Hosting Fonts Locally in Themes: Compliance With GDPR


Did you know that fonts made quite a stir in the WordPress community?

Well… Not literally “fonts”. More precisely, Google Fonts were at the center of this recent controversy.

It involves a court fining a website, remotely hosted Google Fonts, a GDPR violation, and the move to locally hosted fonts.

What was wrong with remote hosting Google Fonts?

The whole drama started when a German court fined a website because of its violation of Europe’s General Data Protection Regulation (GDPR).

Ari Stathopoulos, an active WordPress Core Contributor at Yoast, said the following in his post regarding this issue:

Historically, WordPress themes hosted in the w.org themes repository were not allowed to use third-party resources. This included images, javascript files, CSS files, webfonts, and other assets loaded from a remote server.

Unfortunately, Google fonts, as a whole, was an exception because in the past, there was “no reliable” way to host them locally.

As you know, fonts are important to a theme’s design, so no author would consider ignoring typography in a theme.

However, this is a violation of GDPR, as pointed out by a commenter in the original post:

It is true that fonts from external providers are included on your website. It is also true that this is a violation of the GDPR, because through the integration personal data (IP address of the website visitor) is passed on to third parties (the provider of the web font). The violation (as far as I can judge as a non-lawyer) can also not be argued with a “legitimate interest” (Art. 6 para. 1 let. f GDPR), because there are technical possibilities to integrate the web font differently. For example, you can use the (currently not actively maintained) plugin Self-Hosted Google Fonts.

– Bego Mario Garde

This is why Google fonts can’t be an exception anymore. It poses a lot of problems for both WordPress theme authors and website owners.

The move: Hosting fonts locally

Violating GDPR was never the intent behind treating Google Fonts as an exception. As Ari explained:

The exception for Google-fonts as an external resource predates this team’s efforts to locally host webfonts. If a theme saves fonts locally, they are no longer considered an “external resource”.

Ari published a post a few years ago on how to locally host the webfonts — which requires downloading the wptt-webfont-loader.php file from the repository first.

According to Benachi, a WordPress themes author:

The themes team strongly encourages the theme authors to update their themes. We recommend updating by switching to locally hosted webfonts. Luckily Google Fonts can be downloaded and bundled in a theme. Bundled font files allow users to host webfonts locally and comply with GDPR.

Benachi also suggested ways to locally host webfont files:

What this means for site owners

Well, the move was designed to protect both theme authors and site owners from violating GDPR and paying fines.

Theme authors are “strongly encouraged” to update their themes and switch to locally hosted webfonts. It’s also likely that new themes will not be permitted to use external resources, with no exceptions.

The updates and behind-the-scenes changes will not really affect site owners. The only thing site owners have to do is update their themes once an update is ready.
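To confirm that an updated theme no longer sends visitors to Google's font servers, its files can be scanned for remote font references. The script below is an added example, not code from the Themes Team or from wptt-webfont-loader.php. It assumes the Google Fonts hosts fonts.googleapis.com and fonts.gstatic.com, treats a URL passed to the loader's `wptt_get_webfont_url()` helper (a name not mentioned in this article) as locally served, and runs on constructed sample snippets.

```python
import re
from pathlib import Path

# Hosts that serve Google Fonts stylesheets and font files to the visitor's browser.
REMOTE_FONT_HOSTS = ("fonts.googleapis.com", "fonts.gstatic.com")
HOST_RE = re.compile(r"(?:https?:)?//(" + "|".join(map(re.escape, REMOTE_FONT_HOSTS)) + r")[^\s'\"()<>]*")
# wptt_get_webfont_url() downloads the stylesheet server-side and returns a local URL,
# so a Google URL passed to it does not reach the visitor's browser.
LOCAL_WRAPPER_RE = re.compile(r"wptt_get_webfont_url\s*\(\s*['\"]?$")
SCANNED_SUFFIXES = {".php", ".css", ".js", ".html"}


def scan_text(text):
    """Return (line_no, url, served_locally) for each Google Fonts reference."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in HOST_RE.finditer(line):
            wrapped = bool(LOCAL_WRAPPER_RE.search(line[:match.start()]))
            findings.append((line_no, match.group(0), wrapped))
    return findings


def scan_theme(theme_dir):
    """Scan a theme directory; return {relative_path: findings} for remote loads only."""
    report = {}
    for path in sorted(Path(theme_dir).rglob("*")):
        if path.is_file() and path.suffix.lower() in SCANNED_SUFFIXES:
            text = path.read_text(encoding="utf-8", errors="replace")
            remote = [f for f in scan_text(text) if not f[2]]
            if remote:
                report[str(path.relative_to(theme_dir))] = remote
    return report


# Constructed sample theme snippets (not taken from any real theme).
SAMPLE_FUNCTIONS_PHP = """\
wp_enqueue_style( 'old-font', 'https://fonts.googleapis.com/css2?family=Lato&display=swap' );
wp_enqueue_style( 'new-font', wptt_get_webfont_url( 'https://fonts.googleapis.com/css2?family=Lato&display=swap' ) );
"""
SAMPLE_STYLE_CSS = """\
@import url(//fonts.googleapis.com/css?family=Roboto);
@font-face { font-family: "Lato"; src: url("fonts/lato.woff2") format("woff2"); }
"""

if __name__ == "__main__":
    for name, text in (("functions.php", SAMPLE_FUNCTIONS_PHP), ("style.css", SAMPLE_STYLE_CSS)):
        for line_no, url, local in scan_text(text):
            print(f"{name}:{line_no}: {'local (loader)' if local else 'REMOTE'} {url}")
```

The check is line-based, so a loader call whose URL sits on a different line from the function name is reported as remote, and font URLs assembled at runtime are not detected. Checking the browser's network requests on a live page remains the final confirmation.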

How do you feel about this recent controversy? If you have some questions or thoughts on this matter, please share them in the comment section.
