Check your Fonts - immediately
On January 20, 2022, the Munich I Regional Court determined that Google Fonts on websites are contrary to data protection and not covered by the legitimate interest under Article 6(1f) DSGVO.
Is a wave of warning letters now heading our way?
What are Google Fonts?
The US Internet giant Google has been providing around 1,300 well-programmed, free and freely usable fonts for a wide variety of languages for about 20 years.
Programmers and website operators like to use these fonts to add value to websites. In addition, the fonts are optimized for Google’s search engine, where they are considered a positive criterion for ranking.
Google Fonts: What's the problem?
If these fonts are dynamically integrated via a source code snippet (“code snippet”) that links to the Google server, user data is transmitted to two domains of Google LLC each time the website is called up. This always includes the IP address of the requesting computer and in some cases further information. According to the ECJ, a dynamic IP address is personal data. This means that the use of Google Fonts via such an integration is subject to the DSGVO and requires a legal basis. Without prior information and consent of the users, such a data transfer to a third country may not take place (Article 7 DSGVO).
With an online integration of the font, however, the website cannot even display the advance information without the font already being loaded, so the data transfer has already taken place before consent is given. Google also does not disclose which data is processed by whom and for which purpose, whether it is combined with other data, and how long it is stored, especially if a Google account is logged in (Android operating systems!). However, this information is mandatory for a legally valid user consent, as is an opt-out option, which the font integration does not offer. Thus, no DSGVO-compliant use of Google Fonts in the form of an embedded link is possible.
The Munich Regional Court did not accept the convenience of the programmers, who save a lot of time and costs by linking Google Fonts, as a legitimate interest under Article 6(1f) DSGVO. Nor is this consent “included” in the typical cookie banner, because the fonts usually do not set cookies. Thus, to create a legal basis, the user must explicitly consent to the use of Google Fonts and the associated data transfer to the USA, a transfer which, according to the court, is not necessary.
Wave of warnings? Is Google Fonts the trigger?
At present, a number of private individuals and law firms are issuing warning letters to website operators whose websites integrate Google Fonts via a link. The basis for this is the aforementioned ruling from Munich. The plaintiff was not only granted injunctive relief but also damages in the amount of 100 euros, because his right to informational self-determination was violated and his data was transferred without authorization to the third country USA, where there is no adequate level of data protection.
For the “discomfort” caused and the loss of control over personal data, crafty warning letters are now demanding 100 euros from other website operators who use online fonts. The law firms go even further and additionally demand a cease-and-desist declaration, including attorney’s fees of usually 367.23 euros.
What are the consequences of the court's ruling?
The ruling of the Munich Regional Court applies not only to Google Fonts but to any US service that is dynamically integrated into a website. This covers not only the US alternatives to Google Fonts (such as Adobe, MyFonts, FontAwesome) but also other suppliers of tools or page elements for websites.
All link solutions through which calls to US vendors are embedded in the website are likely to be affected. Whether cookie consent banners provide a sufficient basis for such embedding, which the user cannot control, is highly questionable.
Caution! This is how you react correctly:
In many cases, the letters from private individuals are probably a rip-off.
Solution: We recommend that you immediately switch to local hosting of the Google fonts and otherwise ignore the letter. In addition, you could check whether the IP address of the website visitor was encrypted during transmission to Google in the USA; if so, there is probably no violation of data protection law.
The warning letter comes from a lawyer.
Warning letters from lawyers should generally be taken more seriously, and an IT lawyer should be called in as a follow-up step. Here, too, it is advisable to say goodbye to Google online fonts immediately.
How can Google Fonts be used in a GDPR-compliant manner?
In order to use the fonts and still refrain from data transfer to the USA, there is a relatively simple way: the font must be hosted on your own website.
The unlawful data transfer only takes place if the code of the website requests the font from the Google servers. If, on the other hand, the font is downloaded and hosted locally on your own server (and integrated into the CSS from there accordingly), no data transfer to the USA takes place and the data transfer is minimized (Article 5(1) DSGVO). To do this, the link to Google’s servers must be removed manually and replaced by a reference to your own copy of the font.
Is this legal?
Absolutely! On top of that, Google doesn’t even have to allow it. There is even a utility, Google Webfonts Helper, for downloading the fonts and cutting the server connection to Google (example for WordPress).
Important to know:
An entry in your privacy policy is mandatory (if you collect personal data yourself via Google Fonts). Local hosting could have an effect on search engine optimization and also on the initial page load times; however, tests have not found any major effect. Also, the whole cut-over process has to be repeated whenever the font is updated, but this is rather rare.
The Font-Check
- Does my website use Google Fonts at all?
- If so, is the usage configured to be purely local, with no retrieval from the US?
- If the link binding cannot be changed: Can I replace the font with a similar font without privacy issues, preferably locally?
If no replacement is possible, you need to put a custom consent tool upstream of the font that asks for consent to the use of Google Fonts and the associated transfer of data to a third country.
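As an added example (not code from the original article or from Google Webfonts Helper), a small Python scanner that answers the first two Font-Check questions and carries out the local-hosting step described above: it finds dynamic Google Fonts references in HTML or CSS, extracts the requested families from the Google stylesheet URL, and emits the @font-face declaration for a self-hosted copy. The host names, the sample markup and the local file paths are assumptions.

```python
import re
from urllib.parse import parse_qs, urlparse

# Hostnames contacted by a dynamic integration (assumed; the article only says "two
# domains of Google LLC"): the CSS comes from the first, the font files from the second.
GOOGLE_FONT_HOSTS = {"fonts.googleapis.com", "fonts.gstatic.com"}
# The usual ways a font is pulled in: <link href=...>, CSS @import, and url() in CSS.
URL_PATTERNS = [
    re.compile(r'<link[^>]+href=["\']([^"\']+)["\']', re.I),
    re.compile(r'@import\s+(?:url\()?["\']?([^"\')\s;]+)', re.I),
    re.compile(r'url\(["\']?([^"\')]+)["\']?\)', re.I),
]

def find_google_font_urls(markup):
    """Every URL in an HTML/CSS document that points at a Google Fonts host."""
    hits = []
    for pattern in URL_PATTERNS:
        for url in pattern.findall(markup):
            # Relative paths (/fonts/x.woff2) have no netloc: self-hosted fonts are not reported.
            if urlparse(url).netloc.lower() in GOOGLE_FONT_HOSTS and url not in hits:
                hits.append(url)
    return hits

def families_from_css_url(url):
    """Family names requested in a fonts.googleapis.com css/css2 URL."""
    families = []
    for spec in parse_qs(urlparse(url).query).get("family", []):
        for part in spec.split("|"):             # old css endpoint joins families with '|'
            families.append(part.split(":")[0])  # drop ':400,700' / ':wght@400;700'
    return families

def local_font_face(family, woff2_path, weight=400):
    """@font-face for a self-hosted copy, so the browser never contacts Google."""
    return (f"@font-face {{ font-family: '{family}'; font-style: normal; "
            f"font-weight: {weight}; font-display: swap; "
            f"src: url('{woff2_path}') format('woff2'); }}")

# Constructed sample page: preconnect hint, dynamic Google Fonts stylesheet, and one
# font that is already self-hosted (must not be reported).
SAMPLE_HTML = """<head>
<link rel="preconnect" href="https://fonts.gstatic.com">
<link href="https://fonts.googleapis.com/css?family=Roboto:400,700|Open+Sans&display=swap" rel="stylesheet">
<style>@font-face { font-family: 'Lato'; src: url(/fonts/lato-regular.woff2) format('woff2'); }</style>
</head>"""

if __name__ == "__main__":
    for url in find_google_font_urls(SAMPLE_HTML):
        for family in families_from_css_url(url):
            print(local_font_face(family, f"/fonts/{family.lower().replace(' ', '-')}.woff2"))
```

Run it against your own saved HTML and CSS files; an empty result from find_google_font_urls means the page no longer calls Google's font servers.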
Goodie: Important Cookie Box Note
If other licensed fonts are to be used as replacement fonts, always check the license terms beforehand to see whether they permit use on websites at all. In some cases this is excluded, or the license must be extended accordingly.