undefined | Better HN

0 pointsjanoc8y ago0 comments

Then just put that in your privacy policy and you are off the hook.

If Google tracks something, whether it is via their fonts, by putting some cookie on your site or whatever, it is their problem (and they actually said so, in that Github post referring to the font issue). They are the ones collecting and processing the data, not you, so they will have to deal with the GDPR compliance.

0 comments

5 comments · 2 top-level

detaro8y ago· 3 in thread

That's their interpretation, and they don't face consequences if it's wrong. Since I've gotten advice to the contrary from lawyers looking into GDPR, I won't trust it until there's clear feedback from regulators or courts about it. Fonts are easy enough to self-host.

zaroth8y ago

> Fonts are easy enough to self-host

But what’s special about fonts? If I can’t reference an asset outside my own domain because the network request could allow the 3rd party to log an IP address, How is that not antithetical to the foundation of the WWW?

Besides the fact that this goes against the last decade of advice on how to speed up your site...

Spivak8y ago

Nothing says you can't link to those resources, but if the page automatically loads them (hotlinked images, scripts, remote fonts, etc.) then there's an issue.

Is it really that unreasonable that loading a page to x.com should only load resources from x.com and 3rd-party resources compatible with X's privacy policy?

1 more reply

janocOP8y ago

How they "don't face consequences" if it is wrong?! Google (along with Facebook) are very much going to be the first in the line for auditing - and I believe the first complaints against them have been filled on the first day GDPR was in force already. The entire raison d'etre of GDPR is very much Google and Facebook, who were thumbing their noses at EU's privacy regulations so far.

If someone is going to have top-notch legal team on this it is going to be Google. So if Google's legal says that it is alright because they are the data processor/controller as defined by GDPR you can pretty much take them for the word there.

I wonder whether people spreading this sort of panicked disinformation about the fonts and what not have actually read the GDPR text. It is pretty clear about who is considered to be a "data processor" or "controller" - someone who merely uses a resource like fonts is certainly not one if you aren't collecting any information yourself or having someone else do it on your behalf. That Google may be doing it is irrelevant as long as they aren't providing the data to you (which would make you a "data controller").

And if you are neither a data controller nor data processor you aren't concerned by GDPR at all.

It is well explained here: https://www.gdpreu.org/the-regulation/key-concepts/data-cont...

sunir8y ago

Nope. You contracted Google not the end user. You have to go track down all this information and all the providers and then handle the GDPR downstream.

j / k navigate · click thread line to collapse