General Data Protection Regulation (GDPR, DSGVO) - google fonts and forms

Hi!

1.) It seems as if it is not allowed to load Google fonts from the Google server (https://fonts.googleapis.com …) anymore. I know there are different opinions about this topic, but some of my clients want to be on the safe side.
So the only way I see at the moment is to store the fonts locally and change the path on every site after export. Is there an easier way?

2.) In forms, a checkbox cannot be set as required. Here also I have to change this in the code after export, because users have to accept the privacy policies before they are able to send the form.

I’ve heard different opinions on Google fonts, but there are a number of web designers saying this is going to be a problem, unless they are self-hosted. When I look online at one of my Blocs sites there is a font folder with two items. One from Font Awesome is hosted locally, but the other links to fonts.gstatic.com which turns out to be Google fonts. Could @Norm please clarify how Blocs handles this and whether it is compliant with GDPR? If it isn’t we have a bit of a problem.

On the contact form, wouldn’t that checkbox only be needed if your handling of the data was in breach of GDPR? If somebody sends you an email they have consented by default to your reading it and answering their enquiry. If you are a small company not passing around emails that should be sufficient.

Why can’t Google fonts be used?

The checkbox issue is fixed in 2.5.3

3 Likes

From what I’ve been reading, as soon as the browser loads jQuery or a Google Font or a Google map it sends the IP address of the visitor to Google’s servers without any option to ask for their consent beforehand.

A key problem is that every country is treating this differently, but Germany is saying that under GDPR, IP addresses are considered personal data, so if we could store the fonts on our own servers there is no IP number transfer and therefore it sidesteps that particular issue.

I believe Google complies with the US Privacy Shield, which should be adequate in theory, but it seems that is irrelevant, because it still requires visitor consent and the owner of the website is held accountable. Web hosts are also walking on egg shells here and I’m very glad I never became a reseller.

From what I can tell it’s just a very badly written law, created by people who have no understanding of the internet or how it works, which is then being interpreted differently in every country. As always there are people who get a kick out of making it as complicated and expensive as possible, just like they did with EU VAT on digital downloads.

My inbox has been full of emails from a small number of clients fussing over GDPR and they are treating me like a legal consultant, but worse still framing the discussion as though I will be personally accountable if they experience any issues.

Reading on the internet, I’ve seen various software developers for web apps scrambling to find a way around these points and issuing updates. For example the developer of the Stacks plugin for Rapidweaver issued an update so that jQuery access to a CDN can be controlled.

My wife works at a local college and they have been furiously shredding papers there for the last month in preparation for all of this, so the hysteria is not just limited to websites, but it seems like the penalties for non compliance can be pretty harsh.

1 Like
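As an added example for the self-hosting approach discussed in this thread (not code from any poster or from Blocs): a check that lists every third-party host an exported page would make the visitor's browser contact, so that remaining Google Fonts or CDN references can be found after export. The sample markup and the function names are constructed for illustration.

```python
import re
from pathlib import Path
from urllib.parse import urlparse

# References that make a browser fetch a resource while rendering the page.
_REF = re.compile(
    r"""(?:src|href)\s*=\s*["']([^"']+)["']"""   # HTML src= / href=
    r"""|url\(\s*["']?([^"')\s]+)["']?\s*\)"""    # CSS url(...)
    r"""|@import\s+["']([^"']+)["']""",           # CSS @import "..."
    re.IGNORECASE,
)
_ANCHOR = re.compile(r"<a\b[^>]*>", re.IGNORECASE)  # links load only when clicked

# Constructed sample markup, not taken from a real export.
SAMPLE_HTML = """
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Lato">
<link rel="stylesheet" href="./css/font-awesome.min.css">
<script src="//ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.min.js"></script>
<a href="https://example.org/privacy">Privacy policy</a>
<style>@font-face { font-family: Lato;
  src: url(https://fonts.gstatic.com/s/lato/example.woff2); }</style>
"""

def external_hosts(text, own_hosts=()):
    """Return {host: [urls]} for resources fetched from hosts other than own_hosts."""
    found = {}
    for match in _REF.finditer(_ANCHOR.sub("", text)):
        url = next(group for group in match.groups() if group)
        if url.startswith("//"):          # protocol-relative reference
            url = "https:" + url
        host = urlparse(url).hostname     # None for relative paths and data: URIs
        if host and host not in own_hosts:
            found.setdefault(host, []).append(url)
    return found

def audit_export(folder, own_hosts=()):
    """Scan every .html/.htm/.css file under folder; return {file: {host: [urls]}}."""
    report = {}
    for path in sorted(Path(folder).rglob("*")):
        if path.is_file() and path.suffix.lower() in {".html", ".htm", ".css"}:
            text = path.read_text(encoding="utf-8", errors="replace")
            hosts = external_hosts(text, own_hosts)
            if hosts:
                report[str(path)] = hosts
    return report

if __name__ == "__main__":
    for host, urls in external_hosts(SAMPLE_HTML).items():
        print(f"{host}: {len(urls)} reference(s)")
```

An empty result from `audit_export` on the export folder means no HTML or CSS file in it references a third-party host; requests made by scripts at runtime are not covered by this static scan.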

I think it would be a great addition to Blocs if there was an easy way to add font files to a folder and then access those fonts with ease in Blocs. This would give a solution for GDPR concerns and also be a damn good feature. Maybe this could be a 3rd party bric?

1 Like

A very simplified version of Font Pro found in Rapidweaver would hopefully do the trick if we could host the fonts locally and just link to them on the server. All my other websites done outside of Blocs work this way.

There is no way on earth they will be able to police this. What an utter waste of money and time.

I’m glad I didn’t include CDN links now, pretty much everything aside from Google fonts is stored locally.

What about Google analytics?

Great question!

I agree it’s a complete mess and a huge waste of everybody’s time. In theory it mainly applies to businesses with 250+ employees, but there is enough vagueness in there to effectively include everybody on the planet that has any dealings with people living inside the EU. I don’t use Google analytics myself, but I think that will open up a whole new can of worms.

It’s not just that we have to comply with GDPR. We also have to prove how we are complying and keep records, but hey, none of us are in business to make money or keep a roof over our head. What really gets us motivated is filling in pointless records to keep bureaucrats happy.

You are absolutely right that it will be very difficult to police all of this and I imagine that 95% of websites will theoretically be operating illegally on the 25th of May. I suspect this will generate a lot of spurious claims though and it’s all good business for lawyers. If you send out newsletters you’ll probably need to seek fresh consent and it will have to be limited within a fairly tight scope.

What Analytics do you use?

Yes it will affect Google Analytics and all analytics AFAIK. The big issue I see is that if you are building commercial web sites, that customers will demand GDPR compliance for a while until common sense prevails at some point in the future.

Web sales and £££ in my bank account. I believe my web host has a few options inside cPanel, but these are largely redundant if you use CloudFlare.

According to what I’ve read we - developers etc. - can still use third party tracking and analytics services, like Google Analytics, Adobe Analytics and MixPanel. These organisations are our Data Processor, and they have obligations to conform to the new EU GDPR laws so that IP addresses aren’t transmitted. However, collecting Personal Identifiable Information (PII) is against the Terms of Service for these Data Processors, so an article I read suggested as individuals we turn on IP Anonymization in Google Analytics etc., to ensure that we are water-tight. This GDPR thing is a minefield!

I’m currently working on a website for a local carpenter, who creates handmade doors & windows and he’s the least technical person in the world, but even he is now battling with GDPR and frightened that he’ll get in trouble for something.

In theory we should all be contacting anybody we’ve ever been in touch with to say that we still have a copy of that email etc, explain why we want to keep it, then ask for their consent. The chances of me trawling through thousands of emails going back more than a decade and performing the required audit are precisely zero.

1 Like

Hi!

Google and other processors of our information for statistical and tracking issues are modifying their software to comply with the GDPR regulations.
As @DerekDigital says the IP address has to be “anonymized” (see this link: IP masking in Universal Analytics - Analytics Help) but also have to make available to its users (in this case the administrators of the websites) an expiration system for the stored data.
That’s why Google has just announced that it is finalizing this development. It has already made available to the developers of web pages a new Google Analytics code that can be seen in these links (Cookies and User Identification | Analytics for Web (analytics.js) | Google Developers)

(Data privacy and security - Analytics Help)

1 Like

With reference to Google fonts, it may be worth keeping an eye on this thread. GDPR compliance · Issue #1495 · google/fonts · GitHub

1 Like

There is always a reason things are “free” …they never really are…or at least very rarely…privacy …getting persona profiles of users…retargeting ads…lots more.

For those that may be concerned about their responsibilities to clients who rely on you for website development (web designers etc.), you may like to draft a letter to your clients on the lines in the attached PDF. This one was drafted by our (expensive) lawyers as a blanket letter for use by our own company. It effectively shifts the responsibility of compliance squarely in the lap of the website business owner. It also makes it very clear that as a website development company, we cannot give specific legal advice.

If anyone is in the business of making websites for other people, they should send such a letter to customers as soon as possible.

gdprLetter.pdf 2.zip (30.8 KB)

By the way…for some of you (under EU-LAW) this guide could be one solution for the first time:

google-webfonts-helper
A Hassle-Free Way to Self-Host Google Fonts

http://google-webfonts-helper.herokuapp.com/fonts

Therefore my question would be if I’m able to disconnect blocs completely from the google server? Or is it sufficient to simply remove the font from the preferences?