Google Fonts, Analytics, reCAPTCHA & GDPR
General Data Protection Regulation (GDPR) Issues
Google Fonts, Google Analytics and Google reCAPTCHA are Google services that have been embedded in websites for years. However, a German court and several EU data protection authorities have recently found that embedding Google Fonts or Google Analytics in their default, Google-hosted form breaches the GDPR.
Who Does GDPR Apply To?
Different countries have different data protection and privacy rules. The General Data Protection Regulation (GDPR) is the privacy and security law passed by the European Union (EU). It protects individuals who are in the EU, not only EU citizens, and binds any business that processes their personal data within its scope.
GDPR came into effect on May 25, 2018 and applies to any business that:
- is established in the EU
- offers goods or services to individuals in the EU (whether or not the business is located in the EU)
- monitors the behaviour of individuals in the EU, which is what web analytics and tracking scripts do
If your business meets any one of the above criteria, then GDPR applies to you.
EU Court and Regulator Decisions
The court ruling and supervisory authority decisions below found the default, Google-hosted use of Google Fonts and Google Analytics unlawful. Google reCAPTCHA has not, at the time of writing, been found to break GDPR by a court or regulator.
The Regional Court of Munich (Landgericht München I, case 3 O 17493/20) ruled on January 20, 2022 that loading Google Fonts from Google's servers, which discloses the visitor's IP address to Google, violated the GDPR.
The website operator had relied on Art. 6(1) sentence 1 lit. f GDPR (legitimate interest), under which processing is lawful where "processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child". However, the court held that legitimate interest could not justify the disclosure, because the fonts can be served from the operator's own server without any connection to Google; transmitting the IP address to Google was therefore not necessary.
The court said: "The disclosure of the user's IP address in the above-mentioned manner and the associated encroachment on the general right of personality is so significant with regard to the loss of control over a personal data to Google, a company that is known to collect data about its users, and the individual discomfort felt by the user as a result, that a claim for damages is justified."
Alternatives To Google Fonts
If the above court ruling impacts your website, what can you do? Below are alternatives to using Google Fonts.
Instead of loading the fonts from Google's servers, host the font files yourself so that the visitor's browser only ever contacts your own domain.
To host Google Fonts locally, download the required font files and upload them to your server. WOFF2, with WOFF as a fallback, covers all current browsers; TTF, EOT and SVG are only needed for legacy browsers such as old Internet Explorer or old Android and iOS Safari. Each weight and style you use (regular, regular italic, bold, bold italic) is a separate file. Then add a matching @font-face rule for each file to your style sheet.
An example rule for the regular weight of Lato, Latin subset; the file paths are placeholders and must point at wherever you uploaded the files on your own server:
/* lato-regular - latin */
@font-face {
  font-family: 'Lato';
  font-style: normal;
  font-weight: 400;
  src: url('/fonts/lato-regular.woff2') format('woff2'),
       url('/fonts/lato-regular.woff') format('woff');
}
Then specify where the font is used, e.g.
font-family: 'Lato', sans-serif;
Finally, remove every remaining reference to Google's font servers: an @import of fonts.googleapis.com in the CSS, and any <link> to fonts.googleapis.com or preconnect to fonts.gstatic.com in the HTML. While any of those remain, the browser still contacts Google and the local copies achieve nothing.
An excellent tool which can be used to achieve this is the Google Web Fonts Helper.
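As an added check, not code from the original article or from any Google tool: the script below scans a page's HTML and CSS offline for the hosts that Google Fonts, Google Analytics / Tag Manager and reCAPTCHA are loaded from, and verifies that every @font-face src points at the site's own origin. It goes slightly beyond the fonts procedure above by covering all three services in one pass. The host list is an assumed, non-exhaustive one, and the sample markup, measurement ID and font file paths are constructed for the demonstration.

```python
"""Offline audit: does this HTML/CSS still pull anything from Google?

Example added to this article, not code from the original page or from
Google. Host names below are an assumed, non-exhaustive list; the sample
markup, IDs and font paths are constructed for the demonstration.
"""
import re
from urllib.parse import urlparse

# Absolute (http/https) or protocol-relative URL: captures host and path.
URL_IN_TEXT = re.compile(r"(?:https?:)?//([A-Za-z0-9.-]+)(/[^\s'\"()<>]*)?")
FONT_FACE_BLOCK = re.compile(r"@font-face\s*\{([^}]*)\}", re.S)
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")]+)['\"]?\s*\)")

FONT_HOSTS = {"fonts.googleapis.com", "fonts.gstatic.com"}
ANALYTICS_HOSTS = {"www.google-analytics.com", "www.googletagmanager.com",
                   "analytics.google.com"}
# reCAPTCHA shares these hosts with unrelated Google products, so it is
# only flagged under its /recaptcha/ path.
RECAPTCHA_HOSTS = {"www.google.com", "www.gstatic.com", "www.recaptcha.net"}


def classify(host, path):
    """Name the Google service a host/path belongs to, or None."""
    host = host.lower()
    if host in FONT_HOSTS:
        return "Google Fonts"
    if host in ANALYTICS_HOSTS:
        return "Google Analytics / Tag Manager"
    if host in RECAPTCHA_HOSTS and path.startswith("/recaptcha/"):
        return "Google reCAPTCHA"
    return None


def google_references(text):
    """Every distinct Google-hosted URL in text, as (service, url) pairs."""
    found, seen = [], set()
    for m in URL_IN_TEXT.finditer(text):
        url, host, path = m.group(0), m.group(1), m.group(2) or "/"
        service = classify(host, path)
        if service and url not in seen:
            seen.add(url)
            found.append((service, url))
    return found


def font_face_sources(css):
    """All url() values inside @font-face rules, in stylesheet order."""
    return [u for block in FONT_FACE_BLOCK.finditer(css)
            for u in CSS_URL.findall(block.group(1))]


def is_same_origin(url):
    """A path-only or relative URL has no host, so it stays first-party."""
    return urlparse(url).netloc == ""


def audit(html, css):
    """'clean' means these files would trigger no request to Google."""
    refs = google_references(html) + google_references(css)
    remote_fonts = [u for u in font_face_sources(css) if not is_same_origin(u)]
    return {"google": refs, "remote_fonts": remote_fonts,
            "clean": not refs and not remote_fonts}


# Constructed sample: the page before migration (placeholder measurement ID).
BEFORE_HTML = """<head>
<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Lato:wght@400;700&display=swap">
<script async src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
<script src="https://www.google.com/recaptcha/api.js" async defer></script>
</head>"""
BEFORE_CSS = "@import url('https://fonts.googleapis.com/css2?family=Lato&display=swap');"

# Constructed sample: the same page after the fonts were copied to the
# site's own server (assumed paths).
AFTER_HTML = '<head>\n<link rel="stylesheet" href="/css/fonts.css">\n</head>'
AFTER_CSS = """/* lato-regular - latin */
@font-face {
  font-family: 'Lato';
  font-style: normal;
  font-weight: 400;
  src: url('/fonts/lato-regular.woff2') format('woff2'),
       url('/fonts/lato-regular.woff') format('woff');
}
body { font-family: 'Lato', sans-serif; }"""

if __name__ == "__main__":
    for label, html, css in (("before", BEFORE_HTML, BEFORE_CSS),
                             ("after", AFTER_HTML, AFTER_CSS)):
        print(label, audit(html, css))
```

Run it against your own templates and stylesheets (read the files and pass their contents to audit); a non-empty "google" list or "remote_fonts" list means the browser still makes a request to Google, regardless of what the rest of the migration looks like. A preconnect to fonts.gstatic.com counts too, since the connection alone discloses the visitor's IP address.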
The Austrian Data Protection Authority (Datenschutzbehörde, DSB), in a decision published on January 13, 2022, found that a website's use of Google Analytics violated Chapter V of the GDPR (transfers of personal data to third countries). The decision applied the Schrems II judgment of July 16, 2020, in which the Court of Justice of the European Union (CJEU) declared Privacy Shield, the EU-US personal data transfer mechanism, invalid.
The French data protection authority, the Commission Nationale de l'Informatique et des Libertés (CNIL), stated on February 10, 2022 that "it considers [Google Analytics data] transfers to be illegal," because Google Analytics transfers European users' data to the USA, and concluded that data transfers to the USA "are currently not sufficiently regulated, contravene article 44 onwards of the EU's General Data Protection Regulation and therefore a risk for French website users who use this service and whose data is exported."
A decision by the Italian Data Protection Authority (Garante per la protezione dei dati personali) has also declared that Google Analytics use is unlawful as it "did not ensure an adequate level of protection for users' personal data in the light of the guidance provided by the EDPB through its Recommendations No 1/2020 of 18 June 2021."
Alternatives To Google Analytics
There are several Google Analytics alternatives which are GDPR compliant. These include:
Alternatively, keep Google Analytics but load it only after the visitor has given explicit, informed consent through a cookie consent banner. The analytics script must not execute, and no analytics cookie may be set, until that consent has been recorded; a banner that loads the script first and asks afterwards does not help.
Although there have been no rulings on Google reCAPTCHA yet, where it is present it sets a user-specific cookie and collects data on whether the visitor is logged into a Google account, their mouse clicks and movements, typing patterns and IP address.
That data is processed and analysed in US data centres, the same transfer of personal data to the USA that underlies the Google Fonts and Google Analytics decisions above.
Alternatives To Google reCAPTCHA
Replacements for Google reCAPTCHA usually take the form of honeypots, challenges, and machine learning. A few examples are:
We cannot give any guarantees on the efficacy of any of the alternatives above.
UK Data Protection and Cookie Laws Are Changing
UK businesses that only supply services within the UK should note that, having left the EU, the UK government is reviewing how UK law should deal with data privacy.
Current UK data protection consists of the UK General Data Protection Regulation (UK GDPR), the Privacy and Electronic Communications Regulations (PECR) and the Data Protection Act 2018 (DPA).
The Department for Digital, Culture, Media & Sport (DCMS) consultation "Data: a new direction", launched on September 10, 2021, was the first step in the process to reform the UK's data protection laws. The outcome of the consultation is summarised in "Data: a new direction - government response to consultation".
Some of the highlights covering the use of data processing and cookies include:
- taking forward reforms that will allow the UK to use more risk-based decision-making in its adequacy assessments.
- removing the requirement for websites to display cookie banners where services are only for UK residents, and permitting cookies (or similar technologies) to be placed on a visitor's device without explicit consent for a small number of other non-intrusive purposes.
- moving in future to an opt-out consent model, allowing cookies to be set without first seeking the user's consent; websites would still have to provide clear information on how to opt out. The opt-out model would not apply to websites likely to be accessed by children.
UK businesses will need to stay informed about changes to UK data privacy law as it evolves, and about EU GDPR where they serve customers in EU countries.