Sorry that the plugin suggests you something wrong.
The plugin does not pretend to make your website compliant with the GDPR.
@antonioleutsch So you can simply remove the «DSGVO» tag (which is German for «GDPR») and the issue is resolved.
The problem with Google Fonts is not the tracking, but the transmission of the user’s IP address to a third party. This problem exists with any font hosting service, so this plugin does NOT make your website GDPR compliant..
Thanks @martinsauter for mentioning. The information on the bunny.net website is misleading because they say:
“Prevent your users from being tracked by 3rd party websites and simplify GDPR compliance.”
This statement gives you the idea that using their fonts CDN would be an improvement compared to Google fonts.
If you use already Bunny CDN, it might be an improvement to use their fonts CDN instead of Google (1 domain less to preload).
The Bunny Fonts declaration of use as GDPR / DSGVO compliant is correct. It is correct that the data transmission (such as the IP address) was warned as insecure. However, to third countries such as the USA, where the Google servers are located. Since Bunnyfonts is based in Slovakia (Europe) it is used in accordance with GDPR.
On Bunny.net:
Retake control of your user’s privacy. With a Zero Logging policy and strictly European-based systems, Bunny Fonts keeps your user’s PII data their own and helps you simplify development and achieve GDPR compliance.
German Lawsite (german language):
Andererseits werden Informationen, darunter auch die personenbezogene IP-Adresse, zumindest auch an Google-Server in den USA übertragen. Drittstaatentransfers sind aber datenschutzrechtlich nur nach den strengen Voraussetzungen der Art. 44 ff. DSGVO zulässig und aktuell für das Zielland USA allgemein nicht rechtskonform möglich, weil es wegen weiter Datenzugriffsbefugnisse der US-Geheimdienste an einem hinreichenden Schutzniveau für personenbezogene Daten fehlt.
German Lawsite (english language):
On the other hand, information, including the personal IP address, is at least also transmitted to Google servers in the USA. Third-country transfers are, however, only subject to the strict requirements of Art. 44 et seq.
DSGVO permissible and currently not legally possible for the target country USA, because there is a lack of a sufficient level of protection for personal data due to the US secret services’ broad data access rights.
Source:
https://www.it-recht-kanzlei.de/google-fonts-forderung-schadensersatz-privatperson.html
Maybe this is not the place to discuss GDPR issues in detail. But to leave other readers of this thread with a basic takeaway:
- Embedding fonts from any third-party service will expose the website visitor’s IP address to that third party.
- IP addresses are considered personal data under the GDPR.
- Therefore, you can only embed fonts from a third party after the website visitor has given consent (since fonts are not technically required).
- The mayor difference between Google Fonts and Bunny Fonts is the server location. If you don’t ask for consent, then transmitting IP addresses to a server in the US is a higher risk than to a server in the EU.
- But you have to ask for consent anyway.