The Bavarian state court in Munich, Germany, on 20 January 2022, decided that using Google fonts in your site breaches the GDPR. This because:

  • it discloses your (dynamic) IP address, a person identifiable datum, to Google when you visit a site that uses their fonts,
  • disclosing your IP address can’t be motivated as necessary as these fonts can be used without establishing a connection between a website visitor and Google’s servers, (and visitor consent wasn’t sought by website owner)
  • as Google is known to actively track users, sending the IP address to Google means a loss of control over personal data by the website visitor,
  • in this case resulting in discomfort for plaintiff such that the website owner as defendant is ordered to
    • stop sending visitor’s IP addresses to Google for their fonts, or face up to 250.000 Euro or 6 months imprisonment for each visit to defendant’s websites by the plaintiff,
    • pay plaintiff 100 Euro compensation plus interest since the filing of the case.

In other words, now is the time to start hosting Google fonts locally on your webserver, and to quit providing your visitor’s IP addresses to Google with each visit to your site. I don’t use G’s fonts on this site, and generally block them in my browser. We are in the process of revamping our company website, and will ensure we will no longer load Google fonts remotely from now on.