Every website visitor can issue a cease-and-desist warning.
We have been warning for some time that GDPR violations are increasingly becoming an economic threat to companies. The basic rules are clear:
No transfer of data to third parties unless absolutely necessary, and never without consent.
This includes, among other things, the IP address of a website visitor whenever the website uses third-party services. Google Fonts can be embedded very conveniently directly from Google's servers, which from a GDPR point of view is a clear violation if the user is not given the choice.
Judgment of the Regional Court of Munich
Perhaps the last warning shot
This is also the view of the Regional Court of Munich, which had to rule in such a case. The defendant uses Google servers for embedding fonts, as countless websites currently do. However, consent is not obtained via a cookie consent banner. Thus, the IP address and, of course, numerous other tracking-relevant data of each website visitor are transmitted to Google.
The defendant was ordered to pay €100 in damages plus VAT and interest, and to cease and desist; otherwise a fine of up to €250,000.00 or, alternatively, imprisonment of up to 6 months threatens. In addition, the plaintiff receives information about the stored and processed data.
Google Fonts are just one example: Content Delivery Networks (CDNs) are used in countless web projects to integrate external libraries and scripts, such as jQuery or Bootstrap. From a technical point of view, this no longer makes sense.
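One way to find such leaks before a visitor does is to scan the site's own HTML for resources a browser would fetch from foreign hosts, covering both the Google Fonts case above and the CDN-hosted libraries just mentioned. The following Python scanner is an added example, not code from the original article; the site host "example.org", the sample page and the list of fetching attributes are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attributes that make the browser open a connection to the named host;
# even a <link rel="preconnect"> already hands the visitor's IP to that host.
FETCH_ATTRS = {"link": "href", "script": "src", "img": "src", "iframe": "src"}
# Resource references inside inline <style> blocks: @import and url(...).
CSS_URL = re.compile(r"""(?:@import\s+(?:url\()?|url\()\s*['"]?([^'")\s;]+)""")


class ThirdPartyFinder(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.found = []            # (tag, host, url) triples
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        self._in_style = tag == "style"
        attr = FETCH_ATTRS.get(tag)
        for name, value in attrs:
            if name == attr and value:
                self._check(tag, value)

    def handle_endtag(self, tag):
        self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            for url in CSS_URL.findall(data):
                self._check("style", url)

    def _check(self, tag, url):
        host = urlparse(url.strip()).hostname   # None for relative URLs
        if host and host != self.site_host and not host.endswith("." + self.site_host):
            self.found.append((tag, host, url))


def third_party_hosts(html, site_host):
    """Sorted list of third-party hosts a visitor's browser would contact."""
    finder = ThirdPartyFinder(site_host)
    finder.feed(html)
    return sorted({host for _, host, _ in finder.found})


# Constructed sample page: Google Fonts via the CSS API plus a CDN-hosted script.
SAMPLE_HTML = """<html><head>
<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Roboto">
<script src="//cdn.example.net/jquery.min.js"></script><script src="https://static.example.org/app.js"></script>
<style>@font-face{font-family:R;src:url(/fonts/roboto.woff2)}</style>
</head><body><img src="https://example.org/logo.png"></body></html>"""
print(third_party_hosts(SAMPLE_HTML, "example.org"))
```

Every host the scan lists is a candidate for moving onto the site's own server; subdomains of the site host and relative URLs are treated as first-party.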
GDPR violations should be punished more severely
It is downright annoying that the penalty was not much higher.
Most GDPR violations are not only completely unnecessary, but also very easy to fix. In this case, the Google Fonts could simply have been served from the site's own server.
Certainly, €100 in damages for a single website visitor for the unlawful disclosure of their IP address is appropriate. But the same damage has occurred for every other user of the website; they simply have not sued. Perhaps it is only a matter of time before a class action, in the form of a model declaratory action by a consumer protection association, claims damages for thousands of users at once.
The GDPR is still proving to be a toothless tiger, because most companies pursue only symbolic politics with cookie consent banners that do not work or work only incompletely, while high penalties are usually absent.
Theoretically, fines of up to 4% of global annual turnover would be possible, and individual data protection authorities have recently issued warnings more frequently, but the actual fines have so far been too low. Even a €65,000 fine for a hacked online shop seems far too low considering how sensitive shopping data can be for customers.