What does using the Google Fonts Web API mean for the privacy of my users?
The Google Fonts API is designed to limit the collection, storage, and use of end-user data. The use of the Google Fonts Web API is unauthenticated and the Google Fonts API does not set or log cookies. Requests to the Google Fonts Web API are made to resource-specific domains, such as fonts.googleapis.com or fonts.gstatic.com. Font requests are separate from and don't contain any credentials sent to google.com while using other Google services that are authenticated, such as Gmail.
When I embed Google Fonts in my website via the Google Fonts Web API, what data does Google receive from my website visitors?
When end users visit a website that embeds Google Fonts, their browsers send HTTP requests to the Google Fonts Web API. The Google Fonts Web API serves the Google Fonts Cascading Style Sheets (CSS) and subsequently the font files specified in the CSS to the users. Such HTTP requests include (1) the IP address used by the respective user to access the Internet, (2) the requested URL on the Google server, and (3) HTTP headers including the user agent describing the website visitors’ Internet browser and operating system versions as well as the referer (i.e. the webpage on which the Google font is to be displayed).
For clarity, Google does not use any information collected by Google Fonts to create profiles of end users or for targeted advertising.
When I embed Google Fonts in my website via the Google Fonts Web API, why does Google receive the IP address of my website visitors?
Google receives the website visitor’s IP address, which it processes to respond to the visitor's request and for security purposes.
The Internet Protocol requires IP addresses to transfer data via the Internet between a given client (i.e. browser) and a given server. This is why every client request to any server contains the client’s IP address so that the server can respond to that IP address. Accordingly, the fact that Google’s servers necessarily receive IP addresses to transmit fonts is not unique to Google and is consistent with how the Internet works.
Can I embed Google Fonts in my website without sending end-user data to Google’s servers?
Instead of fetching fonts from Google servers, a developer may self-host web fonts on their website locally by downloading the fonts and uploading them to their server. When a font is loaded from the website operator’s servers, Google does not receive any kind of data related to the visits to the website. However, there are several drawbacks to self-hosting Google Fonts (see below).
For more information about self-hosting Google Fonts, read Self-host web fonts quick guide.
What are the advantages of embedding Google Fonts in my website via the Google Fonts Web API?
There are several advantages for both developers and end-users to hosting web fonts on Google’s servers. Google Fonts makes it easy to bring personality and performance to websites and other digital products. It has come a long way from its original value proposition—to make the web faster by allowing your browser to cache commonly used fonts across all the websites that used the API. This is no longer true, but the API still provides additional and important optimizations so that websites load quickly and the fonts work well.
Using the code generated by Google Fonts, our servers will automatically send the smallest possible file to every user based on the technologies that their browser supports. For example, we use WOFF 2.0 compression when available. This can reduce font size and makes the web faster for all users—particularly in areas where bandwidth and connectivity are an issue. The icon sets that are delivered by Google Fonts benefit from the same infrastructure.
Notably, there are also several drawbacks to self-hosting Google Fonts. First, the download size of the font file will increase because the developer will download the entire font file, as opposed to pieces of it, which is the case when the Google Fonts Web API delivers fonts. Second, there is no way to ensure a self-hosted font will be compatible with all browsers. In contrast, the Google Fonts Web API automatically delivers fonts tailored to the user’s specific browser and includes fixes for browser specific issues, the optimal font format, and size optimizations specific to the user’s browser. Lastly, developers must manually update self-hosted fonts, as compared to the Google Fonts Web API, which automatically delivers updates to fonts with no action needed by the developer.
For more information about the benefits of using the Google Fonts Web API, read An API for fast beautiful web fonts.