention the GDPR at all. It does mention something about tracking though:
|
@clickwork-git according to numerous court decisions in the EU, an IP is considered identifiable user-data and should not be collected without the user's consent.
No matter how secure the storage of such data is, the point of the law is that no data should be collected without the user's explicit consent. Data collecting is no longer opt-out, it's opt-in. So if the IPs collected by Google are not partially anonymized for example by replacing the last part of the IP with a |
IMHO, we should refrain from issuing this statement - there's enough FUD over the internet already. This statement is only partially true as I referred earlier to the other lawful basis. It gives the impression to novices that there won't be any basis of compliance at all, creating further panic. And since none of us are lawyers here, it'd be best to not discuss it anyways. All we know is we need an official reply from Google. I agree with the urgency here. There are only 2 months left before this goes into effect. The least we need is an assurance there will be GDPR compliance. To re-iterate, Google hasn't specified their privacy policy for Google Fonts on how they're using the data they log or if there's a lawful basis for it. We need this moving forward. Frankly, it doesn't really matter to us what legal basis their lawyers come up with, as long as they confirm GDPR compliance. |
The FAQs do state
While that does leave a lot of room for speculation it does suggest compliance since it states that no data is recorded that is not needed for delivering the font (and I wouldn't see a reason for the IP being recorded to deliver the font..) |
The problem is, you have to be very certain about this, so speculation or the assumption of something doesn't really help here. As the fines are high, and statements like "I assumed our customers have their privacy ensured" won't be a viable excuse. That is where I see the biggest problem. Explicit and dedicated information is needed here. |
I have a basic WordPress website where the font is loaded this way:
By doing so, I'm communicating to Google the IP of the user. What if I substitute this direct call with a call done using PHP+curl (or other APIs to get data from a server) from the website server? This way Google would only get the IP of my server, not the users'. Something like this:
From |
Host the fonts locally, and the problem is gone. |
Not practical if what you're building is a WordPress theme for example - in which case users on their sites use whatever font they wish |
@psinger You lose the benefits of the CDN (mainly performance), but of course another option is storing fonts locally (this is ok for the fonts, but not every single resource a website can link, anyway) |
I agree, it's certainly not as convenient, but it is an option. If you develop a WordPress theme, just add an option to disable google fonts for the user of the theme. I am actually struggling currently with disabling google fonts in several WordPress themes / plugins, mostly it is not even possible. |
Well, the main purpose of Google fonts is that they actually get used on websites. So, it is in the best interest of Google to do everything to make sure it will be possible in the future. Disabling them on a site or in a theme, or adding them locally, is only a workaround, which might be ok for a single site, but not for WP themes with a larger user base. And it kinda also defeats the purpose of what Google offers. |
Maybe we're going a little bit OT:
|
@clickwork-git what an insightful post, thank you for sharing. It is much appreciated. |
Here's an official statement: Google is working hard to prepare for the EU General Data Protection Regulation (GDPR), and is committed to helping our customers and partners succeed under the GDPR. Our existing Google Fonts FAQ provides information on how Google Fonts handles data about users. |
@davelab6 we appreciate you taking the time to respond. However, please try to understand how this whole situation appears to everyone who doesn't work at Google, doesn't have any knowledge of how the company operates or what is going on behind a veil of complete silence.
From our point of view it doesn't seem that Google is doing anything. There is no official announcement, no update, nothing. GDPR goes in effect in 37 days, which leaves 28 work days for all companies to implement whatever needs to be implemented.
The problem we have is that no, there is not enough info on the FAQ page. If there was enough info on that page nobody would be asking for more info.
What that page is not telling us and is of concern for GDPR is this:
Without specific information we can't know if we need to ask for user consent, download the fonts server-side and not use the Google CDN, or just ignore everything and assume it's going to be alright. Which of course can't happen... we can't just assume that Google will be compliant in time. I am sorry if this whole discussion seems a bit like over-reacting... We all have better things to do than post in this repository asking for info and discussing. But we've all come to depend on Google Fonts one way or the other and we don't have a lot of time left to do what needs to be done. |
Does anyone know if there have been any meaningful updates since end of 2018 in regards to this issue? |
Nope, nothing meaningful. |
Nobody is forced to stop using it. You can declare the use in the privacy policy as the use of other tools. There is still no legal case. And the question is rather if the GDPR is meaningful. Two years and still collecting of data as ever. |
Informing users is not the same as allowing users to choose if they want to or not. Informing them without asking permission is not OK. So yes, we are forced to stop using because we cannot - in good conscience - allow any company to collect our users' data without their explicit consent.
That's only because as an individual none of us has the resources to go against a giant.
That's only because some developers keep using services that violate their users' trust. The GDPR is 100% meaningful... IF you actually follow it. Otherwise you just have users like me who blacklist gfonts, analytics and others browser-side |
Using a lack of enforcement (of the law) as an argument to question the relevance of that law seems to be quite a questionable way of framing the issue. Especially when considering that, according to the separation of powers (which is still supposed to be a very central principle of democratic countries), the people writing the laws and the people doing the enforcement are supposed to be entirely different groups. Traffic code is mostly not enforced in my city. Does that mean it’s OK for someone to pretend these rules do not exist, and then start to explicitly threaten or injure pedestrians/cyclists/motorcyclists with his shiny new car? I don’t think so. I think @aristath is right. As long as you cannot ensure a service respects both the law and the trust of people, the best (and safest) thing to do is not to use it at all. |
Yes, @aristath's point on consent is very valid with any service collecting user information. Simply listing the tool doesn't suffice unless you have a site consent mechanism which takes the user through that policy to get their consent for sharing their data with that service. Aside from abandoning the service, which is simplest, I've seen developers host the fonts locally to ensure there's no data sharing via the CDN or have a fallback webfont loaded that's replaced with gfont upon user consent via their consent mechanism (often a cookie popup). |
I was wondering about this when I read through this thread. By fallback font would you just use one of the standard "every computer has them" fonts like Arial or Helvetica, and then load the gfont if the user gives consent? Because it seemed redundant to serve a local copy of the gfont only to replace it with the CDN version afterwards. Might as well just serve locally then. |
Yes exactly, you would use a web safe font that's similar enough to your gfont that upon consent the change isn't overly drastic. |
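The fallback-until-consent approach described in the comments above, as an added example that is not code posted in this thread: no request goes to the Google Fonts API until the visitor has opted in, and the stylesheet is removed again if consent is withdrawn. The storage key, element id and function names are assumptions; the site's own CSS is assumed to declare a web-safe fallback (for instance `font-family: "Open Sans", Arial, sans-serif`), and the page is assumed to contain no other reference to the font hosts, including `preconnect` hints, which also open a connection.

```javascript
// Added example, not from the thread. All identifiers below are hypothetical.
const CONSENT_KEY = "gfonts-consent";   // assumed storage key
const LINK_ID = "gfonts-stylesheet";    // assumed id of the injected <link>
const CSS_API = "https://fonts.googleapis.com/css2";

// Constructed sample configuration for the site.
const SITE_FONTS = [{ name: "Open Sans", weights: [700, 400] }];

// Build a css2 API URL such as ...?family=Open+Sans:wght@400;700&display=swap
function fontCssUrl(families) {
  const parts = families.map(({ name, weights = [] }) => {
    const family = encodeURIComponent(name).replace(/%20/g, "+");
    // The css2 API expects weight values in ascending order, without duplicates.
    const sorted = [...new Set(weights)].sort((a, b) => a - b);
    return "family=" + family + (sorted.length ? ":wght@" + sorted.join(";") : "");
  });
  return CSS_API + "?" + parts.join("&") + "&display=swap";
}

// Fail closed: missing or blocked storage counts as "no consent".
function hasConsent(storage) {
  try {
    return storage.getItem(CONSENT_KEY) === "granted";
  } catch (_) {
    return false;
  }
}

// Idempotent. Adds the stylesheet <link> only when consent is recorded and
// removes it otherwise. Returns true if the stylesheet is present afterwards.
function applyFontConsent(doc, storage, families) {
  const existing = doc.getElementById(LINK_ID);
  if (!hasConsent(storage)) {
    if (existing) existing.remove();
    return false;
  }
  if (!existing) {
    const link = doc.createElement("link");
    link.id = LINK_ID;
    link.rel = "stylesheet";
    link.href = fontCssUrl(families);
    doc.head.appendChild(link);
  }
  return true;
}

// To be called from the consent banner's accept / decline handlers.
function setFontConsent(doc, storage, families, granted) {
  try {
    if (granted) storage.setItem(CONSENT_KEY, "granted");
    else storage.removeItem(CONSENT_KEY);
  } catch (_) {
    // The choice could not be recorded, so applyFontConsent keeps fonts off.
  }
  return applyFontConsent(doc, storage, families);
}

// Browser wiring: on page load, act only on a previously recorded choice.
if (typeof document !== "undefined") {
  let storage = null;
  try { storage = window.localStorage; } catch (_) { /* access blocked */ }
  applyFontConsent(document, storage, SITE_FONTS);
}
```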
Amazed there have been no updates on this EU GDPR compliance issue of Google Fonts since this thread started in March 2018. Partly anonymizing ip addresses and indicating in a statement or FAQ, including storage duration and what else is gathered that does not violate privacy, would solve the issue and should not be that big of a deal you would think. Using a fallback font to show until consent is given spoils the whole looks of a website for which a specific Google Font or fonts were chosen. Better then to work with Google Fonts locally using Font Source or Google Web Font Helper. |
The CDN must not be used; it must be used locally. The use of the CDN puts you in violation of the GDPR. On July 16, 2020, the EU Court of Justice (CJEU) ruled that protections provided by the EU-US Privacy Shield were invalid and that US law cannot adequately ensure protection of personal data of those in the European Economic Area (EEA). Prior to this decision, the EU-US Privacy Shield was likely the most commonly used mechanism for US companies to lawfully receive, process, store and transfer personal information of people in the EEA. The ruling was largely based on the finding that the US government does not limit surveillance of foreigners to that which is strictly necessary, and that US laws lack appropriate remedies for those in the EEA. |
I respectfully disagree. The EU-US Privacy Shield governed the transfer of PII from Europe to the US. When using Google Fonts via the API, no PII is being transferred. “Use of Google Fonts is unauthenticated. No cookies are sent by website visitors to the Google Fonts API. Requests to the Google Fonts API are made to resource-specific domains, such as fonts.googleapis.com or fonts.gstatic.com” (Source: https://developers.google.com/fonts/faq?hl=en). |
Before 16/07/2020, when the visitor of, for example fonts.com, has not yet cached the required fonts to display the page correctly a request to Google’s server will be made to acquire the correct assets and files to store in the browser and load the Google Fonts required. And this is where it gets tricky; does the API request send anything that relates to personal data, according to the GDPR? What questions should we ask to see if we need to take action? The personal data that is stored is at least an IP-address from the website visitor. And yes, this is personal data according to the GDPR, as it is a unique personal identifier. As the website owner who implemented the Google API: Do you need to ask permission or consent from the website visitor before the request to the Google server is made? This vague statement suggests storage of personal data (IP Address) after the request has been made, whether it is limited or not. So consent is required! This means the website cannot load Google Fonts from the Google servers without getting consent first: the website needs to block Google Fonts, then request consent, and finally, after consent is given, load the fonts. After 16/07/2020, even with consent, it's no longer legal. |
To be honest, this whole discussion is a bit ridiculous. IP addresses are needed to transfer files effectively between computers and to view webpages. If you use the internet, you are going to expose your IP address to at least some services, with or without your consent – it's as simple as that. Google Fonts is not the only service that will be storing your IP address when you visit a website. An average website or app will be loading anywhere between 5-20 external resources or scripts which are often all needed for the webpage to function as intended and to make the life of the visitor easier. It's not practical to go back to the stone ages and move all of these services to be fully self hosted again, avoiding all CDNs and external services. And even with self hosting you have no control over what nodes or proxies a request from browser A to server B travels through. Along the way, no doubt countless logs will be generated on various systems and computers capturing the IP address and other details about the request. This is unavoidable. It's literally impossible to serve a webpage to a visitor without transmitting the IP address of the visitor to a single external service before they give consent. Treating IP addresses as private data seems inherently flawed, at least within the framework of how the internet currently works. What would be more practical and sensible instead of avoiding IP addresses are sent to 3rd party services, is ensuring that those IP addresses cannot be linked to other personal data of the visitor. That way it becomes nothing more than a random number which cannot be tracked back to a specific person. |
@adamreisnz Your attitude is very dismissive and defeatist. "Privacy is hard, so we just should not do it." Bear in mind, any benefits to CDNs have been fully rendered irrelevant by browser security measures. Not only is Google Fonts embedding an actively hostile party into a website, it doesn't even serve any benefit to the website owner to do so. It is arguable that Google Fonts should not exist, except as a convenient portal to download and preview fonts. There's nothing "stone age" about fully self-hosting: It's what everyone should be doing, especially if they care about their users or their privacy. If I were looking for services like yours, I would be very concerned that the founder has an attitude such as yours. And frankly, the point of this thread is legal compliance, and IP addresses are, in fact, considered private data by GDPR. So you might want to check your legal exposure. Many lawsuits have been filed on the basis that an IP can be reasonably mapped to a user or household, so your opinion that it shouldn't be... isn't going to help you much. |
I disagree with your interpretation of my statement. I am very pro privacy and we are doing our very best to ensure that our users' privacy is respected and that all relevant regulations are followed. The very fact that I have been following this discussion here for the past years should reflect that I care about these issues. I am merely expressing the opinion that there are limits, and that it seems that with this particular rule, regulation crosses over from practical and helpful to simply detached from reality and quite frankly outside of the realm of technical possibility. Can you explain to me how you can ensure that the IP address of a visitor to your website is not shared with any other 3rd party whatsoever without their prior consent? This cannot be accomplished with our current technology, unless you hand them a USB stick with your website on it. Maybe regulatory efforts should be aimed at ISPs instead, ensuring that IP addresses are randomised and not traceable to specific devices or households.
You're right, I love having to update our static asset files every time a new version of the Material icons font comes out with new icons, and converting TTF files to WOFF and WOFF2. No benefit to having this conveniently hosted and maintained by a 3rd party at all. |
@adamreisnz You aren't doing your very best if you're making an unnecessary callout to an adtech company just to save yourself having to update a font.
This is what I mean by defeatist. No, you can't avoid talking out to any third party whatsoever, but you should be doing your best to minimize it. And in the case here, failing to do so may make your service fail to be GDPR compliant, as Google has failed to address this issue over the past three years. |
Yes, and that is the reason why we are moving to self hosted Google Fonts. But I can still express frustration and annoyance about it and the fact that in the end, it's pointless as anyone's IP address will end up in a plethora of logs and databases regardless. There's nothing defeatist about that, it's just reality. |
I cannot guarantee no one will murder my customers, but I can still not be the one to do it. The same is true for their privacy. |
I think it's important to note, and to understand, that GDPR in no way prohibits, or aims to prohibit, sharing of IP addresses via normal functioning of a web.
It does, however, postulate very clearly that in doing so, a balancing act must be made between the technological necessities and one's privacy.
It might be, that a good balance is attained, once Google outlines what data it collects, for what purposes, for how long, and how the data is used, traded or shared. For several years now, Google is declining to do so. This simply cannot mean or imply, that due to that it's ok to use such a service and call it privacy oriented design.
If the balancing act cannot be made, it's not enough and it cannot be simply wished away.
… On 13 Feb 2021, at 00:46, Adam Reis ***@***.***> wrote:
I disagree with your interpretation of my statement. I am very pro privacy and we are doing our very best to ensure that our users' privacy is respected and that all relevant regulations are followed. I am merely expressing the opinion that there are limits, and that it seems that with this particular rule, regulation crosses over from practical and helpful to simply detached from reality and quite frankly outside of the realm of technical possibility.
Can you explain to me how you can ensure that the IP address of a visitor to your website is not shared with any other 3rd party whatsoever without their prior consent?
This cannot be accomplished with our current technology, unless you hand them a USB stick with your website on it.
|
It is one thing to say that any person’s IP will be exposed when using the Web (well, except in the many different scenarios where they could use Tor, a VPN, etc.). It is another thing to consider that, given that, it’s OK to use any ‘service’ that is actively recording those IP addresses (and, in Google’s case, even mining them like precious gold). I used to tell lawmakers a lot that, from a technical perspective, the Web works in a very different way than what they think of when creating rules. As a result, some specifics of those rules might look quite bizarre or hard to implement. Human-made laws are about goals and objectives, not specific details. And it is a matter of deciding what kind of world we want to live in. Technical aspects then might have to be adapted or reshaped in some cases. The goal of the GDPR is to protect people’s privacy (and also try to hinder spying crimes committed by the USA against the rest of the planet, but that’s another story). That’s the objective to keep in mind, that is the goal. It is a matter of not considering that, since IPs are exposed by default, it is OK to use whatever third party we like. Google is actively and knowingly violating the law, and fully intends to continue doing so, so I think it is both our legal and professional duty not to use their ‘services’ (Google Fonts in this case, but this applies to others as well) and to even strongly discourage other developers from using them as well, in order to protect both their users and their company. |
The fact that many people are doing something wrong doesn't mean it's the right thing to do.
Not entirely true... It makes the web developer's life easier, not the user's. No web page "needs" to load resources from 3rd-party websites. Doing it saves time to developers and is a convenience, but comes at a cost and that cost is transferred to users by exposing their data to companies they have not agreed to share their data with. The fact that we've been using the web wrong for a decade is no excuse to keep perpetuating the same bad practices. A few years ago it was a matter of ethics, now it's a matter of law. |
That is entirely false in the context of your explaining of "normal functioning of the web".
Yeah, balancing! Easy task! No balancing! And Google itself admits that they do collect data with google fonts:
|
Should we like, reopen this? https://www.zylstra.org/blog/2022/01/using-google-fonts-breaches-gdpr/ |
Hi, I cannot find this "official statement" by Google anywhere else but here. In particular I cannot find a precise statement about Google acting as a Data Controller for Google Fonts neither in the Term of Services nor in the Privacy Policy. @asadkn can you please share a link to the official statement on a Google's site? |
Notice: Official Statement by Google Fonts made April 17, 2018
Google is working hard to prepare for the EU General Data Protection Regulation (GDPR), and is committed to helping our customers and partners succeed under the GDPR. Our existing Google Fonts FAQ provides information on how Google Fonts handles data about users.
Google Fonts acts as a "data controller" for any personal data that Google processes in connection with your use of Google Fonts web and Android APIs. For any personal data you process, we encourage you to familiarize yourself with the provisions of the GDPR, and check on your compliance plans.
Also, please note that Google LLC is certified under both the EU-U.S. and Swiss-U.S. Privacy Shield frameworks and our certifications can be viewed on the Privacy Shield list.
End Of Notice. Original question by @asadkn follows
There's a lot of misinformation being spread around the EU GDPR compliance when using Google Fonts. It would be great to start this discussion here to get an official response.
I looked around at https://privacy.google.com/businesses/compliance/ but I don't see a mention of google web fonts. There are a few concerns being cited by several users on the web: (NOTE: All of these are concerns and NOT substantiated facts.)
My knowledge of GDPR law is limited and I haven't personally evaluated the concerns thrown around. However, we definitely need to address it before the rumors get out of hand.
IMPORTANT Please refrain from adding opinions that may further add to the already spread misinformation. If you do, please mention they aren't facts. I started this topic mainly to get facts from people qualified with enough knowledge of GDPR law (preferably lawyers or in contact with lawyers). 👍 are welcome.