schultz-it-solutions
14 Jun 2018

Cassiopeia template
https://github.com/joomla/joomla-cms/blob/4.0-dev/templates/cassiopeia/css/template.css
uses googlefonts api.

I suggest to change this, in order to avoid issues (for the website owner) with privacy regulations such as GDPR.

schultz-it-solutions - open - 14 Jun 2018
joomla-cms-bot - change - 14 Jun 2018
Labels Added: ?
joomla-cms-bot - labeled - 14 Jun 2018
ciar4n - comment - 14 Jun 2018

IMO I don't see this as an issue. Google Fonts is unauthenticated and does not set any cookies. Requests go to resource-specific domains, which are separate from google.com and do not contain any credentials from Google services

brianteeman - comment - 14 Jun 2018

Please see google/fonts#1495

The same would apply to the usage of any cdn

franz-wohlkoenig - change - 14 Jun 2018
Status: New → Closed
Closed_Date: 0000-00-00 00:00:00 → 2018-06-14 09:49:32
Closed_By: → franz-wohlkoenig
joomla-cms-bot - change - 14 Jun 2018
Closed_By: franz-wohlkoenig → joomla-cms-bot
joomla-cms-bot - close - 14 Jun 2018
joomla-cms-bot - comment - 14 Jun 2018
franz-wohlkoenig - comment - 14 Jun 2018

closed for Reason: Comments above.


This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/20750.

ReLater - comment - 14 Jun 2018

EDIT: @franz-wohlkoenig was too fast ;-) (thank you for prompt closing). So, ignore my following comment ;-)

As there is a clear statement in the Google FAQs (cited by ciar4n above) one should not follow the illogical conspiracy theory (just because it's a Google cdn) that came up in the last weeks and one should not remove the use of Google Fonts (or any other cdn) if a template designer wants it.

Any hyperlink or directly embedded image of Wikipedia and so on provides an IP (and referrer) to the linked page/content.

Maybe a hint for paranoid people could be nice ("This template uses Google Fonts. There are tools out there to disable them or use the com_csp to block the cdn requests...").

franz-wohlkoenig - comment - 14 Jun 2018

@ReLater sorry for being too fast / too slow *g

SharkyKZ - comment - 14 Jun 2018

Privacy regulations or not, IMO, no remote resources should be loaded out of the box. There's also no reason to bloat the default template with this ugly (IMO) font.

brianteeman - comment - 14 Jun 2018

@SharkyKZ you do realise that the default template in joomla 3 also uses a googlefont

schultz-it-solutions - comment - 14 Jun 2018

I actually disagree with @ReLater in the sense that the Google FAQs in fact do not sufficiently explain "why which personal data is processed". It is irrelevant whether Google uses an authentication for these API requests and on what subdomain the data is stored. Fact is, the website user is subject to processing of his personal data (at the bare minimum, his IP address - before he even has a chance to consent-or-not).
The most comprehensive approach would indeed be the possibility to anonymizeIP (as with Google Analytics), but that depends on Google's willingness to implement this. In the meantime the removal of Google Fonts API calls in cases where it is not really necessary, should be a viable option indeed...

@brianteeman thanks for pointing out the respective discussion on github/Google -> I will follow those developments...
and indeed we could also apply this approach to J3 once this is agreed on...

the argument that there are literally thousands of other APIs to be looked at is misleading I believe: one issue after another...

SharkyKZ - comment - 14 Jun 2018

@brianteeman I do. But at least it gives an option to disable it. Ideally, though, it should be disabled by default.

brianteeman - comment - 14 Jun 2018

By the same token everyone who visits your web site has their IP address logged by your ISP before they have had a chance to consent or not.

mbabker - comment - 14 Jun 2018

> Fact is, the website user is subject to processing of his personal data (at the bare minimum, his IP address - before he even has a chance to consent-or-not).

That's a web problem in general. Do you get a consent box before being shown this GitHub webpage, or before allowing media assets for a page to render (regardless of the source being the same domain or external, such as a CDN)? Your IP address has already been processed by requesting the page before you get the opportunity to consent, or even see the contents of the page.

> In the meantime the removal of Google Fonts API calls in cases where it is not really necessary, should be a viable option indeed...

Use a template without Google Fonts then? Joomla core templates should not be mandated to not make use of external resources where they can provide value (in this case, the choice of certain fonts to fulfill a visual theme).

ReLater - comment - 14 Jun 2018

> Google FAQs in fact do not sufficiently explain "why which personal data is processed".

That's not true:

> Google Fonts logs records of the CSS and the font file requests, and access to this data is kept secure. Aggregate usage numbers track how popular font families are, and are published on our analytics page. We use data from Google’s web crawler to detect which websites use Google fonts. This data is published and accessible in the Google Fonts BigQuery database.

Together with:

> Use of Google Fonts is unauthenticated. No cookies are sent by website visitors to the Google Fonts API. Requests to the Google Fonts API are made to resource-specific domains, such as fonts.googleapis.com or fonts.gstatic.com, so that your requests for fonts are separate from and do not contain any credentials you send to google.com while using other Google services that are authenticated, such as Gmail.

it's a clear statement.

That's why I said above:

> one should not follow the illogical conspiracy theory (just because it's a Google cdn) that came up in the last weeks
