Neil Brown
@neil@mastodon.neilzone.co.uk  ·  activity timestamp 11 hours ago

My new blog post might be of interest to anyone running websites / developing apps for people in the UK:

# An overview of the UK's updated laws on storing information in someone's terminal equipment, and accessing information stored in someone's terminal equipment

Catchy. But useful (I hope).

I must admit that - as you'll see towards the end - some of this baffles me.

https://decoded.legal/blog/2026/02/an-overview-of-the-uks-updated-laws-on-storing-information-in-someones-terminal-equipment-and-accessing-information-stored-in-someones-terminal-equipment/

#privacy #lawfedi #dataprotection #webdev #css

Simon Lucy
@simon_lucy@mastodon.social  ·  activity timestamp 9 hours ago

@neil

This is useful, and confusing.
Another wrinkle, CSS and especially fonts, can come from other third parties.

Neil Brown
@neil@mastodon.neilzone.co.uk  ·  activity timestamp 9 hours ago

@simon_lucy

> Another wrinkle, CSS and especially fonts, can come from other third parties.

The blogpost expressly addresses third party fonts!

ahnlak
@ahnlak@kavlak.uk  ·  activity timestamp 11 hours ago

@neil so somehow we're supposed to magically avoid gaining access to things like browser user agent strings, which are automatically sent with the request?

Given that makes it impossible to actually run any form of web server, we may as well just geoblock the whole of the UK, I guess 🤷

Neil Brown
@neil@mastodon.neilzone.co.uk  ·  activity timestamp 11 hours ago

@ahnlak

> we're supposed to magically avoid gaining access to things like browser user agent strings, which are automatically sent with the request?

Unless an exemption applies, yes...

But an exemption may well apply, depending on use case.

Neil Brown
@neil@mastodon.neilzone.co.uk  ·  activity timestamp 11 hours ago

You might be interested, in particular, in the ICO's examples relating to:

* third-party hosted fonts; and

* CSS (and other technologies) which adjust a site based on a user's preferences

which, the ICO asserts, require notice and the chance to object / opt-out.

penguin42
@penguin42@mastodon.org.uk  ·  activity timestamp 10 hours ago

@neil Note the CSS thing explicitly says 'Detecting preferences on the subscriber's or user's operating system' - not about your choice within your webpage; so it's saying you can't detect that the preferences for the system are dark mode/huge font/big monitor and transmit that data to you as a provider without permission.

Neil Brown
@neil@mastodon.neilzone.co.uk  ·  activity timestamp 10 hours ago

@penguin42 That is one possible interpretation, but not the only one.

Neil Brown
@neil@mastodon.neilzone.co.uk  ·  activity timestamp 10 hours ago

@penguin42 I say this because "detecting" does not appear in the legislation, but the legislation covers both storage and access to information stored.

Put another way, the ICO could be a lot clearer in its example :)

Sven
@HeNeArXn@chaos.social  ·  activity timestamp 11 hours ago

@neil over here (Germany specifically) third-party hosted fonts have been a regular topic, a few years back a court awarded someone damages for a site using Google Fonts without informing them.

The "adjust based on user preferences" part I would have thought the intent would be something like "you can store the preference (e.g. if the user uses an option on your site to increase font size), and if doing so leads to more stuff being loaded tell them" but it isn't really clear

Neil Brown
@neil@mastodon.neilzone.co.uk  ·  activity timestamp 10 hours ago

@HeNeArXn

> over here (Germany specifically) third-party hosted fonts have been a regular topic, a few years back a court awarded someone damages for a site using Google Fonts without informing them.

And indeed that case is linked from the blogpost :)

RevK :verified_r:
@revk@toot.me.uk  ·  activity timestamp 11 hours ago

@neil What the hell?

That raises a *lot* of questions.

Third party fonts - so you are OK if the fonts are on the same web site as the html? Yes? How is it being third party a factor in the decision?

Also, if I ran my site through a CSS tool to make all the styles on all the elements explicit style="" tags, which I assume is quite possible to do, is that still covered? OK some things are tricky for anything dynamic. What of just inline <style> for the css, is that OK as in the page?

Rachel Lawson
@rachel@norfolk.social  ·  activity timestamp 11 hours ago

@revk @neil if the third party website loads the fonts from an external source, like google fonts, then Google see the referrer header in the web request to download them. The entire reason they provide these fonts online is for this purpose - they can then track activity even if Google Analytics is not installed.

Neil Brown
@neil@mastodon.neilzone.co.uk  ·  activity timestamp 11 hours ago

@rachel @revk

If the font provider does this, then it is expressly outside the scope of the exemption though, according to the ICO:

> You should ensure the font provider uses this information for the purposes of serving the font that you’ve selected and not for other purposes (eg advertising and profiling).

In other words, that cannot, in itself, be the reason why third party fonts are in scope.

Khleedril
@khleedril@cyberplace.social  ·  activity timestamp 10 hours ago

@neil @rachel @revk The reason is that nobody trusts Google.

Neil Brown
@neil@mastodon.neilzone.co.uk  ·  activity timestamp 10 hours ago

@khleedril @rachel @revk A reasonable enough reason :)
