How Google Fonts Became ‘Illegal’ in Europe
Cookies are everywhere
GDPR & EPR restrictions aren’t well known to developers outside of the EU or small websites with no legal team and this can affect many applications out there.
Google Fonts Illegal?
Yes & No
Recently an article surfaced on HackerNews stating how a German court ordered a website operator to pay up to €100 for unknowingly sending the user’s IP to Google via embedding a Google Fonts script.
That sounds like a very improbable thing to happen to you because you may be hosting the fonts on your own server so you’re saved. Unfortunately, this doesn’t apply only to Google Fonts, most Google APIs are infamous for recording user data in some shape or form.
The puny penalty isn’t that scary for large businesses but it should raise the question if it’s worth ignoring it further and risk higher penalties since solving it isn’t really that much of a hassle.
What are GDPR & EPR
Overly complicated legal stuff no developer likes.
The General Data Protection Regulation (GDPR) is the world’s most stringent privacy and security regulation. Despite the fact that it was designed and enacted by the European Union (EU), it imposes duties on enterprises everywhere that target or collects data about EU citizens. On May 25, 2018, the regulation went into force.
Those that break the GDPR’s privacy and security regulations will face severe fines, with penalties ranging in the tens of millions of euros.
Let’s give a more serious example that could actually cause real allegations for user tracking. I recently launched GenIdea an OpenAI powered App Idea Generator and wanted to try the brand new Google Analytics 4 API out of pure curiosity.
GA4 is probably the single most intrusive tracking software you could implement in a website and luckily I remembered just in time to comply with GDPR policies and added consent to the cookies feature.
A few weeks before the Google Fonts legal claim the Austrian Data Protection Authority (DSB) ruled that the use of Google Analytics by NetDoktor, a health-focused website, violates the GDPR regulation by exporting visitors’ data to Google servers in the United States, potentially opening the door to US intelligence surveillance.
This confirms the importance of giving users a way to decide which cookies they consent to even if it downgrades the user experience through annoying popups.
How to comply with EU laws
Dreaded consent to cookies popup everywhere
There are 2 ways to do this and neither is really perfect, the most obvious one is simply not using any tracking APIs but this is debatable since even cookies are also considered as PII (personal identifiable information).
You may be lucky and your website is truly free of all possible GDPR violation-inducing features and you are good to go but if that’s not the case it’s cookies time.
Cookies have existed forever (since 94’) and they are a standard for passing useful session information, authentication, or even tracking data back and forth between client and server.
How come cookies are the solution when they are also one of the main causes for personal data collection?
The solution is to give users a way to consent to cookies, this is most often implemented via an overlay/modal/popup that annoyingly covers most of the screen the second you enter the website. Obviously, this increases development time but I guess there’s always a balance between UX vs. DX (user experience vs. developer experience).
I found this situation utterly similar to the ‘Calendar Apps Need All Permissions Fiasco’ back in the day on Android devices.
That story deserves an article on itself but a few years ago App Permissions in Android were approved only once on installation and were ‘hidden’ within the settings menu. This caused the emergence of simple applications that requested all possible permissions in order to steal data or scam users.
Enough chitty chat and let’s try to implement a cookie consent feature. I will be using CookieHub as it is speedy to integrate, has high customizability, and smooth developer experience.
First add your website’s domain, select the Free plan or Premium if you have more than 25k monthly sessions, and follow the steps shown.
Next up I always love to customize and add the branding before embedding the scripts so extract your brand colors and make the cookie consent popup feel at home on your website.
In order to integrate the cookie consent feature, we have 2 options (or 3 if using WordPress). If you are using Google Analytics the best way would be to move the GA4 config to Google Tag Manager and follow the steps shown in the tutorial.
Google Tag Manager may be overwhelming at first with all the extra menus but following step by step the example and you will be ready to launch GDPR compliant in minutes.
If you are integrating with Next.js you can easily append the scripts to the document by creating a custom _document.jsx file.
Hope you liked this short “legal” story, don’t forget to clap and follow for more software-related content 🚀.
Subscribe to my newsletter
Get email from me about my ideas, frontend development resources and tips as well as exclusive previews of upcoming articles.
Ideas are hard to come by, great ideas are rare but it doesn’t have to be like that. AI, the utterly abstract black box of endless creativity and wisdom can sometimes be of great aid at building the…Read more
April Fool’s is a time where companies like Stack Overflow pull out all the stops to show off their ‘latest and greatest’ features. But it’s also a time where we can look back and see some of the funniest, and most clever, April Fool’s Day jokes from tech giants. Let’s admire a decade of unicorns and tech pranks on Stack Overflow.Read more
Blog images are essential in driving traffic to your blog and increasing your articles reach and performance. However, it’s not always easy to find blog images that are both engaging, unique and…Read more