Not GDPR compliant due to including GoogleFonts

[wpaustria]

Google Fonts in Gutenberg-Code

• As you can see, GoogleFonts are included here:

  • gutenberg/lib/client-assets.php

    Line 759 in f966780
• This was highlighted in that tweet:
  • https://twitter.com/praetorim/status/1060609108888424448

Legal Problem - GDPR

• Due to the fact that Google Fonts are loaded directly from Google and there is no opting out in collection user data, Google Fonts are violating GDPR in most cases. This is due to the lack of given consent by the user.
• There is no point in the GDPR where gFonts could fit in to be allowed. Google Fonts are not necessary for operating a website and are loaded upfront. Without the given consent of the user.
• Therefore Gutenberg will be a legal issue in Europe!

Result

• Everyone activating and offering Gutenberg will violate the GDPR.
• So using WordPress with Gutenberg will be a legal risk.

[GlennMartin1]

See conversation at google/fonts#1495

[mcsf]

This is on the radar of the WordPress Core Privacy team, who might be tracking it elsewhere. @allendav, should this issue here be closed in favour of some other one?

[allendav]

I don't think using Google Fonts causes non-compliance, but IANAL. That said, the use of 3rd party fonts should be captured in WordPress core's privacy policy at a minimum.

It isn't immediately clear if this only impacts post editor users or also site visitors.

https://developers.google.com/fonts/faq#what_does_using_the_google_fonts_api_mean_for_the_privacy_of_my_users

[aristath]

So far nobody knows what Google actually logs, for how long these logs are kept and how they are later used. There have been many inquiries but there is no official response that says "no we don't log IPs" or anything like that.
Most of us hope that using gfonts is OK, but tbh there's just no sufficient data to support either side.
I understand that Noto is a beautiful font and using it in the editor was a design decision, but it took us years to get rid of Open-Sans in the dashboard, and it was done for very good reasons.
Adding Noto now just adds more assets for users to download, we have no idea if there's a GDPR issue because there's just not enough data, and it ultimately just slows down loading times. That may not be an issue for you and I, but it's certainly an issue for people that are not blessed or privileged with fast connections.
If a theme uses a gfont, then it is the theme's responsibility to add that font in the editor. Otherwise there's no point in forcing an arbitrary font that will not be what is used on the frontend and Gutenberg should use system fonts.

[youknowriad]

Unless, I'm wrong. I think the Core Privacy Team decided that it's ok to use Google Fonts before 5.0. If not let's open a trac ticket as this code is in Core now.

[mundschenk-at]

Unless, I'm wrong. I think the Core Privacy Team decided that it's ok to use Google Fonts before 5.0. If not let's open a trac ticket as this code is in Core now.

As you are closing this issue, will you create the trac ticket? Doing nothing and then simply closing tickets seems a bit disingenuous to me. Why should there be a need for a third-party dependency in a self-hosted WordPress installation?

[mcsf]

Unless, I'm wrong. I think the Core Privacy Team decided that it's ok to use Google Fonts before 5.0. If not let's open a trac ticket as this code is in Core now.

As you are closing this issue, will you create the trac ticket? Doing nothing and then simply closing tickets seems a bit disingenuous to me. Why should there be a need for a third-party dependency in a self-hosted WordPress installation?

The point that @youknowriad is making is that the team in charge of assessing the GDPR-compliance of Gutenberg—and/or the rest of WP core—had approved the use of Google Fonts. That is grounds for considering this issue resolved, and it also means that any appeal of this decision should be made with the Core Privacy Team in a new issue. Moreover, since the code in question has landed in core WordPress as of WP 5.0, the Gutenberg repository is no longer the place for this discussion, but rather Core Trac.

In short, it shouldn't be seen as disingenuous that the issue isn't automatically opened in Core Trac, since opening that issue means appealing a previous decision. You are welcome to do it.

[mundschenk-at]

Well, except I was there for that discussion in Slack and it wasn't at all like you describe. There simply was no consensus to demand immediate removal as a pre-requisite for merging (which would have probably been ignored anyway, but that's a different issue). Certainly no finding of "everything's hunky-dory".

[wpaustria]

FYI:
https://whotracks.me/trackers/google_fonts.html
Only as a humble hint.
So yes, google fonts are not GDPR compliant...
And still you cannot get a contract from google for using google fonts nor do they state anything in their rules of usage, what they do with the gathered data.
Clearly not GDPR compliant.

[garrett-eclipse]

After a recent discussion in #core-privacy I've moved this issue to Core Trac as it not only has Privacy implications but also Performance;
Core Ticket - https://core.trac.wordpress.org/ticket/46169

Discussion - https://wordpress.slack.com/archives/C9695RJBW/p1549043771637800

[youknowriad]

Thanks for the update @garrett-eclipse 👍

[tomjn]

Is it not worth making sure this isn't an issue in the plugin too? Privacy for all except those running the gutenberg plugin is still a problem

[mcsf]

Is it not worth making sure this isn't an issue in the plugin too? Privacy for all except those running the gutenberg plugin is still a problem

Absolutely, but I would defer to the decision-making process in Core. Once core-46169 resolves, which ever resolutions are effected in Core should be so in the plugin as well. Until then, this issue isn't actionable, which is a major criterion for all issues in the Gutenberg repository.

[garrett-eclipse]

Thanks @tomjn & @mcsf
Definitely, the direction core takes here will set the precedent and I'll make sure to follow and update this thread with further information, potentially reopening when core is committed.

[wpaustria]

Für alle, die Interesse an der derzeitigen Rechtslage haben und auf dieses Ticket stoßen:
https://www.datenschutz.rlp.de/fileadmin/lfdi/Dokumente/Orientierungshilfen/OH_TMG.pdf

Kurz:
Einwilligung muss vorab passieren, bevor irgendwelche Daten weitergegeben werden.

[garrett-eclipse]

FYI - I posted an update on the Core ticket here;
https://core.trac.wordpress.org/ticket/46169#comment:11

TLDR; Discussion via make/core points towards bundling fonts or system fonts. Once a discussion and decision is made by Gutenberg design lead(s) this should hopefully move forward.