30th August 2022
Note: the below is not written by a legal expert and does not constitute legal advice.
The Register has recently reported that a court in Germany has fined an unidentified website €100 for violating EU privacy law by importing a Google-hosted web font.
As with any new laws and legislation, defining what is and isn’t allowed very much gets shaken out in the case law that follows. Both of the above rulings are only a matter of months old but could have a big impact on millions of existing websites.
UK and other non-European companies may think this has no impact on them. However, GDPR is about restricting the collection of data from European citizens (at the time of writing also those in the UK). So if your site can be visited by anyone in the GDPR zone, you need to comply.
The Google Fonts ruling above mentions the personal information being collected as an IP address. As every web service receives the visitor's IP address whenever any content is requested from it, it is logical to assume this means embedding any third-party scripts, images, fonts or other data without first getting explicit consent is a violation of GDPR.
Follow the steps below to check whether your site loads third-party content:
Right-click on a page within your website (try right-clicking on the page background)
Select Inspect from the drop-down menu - this will open the web browser's developer tools
Select the Network tab
In the filter input, type domain: followed by your web domain eg
Tick the Invert tickbox and the Hide data URLs tickbox, just to the right of the input
If you have anything listed below that box, you are loading third-party content. See example from our site below
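The same check can also be scripted. The following is an added example, not part of the original article or of DuoCMS: it groups the requests a page has made by third-party host. The function name, the sample URLs and the choice to treat subdomains of your own domain as first-party are assumptions.

```javascript
// Added example: list the third-party hosts a page has loaded content from.
// Assumption: the site's own host and any subdomain of it count as first-party.
function thirdPartyHosts(resourceUrls, siteHost) {
  const site = siteHost.toLowerCase().replace(/^www\./, '');
  const counts = new Map();
  for (const raw of resourceUrls) {
    let url;
    try {
      url = new URL(raw);
    } catch (e) {
      continue; // relative or malformed entries are not third-party requests
    }
    // Same effect as the "Hide data URLs" tickbox: data:/blob: URLs never leave the browser.
    if (url.protocol !== 'http:' && url.protocol !== 'https:') continue;
    const host = url.hostname.toLowerCase();
    // The leading dot stops "notexample.com" from passing as "example.com".
    if (host === site || host.endsWith('.' + site)) continue;
    counts.set(host, (counts.get(host) || 0) + 1);
  }
  // Most-requested hosts first, ties in alphabetical order.
  return [...counts.entries()]
    .sort((a, b) => b[1] - a[1] || (a[0] < b[0] ? -1 : 1))
    .map(([host, requests]) => ({ host, requests }));
}

// Constructed sample input (not taken from any real site).
const SAMPLE_URLS = [
  'https://www.example.com/css/site.css',
  'https://cdn.example.com/img/logo.png',
  'https://fonts.googleapis.com/css2?family=Roboto',
  'https://fonts.gstatic.com/s/roboto/font.woff2',
  'https://fonts.gstatic.com/s/roboto/font-bold.woff2',
  'https://www.google-analytics.com/analytics.js',
  'data:image/png;base64,AAAA',
  'https://notexample.com/x.js',
];

function auditSample() {
  return thirdPartyHosts(SAMPLE_URLS, 'www.example.com');
}

if (typeof window !== 'undefined') {
  // In the browser console: audit what the current page has loaded so far.
  const urls = performance.getEntriesByType('resource').map((e) => e.name);
  console.table(thirdPartyHosts(urls, location.hostname));
} else {
  console.table(auditSample());
}
```

Pasted into the browser console, it reports only what has been requested since the page loaded, so reload the page and scroll through it first so that lazily loaded embeds are included.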
For some things, e.g. Google Fonts, it’s possible for us to copy them to your site, so you’re no longer passing any data to Google.
For things like Google Analytics, Maps, reCaptcha, YouTube and Vimeo content, which can’t easily be hosted locally, you should really be asking for explicit consent before anything is loaded from those providers. It’s worth noting that visitors who decline will reduce the number of site visitors recorded by Google Analytics.
We have updated our standard cookie consent banner to allow us to block third party code until users opt in.
We have updated the latest version of DuoCMS8 to make it possible for us to replace the embedded content with placeholders, so users who have opted out of the consent banner can still access the content by linking through to the various services. For example, YouTube video embeds get replaced with a locally hosted image of the video, which once clicked opens it on the YouTube website.
If you’re on DuoCMS7, we plan to retrospectively add similar tools to that version of the CMS. As earlier versions of the CMS are no longer supported, we suggest discussing a CMS upgrade.
We have now updated DuoCMS7 to allow us to update the cookie banner and filter out embedded content. If you are one of our DuoCMS7 customers, please contact us if you would like to proceed with this.
Contact us via our web form or on 0161 883 1856