Don’t include GDPR-questionable external resources on your web site

Many web sites, web services, and “modern” web applications use a number of frameworks and packages. This can include JavaScript, fonts (“web fonts”), CSS, and images. It is very common that these resources are served from external sources, such as Google, CDNs, and so on. Don’t do that.

It is obviously very practical and convenient, for developers, to be able to include all of these resources from an external source. But this isn’t entirely unproblematic from a GDPR perspective.

When a visitor’s web browser retrieves a page from a web site, it will also fetch all external resources referenced by that page, often without informing the visitor that this is taking place. This means that the visitor will effectively be “leaking” potentially sensitive information, such as the visitor’s IP address, to the external server(s).

Certain frameworks that are included in this manner can also potentially interact with other information about the visitor, depending on how the web site being visited is built and/or configured.

It is not a very complicated procedure to re-build these web sites, web services, and web applications to instead host these resources locally. The developer simply needs to download them and publish them on the web site, together with everything else that is required for the web site to work.
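To find what needs to be moved, the following added example (not part of the original post) parses a page's HTML and lists every external host a visitor's browser would contact on load. The page URL, sample markup and helper names are assumptions; `srcset` and resources pulled in by external stylesheets or scripts are not followed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Attributes that make a browser fetch a resource as soon as the page loads.
FETCH_ATTRS = {"script": ["src"], "img": ["src"], "iframe": ["src"], "embed": ["src"],
               "audio": ["src"], "video": ["src", "poster"], "object": ["data"]}
# <link rel=...> values that trigger a request; rel="canonical" and <a href> do not.
FETCH_RELS = {"stylesheet", "icon", "preload", "prefetch", "modulepreload", "manifest"}
CSS_REF = re.compile(r"""url\(\s*['"]?([^'")\s]+)|@import\s+['"]([^'"]+)['"]""", re.I)
SAMPLE = """<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto">
<link rel="canonical" href="https://other.example/page"><link rel="icon" href="/fav.ico">
<style>@import url("//cdn.example.net/theme.css"); body{background:url(/img/bg.png)}</style>
<script src="https://www.google-analytics.com/analytics.js"></script>
<img src="img/logo.png"><a href="https://edri.org/">EDRi</a>"""  # constructed sample page

class ExternalResourceAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.own_host = page_url, urlparse(page_url).hostname
        self.external, self.in_style = {}, False

    def record(self, refs):
        for ref in refs:
            url = urljoin(self.page_url, ref.strip())  # resolves relative and //host refs
            host = urlparse(url).hostname              # None for data: URIs
            if host and host != self.own_host:
                self.external.setdefault(host, set()).add(url)

    def handle_starttag(self, tag, attrs):
        a = {k: v for k, v in attrs if v}
        self.in_style = tag == "style"
        rels = set(a.get("rel", "").lower().split())
        names = ["href"] if tag == "link" and rels & FETCH_RELS else FETCH_ATTRS.get(tag, [])
        self.record(a[n] for n in names if n in a)

    def handle_endtag(self, tag):
        self.in_style = False  # <style> content is raw text, so any end tag closes it

    def handle_data(self, data):
        if self.in_style:      # url(...) and @import references in embedded CSS
            self.record(m.group(1) or m.group(2) for m in CSS_REF.finditer(data))

def audit(html, page_url):
    """Return {external_host: [urls]} for resources the browser fetches on load."""
    parser = ExternalResourceAudit(page_url)
    parser.feed(html)
    parser.close()
    return {h: sorted(u) for h, u in sorted(parser.external.items())}
```

Calling `audit(SAMPLE, "https://www.example.org/index.html")` reports three external hosts; once the fonts, stylesheet and script are hosted locally, the result should be an empty dict.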

A German court ruled (January 20, 2022) the use of Google web fonts to be in violation of GDPR. And as many of you know, the Austrian DPA earlier ruled Google Analytics to also be in violation of GDPR.


Google-Webfonts-Helper is a good tool to download the Google fonts you want to use and then host them locally.

Gerben van den Broeke (noyb) wrote this: Removing “barnacle trackers”

EDRi, “Guide for ethical website development and maintenance” (PDF)

Alexander Hanff wrote an article on LinkedIn about this in 2016, which to a large extent is still applicable.

You can use Matomo, either self-hosted or hosted by a company within the EU, to secure good visitor statistics without handing over your (and your visitors’) data to Google.



