Last week, I once again had the pleasure of taking over Camber’s Twitter account. This time we talked about a recent ruling in Germany that stated that calling Google Fonts over http (the most common way to use them) is not in compliance with the GDPR. This has implications far beyond Google Fonts, involving any third party code that gets included like jQuery, CSS libraries, etc.
I had a great conversation on Twitter with Donata Skillrud from Termageddon. Donata is a privacy lawyer, Vice-Chair of the ABA SciTech ePrivacy Committee, and Chair of the Chicago Chapter of the International Association of Privacy Professionals.
I started off with this question:
Personally I feel like that’s unfortunate. Being able to include a single line of code and then being able to simply use fonts on your site is incredibly useful. It’s particularly frustrating because Google could easily fix this. More on that later in the conversation.
So what else is there? These two tweets proved very useful.
So how far does this go? When I heard the reasoning behind the ruling, I immediately thought of jQuery, which has been included in millions of sites for years. Here’s what Donata had to say:
Donata wrote an excellent post about who is affected by GDPR. I was very surprised by some of the seemingly insignificant actions that can make your site liable. For example, if an American site has German language on it, they’re offering a service to Germany.
I mentioned that we as developers need to be careful about how we handle data and where it’s sent and stored, and Donata pointed out that at the end of the day, it’s the responsibility of the site owner to maintain compliance and that we as agencies also have some obligation to our clients.
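One practical check a developer can run before handing a site over: list every third-party host a visitor's browser would contact just to render the page, since each of those requests carries the visitor's IP address before any consent banner has run. This is an added example, not code from the original post, Camber, or Termageddon; the sample HTML is constructed, and the CDN URLs in it are only illustrative.

```python
"""Audit an HTML page for resources a visitor's browser fetches from third-party
hosts (Google Fonts, CDN-hosted jQuery, CSS libraries); each such fetch hands
the visitor's IP address to that host before any consent banner can act."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs that trigger a request as soon as the tag is parsed.
FETCH_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}
# <link> rel values that open a connection; canonical/alternate do not.
FETCHING_RELS = {"stylesheet", "preload", "preconnect", "dns-prefetch", "icon"}
IMPORT_RE = re.compile(r"""@import\s+(?:url\()?['"]?([^'")\s]+)""", re.I)

class ResourceCollector(HTMLParser):
    """Records every URL the browser would request while parsing the page."""
    def __init__(self):
        super().__init__()
        self.urls, self._in_style = [], False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        self._in_style = tag == "style"
        if tag == "link":
            rels = set((attrs.get("rel") or "").lower().split())
            if not rels & FETCHING_RELS:
                return
        if attrs.get(FETCH_ATTRS.get(tag, "")):
            self.urls.append(attrs[FETCH_ATTRS[tag]])

    def handle_endtag(self, tag):
        self._in_style = False

    def handle_data(self, data):
        if self._in_style:  # CSS @import inside an inline <style> block
            self.urls.extend(IMPORT_RE.findall(data))

def third_party_hosts(html, page_url):
    """Hosts other than the page's own that a browser contacts to render it."""
    parser = ResourceCollector()
    parser.feed(html)
    own = urlsplit(page_url).hostname
    hosts = {urlsplit(urljoin(page_url, u)).hostname for u in parser.urls}
    return sorted(h for h in hosts if h and h != own)

# Constructed sample page (not a real site) mixing local and CDN resources.
SAMPLE_HTML = """<html><head>
<link rel="preconnect" href="https://fonts.gstatic.com">
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Roboto">
<link rel="stylesheet" href="/static/site.css"><link rel="canonical" href="/">
<style>@import url("https://cdnjs.cloudflare.com/ajax/libs/normalize/8.0.1/normalize.css");</style>
<script src="https://code.jquery.com/jquery-3.6.0.min.js"></script><script src="/static/app.js"></script>
</head><body><img src="//example.com/logo.png"></body></html>"""
```

Running `third_party_hosts(SAMPLE_HTML, "https://example.com/")` reports the two Google Fonts hosts plus the jQuery and cdnjs CDNs, while the self-hosted stylesheet, script, logo and the canonical link are not flagged.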
I’ve always assumed that the reason the GDPR existed was to keep people’s data out of the hands of data thieves. As it turns out, I was quite wrong.
And here’s the real kicker:
It occurred to me that we’ve been talking about encryption, and I remembered that Google Fonts are served over SSL, so I asked why that isn’t good enough.
As I learned in our conversation today, GDPR compliance is very nuanced and is far more complicated than I thought. Donata had some final advice that should be used as a main guiding principle.