German Court Fines Website Owner for Violating the GDPR by Using Google-Hosted Fonts
In late January, a Munich regional court ruled that a plaintiff was entitled to injunctive relief and damages of 100 € from an undisclosed website owner for passing on the visitor’s IP address to Google through the use of Google Fonts.
Since it is possible to use the fonts without connecting to Google, the court deemed this a violation of Europe’s GDPR (General Data Protection Regulation) because Google Fonts exposes the visitor’s IP address:
The defendant violated the plaintiff’s right to informational self-determination by forwarding the dynamic IP address to Google when the plaintiff accessed the defendant’s website.7
The automatic transmission of the IP address by the defendant to Google was an inadmissible encroachment on the plaintiff’s general personality rights under data protection law, since the plaintiff in this encroachment was undisputedly not in accordance with Section 13 (2) TMG old version, Art. 6 (1) a ) GDPR has consented.
Google Fonts FAQ discloses the data collection under a section about user privacy and states that it caches responses to minimize requests and serve the fonts faster. It does not specify exactly what data is collected but seems to imply that the information it collects is necessary to serve the fonts:
The Google Fonts API is designed to limit the collection, storage, and use of end-user data to only what is needed to serve fonts efficiently.
The German court’s ruling threatens a fine of €250,000.00 for each case of infringement or, alternatively, six months imprisonment, if the site owner does not comply and continues to provide Google with IP addresses through their use of Google Fonts.
More than 50 million websites use the Google Fonts API. Many site owners may not even know they are using them.
In consideration of those who may be subject to European courts, WordPress plugins and themes that use Google Fonts should offer a user-friendly option to self-host the fonts. If you want to continue using Google Fonts in a more privacy respecting way, there are many tutorials for self-hosting the fonts instead.