GDPR and Webfonts loading = problem ?!



  • Hi, as part of the GDPR handling, I came across the fact that a 3rd-party shop module loads Google web fonts (and I think the original theme does so as well).

    That seems to be a problem and has to be noted in the privacy policy, according to law. I also found some detailed information in German (https://www.7media.de/wp-coaching/dsgvo-neue-datenschutz-anforderungen/). This report is just about it: it’s about the reloading of webfonts under GDPR and that this reloading definitely should not be done anymore as of 25 May.

    Everyone can check for themselves if the design or theme of the shop itself uses Google fonts; usually they are then reloaded from the Google servers. You can search for something like this in the source code: //ajax.googleapis.com/

    If I understand the Google license correctly, you can use the fonts offered by Google (https://fonts.google.com/) for free and also install them locally. But these fonts are only available in .ttf, and conversion to another file format like .eot, .svg etc. seems to be a license violation.

    In many themes (also in the original) there is a script that loads the webfonts.

    How do you deal with it now? I’m a bit baffled here again and would like to try to load the Google webfonts not from an external source, but only from the local server. How can we do this?
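    Added example (not from the thread or from thirty bees): it automates the “search the source for //ajax.googleapis.com” check above by scanning a page’s HTML/CSS for references to Google’s font hosts. The sample markup and the host list are constructed assumptions.

```python
"""Find third-party web font loads in a shop page's markup.

Added example: scans <link href>, <script src>, @import and CSS url() references
and reports the ones pointing at the Google Fonts endpoints or the ajax-hosted
web font loader named in the thread. The sample markup below is constructed.
"""
import re

FONT_HOSTS = ("fonts.googleapis.com", "fonts.gstatic.com", "ajax.googleapis.com")

# The places a theme can pull a font in from.
URL_PATTERNS = (
    re.compile(r"""<link[^>]+href=["']([^"']+)["']""", re.I),
    re.compile(r"""<script[^>]+src=["']([^"']+)["']""", re.I),
    re.compile(r"""@import\s+(?:url\()?["']?([^"')\s;]+)""", re.I),
    re.compile(r"""url\(\s*["']?([^"')]+)["']?\s*\)""", re.I),
)


def host_of(url: str) -> str:
    """Host of an absolute or protocol-relative URL; "" for a local path."""
    stripped = re.sub(r"^(?:https?:)?//", "", url)
    return stripped.split("/")[0].lower() if stripped != url else ""


def external_font_loads(markup: str) -> list:
    """Return every URL in `markup` that points at a known font host (deduplicated,
    grouped by the kind of reference it was found in)."""
    found = []
    for pattern in URL_PATTERNS:
        for url in pattern.findall(markup):
            if host_of(url) in FONT_HOSTS and url not in found:
                found.append(url)
    return found


# Constructed sample: one remote stylesheet, one loader script, one self-hosted font.
SAMPLE_MARKUP = """
<link rel="stylesheet" href="//fonts.googleapis.com/css?family=Open+Sans">
<link rel="stylesheet" href="/themes/mytheme/css/global.css">
<script src="https://ajax.googleapis.com/ajax/libs/webfont/1.6.26/webfont.js"></script>
<style>@font-face{font-family:'Local';src:url('/fonts/local.woff2') format('woff2')}</style>
"""

if __name__ == "__main__":
    for url in external_font_loads(SAMPLE_MARKUP):
        print("external font load:", url)
```

Run it against a saved copy of the shop’s front page; an empty result means the theme only references self-hosted fonts.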



  • I am not convinced that they are a problem. They do not set cookies, and there is no documentation that Google actually stores a log.

    The code you are talking about is the ajax font loader; not all themes use that method, some are directly inserted.



  • Hello, when a Google font is loaded directly from the Google server in the US, your IP address will be sent to this server. Advocates and IT consultants have concerns that Google may store this data internally (and maybe use it now or later to track visitors or to create profiles).

    Would it be possible with a TB store to load the webfonts from the local server the shop is installed on? It should not be that much effort, and another security thing to be OK with GDPR.



  • If they do not log it, it is not an issue then IMO. But if it is an issue, then it’s going to be more than GWF that are a problem. Browser shims will be a problem, using Cloudflare will be a problem, having a webhost will be a problem, cloud servers will be a problem, jQuery will be a problem, so the webfonts are actually the least of the problem.

    But to answer your question directly, yes, it’s possible. Somewhere some time ago I wrote something for 1.7 because of it. It might be in the Gitter archives, I am not sure.



  • You might read this GitHub thread as well: https://github.com/google/fonts/issues/1495

    (google/fonts issue #1495 “GDPR compliance”, opened by asadkn, now closed)



  • Thank you for your input about this. I have found https://developers.google.com/fonts/faq#what_does_using_the_google_fonts_api_mean_for_the_privacy_of_my_users
    which sometimes is good and sometimes not… damn.

    But that’s a fact from the GitHub discussion: “…For example collecting and processing the user’s IP without the user’s consent is against the GDPR. If the user does not consent then it doesn’t matter how the data is collected/processed/transferred, it’s still against the law…”

    More about this is in Recital 49 EU GDPR.



  • The thirty bees GDPR module will block Google Fonts by default thanks to the Content-Security-Policy header it sets. After (tracking) consent it will start loading the Google Fonts, but if the user does not accept this consent level (you can define them in the module), then you will have to rely on the alternative fonts defined in your CSS and hope the layout does not look too bad.



  • OK thank you, that’s also a solution. Would it be possible to choose the consents in the BO?



  • It’s as follows, three levels:

    • Functional and Performance: always enabled and like this on first visit
    • Tracking (+ Functional and Performance): needs consent, defaults to disabled in the consent popup when the browser sends a DNT header (Do Not Track)
    • Targeting (+ Functional and Performance, Tracking): needs consent, defaults to disabled in the consent popup when the browser sends a DNT header (Do Not Track)

    If you can’t make a functional website at the first and second level, you don’t have to offer these options in the consent popup.


  • More info on the levels:
    Functional + Performance

    • Remember what is in your shopping basket
    • Remember how far you are through an order
    • Remember your log-in details
    • Make sure you’re secure when logged in to the website
    • Make sure the website looks consistent

    Tracking

    • Monitor how you travel through the website

    Targeting

    • Allow you to share pages with social networks like Facebook
    • Send information to other websites so that advertising is more relevant to you
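    Added example (not the thirty bees GDPR module’s own code) covering the CSP-based blocking described a few posts up and the three consent levels listed above: it derives the granted level from the popup choices and builds a Content-Security-Policy that only whitelists the Google Fonts hosts from the tracking level upwards. The Google host names, the site origin and the pre-ticked popup defaults are assumptions.

```python
"""Consent-level Content-Security-Policy for web fonts (added example, not the
thirty bees GDPR module's code). It models the three cumulative consent levels
listed above and keeps Google Fonts blocked until the tracking level is granted.
Google host names, the site origin and the popup defaults are assumptions."""
from urllib.parse import urlsplit

LEVELS = ("functional", "tracking", "targeting")  # ordered; each includes the lower ones
GOOGLE_FONT_CSS_HOST = "https://fonts.googleapis.com"  # serves the @font-face CSS
GOOGLE_FONT_FILE_HOST = "https://fonts.gstatic.com"    # serves the font files


def popup_defaults(dnt: bool) -> dict:
    """Checkbox state when the popup opens: functional is always on; the consent
    levels are assumed pre-ticked unless the browser sends a DNT header."""
    return {"functional": True, "tracking": not dnt, "targeting": not dnt}

def granted_level(choices: dict) -> str:
    """Highest level ticked; levels are cumulative, so an unticked level also
    drops everything above it."""
    level = LEVELS[0]
    for name in LEVELS[1:]:
        if not choices.get(name):
            break
        level = name
    return level

def build_csp(level: str) -> str:
    """CSP header value for a granted level. The remote font hosts see the
    visitor's IP address, so they are only whitelisted from 'tracking' upwards."""
    if level not in LEVELS:
        raise ValueError("unknown consent level: %s" % level)
    style_src, font_src = ["'self'"], ["'self'"]
    if LEVELS.index(level) >= LEVELS.index("tracking"):
        style_src.append(GOOGLE_FONT_CSS_HOST)
        font_src.append(GOOGLE_FONT_FILE_HOST)
    return "default-src 'self'; style-src %s; font-src %s" % (" ".join(style_src), " ".join(font_src))

def is_allowed(csp: str, directive: str, url: str, site_origin="https://shop.example") -> bool:
    """Simplified CSP check (exact origins and 'self' only, no wildcards): would the
    browser fetch `url` under `directive`? Unknown directives fall back to default-src."""
    policy = {}
    for part in csp.split(";"):
        if part.strip():
            name, *sources = part.split()
            policy[name] = sources
    sources = policy.get(directive, policy.get("default-src", []))
    parts = urlsplit(url)
    origin = "%s://%s" % (parts.scheme, parts.netloc)
    return origin in sources or ("'self'" in sources and origin == site_origin)
```

Whatever the level, fonts served from the shop’s own origin stay allowed, which is why self-hosting the font makes the fallback question moot.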


  • “the alternative fonts defined in your CSS and hope the layout does not look too bad.”

    These Google fonts are Open Source, aren’t they? Accordingly, font and alternative font can be the same.

    AFAIK, the original idea of these Google fonts was the hope to have shorter loading times due to another site visited by the user downloading the font already. With virtually every site choosing a different font this foundation dwindles. I’d simply stop asking for Google fonts from Google sites and provide my own copy instead. Server load for serving files unprocessed (like fonts, static images, static pages) is minuscule.



  • Here’s a mockup of the consent popup: https://codepen.io/firstred/pen/odyYYp



  • This cookie hint looks awesome, great job. For the moment we will not use a cookie hint; preferred is to load the fonts locally from the webhosting server (it’s only one font). If we need this cookie thing in the future it is definitely the best I have seen at the moment, also for users!



  • Here’s a mockup of the consent popup: https://codepen.io/firstred/pen/odyYYp

    Excellent strategy!

    Three cents:

    1. One can’t deselect the first checkbox. Intuitively I’d expect a slider starting at zero or another checkbox with ‘None’.
    2. This one: “Make sure the website looks consistent” should be granted with or without cookies 🙂 First visits to a site are without cookies and first visits are the most important ones, so one can’t afford to have a messed-up design then.
    3. I’d drop the word Performance. Meaningless buzzword.


  • I bet it will kill sales big time. I hate the whole GDPR stuff. Making the user choose even the fonts… GOD!
    I think I will use https://mranftl.com/2014/12/23/self-hosting-google-web-fonts/ and self-host those and remove one problem from my list.

    PS: why does TB not update the theme with fonts included?



  • Because it already has fallback fonts if you block Google fonts.



  • @mdekker It would surprise me if it didn’t 😃



  • lol

    Please allow cookies to read our terms: https://codepen.io/firstred/pen/BxVxdJ

