GDPR (DSGVO) and Google fonts

Since the 25th of May it is no longer legal to use Google fonts. There is no chance to get the permission of the visitor to transfer his data to the Google servers before the IP address is sent. Therefore it is important to remove all Google fonts. I am searching for an easy and safe way to do so.

Tom

 
A3020 replied:
Do you have many websites that you ask this question? Or, what's the problem of manually replacing Google Fonts with a local font?
GNWadmin replied:
1. I think there are a lot of people using c5 only like they would use WP or any other CMS. I do so too. Some years ago I developed my webpages just with css and html. Therefore for me it might be possible to find a way to host Google fonts locally. But for most users surely not.
2. I for myself do not use gf, but the themes load them in spite of the fact that they are not necessary.
3. I am always looking for solutions for the "common user" and for me. Maybe there is a quick and dirty workaround for me, but this is not the right way.
4. Have a look at WP, they are discussing the same. And please, think about that a lot of people are not able to manipulate the sources.
A3020 replied:
What about posting an issue to the Support section of where the theme has been bought?
GNWadmin replied:
With a little look at my point 3 you can see that in my opinion it would be great to have a solution for everyone.
Maybe for me it is a way to ask the supporters of the 3 themes I am using (one for my website, the others for the sites of my wife and a friend of mine).
A3020 replied:
> "With a little look at my point 3"

OK, I'm out. Maybe someone else can help you
GNWadmin replied:
Thanks a lot for your attempt to help me and have a nice weekend :-)
tallacman replied:
Is this true? What about Typekit?
GNWadmin replied:
With typekit it is just the same, I think.
GNWadmin replied:
The general opinion of the legally trained is this one:

“While it may be the case that Google is sometimes operating as a controller … that does not mean that Google has the right to make unilateral decisions about the use of personal data collected from publisher properties. … The publishers are the primary controllers of that data and, perhaps more importantly, have the direct relationship with the consumer,”
(Frankfurt Kurnit Klein & Selz, NY)

That is the reason for you to get the "declaration of consent" from your website visitor before your website or the included services transfer any personal data (the IP address of the visitor belongs to them too!) to Google, Adobe or whatever else.
mnakalay replied:
For Google fonts, if you serve the fonts yourself directly you don't have a problem.
kfog replied:
Question:
Is it legal to store the Google fonts in your theme folder?

We do this by default, because our themes are not only for internet use; we also use it for intranet without internet connection.
GNWadmin replied:
It depends...
Has everyone using your intranet declared that for him it is ok that his data will be transferred to Google?
GNWadmin replied:
...or do you store GF locally and no data is ever transferred to others?
GNWadmin replied:
Important is not to have "@import url(http://fonts.googleapis.com/..." in your sources.
You can check it in your browser (developer tools).
okapi replied:
I really like this nice tool for self-hosting Google Webfonts:

https://google-webfonts-helper.herokuapp.com/fonts/...
GNWadmin replied:
...but it makes no sense if you don't use any of the Google fonts the themes include in the generated pages.
GNWadmin replied:
And please do not forget: a big webhosting provider in Germany offers concrete5 as one of some "out-of-the-box" cms solutions. I think most users of these pages don't ever know what you mean...
okapi replied:
I don't understand.

You asked:
"Therefore it is important to remove all Google fonts. I am searching for an easy and safe way to do so."

@mnakalay's and my answer is, you don't have to remove all Google fonts, you just have to host it on your server in order to comply with GDPR (DSGVO).

It's of course not illegal to use Google Webfonts. You just have to make sure that your theme doesn't request them directly from Google's servers. The tool that I mentioned can be helpful in this regard.
GNWadmin replied:
Yes! Of course it is possible to store these fonts locally (unconsidered some discussions about the legality of doing this...).
And Yes! I think I will find a way to remove these useless fonts from the source.

And No! I am not of the opinion that concrete5 is just for me and some more initiated.

And Yes! I think that it would be very helpful for a lot of people (not even knowing that their websites aren't GDPR-compliant) being able to switch off the inclusion of Google fonts.
GNWadmin replied:
There are some people "outside" of the IT-world looking for beautiful themes. They do not know anything about GDPR and fonts, neither about to go into the sources and to disable the call of Google addresses.
GNWadmin replied:
OK, I admit, I can set an extra page in front of my website where I ask for the permission to transfer data to Google, Adobe, Microsoft ... and to refer to their data privacy statement. But as you can read in ongoing discussions you are still responsible.
My point is only: it would be great for a great tool like concrete5 to have an easy way to be compliant.
okapi replied:
This is the best answer?
mnakalay replied:
@kfog if you host the Google Fonts you use yourself, you effectively detach your site from Google's and, for the fonts at least, have isolated your site from it. So you don't need to ask your users anything.

If, on the other hand, you are using the Fonts directly from Google, then you have to look into complying with GDPR.
GNWadmin replied:
...thank you, it looks as if you understand my intent...
JohntheFish replied:
I think you could handle the GDPR issue of Google Fonts by linking to Google's policy from your own policy. If Google tracks the font delivery, then Google is in breach of GDPR.

This whole chicken and egg problem of not being permitted to deliver an external font until they have acknowledged you can use an external font is a customer reading themselves into a knot rather than just being practical about it. Being deliberately ridiculous along the same lines, the site should also be asking visitors permission to serve their web site through their hosting provider, because the host server logs could include a visitor's IP address.
okapi replied:
One of the important points of the DSGVO is transparency.
Google Fonts are registering the IP addresses of their users, that's because the DSGVO says, it's prohibited to load fonts directly from servers outside the European Union.
JohntheFish replied:
Whilst Google is a US company, they have massive server farms in Europe.
GNWadmin replied:
Oh, it is not important where the servers are. As soon as you transfer personal data, and the IP address belongs to it, to a third party without a legal reason or the declaration of agreement you are violating GDPR.
tallacman replied:
Who do we have to thank for this legal morass? Zuck? Snowden?

Certainly should cut down on Google's traffic.
Cahueya replied (Best Answer):
This has been longer in the planning than all the Data scandals. But let's say - the scandals justify the move now.

I do not believe that adding an item to the Privacy Statement would suffice for external loading of resources. If this would be the case, all the "Share and Like" Plugins would be completely legal because they just request the IP of the visitor.

So, if not getting a consent from the customer (which would be safe), I think that:

1. Having a Data processing agreement with Google, in which they state how they treat the data

and

2. Loading from servers within the EU

would be best.

In the end, no one really knows if anybody will ever be in trouble for something like the loading of external resources (Let's not think of CDNs or Google Charts API or AJAX or whatever). But even if no one really cares, as long as an IP Address is considered "Personal Data" there are all kinds of problems around using external services.

AND the use of Webfonts can't be justified as "necessary use of data" because it is just cosmetics.

What I do now: I avoid using Webfonts from external sources in new projects and advise all older clients to switch to local fonts (if they refuse, it is their choice).
For all external services I use, I hold data processing agreements and, if possible (like with AWS), I choose European destinations.
GNWadmin replied:
For the moment I walked through the sources of my concrete5-sites with find and grep and commented out all lines with googleapis. But nevertheless I think this is not the right way for such a great tool. "John Doe" shouldn't have to do so.
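The find-and-grep pass described in the post above, written out as an added example that is not part of the original thread or of concrete5: it lists every reference to a remote font host in a site tree as file:line:text. The host list is an assumption beyond fonts.googleapis.com (fonts.gstatic.com and use.typekit.net are added here), and the sample theme files are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): report every reference to a remote
# web-font host inside a site tree, as file:line:text.
# fonts.googleapis.com is the host named in the thread; fonts.gstatic.com and
# use.typekit.net are assumptions added here (Google's font files, Typekit).
FONT_HOSTS='fonts\.googleapis\.com|fonts\.gstatic\.com|use\.typekit\.net'

# scan_external_fonts DIR: print one "file:line:text" row per match.
# Commented-out lines are reported too, so they can be reviewed by hand.
scan_external_fonts() {
  find "$1" -type f \( -name '*.php' -o -name '*.css' -o -name '*.less' \
    -o -name '*.html' -o -name '*.js' \) \
    -exec grep -nHE "$FONT_HOSTS" {} + 2>/dev/null || true
}

# count_external_fonts DIR: number of matching lines (0 means the tree is clean).
count_external_fonts() {
  scan_external_fonts "$1" | wc -l | tr -d ' '
}

# make_sample_tree: build a constructed theme override in a temp dir, print its path.
make_sample_tree() {
  d=$(mktemp -d) && mkdir -p "$d/elements" "$d/css"
  cat > "$d/elements/header_top.php" <<'EOF'
<!-- Fonts -->
<link href='http://fonts.googleapis.com/css?family=Raleway:400,600' rel='stylesheet' type='text/css'>
EOF
  cat > "$d/css/main.less" <<'EOF'
@import url(//fonts.googleapis.com/css?family=Roboto);
body { font-family: 'Roboto', sans-serif; }
EOF
  cat > "$d/css/local.css" <<'EOF'
@font-face { font-family: 'Raleway'; src: url('../fonts/raleway-400.woff2') format('woff2'); }
EOF
  echo "$d"
}

# Demo on the constructed tree; pass the path of a real theme folder instead.
sample=$(make_sample_tree)
scan_external_fonts "$sample"
echo "external font references: $(count_external_fonts "$sample")"
rm -rf "$sample"
```

A static scan only covers files on disk; fonts pulled in at runtime by scripts or by stylesheets stored in the database still need the browser developer-tools check mentioned earlier in the thread.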
mnakalay replied:
True, John Does shouldn't have to do that.
But Concrete5 is not "aware" of google fonts. Themes and plugins developers are and it's their responsibility to deal with that.
bcron replied:
What if John Doe uses the preinstalled theme "Elemental", residing in the core?
mnakalay replied:
You are right, I forgot Elemental used it. And come to think about it the whole C5 dashboard uses Roboto hosted by Google.

I think it should probably be changed to something else or hosted locally at least for Elemental.
jeanjaques replied:
How did you do that? In which concrete files could you find the links?
I use a bought theme for concrete 5 and I removed there so far as I could find all the google lines.
My website still shows in the code
<!-- Fonts -->
<link href='http://fonts.googleapis.com/css?family=Raleway:400,600' rel='stylesheet' type='text/css'>

So far I have no idea where to look in concrete 5 files. There are thousands of them in the root. I read some of them but it was too much. Can you give me a hint please?
Thank you.
okapi replied:
Yes, in 8.4.1, the Elemental theme still comes with external Google Fonts:

/concrete/themes/elemental/css/build/fonts/...

Not sure if these could be overridden by creating corresponding .less files in

/application/themes/elemental/css/build/fonts/...

pointing to local fonts in a custom fonts directory

/application/themes/elemental/fonts/

@mnakalay: what do you think, would that be possible?
mnakalay replied:
Overriding Less files that way is not possible.

One possible solution, but I didn't test it, would be to override the theme itself. You wouldn't need to override the whole thing. You would need to bring over only the CSS folder and the file elements/header_top.php

My untested theory is that if you override header_top.php which loads the Less files, it will be looking in the current (override) directory for those Less files. If that is correct then you can modify them in the override to load fonts manually.

I am working on a new package that I will offer on the marketplace for free that will offer a way to (kind of) solve this problem.

I'm probably around 2 to 4 weeks away from completing it. If you're not in a hurry, that should provide users of Elemental with a workable solution.
jeanjaques replied:
How should I override header_top.php? When I use theme equinox, it shouldn't matter which other themes are installed in concrete, or? Do I have to delete some code or what should I try to override the css presets for elements? Thank you.
mnakalay replied:
C5 will use files for whatever theme is active, not the others.

To override a theme, you copy the theme's folder to applications/themes and you keep only the files you want to override. So, in this case, you will keep the whole CSS folder and the folder elements with only the file header_top.php inside it. Again this is an untested theory.

If you don't know how to modify the LESS file to have it load fonts locally it's a problem as it will be a little more involved. I cannot say how to do it for Equinox as I never used that theme.
mnakalay replied:
For those of you still interested in this, I built a tool that allows you to make copies of Elemental as new independent themes. One option of the tool is to make your new theme load Google Fonts from your server instead of from their server so it complies with GDPR.

Here's the link: http://www.concrete5.org/marketplace/addons/elemental-cloner/...

It's totally free by the way