WordPress admins are currently being sued for loading Google Fonts directly from the Google servers without correctly informing users about the data collection by Google. I give a few hints on how to protect yourself against this. Disclaimer: I’m not a pro in legal regards, so take everything I say with a grain of salt.
This morning I read this article on heise.de (German) – it seems that, based on the verdict of the Landgericht München, people are trying to sue WordPress admins for something between 100 and 500 €. The basis for this is that many WordPress themes (including the Zakra theme I currently use) load Google Fonts directly from the Google servers. When they do, your users leave traces on the Google servers, i.e. Google starts to collect data about your readers. If you fail to inform your WordPress readers about that, you may get into trouble.
While I hate this systematic skimming of money based on individual verdicts (“Abmahnwellen”), I do think that the privacy of website users needs to be protected. The data protection laws might be inconvenient, but it is not that much effort to comply with their rules. Here are a few recommendations that I found useful when making my pages GDPR-compliant:
- DeepL is an excellent translation engine to translate the Datenschutzerklärung into English. I cannot tell if the translation is still 100% safe in terms of legal compliance, but I decided that this is good enough for me. A few corrections had to be made, but I was surprised by the quality.
- Use a plugin to remove the Google Fonts references to the Google server and serve the fonts directly from your own webserver. I use “Remove Google Fonts References” by Bruno Xu (thanks!), but this – as I just noticed – does not exist any more. But there are many other plugins in the wild! Google itself explicitly allows you to store local versions of the fonts. Make sure to check the specific license agreements for the fonts you use, but they are all very open.
- Open an empty browser page, hit F12 and navigate to “Network analysis” (I could not get my browser to display the dev tools in English – so the text might be somewhat different).
- Load your page.
- Browse through the “Domain” column – if anything comes up that is different from your own namespace, you should double check if that page collects PII – if so, make sure that you inform users and that you are compliant with data protection laws!
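
The same check as the “Domain” column walk-through above, as an added example that is not part of the original post: it groups a page's requests by host, drops the site's own domain and its subdomains, and marks the two hosts Google Fonts is served from. The site `example.org`, the request list and the function names are constructed for illustration.

```javascript
// Hosts Google Fonts is served from: the CSS and the font files respectively.
const GOOGLE_FONTS_HOSTS = new Set(["fonts.googleapis.com", "fonts.gstatic.com"]);

// True if host is the site's own host or one of its subdomains.
function isFirstParty(host, siteHost) {
  return host === siteHost || host.endsWith("." + siteHost);
}

// pageUrl: address of the audited page; resourceUrls: every URL the page requested.
// Returns [{ host, requests, googleFonts }] for third-party hosts, busiest first.
function thirdPartyHosts(pageUrl, resourceUrls) {
  const siteHost = new URL(pageUrl).hostname.replace(/^www\./, "");
  const counts = new Map();
  for (const raw of resourceUrls) {
    let url;
    try {
      url = new URL(raw, pageUrl); // resolves relative URLs against the page
    } catch {
      continue; // not a URL at all
    }
    // data: and blob: resources never leave the browser, so only count http(s).
    if (url.protocol !== "http:" && url.protocol !== "https:") continue;
    if (isFirstParty(url.hostname, siteHost)) continue;
    counts.set(url.hostname, (counts.get(url.hostname) || 0) + 1);
  }
  return [...counts.entries()]
    .sort((a, b) => b[1] - a[1] || a[0].localeCompare(b[0]))
    .map(([host, requests]) => ({ host, requests, googleFonts: GOOGLE_FONTS_HOSTS.has(host) }));
}

// Constructed sample input (placeholder site and paths).
const SAMPLE_PAGE = "https://www.example.org/blog/";
const SAMPLE_REQUESTS = [
  "https://www.example.org/wp-content/themes/sample-theme/style.css",
  "/wp-includes/js/sample.js",
  "https://fonts.googleapis.com/css?family=Roboto",
  "https://fonts.gstatic.com/s/sample/regular.woff2",
  "https://fonts.gstatic.com/s/sample/bold.woff2",
  "https://cdn.example.org/logo.png",
  "data:image/png;base64,AAAA",
];

// In the browser console, pass the real request list instead of the sample:
//   thirdPartyHosts(location.href, performance.getEntriesByType("resource").map(e => e.name))
console.table(thirdPartyHosts(SAMPLE_PAGE, SAMPLE_REQUESTS));
```

An empty result after switching to locally hosted fonts means the page no longer contacts any third-party host for the requests that were recorded.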