Update (June 21, 2022):
As Sarah Gooding reports at WP Tavern, there is movement toward treating a recent German court decision as a hard-and-fast rule. The court basically says CDN-hosted fonts are illegal.
As far as I can tell, this is one “regional” judge issuing a symbolic 100-euro fine. I don’t think this is “settled law” in any way. It could easily be appealed or go another way in a future similar case.
If the WordPress Themes team started banning themes for including references to the Google Fonts CDN, they’d be endorsing one (in my opinion, highly questionable) ruling in one jurisdiction and applying it to everyone. This would directly harm many companies that sell themes.
And if you take this to the next level, you could argue that all CDNs are illegal in Germany (at least without proper opt-in). Many WP companies sell a variety of CDN-like services. Are we banning all of those too?
Even the “strong recommendation” seems too strong to me — but at least it doesn’t harm anyone. If themes start getting “banned,” it’s seriously harmful to the ecosystem.
And if we’re banning themes for “violating” German law, how about other local laws? There are lots of bad ones and I’m glad we don’t try to incorporate them all into theme moderation.
Or on the good-for-society side, perhaps we could delist all themes whose developers don’t comply with the Colorado Equal Pay for Equal Work Act?
Obviously it would be silly for the Theme directory to suddenly adopt individual Texas and Colorado laws, especially when they’re new, untested and clearly don’t apply internationally. So why would we adopt this questionable interpretation of GDPR?
Banning CDNs hurts more than it helps, and we should focus our resources and clout on actual privacy improvements. WordPress shouldn’t allow itself to be sucked down this nonsensical regulatory rabbit hole.
Join the conversation on Twitter:
Original Post (Feb. 24, 2022):
As Alex discussed here on MasterWP a few weeks back, a German court recently ruled that it was illegal for a website owner to include Google Fonts on their site. The basis for this was that, by including code hosted on a Google server, the site was sending the visitor’s IP address to Google without the visitor’s consent.
By this standard, pretty much every web site on the Internet is illegal.
Although the 100-euro fine was “symbolic,” I think this is a good opportunity to consider whether Europe’s privacy law, GDPR (General Data Protection Regulation), is actually helping make the Internet a better place, and whether this ruling is even correctly following the spirit of the law.
While the web site itself is anonymous in the court ruling, the most problematic element of this in my eyes is that this type of sanction could be levied against any small web site operator. In the past, GDPR fines against Facebook and Google at least made strategic sense, since regulators could imagine that they were disincentivizing those large companies from doing sketchy things with user data. (In practice, the fines are probably too small to make a dent in company decision-making, but they do force the companies to be a bit more accountable.)
In this case, the “strategy” seems nonsensical – are we going to fine everyone €100 until the everyone in the world collectively stops using Roboto and switches back to Verdana?
If this type of ruling happened in the U.S., it would lead to a flood of frivolous threatening letters being sent to everyone who’s ever operated a web site – like the ones we get periodically from people who claim they patented the drop-down menu. I’m not sure if that same risk exists in Germany, but I would challenge the judge and litigants to explain how this ruling actually protects anyone’s privacy. Instead, to me it seems like it attempts to cut off one of the key building blocks of the Internet – sharing free and useful software. I understand that Google has an “ulterior motive” in that sharing attractive and easy-to-install fonts makes people engage with its brand and creates a general positive vibe… but that seems like a public good we would want to encourage rather than punish.
If you’re never allowed to use any sort of code from any top-level domain other than your own without explicit consent (which appears to be the letter of the GDPR law), that seems like it’s a boon for people who make “Accept Terms” pop-ups and a loss for everyone who wants to read or publish information online. You could still download a Google Font and self-host it, but that extra layer of dev work removes a lot of the utility that Google Fonts provides. In fact, lots of WordPress themes trumpet the fact that they allow you to easily switch between fonts using this method of referencing Google’s domain for a quick font swap. It makes the web more beautiful and makes life easier for everyone.
Likewise, I suspect the court does not realize how widely and freely your IP address is shared, no matter what you do and what “consent” buttons you click on. Your IP address gets shared with every server you touch, regardless of whether it uses cookies or other client-side tracking. And since Google and Amazon run a huge network of cloud hosting services, many web sites that appear to have no relationship and don’t explicitly reference a Google-hosted code snippet are transmitting user IP addresses to Google and Amazon at all times. This is just a baseline component of all web server technology; if a court compels us to eliminate IP-address transmission, we’ll need to rebuild the entire Internet.
I’m far from the first person to note the inconsistencies and magical thinking in GDPR, but this latest ruling seems particularly silly and unhelpful.
Instead of creating a nuisance for small web site operators and visitors, GDPR regulators should focus on the big guys. The government could work harder to force transparency from Google and its peers, making them operate more like utilities than purely private companies. They could implement some basic rules that only allow GDPR litigation against companies of a certain size, making lawsuits against small businesses a non-issue.
There are plenty of major privacy issues on the Internet that deserve our attention and resources, as evidenced by the fact Facebook expects to lose $10 billion in revenue due to some pretty basic new privacy settings on Apple devices. Everyone should get a good ad blocker and lock down their privacy, ad-sharing and location-sharing settings on their phone and social media. We should be creating more simple, honest software and building companies that prioritize customers and employees over shareholders and investors.
This ruling, however, accomplishes none of those goals. Instead, it’s another step toward a frivolous and unenforceable set of nuisance laws, allowing the tech behemoths to run wild while creating cruel and needless costs and embarrassment for the little guys.
