Matthias Bathke Avatar


Reading time: 6 minutes

GDPR ruling: Google Fonts integration

Many companies use symbolic measures such as cookie consent banners to feign DSGVO compliance. However, experts stress the need for concrete measures and stricter penalties, especially since such violations can put customers and their data at risk.

Every website visitor can issue a warning.

GDPR violations as an economic risk for companies

We have been pointing out for some time that violations of the General Data Protection Regulation (GDPR) can pose significant economic risks for companies. The main rules are clear:

Data may not be disclosed to third parties unless absolutely necessary or with the explicit consent of the user.

This data includes, in particular, the disclosure of a website visitor’s IP address if the site uses external services such as Google Fonts, which does not anonymize this data in a DSGVO-compliant manner.

Embedding Google Fonts directly from Google servers may be convenient, but from the perspective of the GDPR, this is a violation unless the user is informed about this and has a choice.

Tip: Companies should always stay up-to-date with the latest GDPR regulations and ensure that their web presences are compliant to minimize potential legal risks.

Munich Regional Court Judgment

Google Fonts integration not DSGVO compliant

The Munich Regional Court recently ruled in a concise case that should be of importance to all website operators. The focus was on the defendant’s use of Google servers to integrate fonts, a practice that many websites currently engage in. Criticism was voiced, however, that no consent was obtained from users via a cookie consent banner. As a result, the IP address and numerous other tracking-related information of each visitor is directly forwarded to Google.

The consequences for the defendant were serious: she was ordered to pay damages of €100 plus interest and received a cease-and-desist order. In the event of infringement, the company may be fined up to €250,000 or, alternatively, be imprisoned for up to six months. Moreover, the plaintiff was granted a right of access to the data collected and processed.

But this is only the tip of the iceberg. Google Fonts are just an example. Many websites use content delivery networks (CDNs) to integrate external libraries such as jQuery or Bootstrap. From a technical perspective, however, this is superfluous nowadays.

Every website operator should keep an eye on the latest data protection developments and court decisions in order to legally secure their own web presence.

GDPR violations

Why higher penalties are necessary

It is disappointing that the penalties for GDPR violations are not more consistent and severe.

The majority of violations of the General Data Protection Regulation (GDPR) are not only avoidable, but also easy to correct. In the current case, for example, Google Fonts could easily have been provided from the company’s own server.

Undoubtedly, damages of €100 per website visitor for the unlawful disclosure of the IP address seem reasonable. Nevertheless, this problem affects every user of the website – it’s just that most of them have not taken legal action. We may soon be facing a class action lawsuit in which a consumer protection association is seeking damages for thousands of users.

Unfortunately, the GDPR has proven to be too cautious so far. Many companies only use token measures like cookie consent banners, which often don’t even work properly. Despite theoretical possibilities of fines of up to 4% of annual worldwide turnover, actual penalties are usually low. Even a fine of €65,000 for a compromised online store seems insufficient when measured against the sensitivity of customer data.

Our tip: Don’t rely on cookie banners alone. Third-party cookies are becoming increasingly irrelevant.