Website owner fined for Google Fonts use that violated GDPR

A German court has fined a website owner for violating data protection laws by leaking visitor IP address to Google through Google Fonts.

Google Fonts use and GDPR violation case ruling

The court ruled that the website owner violated the right to informational self-determination of the website visitor by disclosing his IP address to Google without permission. The right to informational self-determination requires that personal data (as defined in Art. 4 GDPR) should be used or disclosed according to the wishes of the owner (website visitor).

The court indicated that a dynamic IP is described as being personal because an IP address could be used to identify the person behind the address.

The court also ruled that the automatic transmission of the website visitor’s IP address to Google was encroachment to his personal rights under data protection law and Art. 6 (1) a ) GDPR.

The court further stated the website owner had the option to prevent IP leaks to Google by using Google Fonts without necessarily connecting to Google Server.

Lastly, the court ruled that the website visitor was not obliged to encrypt or hide his IP address before accessing the website. Asking website visitors to hide or encrypt their IP by either using a VPN or any other means would run counter to the purpose of the data protection law.

The website owner was asked to stop using Google Fonts in a way that discloses the IP address of site visitors to Google. He was also fined €100.00 plus interest of 5% points above the base interest rate since the case was filed.

NOTE: We have omitted and added some information to make the ruling easy to understand. If you want to read the original transcribed ruling in German then go to this page.

Important:  For GDPR compliance, you might be interested in this tutorial on how to host Google Fonts locally or use a free WordPress plugin called OMGF to host Google Fonts Locally.