Introduction and risks when using external fonts:
Websites often use Google Fonts or other external font services to style the text on their pages. While these services are convenient, they have data protection implications: when the fonts are loaded from the provider's servers, the visitor's browser contacts the provider directly, which discloses personal data such as the IP address. The GDPR requirements are explained in detail below:
Consent and transparency (Article 6 and Article 7 GDPR):
- Consent: Websites must obtain consent from users before loading external fonts that transmit personal data. Consent must be voluntary, informed and specific.
- Transparency: Users must be informed that their IP address and other personal data will be transferred to the external font service. This information should be included in the website’s privacy policy.
Technical solutions to avoid data transfers:
- Local hosting: To avoid transferring personal data to external font services, websites can host the fonts they need locally on their own server. This ensures that no data is passed on to third parties.
- Content Security Policy (CSP): Implement a CSP so that fonts and other content can be loaded only from trusted sources, which limits the risk of unintended data transfers to third parties.
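To check both measures against an actual page, here is an added Python audit (example code, not part of the original text): it lists font URLs in the markup and inline CSS that still point at known external font hosts, and reports which CSP source tokens for font-src (font files) and style-src (the CSS that declares them) would allow fetches from other hosts. The sample HTML and the host list are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample page: two Google Fonts references plus one correctly self-hosted font.
SAMPLE_HTML = """<html><head>
<link rel="preconnect" href="https://fonts.gstatic.com">
<link href="https://fonts.googleapis.com/css2?family=Roboto" rel="stylesheet">
<style>
@import url("https://fonts.googleapis.com/css?family=Lato");
@font-face { font-family: Local; src: url(/fonts/local.woff2) format("woff2"); }
</style></head><body>Hello</body></html>"""

# Hosts of common external font services (assumption: illustrative list, extend it for your own sites).
FONT_HOSTS = {"fonts.googleapis.com", "fonts.gstatic.com", "use.typekit.net", "fonts.bunny.net"}

# Absolute URLs appearing in href="..." attributes or CSS url(...) values.
URL_RE = re.compile(r"(?:href=[\"']|url\([\"']?)(https?://[^\"')\s]+)", re.I)

def external_font_urls(html: str) -> list:
    """Every absolute URL in the markup or inline CSS that points at a known font service."""
    return [u for u in URL_RE.findall(html) if urlparse(u).hostname in FONT_HOSTS]

def parse_csp(header: str) -> dict:
    """Split a Content-Security-Policy header into {directive: [source tokens]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def third_party_sources(header: str, directive: str):
    """Source tokens of `directive` (falling back to default-src) that allow other hosts.
    Keyword tokens ('self', nonces, 'unsafe-inline') and data:/blob: never reach a third party.
    Returns None when the policy does not constrain the directive at all."""
    policy = parse_csp(header)
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return None
    return [s for s in sources if not s.startswith("'") and s not in ("data:", "blob:")]

def audit(html: str, csp: str) -> dict:
    """One report: font URLs still pulled from third parties, and whether the CSP would let
    font files (font-src) or the font CSS (style-src) be fetched from other hosts."""
    return {
        "external_font_urls": external_font_urls(html),
        "font_src_third_party": third_party_sources(csp, "font-src"),
        "style_src_third_party": third_party_sources(csp, "style-src"),
    }
```

An empty list for both directives together with no external font URLs means the page serves its fonts itself and the policy would block a regression to third-party loading.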
Relevant articles of the GDPR:
- Article 6: Lawfulness of processing
- Article 7: Conditions for consent
- Article 13: Obligation to provide information when collecting personal data from the data subject
Summary:
Websites that use Google Fonts or other external fonts must ensure that they obtain the consent of users and inform them transparently about the data transfers. Alternatively, they can host the fonts locally to avoid data protection risks. Implementing these measures will improve the protection of personal data and ensure compliance with the GDPR.