from Hacker News

Ask HN: What does the GDPR penalty for loading fonts mean for website owners?

by emschlr on 1/31/22, 8:43 AM with 17 comments

Story of GDPR penalty for loading external fonts from Google - https://news.ycombinator.com/item?id=30135264

I was thinking of starting my own blog recently. I like the idea of having comments section in blog powered by Disqus or another service that can be embedded in website with javascript. But this will be violating GDPR? Is it risky move?

From now on we should load all page resources from the same domain? No more using of external javascript to power syntax highlighting for code blocks, commenting section? What do website owners think about this penalty decision? What changes will you do to your websites to protect yourself?

  • by speedgoose on 1/31/22, 11:37 AM

    If you really want to use Disqus, you could load the Disqus code after you obtain explicit consent from the user to be tracked by Disqus.

  • by davidkuennen on 1/31/22, 8:58 AM

    I already switched to hosting everything myself wherever possible for my website [1].

    I think it's becoming increasingly risky to include many different domains without naming them in your terms and explaining what they do with your users data (in this case the IP-Addresses).

    It'd be hard for services like Disqus. In such cases I think you'd need to include them in your terms/privacy policy.

    Disclaimer: I'm no lawyer/expert

    [1]https://stockevents.app/en

  • by tannhaeuser on 1/31/22, 9:35 AM

    IANAL, but it could mean that we're going to see an Abmahnwelle in Germany, ie. where law firms systematically scan websites hosted in DE for violations and demand cash at the threat of sueing. The habit of Abmahnen is a staple in German civil law and is seen as part of Rechtspflege (upholding the law by putting economical interest behind), but its application has been limited in recent years by a high court AFAIK, and I don't know how it could work in this particular case where visitors have individual claims. Which I think is the dangerous thing ie. continuing using Google Fonts and other CDNs without consent could set you up for quite a lot of claims.

    FWIW, yesterday I rushed to change my sites to serve all assets locally.

  • by Habgdnv on 1/31/22, 10:09 AM

    If you have your blog self-hosted in your garage !IN EUROPE!, and your apache use custom log format that do not log IP addresses, and I add an <img> to some image on your site (example - some cool car), I should be OK?

    Now imagine this: Then one day you change the image with something else (example - birds picture). Can I sue you that without my permission you changed MY website?

    My logic is that if in court I am responsible for something that is outside my webserver (it is on your webserver), then you should be responsible too? (it is still your webserver)

    What if one day you decide to start logging IP addresses, and move your blog from your garage server to AWS in USA without notifying me?

  • by BjoernKW on 1/31/22, 2:16 PM

    I think this decision isn't helpful or beneficial - like many other decisions, rules, and provisions related to GDPR (the fundamental idea of which is good, it's just that the implementation and execution is ... less so).

    Decisions like that will only lead to more people and businesses hosting everything themselves when they probably shouldn't. With font files there's probably little that can happen in case one hosts those oneself.

    However, for other aspects such as not being allowed anymore to use any third-party service with any connection to the US whatsoever, it's not quite as simple.

    If everyone now starts hosting everything themselves, we'll end up with less secure systems, worse security, and less user privacy, because most people and most businesses won't be able to maintain the same security standards as companies like Google. For many services, there simply is no EU-based alternative without any affiliation to US-based companies.

    Even if there is, the question remains if those are able to provide the same level of security. Unfortunately, there's this widespread fallacy that a service or provider automatically is "safe" simply by virtue of being EU-based.

    Long story short, it is what it is. Not complying with this decision puts you at risk. If that risk is easily mitigated by loading files from your local server instead of a CDN, there's no reason not to do it.

    As for services such as Disqus it's more complicated, though. Disqus isn't exactly known for being particularly privacy-friendly. So, apart from the hosting question, it might be a good idea to look for alternatives anyway.

    Blogging software products such as WordPress often provide a comment feature out-of-the-box. So, why use a third-party service for that in the first place?

  • by ketz1 on 1/31/22, 1:48 PM

    No contact, no company, njala domain, cloudflare proxy. Problem solved for small sites/blogs

  • by dusted on 1/31/22, 10:24 AM

    It's idiotic beyond reasonable belief. It went wrong with the cookie misunderstanding (users own their browser, they are entirely free to use or not use the cookie feature). Now it just goes more wrong until it's all wrong all the time.