Using Google Fonts in a website violates GDPR: New court decision affects 50 million websites

A couple of weeks ago, a German court imposed a fine of 100 Euros on a website after determining that its administrators violated one of the provisions of the European Union’s General Data Protection Regulation (GDPR). The authorities discovered that the website included a font hosted on Google Fonts, so the IP address of a user could be passed to Google without prior authorization, affecting the privacy of visitors to the website.

In other words, when a user visited this website, the page code caused the user’s browser to fetch a font from Google Fonts to render text, so the IP address of visitors was disclosed to Google. While this behavior is normal in Google Fonts, the website was not requesting the express consent of visitors to obtain this information, something completely avoidable by following the appropriate guidelines.

The lawsuit states that the unauthorized disclosure of the plaintiff’s dynamic IP address to Google constitutes a violation of the right to privacy and informational self-determination, a term referring to the ability of citizens to decide what information to share with technology companies.

This case endorses the treatment that GDPR gives to information such as IP addresses, which are considered personal data because they would allow more information about an individual to be found from this simple piece of data: “The defendant entity violated the plaintiff’s right to informative self-determination by forwarding the dynamic IP address to Google,” the lawsuit states.

In addition to the fine, the court ordered the website’s administrators to stop sharing this information with Google, threatening to impose a fine of 250,000 Euros for each new infringement related to the misuse of Google Fonts.

Google Fonts is used by around 50 million websites, and its API allows platforms to style text with Google fonts that are stored on remote servers and fetched as the page loads. Google Fonts can be self-hosted to avoid violating GDPR rules, and the ruling explicitly mentions this possibility to argue that relying on Google Fonts hosted on Google is not defensible under the law. So far the company has not commented on the matter.
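To check whether a page still makes the visitor's browser contact Google for fonts, a site owner can scan its HTML for remote font references. The following is an added example, not part of the ruling or the original article; it assumes the Google Fonts API hosts are fonts.googleapis.com and fonts.gstatic.com, and the function names and sample page are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts the Google Fonts API serves stylesheets and font files from.
GOOGLE_FONT_HOSTS = {"fonts.googleapis.com", "fonts.gstatic.com"}
# Matches @import "...", @import url(...) and url(...) references in CSS text.
CSS_REF = re.compile(r"""(?:@import\s+(?:url\(\s*)?|url\(\s*)['"]?([^'")\s;]+)""", re.I)

class FontRefScanner(HTMLParser):
    """Collects references that make the browser request fonts from Google."""
    def __init__(self):
        super().__init__()
        self.findings = []          # list of (where, url) tuples
        self._in_style = False

    def _check(self, where, url):
        # Protocol-relative references (//host/path) need a scheme to parse.
        absolute = "https:" + url if url.startswith("//") else url
        if urlparse(absolute).hostname in GOOGLE_FONT_HOSTS:
            self.findings.append((where, url))

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "style":
            self._in_style = True
        if tag == "link" and a.get("href"):
            self._check("link href", a["href"])
        for ref in CSS_REF.findall(a.get("style") or ""):
            self._check("inline style", ref)

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            for ref in CSS_REF.findall(data):
                self._check("style block", ref)

def find_google_font_refs(html):
    scanner = FontRefScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page: two remote Google Fonts references, one self-hosted font.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Roboto">
<link rel="stylesheet" href="/assets/site.css">
<style>
@import url("//fonts.googleapis.com/css?family=Lato");
@font-face { font-family: "Inter"; src: url(/fonts/inter.woff2) format("woff2"); }
</style></head><body style="background: url(/img/bg.png)">Hello</body></html>"""
```

The scan covers only the HTML it is given; stylesheets linked from the page, such as `/assets/site.css` in the sample, would need to be fetched and passed through the same CSS check.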
