The Bavarian state court in Munich, Germany, decided on 20 January 2022 that using Google Fonts on your site breaches the GDPR. This is because:

  • it discloses your (dynamic) IP address, which is personal data that identifies a person, to Google when you visit a site that uses their fonts,
  • disclosing your IP address cannot be justified as necessary, since these fonts can be used without establishing a connection between the website visitor and Google’s servers (and the website owner did not seek the visitor’s consent),
  • as Google is known to actively track users, sending the IP address to Google means the website visitor loses control over their personal data,
  • in this case resulting in discomfort for the plaintiff, such that the website owner, as defendant, is ordered to
    • stop sending visitors’ IP addresses to Google for its fonts, or face a fine of up to 250.000 Euro or 6 months imprisonment for each visit to the defendant’s websites by the plaintiff,
    • pay the plaintiff 100 Euro compensation plus interest since the filing of the case.

In other words, now is the time to start hosting Google Fonts locally on your web server, and to stop providing your visitors’ IP addresses to Google with each visit to your site. I don’t use G’s fonts on this site, and generally block them in my browser. We are in the process of revamping our company website, and will ensure we no longer load Google Fonts remotely from now on.
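As an added example that is not part of the original post, here is a small Python check a site operator can run over their own HTML and CSS to find every reference that still sends visitors’ browsers to Google’s font servers (stylesheet links, `@import` rules, `url()` sources in `@font-face`, and `preconnect`/`dns-prefetch` hints, which also open a connection), and to rewrite those references to a self-hosted stylesheet and font files. The sample HTML and CSS are constructed; the local paths `/fonts/fonts.css` and `/fonts/` and the font file name are assumptions.

```python
"""Find remote Google Fonts references in HTML/CSS and rewrite them to local files.

Every URL on fonts.googleapis.com or fonts.gstatic.com makes the visitor's browser
connect to Google and thereby disclose the visitor's IP address.
"""
import re

# Any absolute or protocol-relative URL on one of Google's font hosts, with optional path.
GOOGLE_FONT_URL_RE = re.compile(
    r"""(?:https?:)?//(?:fonts\.googleapis\.com|fonts\.gstatic\.com)(?:/[^\s"')<>]*)?""",
    re.IGNORECASE,
)
# Every <link ...> element; rewrite_html decides per element whether it is a font reference.
LINK_TAG_RE = re.compile(r"<link\b[^>]*>", re.IGNORECASE)
REL_STYLESHEET_RE = re.compile(r"""rel=["']?stylesheet""", re.IGNORECASE)
# CSS @import of a Google Fonts stylesheet, with or without url().
CSS_IMPORT_RE = re.compile(
    r"""@import\s+(?:url\()?\s*['"]?(?:https?:)?//fonts\.googleapis\.com[^;]*;""",
    re.IGNORECASE,
)


def find_google_font_refs(text: str) -> list[str]:
    """Return every Google Fonts URL found in an HTML or CSS document."""
    return GOOGLE_FONT_URL_RE.findall(text)


def rewrite_html(html: str, local_stylesheet: str = "/fonts/fonts.css") -> str:
    """Replace Google Fonts stylesheet links with one link to the local stylesheet
    and drop preconnect/dns-prefetch hints that point at Google's font hosts."""
    replaced_once = False

    def _sub(match):
        nonlocal replaced_once
        tag = match.group(0)
        if not GOOGLE_FONT_URL_RE.search(tag):
            return tag  # unrelated <link>, keep as-is
        if REL_STYLESHEET_RE.search(tag):
            if replaced_once:
                return ""  # one local stylesheet link is enough
            replaced_once = True
            return f'<link rel="stylesheet" href="{local_stylesheet}">'
        return ""  # preconnect / dns-prefetch hints open a connection too; remove them

    return LINK_TAG_RE.sub(_sub, html)


def rewrite_css(css: str, local_stylesheet: str = "/fonts/fonts.css") -> str:
    """Replace a Google Fonts @import with the local stylesheet and point any
    remaining url(...) on fonts.gstatic.com at a file under the local /fonts/ directory."""
    css = CSS_IMPORT_RE.sub(f'@import url("{local_stylesheet}");', css)

    def _local_file(match):
        path = match.group(0).split("//", 1)[1]  # strip scheme, keep host/path
        if "/" not in path:
            return ""  # bare host reference, nothing to keep
        return "/fonts/" + path.rsplit("/", 1)[-1]  # keep only the file name

    return GOOGLE_FONT_URL_RE.sub(_local_file, css)


def font_face_block(family: str, weight: int, filename: str) -> str:
    """Generate the @font-face rule for a self-hosted font file (assumed to live in /fonts/)."""
    return (
        "@font-face {\n"
        f"  font-family: '{family}';\n"
        "  font-style: normal;\n"
        f"  font-weight: {weight};\n"
        "  font-display: swap;\n"
        f"  src: url('/fonts/{filename}') format('woff2');\n"
        "}\n"
    )


# Constructed sample input: a typical <head> and a stylesheet that still load from Google.
SAMPLE_HTML = """<head>
<link rel="preconnect" href="https://fonts.googleapis.com">
<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Roboto:wght@400;700&display=swap">
<link rel="stylesheet" href="/css/site.css">
</head>"""

SAMPLE_CSS = """@import url('https://fonts.googleapis.com/css2?family=Roboto&display=swap');
@font-face {
  font-family: 'Roboto';
  src: url(https://fonts.gstatic.com/s/roboto/roboto-regular.woff2) format('woff2');
}
body { font-family: 'Roboto', sans-serif; }"""

if __name__ == "__main__":
    print("Google Fonts references found:", find_google_font_refs(SAMPLE_HTML) + find_google_font_refs(SAMPLE_CSS))
    print(rewrite_html(SAMPLE_HTML))
    print(rewrite_css(SAMPLE_CSS))
    print(font_face_block("Roboto", 400, "roboto-regular.woff2"))
```

Run it over your rendered pages and stylesheets (the output of your CMS, not just the theme sources, since plugins inject their own links); the rewrite only changes references, so the font files themselves still have to be downloaded once and placed under the local directory.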

55 reactions on “Using Google Fonts Breaches GDPR”

  1. @djoerd yeah, that happens sometimes, I just had it too. I think it happens while the server is trying to send messages to Mastodon and Twitter at the same time. Reload should fix it. There is ample HD storage and memory in the hosting package.

  2. I stopped using Google Fonts hosted by Google for this very reason some years ago.

    At the same time, it seems absurd that locally-hosted fonts need to be served out to every new visitor to my site, at least the first visit (after which they might be cached), when it’s likely that many readers might already have had the fonts cached from visiting other websites. Which is the problem that Google “solves.”

    Not sure what a larger privacy-protecting solution is.

    • One overall solution is using the web browser’s font defaults and other fonts available on the device of the site visitor. It will mean stale designs though, like in the early 90’s.

    • What other sites have cached doesn’t matter anymore. All browsers have implemented cache partitioning, which means that resources (images, scripts, fonts, etc) loaded and cached for one site will always be re-loaded and re-cached for another.

    • Andrew’s comment is the correct answer. As of October 2020, the remaining benefit of Google’s CDN disappeared. Chrome moved to HTTP cache partitioning. As a result, Google Fonts are now redownloaded for every website, regardless of it already being cached in a user’s browser. Safari and Firefox already do this.

      Therefore, it’s better to host them locally, or better yet, on your own CDN along with all of your other assets.

      I actually use system fonts on all of my websites these days. San Francisco (macOS Safari, iOS), BlinkMacSystemFont (macOS Chrome), Segoe UI (Windows), Roboto (Android) all look pretty good in my opinion. Gone are the days of Arial, Times New Roman, etc. But again, I’m not a designer. 🙂

    • I just tried it, like many other plugins too.
      Too bad it is not working in most cases, and WP sites still contact Google servers for fonts.

      The only secure solution I found is (if you have a local nginx running) to proxy and cache fonts with an nginx proxy and rewrite the URLs to the cached local store for all your websites. There was no WP plugin whatsoever that can do that.
