
As a Deutscher this sounds completely nuts. Correct me if I'm wrong but any not 100% technically necessary third party request is considered illegally leaking personal data?! Or do I 'just' have to inform the users that their fonts, images and other data that could be stored in source but is not? In the case of fonts I'm pretty sure they get cached in the browser, so bundling them with the source just doesn't make sense?


Yes. If it's not technically necessary then don't do it. Host the fonts yourself rather than letting Google track people to your site.


Exactly. Why would you serve your own copy of the fonts if a previous request to that cdn may have cached them in your browser already? Opt-In goes against the architecture of websites. What's next? A popup for each third party request? It is not feasible and just another stumbling block - like Impressum for private persons and third party cookie consent to host websites in Germany. It makes more sense to fix the issue at the fundamental browser level by the vendor (natively, without the need for plugins) and explain the dangers to the users. Educated users block requests anyway for example.

I think hosting it by yourself is the solution here, but it's getting difficult to keep up with all the rules, especially when the fundamental design of the web moves in the opposite direction.


> a previous request to that cdn may have cached them in your browser already? Opt-In goes against the architecture of websites

Browsers partition their caches by origin and third-party origin (it's a bit more complex than that in reality), so common third-party resources, e.g. fonts, used on one site won't be reused on another.

Instead, a fresh version of the font will be fetched.

Safari's done this since 2013 (?), and Chromium & Firefox adopted the same behaviour in 2020 (?)
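A model of the cache behaviour described in the comment above, added here as an example that is not part of the original thread. It keys the cache on the top-level site plus the resource URL, which is a simplification of real browser cache keys, and the URLs and browsing session are constructed.

```python
from urllib.parse import urlsplit

FONT_URL = "https://fonts.googleapis.com/css?family=Roboto"  # constructed sample URL

def site_of(url):
    """Simplified 'site': scheme + host (browsers use scheme + registrable domain)."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.hostname}"

class BrowserCache:
    """Toy HTTP cache; partitioned=True adds the top-level site to the cache key."""
    def __init__(self, partitioned):
        self.partitioned = partitioned
        self.entries = set()
        self.third_party_log = []  # (resource URL, embedding site) per network request

    def load(self, page_url, resource_url):
        if self.partitioned:
            key = (site_of(page_url), resource_url)
        else:
            key = (resource_url,)
        if key in self.entries:
            return "hit"   # served locally, the font host sees nothing
        self.entries.add(key)
        # Network request: the font host receives the visitor's IP address
        # and, subject to referrer policy, the embedding site.
        self.third_party_log.append((resource_url, site_of(page_url)))
        return "miss"

def simulate(partitioned, visits):
    """Load the same font from each visited page; return results and the host's log."""
    cache = BrowserCache(partitioned)
    results = [cache.load(page, FONT_URL) for page in visits]
    return results, cache.third_party_log

VISITS = [  # constructed browsing session
    "https://news.example/article",
    "https://shop.example/cart",
    "https://news.example/other",
]

if __name__ == "__main__":
    for mode in (False, True):
        results, log = simulate(mode, VISITS)
        print("partitioned" if mode else "shared", results, [s for _, s in log])
```

With partitioning, the font host receives one request per embedding site, so a font cached from one site does not spare the request on the next.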


The browsers don't share third-party caches across domains, because it made it easier to leak information about which sites the user has visited.


> The browsers don't share third-party caches across domains

Do you have a source for this? I believe(d?) it too, but when re-checking just now, I could not find any.



Great, thanks!


Informing them is probably not enough – you would need explicit consent and a fallback option. The only reasonable option is not to do it, or maybe it's possible to get a contract with Google regarding processing of personal data.


It seems pretty reasonable to me.

1. In Germany an IP address is considered PI under GDPR because it is easily associated to a natural person.

2. Google is open about the fact that they log IP address with Google Font request activity, which includes the page you are on.

3. GDPR requires justification by necessity to collect and/or send PI to a 3rd party without consent.

4. No consent was given.

5. It is not necessary in this case because it is possible to use Google Fonts in other ways that don't send PI to Google, without significant burden.

I'm not a lawyer but I am responsible for GDPR compliance at a German startup.

edit: typo
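One way to check a page for the requests discussed in the comment above, added here as an example that is not part of the original thread: it lists every resource a page loads automatically from a host other than its own. The page URL, sample markup and font path are constructed, and "first party" is simplified to an exact hostname match.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose URL attribute is fetched automatically when the page renders.
URL_ATTRS = {"link": "href", "script": "src", "img": "src", "iframe": "src"}
# url(...) and @import "..." references inside CSS.
CSS_URL = re.compile(r"""(?:@import\s+(?!url\()|url\()\s*['"]?([^'")\s;]+)""", re.I)

class ThirdPartyAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.first_party = urlsplit(page_url).hostname  # exact-host match (simplification)
        self.in_style = False
        self.findings = []  # (host, where it was referenced, absolute URL)

    def _check(self, raw_url, where):
        absolute = urljoin(self.page_url, raw_url)  # resolves relative and //host URLs
        host = urlsplit(absolute).hostname          # None for data: URIs
        if host and host != self.first_party:
            self.findings.append((host, where, absolute))

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "style":
            self.in_style = True
        attr = URL_ATTRS.get(tag)
        if attr and attrs.get(attr):
            self._check(attrs[attr], f"<{tag} {attr}>")

    def handle_endtag(self, tag):
        if tag == "style":
            self.in_style = False

    def handle_data(self, data):
        if self.in_style:
            for url in CSS_URL.findall(data):
                self._check(url, "<style> block")

def audit(page_url, html):
    """Return the third-party resources referenced by the given HTML."""
    parser = ThirdPartyAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings

PAGE = "https://www.example.org/index.html"  # constructed
SAMPLE = """<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto">
<link rel="stylesheet" href="/css/site.css">
<style>@font-face { font-family: X; src: url(//fonts.gstatic.com/s/x.woff2); }</style>
<img src="logo.png">"""
```

Calling `audit(PAGE, SAMPLE)` reports the two Google Fonts hosts; stylesheets fetched from a flagged host need the same scan, since they can reference further hosts.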


By that logic you must self-host any landing page, otherwise you are leaking IP addresses to whoever is hosting your website.


We have a contract with our hosting provider that specifies what data they may collect, the limited purposes for which they can use it, and when it must be deleted.

This is called a Data Processing Agreement and is also part of GDPR compliance.

We have the same thing in place with all 3rd party vendors.


As a German citizen, this isn’t nuts.

Leaking extremely sensitive user data, like their IP addresses, to third parties enables them to fingerprint users.

Leaking those to third parties outside the EU, and in particular to companies whose revenue depends on this fingerprinting, like Google, just to serve a font, it’s the dumbest thing I’ve heard all week.

The whole purpose of the GDPR is to discourage this behavior, requiring websites to inform users of all their crappy unnecessary things they want to do before they do it.

The only reason Google gives you hot loading for free is to get your users' data. Trading your users' personal data to serve a font is brain dead.

IMO this fine of 100€ is too small. They should have made it 10% of their revenue to send the clear message that this is not ok.


I agree with everything you said except the last paragraph.

100€ was fine in my opinion, because a) it isn't that big of an infraction, b) it probably was their first offense and c) this legal ruling is indeed setting some kind of precedent and therefore was unexpected given industry practices. If the ruling stands and other courts follow a similar reasoning I would expect higher fines in the future.


You have a point and I as a dev will ensure to follow this principle. The issue is that serving fonts and other assets from an external service is pretty much normal practice. This is new ground. The understanding so far was explicit tracking being the issue and not serving static assets. This ruling makes sense but goes way beyond what the consensus was so far.


Whose “consensus”? Google or ad techs. That is not acceptable. The right way is a GDPR pop up listing the companies you will share user data with. If the user approves I am sure no court can touch you.


I meant consensus among developers. Using external _static_ resources has been a normal thing for very long and generally hasn’t been discussed under the light of GDPR.

In fact I would argue that most devs don’t assume that this is a problem at first glance. The general awareness and education should be better here.


IP Address is far from "extremely sensitive user data". Really.


Giving an IP Address to Google including referrer header is. They can do a lot with this and as long as the Google Font hosting service doesn't give out assurances (they can be sued for breaking) that this data is not used in any way which would enable Google to track a person.



