The road to your website’s compliance with nFADP (the new Data Protection Act) may have a few surprises in store for you. We often talk about consent management platforms, but some services hosted outside Switzerland cannot be blocked without having a major impact on the user experience. In this case, we’re talking mainly about font scripts.
What are font scripts?
“Font scripts” generally refers to scripts that install font or emoji libraries on websites. They make it very easy for developers and designers to use a variety of fonts or emojis, often hosted by a third-party service, without needing to include them directly in the project.
Popular font script services include:
- Google Fonts
- Adobe Fonts (formerly Typekit)
- Font Awesome
- Twemoji (Twitter Emoji)
The problem of font scripts in relation to nFADP
While font scripts such as Google Fonts, Adobe Fonts and others offer advantages such as access to a vast font library and ease of integration, they also present privacy issues that should not be overlooked. When a website uses a font script service to load fonts, requests are sent to the servers of the platform hosting the fonts, which are often located in the USA.
Beyond delivering the fonts, these requests allow the services to collect data on site visitors, such as their IP address, browser, operating system and other tracking information. This data can then be used to establish browsing profiles, which poses risks in terms of privacy protection.
In addition, in some cases, font services may be subject to specific surveillance laws in their country of origin, which could result in data being collected and used for surveillance purposes.
The problem here, in relation to nFADP, is the principle of proportionality. Strict proportionality requires a balance between the public interest and the impact on the user. So, does the simple display of fonts or emojis justify such intrusive data collection when there are easy ways around it? The answer is no.
Using font scripts with consent? Well...
In order to use font scripts in compliance, prior consent would therefore have to be sought. But what if the user doesn’t consent? The font script service will not be loaded.
In the case of an emoji service, this wouldn’t necessarily be dramatic. On the other hand, in the case of a font service, not loading fonts can have a major impact on the site’s design, affecting the user experience and the company’s brand image.
For these reasons, the use of font scripts subject to consent is not recommended.
How to comply with nFADP without consent?
Unfortunately, there’s no quick fix. This is mainly due to the fact that the visitor’s IP address is transmitted to the font script service, and that nFADP does not allow the use of this type of service, which in most cases is hosted outside Switzerland. There is only one alternative that avoids consent: removing font script services.
For websites concerned about user privacy and wanting to comply with the nFADP, it’s becoming essential to host fonts and emojis locally.
Installing font scripts locally is not only good practice for improving user privacy, it has also become a legal requirement. By hosting fonts locally, you eliminate external requests and therefore reduce the risk of transferring personal data to third parties without consent.
Local installation of font scripts is often a quick and easy process, even for those with little technical experience. This is a good reason to do it as soon as possible to avoid potential legal problems.
See our guide on how to remove Twemoji from your WordPress site.
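As an added example (not from the original article or from biskoui), the following Python script audits a page's HTML for references to the font services listed above, which is one way to confirm that self-hosting has removed the external requests. The hostname table is an assumed, non-exhaustive mapping, and the sample page and kit ID are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed, non-exhaustive hostnames for the services the article lists.
FONT_HOSTS = {
    "fonts.googleapis.com": "Google Fonts", "fonts.gstatic.com": "Google Fonts",
    "use.typekit.net": "Adobe Fonts", "p.typekit.net": "Adobe Fonts",
    "kit.fontawesome.com": "Font Awesome", "use.fontawesome.com": "Font Awesome",
    "s.w.org": "Twemoji (WordPress)",
}
# Matches url(...), @import "..." and @import url(...) inside CSS text.
CSS_URL = re.compile(r"""(?:@import\s+(?:url\(\s*)?|url\(\s*)['"]?([^'")\s;]+)""", re.I)

class FontRequestAuditor(HTMLParser):
    """Collects (service, url) for each resource loaded from a known font host."""
    def __init__(self):
        super().__init__()
        self.findings, self._in_style = [], False

    def _check(self, urls):
        for url in urls:
            host = (urlparse(url).hostname or "").lower()  # also parses //host/path
            if host in FONT_HOSTS:
                self.findings.append((FONT_HOSTS[host], url))

    def handle_starttag(self, tag, attrs):
        self._in_style = tag == "style"
        for name, value in attrs:
            if name == "src" or (tag == "link" and name == "href"):
                self._check([value or ""])  # plain <a href> links load nothing

    def handle_endtag(self, tag):
        self._in_style = False

    def handle_data(self, data):
        if self._in_style:  # CSS inside a <style> element
            self._check(CSS_URL.findall(data))

def audit_html(html):
    auditor = FontRequestAuditor()
    auditor.feed(html)
    return auditor.findings

# Constructed sample: two external font loads, two self-hosted files, one plain link.
SAMPLE = """<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Roboto">
<link rel="stylesheet" href="/assets/fonts/local.css"><a href="https://fonts.gstatic.com/">x</a>
<style>@import url("//use.typekit.net/abc1234.css");
@font-face { font-family: Brand; src: url(/fonts/brand.woff2); }</style>"""
```

The script only inspects static markup; requests triggered by JavaScript at runtime still need to be checked in the browser's network panel.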
Does your website comply with nFADP?
This question is often difficult to answer, even for web specialists. That’s why biskoui offers you a free nFADP audit of your website. You’ll receive your personalized compliance report within 48 hours.
If you have any further questions about compliance, please do not hesitate to contact support@biskoui.ch.