German Court Fines Website Owner for Violating the GDPR by Using Google-Hosted Fonts

In late January, a Munich regional court ruled that a plaintiff was entitled to injunctive relief and damages of 100 € from an undisclosed website owner for passing on the visitor’s IP address to Google through the use of Google Fonts.

Since it is possible to use the fonts without connecting to Google, the court deemed this a violation of Europe’s GDPR (General Data Protection Regulation) because Google Fonts exposes the visitor’s IP address:

The defendant violated the plaintiff’s right to informational self-determination by forwarding the dynamic IP address to Google when the plaintiff accessed the defendant’s website.

The automatic transmission of the IP address by the defendant to Google was an inadmissible encroachment on the plaintiff’s general personality rights under data protection law, since the plaintiff had undisputedly not consented to this encroachment in accordance with Section 13 (2) TMG (old version), Art. 6 (1) (a) GDPR.

The Google Fonts FAQ discloses the data collection under a section about user privacy and states that it caches responses to minimize requests and serve the fonts faster. It does not specify exactly what data is collected but seems to imply that the information it collects is necessary to serve the fonts:

The Google Fonts API is designed to limit the collection, storage, and use of end-user data to only what is needed to serve fonts efficiently.

The German court’s ruling threatens a fine of €250,000.00 for each case of infringement or, alternatively, six months’ imprisonment, if the site owner does not comply and continues to provide Google with IP addresses through their use of Google Fonts.

More than 50 million websites use the Google Fonts API. Many site owners may not even know they are using them.

In consideration of those who may be subject to European courts, WordPress plugins and themes that use Google Fonts should offer a user-friendly option to self-host the fonts. If you want to continue using Google Fonts in a more privacy-respecting way, there are many tutorials for self-hosting the fonts instead.
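One way a site owner can check whether a page or theme still pulls fonts from Google, and what the self-hosted replacement looks like, as an added example that is not part of the original article: the sample markup and the local file-naming convention are constructed assumptions, and the host list reflects the stylesheet host plus the host that serves the font files.

```python
import re
from urllib.parse import urlparse, unquote

# Hosts contacted when a page loads fonts through the Google Fonts API: the stylesheet
# host and the host that serves the font files that stylesheet references.
GOOGLE_FONT_HOSTS = {"fonts.googleapis.com", "fonts.gstatic.com"}
URL_PATTERNS = (
    re.compile(r'<link[^>]+href=["\']([^"\']+)["\']', re.I),       # <link href="...">
    re.compile(r'@import\s+(?:url\()?["\']?([^"\')\s;]+)', re.I),  # @import url(...) / @import "..."
    re.compile(r'url\(\s*["\']?([^"\')\s]+)', re.I),               # src: url(...) in CSS
)

def find_google_font_refs(markup):
    """Distinct URLs in HTML/CSS text that make the visitor's browser contact Google."""
    refs = []
    for pattern in URL_PATTERNS:
        for url in pattern.findall(markup):
            # urlparse yields the host for absolute and protocol-relative (//host/..) URLs;
            # site-relative paths such as /fonts/x.woff2 have an empty netloc and are skipped.
            if urlparse(url).netloc.lower() in GOOGLE_FONT_HOSTS and url not in refs:
                refs.append(url)
    return refs

def requested_families(url):
    """Families named in a Google Fonts stylesheet URL (v1 'css?family=A:400|B', v2 'css2?family=A&family=B')."""
    names = set()
    for part in urlparse(url).query.split("&"):
        key, _, value = part.partition("=")
        if key == "family":
            for entry in unquote(value).replace("+", " ").split("|"):
                name = entry.split(":")[0].strip()  # drop weight/axis suffix (:400,700 or :wght@400;700)
                if name:
                    names.add(name)
    return sorted(names)

def self_hosted_font_face(family, weight=400, directory="/fonts"):
    """@font-face rule for a locally hosted copy. The file name is an assumed convention:
    download the font files yourself and change the path to wherever you put them."""
    slug = family.lower().replace(" ", "-")
    return (f"@font-face {{ font-family: '{family}'; font-weight: {weight}; font-display: swap; "
            f"src: url('{directory}/{slug}-{weight}.woff2') format('woff2'); }}")

# Constructed sample <head>: a preconnect hint, both Google Fonts URL styles, and local assets.
SAMPLE_HTML = """<head>
<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Roboto:wght@400;700&family=Open+Sans&display=swap">
<link rel="stylesheet" href="/wp-content/themes/demo/style.css">
<style>@import url(//fonts.googleapis.com/css?family=Lato:400,700|Merriweather);
@font-face { font-family: 'Local'; src: url(/fonts/local.woff2) format('woff2'); }</style></head>"""
```

Running `find_google_font_refs` over a theme's rendered pages (or its template and CSS files) lists every reference to remove; `requested_families` tells you which families to download, and `self_hosted_font_face` gives the rule that replaces the Google stylesheet link.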

28 responses to “German Court Fines Website Owner for Violating the GDPR by Using Google-Hosted Fonts”

    • By self-hosting these fonts it’s possible you’ll miss out on ongoing improvements that are automatically delivered when using the Google Fonts API. It’s still preferable to self-host but it may be a better idea to download fonts directly from Google Fonts, to at least ensure the font is the most recent release. The webfont-helper-tool appears to offer slightly different versions (based on differences in file sizes I’ve observed) but it’s not obvious why. Interested whether anyone can shed some light on this.

  1. Whenever an E.U. citizen visits a website, GDPR applies, so the rule applies wherever the website is “located” …
    The beauty of extraterritoriality just like the C.L.O.U.D. act (Clarifying Lawful Overseas Use of Data Act).

  2. Madness. And the person who has taken the website to court needs to give their head a wobble. Far too much time on their hands. The 100 euro fine reflects that the court was forced to find in favour of the plaintiff but thinks it was a waste of court time.

    If you’re worried about privacy, then use a VPN at all times. But this smacks of the sort of people who’ll sit through a TV show they find offensive in some way and then complain about it, instead of just switching the TV off.

    • There are ways around the ruling in Austria. Cloudflare will soon be rolling out Zaraz for Enterprise customers, which allows you to basically use Google Analytics, anonymize the data, and keep it within the EU.

      There’s also CAOS Pro (a –much!– cheaper alternative for WordPress), which basically does the same, but without the fancy CDN part. It just reroutes all requests to google-analytics.com, etc. to your own server, then erases all sensitive data, and passes it to Google.

      What I’m wondering is what online marketeers will do in the near future. Because the GDPR is starting to make their pool for data driven decision making much smaller.

      • Sounds interesting. I can live without GA (and even convince customers to a more privacy-oriented alternative), but probably not without GTM – as this easily enables marketers to do their own work.

        Are the alternatives you spoke of also working for GTM?

        Are there (reputable) sources that can confirm the claims you make for CAOS Pro? (Btw you have a typo “Austra’s” -> “Austria’s” in the CAOS Pro page.)

        • I don’t think GTM will work when using a proxy, it’s too dependent on external resources. I’ve tested it a few years back and didn’t get it to work. It might, though, depending on your use case.

          As for the reputable sources; I get this question a lot, that’s why I’ve written up a piece about it in CAOS Pro’s documentation. In short, Cloudflare and the University of Oslo are working on a similar approach. However, Cloudflare’s approach is f-in expensive and the university’s approach requires NodeJS knowledge and isn’t fully anonymous (it still passes the UUID stored in everyone’s cookies).

          If you (or anyone) have any questions about CAOS Pro, feel free to contact me!

    • The problem is most free services/websites like Gmail, Facebook, Twitter, etc. … they’re free because people provide their data.

      Google and Facebook sort of rely on advertisement but so many people have adblockers.

      Twitter recently started a PRO version, I think they call it blue or something like that.

  3. So, I wonder if Google will make any changes because of this. Do they stop collecting IP addresses? Do they put up a big warning message about GDPR?

    In reality, they’ll probably do very little (or nothing). But this is so troubling for web designers and website owners.

    • I’m not sure there’s anything they can do. Even if they promise to no longer collect any data, there’s no way we can verify this.

      • I mean really there’s no way Google can’t collect the end-user’s IP address if they’re going to serve the fonts. Self-hosting fonts is an option, of course — as long as the font license allows it, which it does in the case of all of the fonts on Google Fonts.

        But honestly, the GDPR covers both the reasonable and the ridiculous, and it’s left to the courts to assess where a given complaint falls. (Fortunately in this instance it seems like the court got it right.) I’m based in the U.S. but a lot (possibly the majority) of the users of my plugins are based in Europe, so I’m paying attention.

      • You can’t not collect IP addresses when a browser connects to your server. Every server keeps an access.log, at least. Sure, you can empty that once in a while, but you’ll need it too, if something goes wrong.

        The only solution here is self-hosting the fonts, and while we’re on the subject: download OMGF 🙂

    • Don’t most sites nowadays do the whole cookie warning thing? I am in Canada and I get those messages.

      They could do a type of “this is what will be collected when you enter the site, if you do not agree then leave” type of message.

      There should be something that will fit GDPR, California thing and every other future type of law.

  4. Oh, my…

    Agree on controlling what Google traces about users, but these kinds of measures… As always, blame on us, not on the big ones. Problem is not Google gathering everything about everyone, problem is me importing Google Fonts for a cake shop’s web…

  5. If Google Fonts are a no-no, then by the same logic, some Jetpack modules are also a no-no? For example image optimization, which hosts and pulls the images from wp.com.
    Thoughts?

    • Yes, I think many will soon follow. In theory, basically any CDN could be in breach of GDPR. Unless they have some sort of virtual walls in between each region to make sure access data (which includes IP addresses) isn’t shared.

    • Jetpack modules are also a no-no?

      Correct. They have been a no-no since day 1 of GDPR.

  6. just for legal monitoring:

    the looming cost of a patchwork of state privacy law:

    Need for a DPA:
    https://gillibrandny.medium.com/the-u-s-needs-a-data-protection-agency-98a054f7b6bf

  7. I can’t help thinking that the plaintiff probably found the site by googling it.
