To answer "track users across different websites", I think they pretty clearly say the opposite:

> The Google Fonts API is designed to limit the collection, storage, and use of end-user data to what is needed to serve fonts efficiently.

> When millions of websites all link to the same fonts, they are cached after visiting the first website and appear instantly on all other subsequently visited sites. [...] The result is that website visitors send very few requests to Google: We only see 1 CSS request per font family, per day, per browser.

I guess, what would you want to see that would assuage your concerns, beyond what is written in the FAQ?

They do not say the opposite.

Apparently they need to collect and store end-user data for serving fonts efficiently. Wonder what that could be...

And if that information happens to be enough for further tracking then it seems to be fair game!

Couldn’t it just be for edge server location determination?

Not a Google fan, but at their volume of traffic seems like it could be something they’ve optimized for.

Could be!

But they could have said so. And they could also have said that the information is not correlated with anything else.

All we know is that they have, very carefully, written something vague that they could do pretty much anything they wanted with.

And we are left with the question, why would they do that?

Probably to not have to consult the lawyers every single time someone creates a new analytics aggregation.

"Users can be tracked without cookies being sent"

How? Stylesheets can't use fingerprinting or Flash cookies or anything like that, only scripts can.

Stylesheets can fingerprint with the help of a server to track what resources get loaded or skipped, and a few clever media size queries etc.

The Referer header will leak what page you were on and you probably already have connections to Google from the same client IP address. Even if you have Referer blocked, the particular font requested could indicate information about what page you are on when combined with other data.

TLS Session resumption (tickets / caching)

Multiple people (I know as my upvote just now didn't even get you back in the black) downvoted you (and now me ;P), but you are absolutely correct that that quote didn't really have anything to do with the question.