A district court in Munich, Germany, has ordered a website operator to pay €100 in damages for sending a user’s personal data — such as their IP address — to Google without their consent using the search giant’s Fonts collection.
According to the court, the unnamed website’s improper disclosure of the plaintiff’s IP address to Google violates the user’s privacy rights, and the website operator could combine the obtained information with other third-party data to identify the “persons behind the IP address.”
According to the judgment published by Landgericht München’s third civil court in Munich, the violation amounted to the “plaintiff’s loss of control over a personal data to Google.”
The ruling directs the website to stop providing IP addresses to Google and threatens the site operator with a fine of €250,000 for each violation, or up to six months in prison, for continued improper use of Google Fonts.
Google Fonts is a font embedding service library that allows developers to easily add fonts to their Android apps and webpages by referencing a stylesheet. Google Fonts has 1,358 font families and is used by approximately 50.1 million websites as of January 2022.
Personal identifying information (PII) is defined as data points such as IP addresses, advertising IDs, and cookies under the General Data Protection Regulation (GDPR) of the European Union, which requires firms to obtain explicit permission from consumers before processing such data.
The court also stated that “Google Fonts can be used by the defendant without establishing a connection to a Google server and transmitting the IP address of the website user to Google,” thus requiring websites to host the fonts locally.
Aside from ordering the website to stop disclosing IP addresses by embedding the font library, the court also directed the website’s owner to give the impacted party information about the types of personal data it stores and processes.
The decision comes just weeks after the Austrian Data Protection Authority (DSB) ruled that the use of Google Analytics by NetDoktor, a health-focused website, violates the GDPR by exporting visitors’ data to Google servers in the United States, potentially opening the door to US intelligence surveillance.
You certainly do.
Google Fonts users are bound by Google’s general API terms of service; if you have a Google Fonts font embedded on your website, it may track user behavior.
Consider adding Google Ireland Limited as a service provider if you or your users are based in the European Economic Area (EEA) or Switzerland.
If you or your users are located outside of the European Economic Area (EEA), just select Google LLC as the service provider.
If both of the above apply, both service providers should be added.
Although Google Fonts does not utilize cookies, when this service is accessed through API queries, some end-user data (such as IP addresses) is gathered, stored, and may be used for analytical purposes. Furthermore, Google may be able to follow end-users by cross-referencing the user’s browser fingerprint with other Google services they use.
You must inform users about any trackers or other technologies on your website that allow them to be tracked, even if those technologies are not, strictly speaking, cookies, and you must obtain users’ consent to use them.
So, in this case, yes you do.
Does it affect me if I’m not registered in Germany?
It’s a gray area. If you serve customers from Germany, it is better to be safe and serve the fonts locally. If you’re in the European Union, this ruling will most likely soon affect everyone in the EU. So just to be safe, serve the fonts locally.
Other European countries will most likely follow this. There are even talks that this could eventually affect Cloudflare and other CDN systems. Only time will tell. For now, host the font locally.
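To check whether a page still makes visitors’ browsers contact Google for fonts, the HTML can be audited for remote references. The script below is an added example, not part of the original article or any Google tooling. It assumes the two host names Google Fonts is served from (`fonts.googleapis.com` for stylesheets, `fonts.gstatic.com` for font files) and runs on a constructed sample page.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
# Hosts Google Fonts serves stylesheets and font files from.
GOOGLE_FONT_HOSTS = {"fonts.googleapis.com", "fonts.gstatic.com"}
# url(...) and @import "..." references inside CSS text.
CSS_URL_RE = re.compile(r"""url\(\s*['"]?([^'")\s]+)|@import\s+['"]([^'"]+)""", re.I)

def is_google_fonts(url):
    """True if an absolute or protocol-relative URL points at a Google Fonts host."""
    host = urlparse(url.strip()).hostname
    return host is not None and host.lower() in GOOGLE_FONT_HOSTS

class FontAudit(HTMLParser):
    """Collects (location, url) for each remote reference, incl. preconnect/preload hints."""
    def __init__(self):
        super().__init__()
        self.findings, self._in_style = [], False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        self._in_style = self._in_style or tag == "style"
        if tag == "link" and is_google_fonts(attrs.get("href") or ""):
            self.findings.append((f"<link rel={attrs.get('rel')}>", attrs["href"]))
        self._scan_css(attrs.get("style") or "", f"<{tag} style>")

    def handle_endtag(self, tag):
        self._in_style = self._in_style and tag != "style"

    def handle_data(self, data):
        if self._in_style:
            self._scan_css(data, "<style>")

    def _scan_css(self, css, where):
        urls = (m.group(1) or m.group(2) for m in CSS_URL_RE.finditer(css))
        self.findings += [(where, u) for u in urls if is_google_fonts(u)]

def audit_html(html):
    parser = FontAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample: two remote <link>s, one remote @import, one self-hosted font.
SAMPLE = """<link rel="preconnect" href="https://fonts.gstatic.com">
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Roboto">
<style>@import url("//fonts.googleapis.com/css?family=Lato");
@font-face { font-family: Inter; src: url("/fonts/inter.woff2") format("woff2"); }</style>"""
if __name__ == "__main__":
    print(*audit_html(SAMPLE), sep="\n")
```

This static check only sees references in the HTML itself. Fonts pulled in by external stylesheets or injected by scripts need a separate pass over those files or a look at the browser’s network requests.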
If you’re not sure how to host your fonts locally, contact us.