Adobe and Google Fonts may violate GDPR

For me, this was a bit of a surprise when I was talking with one of our developers, Caspar Skripkauskas, about how we were going to create a WebGL animation that includes text. For the WebGL animation to work, we needed access to the font, not just fetching it through an API. This led us to investigate how GDPR-compliant it is to fetch fonts via an API from Adobe Fonts. And it quickly turned out that it could violate GDPR. This made me wonder exactly how this violates GDPR, whether it applies to Google Fonts as well, and if there are more disadvantages you might not think about.

This doesn’t mean you suddenly have to stop using fonts from Adobe Fonts and Google Fonts. If used correctly, you can still stay within GDPR regulations, though it may not be as seamless as before.

Neither Adobe Fonts nor Google Fonts place any cookies on your website. However, they are font services that provide an API to deliver font files to you. To provide the fonts to your website, they collect user requests, fetch the files from their servers, and deliver them to the end-user so the fonts can be rendered in the browser. During this process, Adobe’s and Google’s servers register the user's IP address, which may be located outside the EU. And this is where the GDPR issue arises.

Collecting personal information, which could be shared with third-party services, without consent violates GDPR. Since an IP address is considered personal information, you must ask for consent before displaying the fonts to your website visitors.

To use fonts on your website from Adobe or Google, you should choose one of the following options:

• Users must consent to the cookie policy
  Even though neither Adobe nor Google place any “real” cookies on your site, you still need to inform your visitors that data is being collected. This means that the font cannot be fetched from the service until the user has given their consent.

• Download and host fonts locally
  Instead of fetching your fonts via an API, you can download and host them locally. Google Fonts allows you to easily download any font, whereas Adobe Fonts requires you to purchase the font directly from its designer. This is the best option and gives you more flexibility if, for example, you want to use the font in a WebGL animation.

Using fonts from one of these services isn’t uncommon when building visual identities (though it’s not ideal). Agencies often pay for an Adobe license, granting access to all fonts, making it convenient to use them. However, this creates several challenges and issues beyond GDPR, such as:

• Adobe or Google could remove the font you’ve chosen from their library
• You need a paid Adobe subscription to use their fonts
• Fonts from Adobe are installed via the Creative Cloud app, which must be running before you can use the fonts
• If the font isn’t available locally, it limits the creative possibilities for your website

So, if you want to use fonts via Adobe Fonts and want maximum freedom, it’s best to download or purchase them directly from the creators. And if you’re using Google Fonts, download them locally.