A wave of warnings and Google Fonts – what do you need to watch out for? Munich Regional Court, judgement of 30.03.2023, Ref. 4 O 13063/22
What is Google Fonts?
Google Fonts is an extensive library of free and easy-to-use web fonts provided by Google. It can be seamlessly integrated into any website. By adding a simple link in the HTML code of the website, web developers can use any font from the library. This accessibility makes it possible for websites to customise the appearance of their texts without much effort or additional software.
All fonts in the Google Fonts library are open source and can be used free of charge. Google Fonts are optimised for fast loading times. In this way, they help to optimise the overall performance of the website and improve the user experience.
Google Fonts and Data Protection
Despite their many advantages, there is one big catch with Google Fonts: Data protection. There are two options for integrating Google Fonts into your own website: Dynamic or local.
However, the latter option slows down the loading speed of the website. The dynamic integration of Google Fonts establishes a connection to Google servers via a link. This results in a data transfer to the USA. This includes transmitting information about the browser, the device and the IP addresses of visitors to the website. This is personal data. Beyond this, Google does not provide any comprehensive information about which data is processed for what purpose or how long it is stored.
In accordance with the General Data Protection Regulation (GDPR ), the data subjects must be informed of the data processing in advance. The website operator would also have to obtain the corresponding consent from the visitors that they agree to the data being passed on. The website operator can only deviate from this if it has an alternative legal basis for the data processing, in particular an overriding legitimate interest in the data processing. However, the latter is only given under certain conditions. If the website operator cannot rely on effective consent to the data processing it has carried out or another legal basis, data subjects have the right to assert claims under the GDPR.
Waves of warnings and judgements of the Munich I Regional Court on Google Fonts
In practice, this has developed into a niche for warning letters, sometimes with fraudulent tendencies. The warning letters are sent en masse to website operators. In these, they demand payment of high warning fees and/or claims for damages for GDPR violations. The reason: the dynamic integration of Google Fonts.
The background to the warnings was a legal dispute in the past. The Munich Regional Court ruled in favour of the plaintiff at the time (Munich Regional Court, judgement of 20.01.2022, ref. 3 O 17493/20). This was the basis for the infringements alleged by the warning letters. In this case, the Munich Regional Court had upheld the action against a website operator to cease and desist from passing on IP addresses to Google via Google Fonts. It also awarded the plaintiff damages of 100.00 euros due to a ‘loss of control’ cited by the plaintiff and the individual ‘discomfort’ felt by the plaintiff as a result.
However, the Munich Regional Court put a stop to the commercial exploitation of this individual decision in its judgement of 30 March 2023, case no. 4 O 13063/22. The background to this judgement was that the defendant used a so-called web crawler to automatically track down websites that dynamically integrate Google Fonts. These website operators then received a warning letter threatening to take the matter to court. In these letters, the fraudsters offered to refrain from taking legal action. The conditions: the website operators were to transfer 170 euros to them. In this judgement, a victim defended themselves against this scam and received approval from the court.
The Munich Regional Court initially confirmed its original decision that the dynamic integration of Google fonts without the user’s consent can constitute a violation of the right to informational self-determination.
At the same time, however, it stated that such an infringement must also involve personal data. Only those whose data actually ends up on Google’s servers unintentionally can assert claims under the GDPR. Anyone who has not personally visited the websites is not eligible for protection. The same applies to anyone who only visited them in order to provoke a GDPR violation in the first place. In the specific case, the defendant sent over 100,000 such warning letters. Therefore, the court did not assume that the defendant had visited every single one of these warning letters themselves.
How do I protect myself from warnings?
Instead of loading the fonts directly from the Google servers, you can download the fonts and host them directly on your own server. This will prevent any data from being transferred to Google when the website is loaded. Also make sure that your privacy policy contains information about how and why you use Google Fonts. You should also specify how long you store the data and explain to users how they can object to data collection.
If you decide to continue integrating Google Fonts directly via the Google servers, you should ensure that you obtain explicit consent from users before personal data is sent. This can be done via a cookie banner or a consent management tool that gives users the choice of accepting or rejecting certain cookies and external services such as Google Fonts.
Regularly review the integration of the tools, plugins and similar data processing components included on your website and the associated data protection practices to ensure that they continue to comply with current data protection laws. Data protection regulations and practices can change, so it is important that your methods and information texts remain up to date.
Please contact our attorneys at LLP Law|Patent for detailed information on GDPR-compliant integration of Google Fonts and other solutions integrated on the website. We will check the data protection compliance of your website to protect you comprehensively against data protection violations and warnings.
Richard Metz | Rechtsanwalt (Lawyer), Authorized External Data Protection Officer (TÜV Certified)
Mr. Metz is your point of contact for legal issues concerning data protection. He will support you, in particular, with the appropriate data protection when introducing new products, with the preparation and examination of the appropriate data protection of contracts and documents or the legal examination and evaluation of data processing procedures or cross-border data protection issues. A further focus of his work is on copyright law and competition law.
Mr. Metz is also an external data protection officer (TÜV-certified) for nationally and internationally operating medium-sized IT companies and start-ups.
