Achieving compliance with Switzerland’s New Federal Act on Data Protection (nFADP) can present unexpected challenges. While consent management platforms are frequently discussed, certain third-party services hosted outside Switzerland cannot be blocked without significantly compromising user experience. Font scripts represent a primary example of this dilemma.
What are font scripts?
“Font scripts” generally refer to scripts that install font or emoji libraries on websites. They make it very easy for developers and designers to use a variety of fonts or emojis, often hosted by a third-party service, without needing to include them directly in the project.
Popular font script services include:
- Google Fonts
- Adobe Fonts (formerly Typekit)
- Font Awesome
- Twemoji (Twitter Emoji)
The problem with font scripts in relation to nFADP
While font scripts such as Google Fonts, Adobe Fonts and others offer advantages such as access to a vast font library and ease of integration, they also present privacy issues that should not be overlooked. When a website uses a font script service to load fonts, the visitor's browser sends requests to the servers of the platform hosting the fonts, which are often located in the USA.
Beyond delivering the fonts, these requests allow the services to collect data on site visitors, such as their IP address, browser, operating system and other tracking information. This data can then be used to establish browsing profiles, which poses risks in terms of privacy protection.
In some cases, these platforms may also be subject to specific surveillance laws in their country of origin, which could result in data being collected and used for surveillance purposes.
The problem here, in relation to nFADP, is the principle of proportionality. Strict proportionality requires a balance between the public interest and the impact on the user. Does the simple display of fonts or emojis justify such intrusive data collection when there are easy ways around it? The answer is no.
Using font scripts with consent? Well…
In order to use font scripts in compliance with nFADP, prior consent would have to be sought. But what if the user doesn’t consent? The font script service will not be loaded.
In the case of an emoji service, this wouldn’t necessarily be dramatic. On the other hand, in the case of a font service, not loading fonts can have a major impact on the site’s design, affecting the user experience and the company’s brand image.
For these reasons, the use of font scripts subject to consent is not recommended.
How to comply with nFADP without consent?
Unfortunately, there’s no quick fix. This is mainly because the visitor’s IP address is transmitted to the font script service, and nFADP does not allow the use of this type of service hosted outside Switzerland without consent. The only alternative to avoid needing consent is to stop using external font script services altogether.
For websites concerned about user privacy and wanting to comply with the nFADP, it is becoming essential to host fonts and emojis locally. Installing font scripts locally is not only good practice for improving user privacy, it has also become a legal requirement. By hosting fonts locally, you eliminate external requests and reduce the risk of transferring personal data to third parties without consent.
Local installation of font scripts is often a quick and easy process, even for those with little technical experience — a good reason to do it as soon as possible to avoid potential legal problems.
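One way to check that a page no longer calls third-party font hosts after moving fonts to local hosting, as an added example that is not part of the original article. The hostname list, the `find_external_font_refs` helper and the sample markup are assumptions constructed for illustration, and `example.ch` stands in for your own domain.

```python
import re
from urllib.parse import urlsplit

# Assumed hostnames for the services the article lists; extend for your stack.
FONT_HOSTS = {
    "fonts.googleapis.com": "Google Fonts",
    "fonts.gstatic.com": "Google Fonts",
    "use.typekit.net": "Adobe Fonts",
    "p.typekit.net": "Adobe Fonts",
    "use.fontawesome.com": "Font Awesome",
    "kit.fontawesome.com": "Font Awesome",
    "twemoji.maxcdn.com": "Twemoji",
}
FONT_EXT = (".woff2", ".woff", ".ttf", ".otf", ".eot")
# Absolute (http/https) and protocol-relative (//host/...) URLs in HTML or CSS.
URL_RE = re.compile(r"""(?:https?:)?//[^\s"'()<>]+""", re.I)

def find_external_font_refs(source, site_host):
    """Return font-related URLs in `source` that leave `site_host`."""
    findings, seen = [], set()
    for match in URL_RE.finditer(source):
        url = match.group(0)
        absolute = url if url.lower().startswith("http") else "https:" + url
        try:
            parts = urlsplit(absolute)
        except ValueError:  # malformed URL, nothing a browser would fetch
            continue
        host = (parts.hostname or "").lower()
        # Same-site assets (including subdomains) are not a third-party transfer.
        if not host or host == site_host or host.endswith("." + site_host):
            continue
        service = FONT_HOSTS.get(host)
        if service is None and parts.path.lower().endswith(FONT_EXT):
            service = "unlisted external font file"
        if service and (host, parts.path) not in seen:
            seen.add((host, parts.path))
            findings.append({"host": host, "service": service, "url": url})
    return findings

# Constructed sample markup: three listed services, one unknown CDN, two local assets.
SAMPLE = """
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Inter">
<link rel="preconnect" href="//fonts.gstatic.com" crossorigin>
<script src="https://kit.fontawesome.com/EXAMPLEKIT.js"></script>
<style>
@font-face { font-family: "Brand"; src: url(/fonts/brand.woff2) format("woff2"); }
@font-face { font-family: "Alt"; src: url("https://cdn.example.net/f/alt.woff2"); }
</style>
<img src="https://www.example.ch/logo.png">
"""
```

Run it over the rendered HTML and every linked stylesheet: an empty result means the static sources reference no listed font host and no off-site font file, though requests injected at runtime by JavaScript still need a browser network trace to rule out.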
See our guide on how to remove Twemoji from your WordPress site.
Does your website comply with nFADP?
This question is often difficult to answer, even for web specialists. That’s why biskoui offers you a free audit of your website. You’ll receive your personalized compliance report within 48 hours.
If you have any further questions about compliance, please do not hesitate to contact support@biskoui.ch.