European WordPress Bloggers beware: “Abmahnwelle” due to Google Fonts!
WordPress admins are currently being sued for loading Google Fonts directly from Google's servers without correctly informing their users about the data collection by Google. I give a few hints on how to protect yourself against this. Disclaimer: I'm not a pro in legal matters, so take everything I say with a grain of salt.
This morning I read this article on heise.de (German): it seems that, based on the verdict of the Landgericht München, people are trying to sue WordPress admins for something between 100 and 500 €. The basis for this is that many WordPress themes (including the Zakra theme I currently use) load Google Fonts directly from the Google servers. By doing this, your users leave traces on the Google servers, i.e. Google starts to collect data about your readers. If you fail to inform your WordPress readers about that, you may get into trouble.
While I hate this systematic skimming of money based on individual verdicts (“Abmahnwellen”), I do think that privacy of website users needs to be protected. The data protection laws might be inconvenient, but it is not that much effort to comply with their rules. Here are a few recommendations that I found useful when making my pages GDPR-compliant:
- As soon as you collect any personally identifiable information (PII), and you'll be surprised what qualifies as PII (e.g. IP addresses), you need a privacy policy. The Datenschutzerklärungsgenerator by RA Schwenke helps you formulate the necessary text in German for free (as long as you give credit and don't turn over more than 5000,- € per year with your website).
- Deepl is an excellent translation engine to translate the Datenschutzerklärung into English. I cannot tell if the translation is still 100% safe in terms of legal compliance, but I decided that this is good enough for me. A few corrections had to be made, but I was surprised by the quality.
- Depending on your use of cookies, you need a cookie consent mechanism. Since I do not use cookies that need consent (a matter that may be debatable), I do not have such a page and cannot give recommendations beyond noting that plugins exist for that.
- Use a plugin to remove the references to Google Fonts on the Google servers and serve the fonts directly from your own webserver. I use "Remove Google Fonts References" by Bruno Xu (thanks!), but this, as I just noticed, no longer exists. There are many other plugins in the wild, though! Google itself explicitly allows you to store local copies of the fonts. Make sure to check the specific license agreements for the fonts you use, but they are all very open.
- Use a modern browser to check where your website actually sends your users! When I created the privacy policy for my website, I realized that I promise a lot in there, and I made sure that I keep my promises. Here is how to check (as seen in Firefox; other browsers may look different):
  - Open an empty browser page, hit F12 and navigate to "Network analysis" (I could not get my browser to display the dev tools in English, so the labels may differ somewhat).
  - Load your page.
  - Browse through the "Domain" column. If anything comes up that is different from your own namespace, double check whether that host collects PII; if so, make sure that you inform your users and that you are compliant with data protection laws!
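The same check can be scripted against the page's HTML instead of reading the network panel by hand. The following is an added example, not code from the original post or from any of the plugins mentioned: it lists every host other than your own that a page references in href/src attributes and CSS `url()`/`@import` rules, and rewrites Google Fonts references to a self-hosted stylesheet. The sample page, the host names in it and the local path `/wp-content/fonts/fonts.css` are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page (not a real site): Google Fonts loaded two ways, one first-party stylesheet, one third-party script, one local image.
SAMPLE_HTML = """<html><head>
<link rel="preconnect" href="https://fonts.gstatic.com">
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Lato:400,700&display=swap">
<link rel="stylesheet" href="https://example.blog/wp-content/themes/zakra/style.css">
<style>@import url("https://fonts.googleapis.com/css2?family=Roboto");</style>
<script src="//cdn.example-analytics.net/track.js"></script>
</head><body><img src="/wp-content/uploads/photo.jpg"></body></html>"""

# url(...) references and bare @import "..." strings inside CSS.
CSS_URL_RE = re.compile(r"""url\(\s*['"]?([^'")\s]+)|@import\s+['"]([^'"]+)['"]""")

class _RefCollector(HTMLParser):
    """Collect every href/src attribute value plus the text of <style> blocks."""
    def __init__(self):
        super().__init__()
        self.urls, self.css, self._in_style = [], [], False
    def handle_starttag(self, tag, attrs):
        self.urls += [v for k, v in attrs if k in ("href", "src") and v]
        self._in_style = tag == "style"
    def handle_endtag(self, tag):
        self._in_style = False
    def handle_data(self, data):
        if self._in_style:
            self.css.append(data)

def third_party_hosts(html, own_host):
    """Hosts other than own_host that the page loads resources from (sorted)."""
    p = _RefCollector()
    p.feed(html)
    urls = p.urls + [a or b for a, b in CSS_URL_RE.findall("".join(p.css))]
    hosts = set()
    for u in urls:
        host = urlparse("https:" + u if u.startswith("//") else u).hostname
        if host and host != own_host:  # relative URLs have no host and are first-party
            hosts.add(host)
    return sorted(hosts)

def localize_google_fonts(html, local_css="/wp-content/fonts/fonts.css"):
    """Rewrite Google Fonts <link>/@import references to local_css (assumed path; the font files and CSS must be copied there)."""
    html = re.sub(r"""<link\b[^>]*href=['"]https?://fonts\.googleapis\.com/[^'"]*['"][^>]*>""",
                  f'<link rel="stylesheet" href="{local_css}">', html)
    # preconnect/dns-prefetch hints to fonts.gstatic.com serve no purpose once the fonts are local
    html = re.sub(r"""<link\b[^>]*href=['"](?:https?:)?//fonts\.gstatic\.com[^'"]*['"][^>]*>""", "", html)
    return re.sub(r"""@import\s+(?:url\()?['"]?https?://fonts\.googleapis\.com/[^'")\s]*['"]?\)?\s*;""",
                  f'@import url("{local_css}");', html)
```

Run `third_party_hosts` on the rewritten HTML to confirm that only hosts you actually name in your privacy policy remain; the static scan does not see resources added by JavaScript at runtime, so keep the network-panel check as the final word.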