You may have heard that serving Google Fonts on your website can constitute a GDPR violation - or more hyperbolically speaking - GDPR makes google fonts illegal. But does it really? The issue was first popularized on the Google Fonts Github Repo. Asad Khan who originally asked the question added a note that can't be restated enough:
IMPORTANT Please refrain from adding opinions that may further add to the already spread misinformation. If you do, please mention they aren't facts. I started this topic mainly to get facts from people qualified with enough knowledge of GDPR law (preferably lawyers or in contact with lawyers).Asad Khan | GDPR Compliance, Google Fonts Github
I'm obliged to say that I'm not a lawyer and this article does not constitute legal advice. I wrote this article to collate the most relevant points of this topic so you can make an informed decision.
With that out of the way, the core of the issue is that Google is a data processor that is recording the IP addresses of visitors to your site in order to serve the font resources from their CDN. This can interpreted as an issue for GDPR because this identifying datapoint (IP address) is not necessarily stored in the EU.
Google Fonts logs records of the CSS and the font file requests, and access to this data is kept secure. Aggregate usage numbers track how popular font families are, and are published on our analytics page.
In that same FAQ entry, Google also note the scope of the collected information:
The Google Fonts API is designed to limit the collection, storage, and use of end-user data to what is needed to serve fonts efficiently.
What does using the Google Fonts API mean for the privacy of my users? | Google Fonts FAQ
Use of Google Fonts is unauthenticated. No cookies are sent by website visitors to the Google Fonts API. Requests to the Google Fonts API are made to resource-specific domains, such as fonts.googleapis.com or fonts.gstatic.com, so that your requests for fonts are separate from and do not contain any credentials you send to google.com while using other Google services that are authenticated, such as Gmail.
Is this enough to make Google fonts illegal? This is primarily referencing the collection of website data that Google fonts are used on. As I noted in another article, GDPR and IP Address Logging, the collection of IP addresses doesn't necessarily constitute a violation if they can be deemed to be in
Overriding Legitimate Interest.
Not only this, but an IP address alone can only be an identifying datapoint if the data processor (Google) has legal means to obtain the additional data necessary to identify the individual.
It's also worth noting that Google's own Dave Crossland publicly classified Google Fonts as a
Google Fonts acts as a "data controller" for any personal data that Google processes in connection with your use of Google Fonts web and Android APIs.Dave Crossland | GDPR Compliance, Google Fonts Github
This is theoretically important because GDPR specifies that the
Data Controller is responsible for compliance with GDPR. But that's one interpretation, and I tend to think it's not one that will bare out in the long run. If you as a web developer don't give the user the choice to opt out of the use of Google Fonts (or at least the Google Fonts CDN as a method to load fonts) - you're forcing the user to share their IP with Google. Can Google be held liable for that? I don't know.
Anyway, long story short - because this issue is floating in the ethereal grey area of law, it actually is not an issue until it's proven in court otherwise. On top of this Google are actively working on more definition and clarity around the matter. This is just the nature of law.
So to answer the question, are Google fonts illegal? It isn't yet. But this may change.
If you want to avoid the whole debate altogether and just serve the fonts from your web server without using the Google Fonts CDN - just use this free and fantastic plugin from Daan van den Bergh: CAOS for Webfonts | Host Google Fonts Locally. It does all the work for you so there's no messing about with downloading the fonts and uploading them manually.
If your webpage loads resource from an external location, you can't modify the expiry headers (because it's not your server). Now in this case, I personally think it's best to stick with Google's CDN but to each their own.
The local method allows you to avoid the debate altogether and not worry about GDPR... at least until the next internet rumour.