Many website operators are currently receiving letters asking them to pay €100 or more because their website is sharing users' personal data without permission. The reason given is the Google Fonts used on the website. What are these letters about, and are they justified? What can you do? We have done the research for you!
This article is written for website operators in Germany and the EU. Please also see the note below.
Google offers a large number of fonts that website owners can use on their sites free of charge. The offer itself is entirely legal to use. Google Fonts are simply an element that can support you in designing your website.
There are several ways Google Fonts can end up on your website. The simplest variant: they were used directly when the website was created, i.e. embedded in such a way that they are loaded from Google. This may also have been forgotten over time, so that whoever maintains the website today has not been aware of it until now.
The second variant: you use a content management system such as WordPress together with a design template, a so-called "theme", which contains Google Fonts. If you use such a theme, you may be using Google Fonts without knowing it.
If you use other Google elements on your page, such as a CAPTCHA or YouTube, Google Fonts may be included along with them (cf. techniknews.net). In this case, too, you may have unknowingly included the fonts by including another element.
There are two options for embedding the fonts on websites. The fonts can be downloaded and integrated on your own web server (local integration) - or they can be integrated directly online ("remote"). In the second case, the fonts are located on Google servers and are loaded from these when the page is used. In this case, personal data - namely IP addresses - of the website users are passed on to Google (cf. Heise.de).
If the users have not voluntarily and expressly consented to the use of their data, this results in a GDPR violation.
You can find out more about the legal background, for example, on the page of attorney Solmecke:
Below are links to other useful articles.
In a ruling that now serves as a benchmark for dealing with Google Fonts in connection with the GDPR, the Munich Regional Court had granted users of the websites a claim for damages of €100 (cf. Heise.de).
The originators of the wave of warning letters are taking advantage of this case - visiting websites that embed Google Fonts and then demanding a corresponding sum as "compensation for pain and suffering".
Similar letters are now also coming from lawyers who, in addition to damages, are demanding cease-and-desist declarations and attorney's fees (cf. Heise.de).
There are already some providers that provide tools for testing the website with regard to Google Fonts - for example https://www.e-recht24.de/google-fonts-scanner.
When using such a tool, you are trusting its provider. There is always a risk that a tool does not deliver correct results (this is not a review of the tool mentioned above).
Alternatively, you can search the source code of your page for Google Fonts yourself. To do this, use your browser's developer tools (opened with F12).
Pay particular attention to any mention of "fonts.gstatic.com" and "fonts.googleapis.com".
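The manual source-code check described above can also be scripted. The following Python example is added here and is not part of the original article; it reports every place in a page's HTML that would make the browser contact one of the two hosts, and its function names, class name and sample page are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# The two hosts the article says to look for.
GOOGLE_FONT_HOSTS = {"fonts.googleapis.com", "fonts.gstatic.com"}
# Absolute or protocol-relative URLs inside CSS text.
CSS_URL = re.compile(r"""(?:https?:)?//[^\s'"()<>]+""", re.I)

def is_google_font_url(url):
    return urlparse(url.strip()).hostname in GOOGLE_FONT_HOSTS

class FontScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (where, url) pairs in document order
        self._in_style = False
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name in ("href", "src"):
            # An <a href> hyperlink loads nothing; only <link href> counts.
            if (name == "src" or tag == "link") and is_google_font_url(attrs.get(name) or ""):
                self.findings.append((f"<{tag} {name}>", attrs[name]))
        self._scan_css(attrs.get("style") or "", f"<{tag} style>")
        self._in_style = tag == "style"
    def handle_endtag(self, tag):
        self._in_style = False
    def handle_data(self, data):
        if self._in_style:  # content of a <style> block
            self._scan_css(data, "<style>")
    def _scan_css(self, css, where):
        self.findings += [(where, u) for u in CSS_URL.findall(css) if is_google_font_url(u)]

def scan_html(html):
    scanner = FontScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page, not taken from a real site.
SAMPLE_HTML = """<html><head>
<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
<link rel="stylesheet" href="//fonts.googleapis.com/css2?family=Roboto">
<link rel="stylesheet" href="/assets/fonts/roboto.css">
<style>@import url("https://fonts.googleapis.com/css?family=Lato");</style>
</head><body><p>fonts.googleapis.com mentioned only as text.</p></body></html>"""

if __name__ == "__main__":
    print(*scan_html(SAMPLE_HTML), sep="\n")
```

The scan only sees references in the static HTML. Fonts pulled in by JavaScript or by embedded third-party elements show up only in the Network tab of the browser's developer tools.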
It can be doubted that the above-mentioned warning letters are legal, since the allegedly injured parties may have merely visited the websites to initiate this process. In the case of a letter from a lawyer, it still makes sense to seek advice on your specific case from your own lawyer (cf. Heise.de).
No matter if you already had problems due to Google Fonts or not - you should take the topic seriously! You definitely have to adhere to the EU GDPR as a website operator in Germany and the EU.
If you want to play it completely safe: Simply avoid using Google Fonts. However, it is important that you also check all plug-ins and embeddings for the use of Google Fonts.
If you would like to use a content management system and do not want to do without the attractive themes, you also have the option of installing a plug-in that blocks Google Fonts. However, research the alternatives thoroughly beforehand so that you can rely on them working correctly.
If you want to keep using Google Fonts, i.e. not block them either, then it is important that you embed them directly on your server. This way, the users' personal data is no longer transferred to Google and the GDPR violation does not occur in this respect.
If you use Google Fonts and do not want to embed them on your server, you have another option:
You mention the use of Google Fonts and the transmission of data to the USA in the privacy statement and only let the fonts load after the user has confirmed the cookie banner (and thus agreed to the use of the fonts).
In essence, the desired fonts must be downloaded and then uploaded to your own server. The appropriate settings must then be made in the content management system, and finally you should check that no fonts are still being loaded from Google.
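The stylesheet side of this step, as an added Python example that is not from the original article: it rewrites the font URLs in a stylesheet to local paths, lists the files that have to be downloaded, and confirms that no Google host is left. The function names, the `/fonts` directory and the sample stylesheet are assumptions made for illustration.

```python
import re
from urllib.parse import urlparse

# url(...) references to font files on Google's font host.
REMOTE_FONT = re.compile(
    r"""url\(\s*['"]?(https?://fonts\.gstatic\.com/[^'")\s]+)['"]?\s*\)""", re.I)

def localize_css(css, local_dir="/fonts"):
    """Return (new_css, downloads); downloads maps remote URL -> local path."""
    downloads = {}

    def swap(match):
        remote = match.group(1)
        path = urlparse(remote).path.strip("/")
        # The name is derived from remote content: keep only safe characters
        # so it cannot contain "/" or start with "." and leave local_dir.
        name = re.sub(r"[^A-Za-z0-9._-]", "-", path).lstrip(".") or "font"
        downloads[remote] = f"{local_dir}/{name}"
        return f'url("{downloads[remote]}")'

    return REMOTE_FONT.sub(swap, css), downloads

def still_remote(css):
    """True if the stylesheet still references a Google font host."""
    return bool(re.search(r"fonts\.(gstatic|googleapis)\.com", css, re.I))

# Constructed stylesheet; the family name and file paths are made up.
SAMPLE_CSS = """
@font-face {
  font-family: 'Example Sans';
  font-weight: 400;
  src: url(https://fonts.gstatic.com/s/examplesans/v1/regular.woff2) format('woff2');
}
@font-face {
  font-family: 'Example Sans';
  font-weight: 700;
  src: url("https://fonts.gstatic.com/s/examplesans/v1/bold.woff2") format('woff2');
}
"""

if __name__ == "__main__":
    new_css, downloads = localize_css(SAMPLE_CSS)
    for remote, local in downloads.items():
        print(f"download {remote} -> {local}")
    print(new_css)
    print("still remote:", still_remote(new_css))
```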
Finn Hildebrandt from Blogmojo describes how to integrate Google Fonts locally in WordPress in this article: https://www.blogmojo.de/google-fonts-lokal-einbinden/. Helpful plug-ins are also named there.
We are happy to support our customers with the integration on their server.
Note: This article is not legal advice. We do not take responsibility for the legal correctness of this article. It is the result of our extensive research and conveys our knowledge from an IT perspective. If in doubt, please always consult an expert on legal topics.
You can also find detailed legal information here: https://www.heise.de/news/DSGVO-Abmahnwelle-wegen-Google-Fonts-7206364.html