Bunny Fonts bills itself as the “privacy-first web font platform designed to put privacy back into the internet.” According to its FAQ:
“With a zero-tracking and no-logging policy, Bunny Fonts helps you stay fully GDPR compliant and puts your user’s personal data into their own hands.”
Hard for my mind not to go straight to Google Fonts. Bunny Fonts even says they are a drop-in replacement for Google Fonts. It offers the same open source fonts and holds the same API structure used by Google Fonts.
Now, I’m no GDPR expert, but the possibility of Google collecting data through its Fonts API is hardly surprising or even unexpected. I was curious to check out Google’s privacy statement for Fonts:
“The Google Fonts API logs the details of the HTTP request, which includes the timestamp, requested URL, and all HTTP headers (including referrer and user agent string) provided in connection with the use of our CSS API. IP addresses are not logged.”
Comparing that to what Bunny Fonts says in its FAQ:
“When using Bunny Fonts, no personal data or logs are stored. All the requests are processed completely anonymously.”
Or perhaps more thoroughly explained on the bunny.net GDPR statement:
“In most cases, the data held and collected by bunny.net does not contain any user identifiable data. In some cases, which depend on how you are using bunny.net and how your website is structured, personal data may be collected from your users. Such information includes hosting user uploaded content as well as personal data that might be transmitted in the URL, User-Agent or Referer headers of the HTTP protocol.”
Sounds pretty similar, right? Well, it may not have been that similar earlier this year when a German court ruled that embedded Google Fonts violated the GDPR. It appears that the one line in the Google Fonts privacy statement about IP addresses came after the ruling, once the API scrubbed them from collected data.
So, do you need to ditch Google Fonts to be GDPR compliant? I would imagine not if IP addresses were the sole concern, but I’ll leave that for folks who know the rules to comment on.
But if you are concerned about Google Fonts’ GDPR compliance, I guess Bunny Fonts is worth a look! And seeing that it’s powered by bunny.net’s CDN services, you should get pretty comparable performance marks.
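As an added example (not from the original post, Bunny Fonts or Google): a small Node.js check that lists the third-party hosts a page's markup contacts for stylesheets and font files, which are the requests at issue in the ruling mentioned above. The sample HTML, `www.example.com` and `cdn.example.net` are constructed, and the regex scan is a simplification that reads only the HTML it is given, not externally linked CSS.

```javascript
// Added example: which third-party hosts does this markup contact for fonts?
const FONT_EXT = /\.(woff2?|ttf|otf|eot)(\?|#|$)/i;

function extractCandidateUrls(html) {
  const urls = [];
  // <link> tags: stylesheet, preload and preconnect all open a connection.
  for (const tag of html.match(/<link\b[^>]*>/gi) || []) {
    const rel = /\brel\s*=\s*["']?([^"'>]+)/i.exec(tag);
    const href = /\bhref\s*=\s*["']([^"']+)["']/i.exec(tag);
    if (rel && href && /\b(stylesheet|preload|preconnect)\b/i.test(rel[1])) {
      urls.push(href[1]);
    }
  }
  // CSS @import rules inside inline <style> blocks.
  for (const m of html.matchAll(/@import\s+(?:url\(\s*)?["']?([^"')\s;]+)/gi)) {
    urls.push(m[1]);
  }
  // url(...) references, kept only when they point at a font file.
  for (const m of html.matchAll(/url\(\s*["']?([^"')]+)["']?\s*\)/gi)) {
    if (FONT_EXT.test(m[1])) urls.push(m[1]);
  }
  return urls;
}

function thirdPartyFontHosts(html, siteOrigin) {
  const site = new URL(siteOrigin);
  const counts = new Map();
  for (const raw of extractCandidateUrls(html)) {
    let u;
    try { u = new URL(raw, site); } catch { continue; } // ignore malformed URLs
    if (!/^https?:$/.test(u.protocol)) continue;         // skip data: and similar
    if (u.host === site.host) continue;                  // self-hosted: no third party
    counts.set(u.host, (counts.get(u.host) || 0) + 1);
  }
  return [...counts.entries()]
    .sort(([a], [b]) => a.localeCompare(b))
    .map(([host, count]) => ({ host, count }));
}

// Constructed sample page for https://www.example.com
const SAMPLE_HTML = `
<link rel="preconnect" href="https://fonts.gstatic.com">
<link href="https://fonts.googleapis.com/css2?family=Inter" rel="stylesheet">
<link rel="stylesheet" href="/assets/site.css">
<style>
@import url("//fonts.bunny.net/css?family=inter");
@font-face { font-family: Local; src: url(/fonts/local.woff2) format("woff2"); }
@font-face { font-family: Remote; src: url('https://cdn.example.net/f/remote.woff2'); }
</style>`;
console.log(thirdPartyFontHosts(SAMPLE_HTML, "https://www.example.com"));
```

Every host in the output receives the visitor's IP address when the page loads, whichever font provider it belongs to; the self-hosted `/assets/site.css` and `/fonts/local.woff2` do not appear.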
… and I wrote about it
“when you visit such a site, that sends your IP address to Google.”
Well… yes? Whenever your browser requests data from a server, the server gets to know the IP address of the client that requests the resource. (Unless it’s hidden behind proxies.) That’s how the server knows where to send the data; it’s a technical necessity.
It’s a bit unfortunate that GDPR considers IP addresses personal data on par with mail addresses or names, because that makes embedding anything from a different server a bureaucratic nightmare. Now you have to mention this in your privacy statement, you have to consider whether this is a permitted use because of justified interest or if you have to get consent from the user, you have to put it in your internal Records of Processing Activities and maybe you’ll need a Data Processing Agreement with that service. And this is exactly the same whether you use Google Fonts or Bunny Fonts, just because you are invoking a request from a different server that will at least give that server the IP address of your visitor.
The best option is always not using webfonts at all; no tricks can hide all the costs of loading extra data.
But if you absolutely have to (or you’ll lose the bad job you have and kids will starve), serve them yourself or from the CDN you use for everything else; no point in using a font CDN.
In my opinion, it makes much more sense just to self-host the font. Maximum privacy achieved + control over how the fonts are loaded.
But it’s nice to see sites like these which offer more privacy-conscious alternatives to Google services.
It’s especially nice for all those quick one-off demos where dropping in a Google Font is merely a matter of convenience.