The WordPress Themes team is poised to change its guidelines on remote hosting Google Fonts and is once again strongly urging theme authors to host their fonts locally. Yoast-sponsored contributor Ari Stathopoulos published an update today to answer some questions the team has been receiving about fonts in themes:
Google fonts was an exception to this rule because, at the time, there was no reliable way to implement locally-hosted webfonts, and typography is an integral part of a theme’s design.
Google fonts, however, can no longer be considered an exception to this guideline because of the GDPR and privacy implications.
The team is responding to a recent German court case, which fined a website owner for violating the GDPR by using Google-hosted webfonts. This case spurred a few other threats against website owners and many questions for the Themes team.
What was previously a strong recommendation from WordPress.org is now a warning that guidelines will be changing imminently.
“A theme should not be allowed to use external resources,” Stathopoulos said. “The guidelines right now allow for remote Google fonts, but that will probably change soon. If the theme is using external assets, then yes, it should call a privacy function and ensure that these assets don’t get loaded without the user’s explicit consent.”
A ticket for updating WordPress’ default themes to load Google fonts locally has a patch but the milestone is set for WordPress 6.1. This will make all the core themes GDPR compliant but will not arrive until October.
Some theme authors saw the writing on the wall a few weeks ago and have been working to update their themes to load fonts locally.
“I’ve decided to do this too,” Rough Pixels founder André Jutras said. “Although a few themes have a font-choosing option in the Customizer with the full Google selection. This is going to be hard to change with existing users that use it. My new theme will definitely have local fonts.”
Offering font selection for users inside the theme is not as straightforward as simply including one or two fonts bundled with the theme.
“I’ve been trying to do the same with Blockbase,” Automattic developer Jason Crist said. “But Blockbase ships with a LOT of fonts to choose from so it’s been a bit of a unique challenge.”
In 2020, the Themes team created a package that helps theme authors host their webfonts locally. It was created in anticipation of removing Google Fonts as the exception to the rule prohibiting the use of CDNs to load assets.
Bunny Fonts are are an alternative to Google Fonts that some plugin authors have on their radar now that some European jurisdictions are cracking down on Google-hosted fonts. It is an open-source, privacy-first web font platform with no tracking or logging and is fully GDPR compliant. Bunny Fonts is compatible with the Google Fonts CSS v1 API so it can function as a drop-in replacement to Google Fonts by just switching the hostname. If the Themes Team was to add any service to its exception list, Bunny Fonts would be a more privacy respecting option than Google Fonts.
The Themes Team is waiting on core to implement better support for loading local fonts before making a sweeping requirement for themes hosted in the directory. In the meantime, WordPress theme authors have the time to update their themes to load Google Fonts locally before a requirement is put in place.
I understand why the theme team no longer wants to make an exception for Google Fonts.
I can’t understand why Bunny fonts would be any different.
Both claim to not store IPs, but I thought the reason for the court’s ruling was because IPs were sent to a 3rd party.