Caution with the use of Google Fonts: Wave of data protection warning letters due to fonts loaded from other servers
It is nothing new that data protection supervisory authorities look critically at third-party content provided free of charge for integration into websites by companies such as Google. The issue of data transfers to the USA must also always be taken into account.
Recently, however, a number of law firms have focused specifically on issuing warning letters for the use of fonts which are loaded from other servers, such as Google Fonts. Numerous companies, mainly small and medium-sized ones, are being warned about the allegedly illegal use of these fonts or other third-party content with reference to infringements of the general right of privacy. The law firms base their arguments mainly on a court decision of the District Court of Munich I, final judgement of 20.01.2022 - 3 O 17493/20. For this specific individual case the court ruled that the plaintiff was entitled to claim compensation. It considered the integration of Google Fonts without consent to be unlawful, as the use of Google Fonts resulted in the transmission of the IP address to Google servers in the USA. In the respective warning letters, one-off payments of EUR 100-170 are now demanded from the companies concerned.
Google Fonts is a directory containing more than 1000 fonts provided free of charge by the American company Google. Website operators can integrate these fonts to display their texts. The fonts can either be hosted locally/on premises on one's own server or be loaded from the Google servers (which is the option that is subject to warning letters).
We would like to point out that some of the warning letters not only refer to fonts, but also to the use of third-party content as provided by Cloudflare without the corresponding declarations of consent.
How do I (or a law firm sending the warning letters) find out whether my website uses Google Fonts or other problematic content?
Even if you have not (yet) received a warning letter, you should carefully check which third-party content is integrated on your company's website. The content and the third-party connections that are established to servers, such as Google's, are very easy to determine technically. One option is to right-click on the desired website in the browser and select the item "show page source text". If you then find entries such as "fonts.googleapis.com" or "fonts.gstatic.com" in the source text, the fonts are probably integrated via the Google server and data is transferred to Google. Alternatively, you can display the "tools for web developers" via the "other tools" menu in the respective browser. There you can see more details about the embedded content via the corresponding "network analysis" and the "web storage".
Watch out when integrating other Google plugins on your website! Sometimes content such as Google Fonts is also hidden in other plugins. For example, when you integrate other Google content such as Google Maps or reCaptcha, it is also possible that components of Google Fonts are integrated.
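The source-text check described above can be automated. The following Python sketch is an added example, not part of the original article: it scans saved page source for references to the two hosts named above and, unlike a plain text search, only reports places where the browser would actually fetch something. The function name `scan` and the sample page are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts named in the article; extend the set for other third-party content.
FONT_HOSTS = {"fonts.googleapis.com", "fonts.gstatic.com"}
# Matches url(...) and @import "..." inside CSS.
CSS_URL = re.compile(r"""(?:@import\s+(?!url\()|url\(\s*)["']?([^"')\s;]+)""", re.I)

class FontScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []      # (line, location, url)
        self._in_style = False

    def _check(self, where, url):
        # Protocol-relative URLs (//host/path) still cause a third-party request.
        host = urlparse("https:" + url if url.startswith("//") else url).hostname
        if host in FONT_HOSTS:
            self.findings.append((self.getpos()[0], where, url))

    def handle_starttag(self, tag, attrs):
        self._in_style = tag == "style"
        for name, value in attrs:
            if value and name in ("href", "src"):
                self._check(f"<{tag} {name}>", value)

    def handle_endtag(self, tag):
        self._in_style = self._in_style and tag != "style"

    def handle_data(self, data):
        if self._in_style:
            for url in CSS_URL.findall(data):
                self._check("<style> block", url)

def scan(html):
    """Return (line, location, url) for every reference to a font host."""
    scanner = FontScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page source (not taken from a real site).
SAMPLE = """<html><head>
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Roboto">
<link rel="preconnect" href="//fonts.gstatic.com">
<link rel="stylesheet" href="/assets/fonts/roboto.css">
<style>@import url("https://fonts.googleapis.com/css?family=Lato");
@font-face { font-family: Local; src: url(/assets/fonts/local.woff2); }</style>
</head><body><p>Text that only mentions fonts.googleapis.com</p></body></html>"""
```

A static scan like this only sees what is written in the page source and its inline style sheets. Fonts pulled in at runtime by embedded plugins, or by external style sheets and scripts, only show up in the browser's network analysis.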
How do I proceed if I have detected the use of Google Fonts hosted via the Google server on my website?
As described above, any third party - i.e. law firms but also data protection supervisory authorities which can impose severe fines - can see which third-party content is integrated. Therefore, you should not risk making yourself vulnerable in the first place. Against this background, the use of Google Fonts in the version in which data is transferred to a Google server is strongly discouraged. You should either choose the option in which Google Fonts are only integrated locally after a download (numerous instructions can be found online, for example here) or dispense with the integration of external fonts entirely.
What do I do if I receive one of the above-mentioned warning letters?
First of all, you should stop the use of the web fonts - if this was happening in the first place. We further advise against hasty payments of the seemingly small amounts. In our view, the waves of data protection warning letters can be considered unlawful behaviour. Please do not hesitate to contact us if you need legal assistance in dealing with these warning letters.