GDPR / RM not compliant

Hey folks,

I wanted to open a topic regarding GDPR compliance of RM websites.

It seems that RM websites are connecting to Google Webfonts and Google Tag Manager automatically and loading scripts even if you don't use a font from the Google web library.

As a German court fined a website owner on 20 January 2022 because of using Google Webfonts, this problem is huge not only for German users but for all EU website owners, as they also have to follow the GDPR guidelines.

Here is a bit more about this topic: https://blog.runcloud.io/google-fonts-gdpr/

@Readymag could you say something about this?

Would be great if you could let the designers choose which services are being loaded!
For many clients it is very important to fulfill all the GDPR rules, otherwise they won't use RM as a platform!

1 Like

@neueMeta would you kindly reach us over support@readymag.com to continue the conversation over there. Please include links to the projects in which you noticed both google webfonts and GTM loading in the background—we’ll gladly look closer into this for you.

@neueMeta Our dev team discovered that some scripts are indeed getting loaded but without a specific ID. We already have our hands on fixing this. As mentioned earlier, do not hesitate to check directly with us at support@readymag.com if you need us to review something in particular.

2 Likes

Well… the communication via the support wasn't that productive. Regarding the loading of Google Fonts I was told:

“Google fonts always get loaded by Google itself by default.”

And I don't get this! I mean, then just don't let it? RM isn't Google, or did I not get something? Sorry for pushing this, but I think this is an essential thing you should deal with!! Let the users choose if there shall be a connection to Google or not, otherwise we have a huge legal uncertainty in the EU if using RM!!

So I'm still waiting for a solution, or plans for how you want to deal with/solve this!

1 Like

I second this. And it’s not just EU. There are all manner of countries that have data protection requirements. And even individual states in the US, such as the CPRA (California), CDPA (Virginia) and CPA (Colorado). It’s becoming more and more pervasive throughout the world. EU is just leading the way on it where it is already extremely strict.

@Readymag how can we help? What other feedback would you like on this topic?

1 Like

@neueMeta @officialcsi This issue occurs if you use a Google font and then replace it with a custom one. The Google font stays in invisible characters—empty paragraphs, spaces, etc. We continue working on the solution that will allow fixing this problem quickly and will let you know when we release the fix. Sorry for the confusion!

2 Likes

Any news / updates on this?
It's been a while now…

@officialcsi @neueMeta We released a fix — now, no Google fonts should be loaded unless you are actively using any of their fonts on your project.

4 Likes

Hey @Hugo & @Readymag,

Well, I still see a connection to the fonts.googleapis.com source in the dev tools!!
Even if I have an empty project without any text elements, it connects to the fonts.googleapis domain.

This problem is still not solved though, and we are still at risk of getting sued because of this!

Could you please just add a button to switch off the usage/connection of Google Fonts in general? By deactivating it one would also see really fast which elements are using Google Fonts because the text is then shown in a default font.

(I'm in the process of changing all text with Google Fonts to a locally uploaded Google font. With lots of elements I have to go through in desktop mode, I have to do the same in the mobile version, and this takes ages!)

One solution I tried is to block the connection to the Google services with a CSP in the <head> section, but I can only block the connection to “gstatic.com”; it will not block “fonts.googleapis.com”, probably because it gets loaded before my custom code CSP.

OK, I have a solution to block all the connections to Google via a CSP header (also the fonts.googleapis.com source).
This works for me, but is for sure not the best solution for everyone. @Readymag I still would suggest thinking about a general switch to block the connection to third-party sources individually.

Alternative is perhaps to export code and self host?

@Readymag

Hey your.
Today a client of mine with an RM project I designed received a letter from an attorney to pay 170,00 Euro and not use Google Fonts on the website anymore!

So this is becoming a real threat!

The attorney/law firm are the kind of people who just search for websites on a large scale and admonish everyone using any Google Fonts service.

In my case I'm quite lucky as I have blocked the connection to fonts.googleapis.com using a Content-Security-Policy in the “head” section.

They only found the “preload link as stylesheet → googleapis.com” reference in the head section of every RM project and didn't check further whether there is a real connection.

But @Readymag where is the easy solution to this? You are exposing your users to a real financial threat. You need an easy solution to dismiss all Google connections!
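
Added example, not part of any post in this thread: a small Node.js audit that separates the two things discussed above, whether a page head merely references a Google host and whether a `<meta>` Content-Security-Policy would actually block the request. It relies on the fact that a `<meta>`-delivered policy only applies to elements parsed after it; the sample markup, host list, function names and the simplified source matching are assumptions made for illustration.

```javascript
// Added example: simplified audit of a page head; not a full CSP matcher.
const THIRD_PARTY = ['fonts.googleapis.com', 'fonts.gstatic.com', 'www.googletagmanager.com'];
// Parse "directive source source; ..." into a Map of directive -> sources.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}
// Simplified source matching: '*', 'https:', exact host, or '*.example' wildcard.
function allows(sources, host) {
  return sources.some((s) => {
    if (s === '*' || s === 'https:') return true;
    const h = s.replace(/^https?:\/\//, '').replace(/\/.*$/, '');
    return h === host || (h.startsWith('*.') && host.endsWith(h.slice(1)));
  });
}
// Walk the tags in document order; a <meta> policy only covers what follows it.
function auditHead(html) {
  const findings = [];
  let csp = null;
  for (const [tag, name] of html.matchAll(/<(meta|link|script)\b[^>]*>/gi)) {
    const attr = (a) => (tag.match(new RegExp(`\\b${a}\\s*=\\s*"([^"]*)"`, 'i')) || [])[1];
    if (name.toLowerCase() === 'meta') {
      if (/content-security-policy/i.test(attr('http-equiv') || '')) csp = parseCsp(attr('content') || '');
      continue;
    }
    const url = attr('href') || attr('src');
    const host = url ? new URL(url, 'https://site.invalid').hostname : '';
    if (!THIRD_PARTY.includes(host)) continue;
    // Assumed mapping: scripts -> script-src, as="font" -> font-src, other links -> style-src.
    const directive = name.toLowerCase() === 'script' ? 'script-src'
      : attr('as') === 'font' ? 'font-src' : 'style-src';
    const sources = csp && (csp.get(directive) || csp.get('default-src'));
    findings.push({ tag: name.toLowerCase(), host, blocked: Boolean(sources) && !allows(sources, host) });
  }
  return findings;
}
// Constructed sample head (not taken from a real project).
const SAMPLE_HEAD = `
<link rel="preload" as="style" href="https://fonts.googleapis.com/css?family=Constructed">
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self'">
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Constructed">
<link rel="preload" as="font" href="https://fonts.gstatic.com/s/constructed.woff2">
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-PLACEHOLDER"></script>
`;
console.log(auditHead(SAMPLE_HEAD));
```

Every entry in the result is a reference a scanner could flag; only entries with `blocked: false` can still produce a request, which in the sample is the preload placed ahead of the policy.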

This is a real shame, clearly a predatory company — still, I agree. There should be more agency relating to turning on/off elements when not in use.

Any possibility to do code export and to host the site independently?

Well, hosting it on my own server works, and I can also erase all the unnecessary stuff, but this workaround isn't very practical. I don't want to upload it manually again every time I change something. This is not ideal.

1 Like