Website fined by German court for leaking visitor's IP address via Google Fonts Earlier this month, a German court fined an unidentified website €100 ($110, £84) for violating EU privacy law by importing a Google-hosted web font. The decision, by Landgericht München's third civil chamber in Munich, found that the website, by including Google-Fonts-hosted font on its pages, passed the unidentified …
So many web sites these days include heaps of javascript, trackers, adverts, etc, which are hosted elsewhere. All of these collect information. One of the worst web sites I have found for this is W3 Schools. I understand that web sites want to track readers or viewers or participants. I understand the 'need' for adverts for otherwise free web sites in quite a few (most?) cases. But just how many of these things does a single web site need? Why does a web site need multiple traffic analysis scripts? Before anyone answers, I already know the answer. My question is based on actual 'need' not 'sometimes it is better'.
The mantra 'be careful where you browse to' has become meaningless, when apparently 'safe' web sites are full of information gathering code hosted on sites that I have never directly visited.
The tentacles of Google are everywhere, and it would be extremely naive to think or suggest that all this information is not collated. We probably all have a Google ID somewhere.
Using and assuming the word "design".
Modern web, ahem "design"...bolted together from code scrapped off StackOverflow and underside of shoe, slather tons of React code all over it in a nice gloppy icing type mess, slapped into Github/Azure pipelines and move on to next contract.
Take a look at IBM's very own weather.com sometime. What a clusterfuck. I counted 7 layers of redirection once. For a fucking local weather report. This is progress?
The equestrian websites, designed to keep teenage girls happily occupied, clicking away, dreaming of getting a full time paying job playing with horses are worse.
I just finished reading Surveillance Capitalism; which I imagine was on some internal EU reading list, and was partly responsible for triggering the EU's crackdown on personal data collection. I'm minimising the contact with Google/FB in all my software - that book convinced me that the problem is way worse than I could have imagined initially.
In fairness, the way that websites particularly e-commerce websites are enormously wasteful on bandwidth and the sheer breadth of internet-wide resources that they require. So much website flab.
There are rarely situations where a website needs to use a "specific" font and could rely on the ones that are guaranteed to be supported by the browser instead.
If your browser will let you, toggle the accessibility options to ignore the site-specified fonts/colours & only use the system defaults. This should speed up the page load times by skipping all the attempts to load any fonts, leaving it to the browser to use the ones you're already using.
I also refuse to run JavaScript, auto-refuse 3rd party cookies, & rarely allow even 1st party cookies unless I need to create an account I'll revisit later. All those 3rd party JS calls to load some random unknown bit of crap code, all those analytics trying to set their tracking cookie, all those blocked tracking single pixel images (I'm totally blind & can't see the pretty pictures, so I don't let them download in the first place; the sighted may find this a bit frustrating for some reason), it all combines to force faster page load times.
"You don't use the web, do you?" Yes I do. My bank doesn't require JS, my email provider doesn't require it, my favorite news sites don't require it, and the shopping sites tend to have telephone sales lines to finish the shopping trip. The web is useable without JS, you just need to be willing to force the issue.
*Hands you a pint*
Cheers. =-)
Use your knee to steer, of course, just like everybody else.
There was one gal I used to see on a regular basis on the North bound 101 on-ramp from East bound San Antonio in Palo Alto ... Almost every morning, she'd be drinking coffee, eating a bagel, reading the WSJ, putting on her makeup, and cranking KOME[0] ... steering with her knee, One morning when I was running a trifle late I watched a tow service winching her car out of Adobe Creek.
When you are driving, drive. It's kind of important.
[0] Dating myself ... this was around 30 years ago.
...is usable without getting in, starting the motor, turning it off again, go to my mailbox, wait for the steering wheel to arrive, then go to the corner store, get the paint-package, painting the car, geting in the car, fixing the steering wheel, trying to start the car...
...only to discover that someone last-second-replaced the car keys in my hand with a hot-dog in an attempt to sell me more of them, and now I got mustard all over my Dashboard, because I squelched it against the keyhole accidentially.
A UK bank I use appears to have made a change to the code/behaviour of their Online Banking in the past month or so. I only noticed when I tried to download the latest monthly statement and nothing happened when I clicked on it - apart from that issue I see no other functionality problems.
As I have a very locked-down browser I checked and noticed 2 new bank subdomains being blocked that wanted to load some JavaScript. Not entirely unusual - websites are changed all the time. So I permitted those 2 subdomains and then noticed my browser making requests to 3 "obscure" domains of the form "1.<very long seemingly random name>.com. A "whois" showed the 3 registered at the time date/time about 4 years and the domain owner's name is hidden behind a proxy domain registration company.
These strange web requests are *definately* triggered by enabling the 2 new bank subdomains - if I disable them again then no traffic to the strange domains occurs, re-enable them and it starts again immediately etc
I suspect this traffic is not due to a hack but rather is a new analytics company that the bank has started using in the past month (analytic companies like to use "obscure" domains). However the traffic is suspicious - not the sort of thing I would expect a "secure" online banking system to do.
I've phoned the bank and as expected got nowhere with that approach. I've opened a "help" ticket in online banked and provided "developer mode" screenshots of my brower's requests when this happened.
I suspect it will be a long slow effort to get the bank to comment on this.
Unfortunately, that's only half true - the only icon font that's reasonably widely available is practically useless, so the choice comes down to using either images or a remote icon font. The font is significantly more compact. However, hotlinking from google fonts (or similar) is inexcusable - if your own webserver is set up properly, it's a minimal overhead to deliver the font (ideally stripped down to the parts you actually use) once, with a long cache timeout. The chances of needing to change it more than once every few years are slim to none.
Either way, if your site breaks without javascript and external resources, you're definitely doing something wrong, big time. If it's just a bit of design and a few nice to have details not working, that's how it should be.
who needs an icon font. I just make one as a PNG or JPG - probably takes less time than searching a stupid font for ":just the right thing". Use an 'img' tag with some style things and it lines up just fine. And you can make it look like whatever YOU want (and not some 2D FLATTY google chrome thing with poor color contrast that lets them track your IP address).
I mean how hard IS it to use gimp to make something like that? Oh wait, that's not "modern" enough...
icon, because, FACEPALM
I'm a printer. I own a Heidelburg Windmill, and use it quite regularly. I used to collect typefaces, and own many, many trays, some quite esoteric and rare.
But I quit collecting. Do you know why? Because I found myself only using three or four on a regular basis. In addition, I almost never change the matricies on my linotype machine.
Why? Because the three or four are all that are needed to get the point across. Sure, I can use a zillion different typefaces if I choose. Yes, it says "more than just the semantics" ... it says "The looks are far more important (to me) than the actual content I am trying to convey! I'm here for art's sake, not information transfer! Need info? Look elsewhere!".
The WWW is a billion monkeys with a billion typefaces producing cut & paste copy from the Ransom Note School of Design.
Sometimes less is more.
Arial, Times New Roman and Courier are sufficient for 80%+ of pages on the Web - of course it would upset some of the "designers" but it would make a lot of the pages more readable.
Some of the web pages that "designers" have produced are about as readable as a legal contract displayed in Wingdings font.
Please only use non-standard fonts where really required. (If a page has more than three non-standard fonts then it is normally time to sack the page designer.)
Being a bit of a pedant, but I think "sufficient for 80%+ of pages on the Web" is a bit of a fake-fact. Pretty sure that the billions of pages in Asiatic and African fonts make up considerably more than the remaining 20%. Mind you I can't read them on the occasions when I accidentally fall into them which is why I have suppressed 90% of the default fonts installed by Linux.
Why the f**k don't Linux distributions ask if you want 200+ non-western fonts installed. I'm sure loads of people would appreciate the reduction in install time. [Maybe windoze installs equivalent fonts as well - I wouldn't know since I haven't used it for 15+ years]
At present count, my system makes a bit over 200 fonts available for use. Font-Families exist, as does font-stacking. This should be more than enough for most use cases.
And if a design absolutely, positively, entirely, cannot exist without that one particular font, then whoever runs the website, then whoever runs the site can host it himself.
Hosting your own copy of a free font is NOT that hard.
However, if you MUST (for some copyright reason) ALWAYS get the font from the owner's server, you can most likely have some server-side code fetch and cache it on behalf of the web page that uses it... (then the IP address of your web server would be recorded, and not that of the guest visiting your web site)
Other than that, if you must do a cross-site load of a font, consider using a DIFFERENT font instead (and host it yourself). Many such freebie fonts exist.
Finally!
The hot linking of websites to third parties is an absolute pain. Even EU government sites have embedded stuff that leak data to non-EU hosters. Unfortunate that the penalty was so small. The website does not give you a choice and that is the problem. Therefore, correct decision.
CDNs are not necessary almost all of the time and are lazy programmer/designer problems. And, some (like google and other advert slingers) are real data-leak catchers. Even when some now say not to use the data... wait until management changes and be utterly unsurprised about the change of heart. And then there are those CDNs, who have no (clear) policy published.
Maybe this fine will start a trend.
€100? It might be an irritant in case of my hobby site, but this is not the internets of 2021. Perhaps if they increase the fine, for non-compliance, to €100 per day, then per hour, then per minute, this might force some to notice and fix this. SOME.
> €100? It might be an irritant in case of my hobby site, but this is not the internets of 2021. Perhaps if they increase the fine, for non-compliance, to €100 per day, then per hour, then per minute, this might force some to notice and fix this. SOME.
As per the article this was just a warning (emphasis mine):
The ruling directs the website to stop providing IP addresses to Google and threatens the site operator with a fine of €250,000 for each violation, or up to six months in prison, for continued improper use of Google Fonts.
Well, you did comment in this forum and that means you may have sent(*) info to "doubleclick.net" and "googletagmanager.com". Both domains are present on this page and are directly or script-activated.
I suggest you use your coat to slap El Reg for €100 for embedding and "forcing" you to send data the third party way.
(*) install an adblocker, NoScript and Privacy Badger. Then use a bit of time to block anything remotely dangerous for your privacy. Maybe add Greasemonkey to mold your own site alterations.
They indeed work and look good. That is the reason why I'm still on this forum. By default, I block all scripts, ads and many cross-site links. If El Reg stops functioning in that setting, then I'll stop being here.
So far, El Reg has been very good at resisting script bloat and are able to have a functional site without it. Hope it stays like that for a very long time.
That's not what you need to do though - all you need to do is to have the user consent to it/give them the choice to object.
Your example of open street maps isn't the same either - fonts can quite trivially be self-hosted, it's not nearly so simple to self host Open Street Maps (there's stuff like OpenMapTiles, but it's still more involved than downloading a font).
That's not what you need to do though - all you need to do is to have the user consent to it/give them the choice to object.
That makes sense when you put it to the sort of audience that you have here on El Reg. However, I wonder how well it would work for less technically-included people, many of whom may not even understand what an IP address is.
Putting yourself in the position of let's say a more mature user who has done a Google search and found the website for a shop. They click on the 'how to find us' link and instead of seeing a helpful map, they get a pop-up with words to the effect of "to proceed beyond this point and see the map, your IP address needs to be shared with a 3rd party" Would they click on that...or would they not understand what it means, get put off and just go elsewhere?
I know at least one person who would read that as "if I click that link then you will tell people where I live" (I know because they got a pop-up like that once, and phoned me in a state of mild agitation)
"instead of seeing a helpful map, they get a pop-up with words to the effect of "to proceed beyond this point and see the map, your IP address needs to be shared with a 3rd party""
The website simply need to self-host an image of the area around their location (like people used to do before the likes of Google Maps) and have that image clickable with the "if you proceed..." message display to obtain informed consent before loading a "proper" map from Google and that's then compliant with GDPR.
With the current situation of directly loading Google Maps on the website the user's browser talks to Google immediately on pageload whether or not the user intends to use Google Maps and that's where the legal problem lies.
I thought the web was meant to be about sharing. If a resource is hosted publicly, what kind of sense does it make for everyone who wants to use it to have to create, host and maintain their own copies?
Yes, yes, I know the answer, and I understand the ruling. I even agree with it. But it's with a heavy heart that I do so. This is not the web I was promised.
@veti
"I thought the web was meant to be about sharing"
Its a brave new world. Sharing doesnt work with the me,me,me people. Everyone wants something for free but dont want to pay a price. While not the approach I take (I dont trust others to go offline) it seems reasonable we should be able to point to the provider for the feature we want. But that goes against privacy for the people who spaff their info all over the interwebs.
Relying on a third party site for a library or font is risky as well. Especially when its a "free" service. Why would the company be doing this for free? It costs them money to host it for you...
What happens when they randomly decide to change the files for something else? Or it gets compromised and 50 million sites all use it?
Host yourself, MUCH better all round.
You can specify a checksum in the script tag, so a changed file won't get processed.
By having every website refer to a single host, that will save millions of downloads as the browser can cache that resource.
If you don't specify the checksum, you can point to the latest version which means that any fixes applied to the library will be deployed to your site automatically, without having to remember to check and update your source.
There are arguments both ways. The bigger problem is the EU deciding that an IP address alone constitutes PII
Naturally this will just lead to more CGNAT deployments, so we will all suffer.
There have been recent cases where open source code used by thousands of sites has been found to have a security hole. If you self-host such code you will not automatically get updated when the code is fixed.
You may never even hear about the problem - you might be running code that is years out of date because you forgot to check for updates.
If you're copying and hosting code you should have a process in place to track reported security issues.
If you pull it dynamically and unchecked from a 3rd party site you're invisibly exposed to any future bugs that get introduced, accidentally or deliberately.
If you're providing code that will be executed by your users or customers there's simply no excuse for not validating and hosting it yourself.
Outsourcing your update process to a third party you don't have any form of legal contract with is a recipe for disaster.
Simply leaving it to them is abdicating your own legal responsibilities too.
Also, an IP address can very much be PII. You can find out exactly who someone is with only the IP address and a date and time to start with...
"The bigger problem is the EU deciding that an IP address alone constitutes PII"
You mean the EU deciding that an IP address alone constitutes Personal Data? "PII" is a term that appears to have originates from USA with their far narrower Data Protection laws. "Personal Data" is the correct GDPR term, the 2 terms are not interchangable and mixing them up only confuses any discussions.
Also whilst it may be a problem for some/many organisations (especially USA-based ones like Google & Facebook) that the EU decided this, it is actually a good thing from the perspective of individuals' own privacy.
"...The bigger problem is the EU deciding that an IP address alone constitutes PII..."
If you can be identified from your IP address, then yes, an IP address truly is PII.
Post an anonymous death threat to BoJo or Joe Biden on Facebook or Twitter and see how long it takes to get a knock on your door ;)
The fact that the *EU* is saying an IP is PII doesn't somehow make it any less true...
There is something weird with Google Fonts that I don’t particularly trust.
A few weeks ago I was working on a completely new site on a completely new domain. And not an easy to guess domain name either.
I never let my own sites download fonts from other places as I don’t like my sites to be dependent on strangers. In this case, however, I used a template generator for a specific part and that generator produced CSS that got the active font from Google. I knew this but the site wasn’t live and nobody was using it or even knew of its existence. For days my visits were the only entries in the server access log. I was going to get to changing the font to a download from my server nearer the publication date.
And then a Google bot visited the site.
I don’t know how it knew of the site’s existence. I hadn’t disclosed the URL to anyone yet. Hadn’t posted it anywhere. Wasn’t using Chrome (or any other Google tools that could inform the mothership).
The only thing I can think of is that Google Font script. It uses some odd techniques in that Google Fonts are not just links to some .WOFF2 file on Google’s servers but you actually need to include a CSS that resides on Google’s servers, which in turn executes the downloading of the fonts. I wonder if that CSS also triggers some process on Google’s servers to check where it’s hosted or referred from.
Anyway, an interesting experiment for a privacy researcher. Set up a new page on an unguessable domain. Only link to Google Fonts and see how long it takes for Google to show up in your server logs.
You've basically followed the same process that made German developers discover that Microsoft was listening in to Skype messages, I think it was in 2004 or so. At the time it was reported on Heise Online.
There too, a totally random newly set up page URL was shared and because they were testing they were monitoring their logs. Within a second of mentioning the URL they got a hit from a Microsoft IP address.
Nowadays, Microsoft as well as everyone else camouflages this surveillance by showing you a preview, but when I saw this reported I started tracking where the ping came from, and over the years it moved from Redmond to Azure, then to Azure in Europe until I lost interest some years ago :). In all that time, it has never taken more than 3 seconds to get a hit - most of the time it was instantaneous.
This post has been deleted by its author
"The only thing I can think of is that Google Font script. It uses some odd techniques in that Google Fonts are not just links to some .WOFF2 file on Google’s servers but you actually need to include a CSS that resides on Google’s servers, which in turn executes the downloading of the fonts."
I believe this is because the original link ultimately can redirect to the font in one of several file formats depending on your browser - from memory there are 3 different file formats varyingly supported in the mainstream browsers and even where more than 1 format is supported the "best" supported format may vary.
.. but to be honest, I wasn't expecting a court to deem what I referred to as sufficient to declare it illegal because there's a sort of haze around its collection stats due to caching.
However, if Google Fonts are out then I would estimate around 99% of all EU Wordpress sites are toast because ALL WP themes seem to be based on Google fonts, but far, FAR more interesting is that this also declares EU use of Adobe Typekit fonts illegal. That one, I reckon, may prove far more entertaining, because Adobe is one of the less recognised data gatherers out there.
As for stats, we've switched to Matomo ages ago..
Don't be silly, you do know better. Of course it can, but, as required by GDPR, you have to ask your visitor if they are OK with "it". Yes, I know, start crying that it's a PITA, not "enhancing the experience", but that is what is all boils down to, right?
To use a appropriate film quote: "Ignorance is bliss". Or to translate it to a remark frequently heard on the other side of the (commercial) pond: Free choice is a PITA...
Clicking on a YT video on the Videos tab, it presents me this message:
YouTube Privacy Warning
YouTube (owned by Google) does not let you watch videos anonymously. As such, watching YouTube videos here will be tracked by YouTube/Google.
Before offering me the "Watch Here" or "Watch on YouTube" buttons (unless you've been silly enough accept the "Remember my choice" option)
Google Fonts can be self-hosted to avoid running afoul of EU rules and the ruling explicitly cites this possibility to assert that relying on Google-hosted Google Fonts is not defensible under the law.
(My emphasis.)
I didn't read the judgement. But that's hinting the problem only occurs where there is a choice to self host and you don't. If the data MUST be served from a third party, then that might be a reasonable defence. (Especially as a video is obvious in the way a font isn't.)
"Can EU sites no longer embed a YouTube video using the same rationale?"
Yes the legal "exposure" is the same.
The solution, which I've seen quite a few website do to address this, is that the "video" on the webpage is actually a locally-hosted image and then when you click on it you are told that clicking again to view the video will use an external 3rd party (i.e. YouTube or Vimeo).
So if when to go to the original webpage nothing is send to YouTube/Vimeo whereas in the more typical situation these days of embedding a YouTube video then Google "know" that you've gone to that webpage whether or not you've viewed the video.
The same issue applies when having Google Maps embedded in one of your webpages.
This is all obvious to anyone who has fully considered the GDPR - I talked about this locally in May 2018 shortly before GDPR came into effect.
Yes and no. A site hosting its own fonts, JS libraries, etc means no need to connect to other servers, But you'll download common resources once for each site, instead of just once.
I'm not sure I understand the basis of the fine. If I host a site, visitors must reveal their IP address to those operating intermediate routers. The visitor has no control over this. That's OK, because there's no alternative? I can reference remote resources but only if hosted by a provider that assures me it won't use the IP addresses it sees, beyond what is necessary?
You can do such data collection and processing as is required to perform the service the resident requested.
No more.
It's very simple.
Giving your IP address to Google is not necessary. For example, the font is demonstrably not required at all - the browser has its own font store.
Heck, the user may be using a screen reader and not rendering fonts at all.
> But you'll download common resources once for each site, instead of just once.
That is FUD from Google and its ilk.
In practice, how likely are you to come across two sites both using the same oh I'm so unique font?
Also, it's often defeated by the browser adding a "no-cache" directive to the request headers.
And in any case, it is a brave man he who doesn't clean all his navigation history upon closing his browser.
It will put British firms at a disadvantage, mostly.
In any event, the new UK non-GDPR can only add to the red tape. With a small savings, possibly, only for UK firms selling inland only. Take on the world, including Europe? Then it will be necessary to STILL comply with GDPR. But now, with an extra layer of UK non-GDPR.
That may be true in some ways and not in others. But, in any case, as the earlier post pointed out:
Just making them different increases red tape!
No Tory donor (sorry, I mean "no global UK business") wants different rules for their worldwide web site from those for their UK site.
"Will google have to remove the information that we now learn it obtained illegally ?"
Until a plaintiff obtains a legally enforceable judgement or court order against Google, the answer is no, it just wont.
And even then, Google is probably big enough to stall the process indefinitely, and even then once that's exhausted, they probably still wouldn't.
Of course! When the Court demands it, alphagoo will quite happily remove all the gathered information from every single production and development system! And they will be equally happy for the court-appointed auditors to verify the removal!
During the meanwhile, at the carefully curated off-site backup location ...
Hmmm, lots of people proclaiming the self hosting ideal, nice idea until a serious flaw is found, compromised and next thing the scuzzbag crews have a nice set of compromisible websites to spew more shite to hook the innocent. How long do you work on a website project contract, 3 or 4 years? Ha, more like 2 months max and then gone leaving something behind that would be left to age disgracefully and unpatched. I don't like pulling resources from CDNs and i do it with a heavy heart, only hooking what I need but I know that if something went wrong patches may not appear there instantly but as soon as they were applied my sites are then patched by dint of being hooked into a common set of libraries.
CDN hosted is the "least worst of" compromise to a terrible state of affairs.
Its really not hard. If you really want to abdicate your responsibilities for managing the code you download to people's browsers to third parties there are many ways to make the code available without allowing the third party to see the user's own IP address.
Two immediately obvious, old-skool approaches are (i) to host the code yourself and have a regular, or even (if you insist) automated update process to fetch new code, (ii) just reverse-proxy the download from your web server so the 3rd party sees only your IP address. These can be trivially enhanced with a caching web server, or can be out-sourced to a third party (such as a CDN) as long as you have appropriate commercial agreements in place to mean you are the data processor and they cannot make their own use of the data they get.
Better still, keep the code simple and employ appropriate programmers (such as through a 3rd party website creation company) to make sure it is professionally maintained. Treat it exactly as you treat your ERP system and your outsourced HR.
Lot's of websites pull resources from other places - in fact, it's often encouraged. Want to display mathematical equations on your site: link to the - external - officially hosted version of MathJax - means you also get updates without having to manage it on your end. Want to use Bootstrap: link to the - external - officially hosted version. This is true for so many (most?) web frameworks, libraries, fonts, and other resources.
If every site has to maintain their own local copy of jQuery, what is their liability for not keeping it up to date? Because we've just been told they're liable for using external 3rd party resources (which silently roll out updates when needed - which is another thorny issue).
I am not trivializing privacy concerns. I prefer to be as untracked as possible, but every single connection on the Internet requires knowledge of the endpoint (yes, you can obscure it through a VPN or proxy, but you're not "anonymous" to them). You can't simply have a policy of not logging or tracking IP addresses, because that information is useful for blocking "hostile" actors (you know, the ones who keep trying to hack your site). On the other hand, it is really, really creepy if an actor - like Google - is taking access to a "public" resource and then trying to use it to build an identifiable profile.
Does the onus belong on a website using a 3rd party resource in good faith, or does it belong on the 3rd party providing a public resource in bad faith. Never mind all the thorny issues of what is appropriate due diligence on a website's part.
Security and privacy on the Internet are very difficult things.
This nuanced reply is what I was hoping to see. I understand both sides of the argument but I think criminal penalties against a site for fetching third party resources is out of line.
I manage a few complex sites for our company that use external resources such as jQuery and commonly used Google fonts. We use only two typefaces across the whole site and they don't just make the design more attractive, the sans serif font we chose is very clean and readable when presenting large amounts of data on screen. Nothing breaks in formatting or function if a user wants to disable the custom fonts for any reason.
Google and other search engines penalize slower sites heavily in search rankings so it's considered good practice to use known safe public repositories for commonly used libraries. This way instead of fetching a fresh copy of jQuery or common Google fonts the client can use their cached copy.
I would really like more context about this story to find out how big the site is, what the complainant's motivations are, whether the site was warned in advance etc. but unfortunately I don't speak German.
Having waded trough the decision via the link provided I was surprised to see that it did not rely on the Schrems decsions. Instead, since there wasn't consent the defendant tried to rely on legitimate interest but the court ruled that it doesn't apply as the font could have been self-hosted and therefore there was no need to Google to get the IP-address; Google being well-known data hoarder was also mentioned. I'd think the use 3rd party resources might still be legal on legitimate interest grounds if there isn't a straightforward alternative and if the 3rd party could be trusted not to use the IP-address for its own purposes; a contract preventing such use or the 3rd party merely being in the EU or another jurisdiction with sufficient data protection legislation making such use illegal could suffice (in any case 3rd parties located in the US are out though because of the Schrems decisions).
I remember questioning the GDPR impact of the use of Google Fonts (or indeed other 3rd party hosted fonts, videos, maps, etc) back in May 2018 when discussing the introduction of GDPR with a local group of IT people.
Good to see some clarity finally.
It has been a while since I dug through Google's GDPR-related docs for their services but wasn't Google Fonts one of the services where Google claim to be just a Data Processor acting on behalf of the website and that, as part of the website's agreement with Google for use Google Fonts, Google *requires* the website to draw individuals' attention to the use of this Google service *in advance*? How do you inform someone in advance if any page on the website to inform them makes use of Google fonts in the 1st place?
I see the same sort of "sillyness" with many companies' Privacy Notices where I cannot actually read them, so that they can inform me of 3rd party stuff, as I don't have 3rd party fonts/javascript/trackers/other content enabled - in many case I just see a blank page.
BTW Google's anonymisation of IP addresses for their services is not actually valid for IPv6, they truncate on a /48 when a /48 is a valid prefix to allocation to a *single* customer and some ISPs do actually allocate /48 to domestic customers. They should be truncating on something like a /40 to have any sort of credible anonymisation..
Where does it stop?
TheReg has google stuff embeddeed in it's main page, so does pretty much every site I've ever seen. This is completely commonplace normal practice. CDNs are there for plenty good reasons. They save time and bandwidth both for site owners and end users. Will this ruling kill them all off and make everyone go back to the old ways?
So much for progress, everything that's useful is gradually being killed off by people who don't understand the question
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
