The website operator is threatened with an administrative fine of 100 to 250,000 euros or, alternatively, an administrative detention of up to six months if the IP address of the plaintiff continues to be passed on to Google when visiting the website.

Solution to the problem

To avoid a possible lawsuit, websites must host content such as fonts, scripts or images themselves. Alternatively, consent to share the IP address could be obtained via a consent banner, but this would be less conducive to user experience.

What exactly happens when I load fonts directly via Google?

By using Google Fonts, which are loaded via Google's CDN, an additional Google Tracking Pixel is set, which forwards tracking information in the form of IP addresses to Google without consent.

You don't feel like reading, have already integrated Google Fonts on a WordPress website, and want to protect your website from any lawsuits as soon as possible?

Then take a look at my video tutorial below.

If you want to know more details about the Google Fonts API problem, please read on, I have compiled all the important information for you.

If you can't solve your Google Fonts problem with the method shown in the video, I also recommend reading this article.

Who is affected?

1. all websites that use Google fonts and have been embedded using the standard embed method (CDN Embed) and therefore retrieve the font directly from the Google server
2. all websites that use YouTube video embeds
3. all websites which do not technically block these external calls via a cookie-banner explicitly before the consent of the user.

The consequence if a reported violation occurs: Variable fines will be currently imposed in the range between 100 and €1.000, but they can also be higher in some specific cases. (Updated in October 2022)

Who sues and profits:

Often, it is law firms, commercial or private persons who send a series of collective warnings to several website operators.

There are several ways to avoid a possible warning and at the same time to ensure a sensible usability for website visitors.

1. do not use Google fonts or YouTube video embedding
2. make sure that Google fonts are loaded locally without the regular CDN integration
3. if YouTube videos are used, make sure that a consent is given for the playback of the video before the video is loaded.

How do I know if I am affected?

There are two ways to quickly identify this. (this also works for all websites, regardless if this is a WordPress or non-WordPress Website)

1. you can use the following "Google Fonts Checker" web app to scan your website for Google Fonts. (easiest method, relatively reliable, but no guarantee).

2. alternatively, you can check in your browser's network monitor whether connections to Google (gstatic) are taking place, if so, this indicates that Google fonts are loaded via the CDN and a violation of the DSGVO is taking place (advanced method, very reliable if you check it on each subpage of your Website) - I'll also explain how this works in detail in the video tutorial.

FAQ's regarding: Embed Google Fonts locally

Preface:

If you have already integrated Google Fonts into one of your websites or your clients websites, you have two possibilities to proceed here:

The quickest and easiest solution is to use a plug-in that blocks all requests to the Google Fonts API and downloads the fonts requested from Google to store them locally on your web server. This will bypass any connection to the Google Web server.

Is that legal? Of course, because the entire font library is subject to the Open-source license.

Is a plug-in solution method reliable?

Another advantage of using the plug-in is that additional fonts caused by various other plug-ins are also intercepted and stored locally. So yes, but be careful: this requires that the developers of the theme and the plug-ins have integrated the Google Fonts implementation cleanly via the intended methods provided by WordPress. Loading CSS imports, so-called antipatterns, does not work with the method of the plug-in that is supposed to prevent you from this, as these requests are not recognized to filter them correctly by the plug-in. The same applies if Google Fonts are loaded via an added meta tag (e.g. within your header.php).

⚠️ So please do not forget:

Never blindly rely on plug and play solutions: After activating the plug-in of your choice, you should double-check whether the loading of Google fonts is actually prevented by the Google server. You should also check whether there are any additional embeddings of YouTube videos or fonts on your subpages to be really sure.

4 simple steps to a local Google Web Font embedding

1. I recommend you to download the plug-in "OMGF" from the official WordPress Plug-in Store
2. activate the plug-in and navigate to the settings
3. from here, accept the default settings and click on "Save and optimize".
4. if you are using a caching plug-in, make sure you clear the cache for your changes to take effect.

How do I check if all Google Fonts are loaded locally and not via the Google API?

As mentioned above, you can use your trusted web app (e.g. "Google Fonts Checker") to check your website to make sure that the fonts are actually loaded locally.

Using your browser's network monitor to examine the fonts.

In the following example, I'll show you how you can use the Google Chrome console to quickly filter network requests for Google fonts to identify them and their origin:

1. right-click in your web page and click on "Inspect".
2. navigate to the tab "Network" and click on the sub-tab "Fonts"
3. use the keyword "gstatic" in the search field of the console and reload the page.

Now you will see a list of all font requests that are loaded via your website. If you don't find anything here, congratulations, from now on, all fonts will be loaded via your local web server. If Google Fonts are still loaded via a YouTube Video iFrame, you would also find them here.

⚠️ At this point, I would like to mention again that you must check the network monitor on all subpages of your website to really make sure that no more fonts are loaded from the Google server.

You don't manage to deactivate the Google Web Fonts API despite this article? Then leave me a comment in this article.

Why do we need user roles at all?

Everybody knows the problem: Several users with admin or editor rights use a WordPress site, but your customer, or you want the possibility to restrict the access rights of some specific users individually.

Advanced user roles access management can help

One problem I've often faced in real-world use is that downgrading specific user roles doesn't directly solve the problem, and quickly you realize that the default WordPress user roles aren't enough or can't be properly restricted individually. The downgrading of a user in the role "Admin" to "Editor" has as desired the consequence that the respective user cannot edit plug-ins or basic base website settings, but it may well be that the user is also no longer able to access certain settings of certain plug-ins, which are maybe needed for the everyday use of the content manager.

An easy to use, very well-known and useful plug-in that helps with this problem already exists and is called: "Adminimize". Adminimize is a great plug-in that can help you easily restrict or extend access rights to various functions and features for any specific role in WordPress. The reviews of the plug-in alone speak for themselves. Even though the plug-in hasn't been adjusted for a few major releases, it serves its purpose perfectly and is also more than adequate due to its simplicity in user experience. I must also note that "Adminimize" is for me one of the standard plug-ins that I use on every website of my customers.

The standard user roles are often not sufficient for larger teams

But let’s come to the next problem: If you have ever worked with a larger content team on a WordPress site, you have certainly already made the experience that the default user roles are not always sufficient. Here you might have the role of the "Editor" optimally individualized in the access rights, but other users who may need similar access corrections, too much restricted or given too many options in the WordPress admin menu. Now, before you configure more default roles, which are also limited, in their access permissions, this may already be the moment when you realize or wish: **I would like to have more custom user roles to create a custom admin menu and optimize the security of the entire WordPress site.

The plug-in solution to solve the problem

Of course, you can install another plug-in that can help you simplify the process of creating new user roles. The plug-in "User Role Editor" or similar solutions can be very helpful, but they can also lead to the fact that your database is quickly inflated and that the distribution of rights, individually created user roles, of individual users quickly become confusing when deactivating these plug-ins later.

(Recommended method)

Create a user role in 2 simple steps 🏆

My personal best practice is that we first duplicate / clone the admin user role using a custom code within functions.php. Following that, we use the "Adminimize" plugin mentioned above to restrict the rights of the newly created admin user role.

Step 1: Cloning the admin user role

To do this, we simply open our functions.php in our WordPress project and add the following function as an action call:

// CLONE ADMIN ROLE AND RENAME THIS NEW ROLE "MARKETER"
add_action('init', 'cloneExistingRole');

function cloneExistingRole()
{
    global $wp_roles;
    if ( ! isset( $wp_roles ) )
        $wp_roles = new WP_Roles();

    $admx = $wp_roles->get_role('administrator');
    $wp_roles->add_role('new_role', 'Marketer', $admx->capabilities);
}

This code creates a new administrator role named "Marketer". If you want the role to be named differently, simply rename the string named "Marketer" directly in the code.

⚠️ Once you have added the code to "functions.php", you will need to call your website once in the web browser, as this function will be executed via a WordPress add_action "init" hook and after a pageload. Once you have done this, the newly created role will already be available to you in the WordPress backend. The above code, you should remove after the execution of the page reload again from the "functions.php" because this does not need to be re-executed.

Step 2: Restrict the newly created admin role with "Adminimize

Install and activate the "Adminimize" plug-in. Navigate directly to the settings of the plug-in under "Settings > Adminimize". From here you can easily customize and restrict the rights of your newly created "Marketer" user role. This is very straightforward and convenient.

You want to delete your created user role again? 🗑

Nothing is simpler than this: if you would like to remove the user role you created, of course you can undo it.

To remove a role called "Marketer", copy the following code again into your "functions.php" and then call your website in the web browser again.

⚠️ Attention: If you want to delete another role you created, please change the following "Marketer" string to your desired role name:

// DELETE CREATED ROLE
add_action('init', 'killExistingRole');

function killExistingRole()
{
    global $wp_roles;
    if ( ! isset( $wp_roles ) )
        $wp_roles = new WP_Roles();

    $admx = $wp_roles->get_role('administrator');
    $wp_roles->remove_role('new_role', 'Marketer', $adm->capabilities);
}

After the reload (simple page load in the browser) of your WordPress website, I recommend you to delete the code renewed from the "functions.php" so that it is not executed renewed.

Did you like this post?

Then feel free to leave me a comment or like.

This article is also available in German language 🇩🇪, you can download it here.