Court orders websites to stop embedding Google Fonts for GDPR violation

A German Court from Munich has ordered a website owner to pay a penalty of €100 for migrating personal data of users. The owner has leveraged the IP address of the users via Google Fonts library without the user’s consent.

As per the ruling, unauthorized disclosure of the plaintiff’s IP address by anonymous website to Google is a contravention of user’s privacy, which allows the website owner to collaborate with the third-party to identify the person behind the IP address.

Google Fonts is being questioned by German Court

The ruling reads exactly like this,

Dynamic IP addresses represent personal data for the operator of a website because, in the abstract, he has the legal means that could reasonably be used to, with the help of third parties, namely the competent authority and the Internet access provider, identify the person concerned based on the stored IP – to have addresses determined

Google fonts is a embedding service from Google library, that allows developers to include the Google fonts into Android apps and Websites by just referencing the same from the stylesheet.

GDPR violation by Google Fonts

As per GDPR, anything that narrows down to an individual including IP addresses, advertising IDs, Cookies, Location data and so are considered to be a PII, thus making businesses collecting these data to be made aware to users and get their consents for collecting the same.

Furthermore, the ruling also said that Google Fonts can also be used even if there isn’t a connection to Google server but still the IP address can be transmitted to Google. And this is why the Fonts have to be hosted locally instead of embedding and including Google in their operation.

The court also ordered the website owner to share the data that has been collected, stored and processed so far. The website owner has to share these details with the users directly. This ruling was made weeks after the Austrian Data Protection Authority (DSB) ruled that Google Analytics used by NetDoktor, a health-focused website violates the GDPR regulation as it exports visitors data to Google servers in the US, thus paving the way for US surveillance.

Also the recent lawsuits filed by four attorney generals of US against Google’s location tracking service is further scrutiny on Google’s privacy. Considering the tech giant has already been in the limelight of GPDR few times, this Google Font case could be just a beginning.

Subscribe to our newsletter for daily alerts on cyber events, you can also follow us on Facebook, Linkedin, Instagram, Twitter and Reddit.

You can reach out to us via Twitter or Facebook, for any advertising requests.