The General Data Protection Regulation drastically increased (or should have increased) the degree of attention we put into our everyday work when it comes to using external services or including external libraries: the recent ruling by the Austrian Data Protection Authority that considered Google Analytics illegal is evidence of how harmful it can be not to pay attention to what we use for our customers’ web properties.
As a dutiful introduction, I must clarify that my feelings about GDPR and all the “privacy enforcing” topics are not exactly positive, mainly because I suspect there’s a great degree of incongruence between the regulation and its usefulness. C’mon: it takes only half an hour of standard browsing on new websites to get you clicking that “allow all” button faster than Dominic Toretto driving his Dodge Charger.
That said, I’m a huge fan of “the law is the law”, and I’m also not willing to explain to our customers’ legal departments what’s going on with that 4%-of-annual-global-turnover fine. I pay as much attention to evaluating GDPR’s side effects as to reading general EULAs (remember my TLDR article?). The problem is that every time I feel I’ve reached a pretty good mastery of something, in this case GDPR compliance, a German court pops up and starts ruling against websites embedding Google Fonts.
Is Google Fonts illegal?
The short version is that Google Fonts is not a deal breaker for your GDPR compliance, but, as with any external service connected to a US-based company, you need to look carefully at what you are doing.
The long version is not so long, though: the original ruling (in German, sorry) talks about the “data (IP address) sent to a company based in US” and says there is “no justification because Google Fonts can also be used by the defendant without a connection to a Google Server is established and the IP address of the website user is transmitted to Google”. That’s obviously true: Google Fonts can be embedded the easiest way, loaded directly from Google’s CDN and transmitting the user’s IP address to Google’s servers, or the “hardest” way, copied to your own server and served from there, without sending anything to Google.
Don’t take shortcuts
As many other times in my working history, the worst mistakes have been made because of shortcuts, usually taken without even having a clue of what’s going on. In this case, saving two hours of work by using the easy embedding way, without even worrying about IP disclosure, could lead to legal issues that could have been avoided.
Long story short: don’t simply cut and paste something, especially if it came from Google or from any other US-based service under the privacy regulators’ spotlight; investing a brief period trying to understand what’s happening under the hood usually pays more than implementing something in the dark.
Rules of thumb are:
- Always double check whether you are sending sensitive data to some other external web server. Remember that if you are calling any external source from inside a web page (client-side, not server-side), you are at least sending the user’s IP address to that server. If so, try to understand whether there’s another way to obtain the same result using resources on your own server, and move everything on premise. Oh yes, I really said “on premise”, welcome to the stone age my friend, but hiding those IP addresses is a priority, isn’t it? Please consider that, for some reason I’m not aware of, it seems CDNs like jQuery’s are not (as of now) considered against GDPR compliance, probably because they don’t track IPs (even if it’s not stated anywhere) and because they don’t use those IPs for marketing purposes anyway (even if that’s not stated anywhere either). Don’t take this as legal advice, though.
- If there’s no way to include the resource other than calling the external web server directly, try to understand whether there’s some sort of disclaimer you can add to your Privacy Policy to avoid trouble;
- If possible, always ask for legal advice, better if privacy- or GDPR-focused: a 5K legal bill at the end of the year is always better than a 250K fine for nothing.
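A small check for the first rule of thumb, added here as an example (it is not code from the original post): it parses a page’s HTML and lists every resource the browser would fetch from a host other than the page’s own, which is exactly the kind of cross-origin load (a Google Fonts stylesheet, a CDN script, an `@import` in an inline style) that hands the visitor’s IP address to a third party. The page URL and the sample HTML are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tag -> attribute whose URL the browser fetches as soon as the page renders.
FETCH_ATTRS = {"link": "href", "script": "src", "img": "src", "iframe": "src"}
# url(...) and @import references inside inline <style> blocks (web fonts live here).
CSS_URL_RE = re.compile(r"""(?:@import\s+(?:url\()?|url\()\s*['"]?([^'")\s]+)""", re.I)

class ExternalResourceFinder(HTMLParser):  # collects cross-origin resource URLs
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.page_host = page_url, urlparse(page_url).hostname
        self.found = []          # (tag, absolute URL, third-party host)
        self._in_style = False

    def _record(self, tag, raw_url):
        url = urljoin(self.page_url, raw_url)   # resolve relative paths
        host = urlparse(url).hostname
        if host and host != self.page_host:     # same-origin loads stay on premise
            self.found.append((tag, url, host))

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "style":
            self._in_style = True
        attr = FETCH_ATTRS.get(tag)
        if attr and attrs.get(attr):
            self._record(tag, attrs[attr])

    def handle_endtag(self, tag):
        self._in_style = self._in_style and tag != "style"

    def handle_data(self, data):
        if self._in_style:
            for raw_url in CSS_URL_RE.findall(data):
                self._record("style", raw_url)

def third_party_resources(page_url, html):
    finder = ExternalResourceFinder(page_url)
    finder.feed(html)
    return finder.found

# Constructed sample: a Google Fonts embed, a CDN script and three self-hosted assets.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Roboto">
<link rel="stylesheet" href="/css/site.css">
<script src="https://cdn.example.net/jquery.min.js"></script>
<style>@font-face { font-family: Roboto; src: url(/fonts/roboto.woff2) format('woff2'); }</style>
</head><body><img src="img/logo.png"></body></html>"""
```

Calling `third_party_resources("https://www.example.com/", SAMPLE_HTML)` returns only the Google Fonts stylesheet and the CDN script; the self-hosted CSS, the local `.woff2` font and the logo are not reported.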