According to German and Austrian DSGVO law, we do not recommend using Google Fonts loading from Google Servers located in the US. The German court (in Jan 2022, LG München, Urteil vom 20.01.2022, Az. 3 O 17493/20) deemed this a violation of Europe’s GDPR (General Data Protection Regulation) because Google Fonts exposes the visitor’s IP address. 

What are Google Fonts?

Google Fonts is an interactive directory of over 1450 fonts provided by Google. This library is freely available and can be used both remotely and locally. They can be used commercially, and even include them within a product that is sold commercially. A wide selection of fonts is available to customize your website and text. In this way, Google Fonts combines simplicity and individuality in one. However, a faulty Google Fonts integration transmits the personal data of website visitors to Google (US), which is why there are privacy concerns.

Privacy vs. Google Fonts

If you download the fonts you want and store them locally on your server, the fonts will be reloaded directly from your server when you visit the website instead of being downloaded online from Google servers. This way, no connection to Google servers is established and no data is sent to Google. With this integration, you are on the safe side and not affected by the ruling.
It only becomes critical if you use Google Fonts remotely and do not store them locally on your own server. In this case, individual fonts are not loaded from your server when the website is called up, but from Google servers. During this process, the personal data of the website visitors (including their IP address) is automatically transmitted to Google. This means that the respective website visitor no longer has any control over the processing of his or her data, which represents an unacceptable violation of general personal rights.
Both you as the website operator and Google LLC are responsible for protecting the personal data of website visitors. If you do not do so, you will have to expect high warning costs due to DSGVO violations.

German court’s ruling threatens a fine (100€ - 400€ ) for each infringement case or, alternatively, six months imprisonment, if the site owner does not comply and continues to provide Google with IP addresses through their use of Google Fonts.

According to LG München I, the local (self-hosting) method is unobjectionable under data protection law, since no data is sent to Google when Google Fonts are integrated locally.

How to check if my website is using Google Fonts?

Here is popular evidence in HTML code that Google Fonts is used from a Google server, not yours (a local one). And such a view should worry German and Austrian webmasters & site owners who care about DSGVO privacy law.

You can also use German Google Fonts scanner from here: https://www.e-recht24.de/google-fonts-scanner

How to disable Google Fonts?

Inside SP Page Builder > Settings you have a switcher that allows you to disable Google Fonts from use. That option will allow you to choose whether you want Google Fonts (and its HTML code) to load or not.

To avoid legal problems for European webmasters/editors we suggest two safe options:

• Use default system fonts (Arial, Tahoma, Verdana, Helvetica, Times New Roman, etc.).
• Use Google Fonts but as a self-hosting option, without connecting to Google servers.

Check the front-end source HTML code of your website and if you would notice that Google Fonts is still loading you have to:

1. Check Helix Ultimate / Helix3 in the Typography settings, and disable all Google Fonts also there, for Body, Headings, Navigation, and Custom areas. Yes, you can keep only system fonts, like Arial, Tahoma, Verdana, etc. which are totally DSGVO/GDPR-safe fonts.
   
   

   

2. Sometimes Google Fonts can be loaded also from additional extensions, like slideshow modules or components. So you have to check on which subpages you have Google Fonts or you don't have them. This will allow you to identify what extension uses Google Fonts.
3. You can also delete font names from a database, for that task you can use the Free version of DB Replacer (from RegularLabs). In below example we searched only inside sppagebuilder Table. And example "Karla" font name. In your case copy font name from HTML name and use it inside Search field and replace with empty space. Follow 1-6 steps from screenshot.

Notice! If you have Goolge Fonts on subpage with Slideshow addon, please check every slide item, every used object if it uses Google Fonts and remove font name. As alternative, faster method is DB Repleacer tool. Remember to make website Database backup first.

How to use Google Fonts in a fully legal way

It is possible to download the desired Google fonts, integrate them locally, and then cut the connection to the Google servers. This procedure does not require consent and the legality is even confirmed in Google's FAQ on Google Fonts. The official Google Fonts website (https://fonts.google.com/)  allows you to download any font after the weight choice. But the downloaded package contains only font files and does not have any CSS/HTML files with examples of how to use it.

If you want to continue using Google Fonts in a more privacy-respecting way, there are many tutorials (also ours) for self-hosting the fonts.

In near future, we will improve the process of adding custom fonts inside SPPB.

Font Awesome and DSGVO law?

All icons and font files used are loaded from your local server only, with no connection with the developer site. FontAwesome is also not made by Google. You don't have to worry about DSVO law in that case and change anything.

Google Recaptcha and DSGVO law

Google reCAPTCHA is a so-called Captcha and that stands for "completely automated public Turing test to tell computers and humans apart". Joomla have built-in plugin for that, we use it inside the Contact and Form Builder addon. Thus, the task of Google reCAPTCHA is already clear, namely to distinguish humans from bots. To use that feature its load's algorithm file api.js from the Google server. However, Google's general privacy policy does not contain any explanation of how Google reCAPTCHA works, and what personal data collect (if any). Whether further data is processed specifically by Google reCAPTCHA in order to analyze user behavior remains unclear. And this is a problem because you have to specify the categories of processed data in your privacy policy (see also Art. 14 (1) (d) DSGVO). Therefore, according to the Bavarian data protection authority, the use of Google reCAPTCHA is already law problematic. For more information in the DE language - read this Recaptcha-DSGVO article.

DSGVO / Google Fonts Scanners (DE)

Online testers-scanners for German & Austria webmasters (free pretest):

• www.e-recht24.de/google-fonts-scanner
• www.ccm19.de/google-fonts-checker/
• www.e-recht24.de/websitescanner