Google Fonts Violates GDPR

A regional court in the German city of Munich has ordered a website operator to pay €100 in damages for transferring a user's personal data — i.e., IP address — to Google via the search giant's Fonts library without the individual's consent.

The unauthorized disclosure of the plaintiff's IP address by the unnamed website to Google constitutes a contravention of the user's privacy rights, the court said, adding the website operator could theoretically combine the gathered information with other third-party data to identify the "persons behind the IP address."

The violation amounts to the "plaintiff's loss of control over a personal data to Google," the ruling issued by Landgericht München's third civil chamber in Munich read.

Google Fonts is a font embedding service library from Google, allowing developers to add fonts to their Android apps and websites simply by referencing a stylesheet. As of January 2022, Google Fonts is a repository for 1,358 font families and is used by over 50.1 million websites.

Under the European Union's General Data Protection Regulation (GDPR), data points such as IP addresses, advertising IDs, and cookies are counted as personally identifiable information (PII), making it mandatory for businesses to seek users' explicit permission before processing such information.

In addition, the court noted that "Google Fonts can also be used by the defendant without a connection to a Google server is established and the IP address of the website user is transmitted to Google," effectively requiring websites to host the fonts locally.
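A site operator can check whether pages still pull fonts from Google rather than from local copies. The following audit script is an added example, not part of the original article or the ruling; the two host names are the ones the hosted Google Fonts service serves from, and the sample page and the `/assets/fonts/` paths are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosted Google Fonts hosts, and a pattern for url(...) / @import "..." targets in CSS.
GOOGLE_FONT_HOSTS = {"fonts.googleapis.com", "fonts.gstatic.com"}
CSS_URL = re.compile(r"""(?:url\(\s*|@import\s+(?!url\())['"]?([^'")\s;]+)""", re.I)

def is_google_fonts(url):
    if url.startswith("//"):  # protocol-relative URLs still reach the host
        url = "https:" + url
    return (urlparse(url).hostname or "") in GOOGLE_FONT_HOSTS

class FontAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (where, url) pairs
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        self._in_style = self._in_style or tag == "style"
        url = a.get("href") or a.get("src")
        # <link> and <script> trigger a request on page load; <a href> does not.
        if tag in ("link", "script") and url and is_google_fonts(url):
            self.findings.append((f"<{tag}>", url))

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:  # CSS inside <style>...</style>
            for m in CSS_URL.finditer(data):
                if is_google_fonts(m.group(1)):
                    self.findings.append(("<style>", m.group(1)))

def audit(html):
    parser = FontAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page: two remote references, two self-hosted ones.
SAMPLE = """<head>
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Roboto">
<link rel="stylesheet" href="/assets/fonts/roboto.css">
<style>@import url('//fonts.googleapis.com/css?family=Lato');
@font-face { font-family: Inter; src: url(/assets/fonts/inter.woff2); }</style></head>"""
```

An empty result from `audit()` means the page's markup and inline CSS no longer reference the hosted service; external stylesheets and scripts that inject fonts at runtime need to be checked separately.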


Aside from ordering the website to stop disclosing the IP address by embedding the font library, the court also urged the company running the website to share with the affected party information about the kind of personal data that it stores and processes.

The decision comes weeks after the Austrian Data Protection Authority (DSB) ruled that the use of Google Analytics by a health-focused website called NetDoktor violates the GDPR regulation by exporting visitors' data to Google servers in the U.S., thereby opening the door for potential surveillance by the U.S. intelligence services.
