gdpr-google-fonts-embedded
Google Fonts loaded from Google's servers
Loading Google Fonts directly from Google sends your visitors' IP addresses to Google before any consent. The Munich I court ordered €100 in damages for a single request. Self-host the fonts instead.
What this means in plain English
Your site links to Google Fonts the way Google’s documentation suggests:
<link href="https://fonts.googleapis.com/css?family=Inter" rel="stylesheet">
Or via @import url('https://fonts.googleapis.com/css...') in
CSS. Either way, every visitor’s browser fetches the stylesheet
and the matching font files from Google’s servers. Their IP
address, user agent, and referring URL all reach Google before
any consent has been given.
Why it matters
This is the most-cited GDPR finding in German civil litigation of the last few years. The reference case is LG München I, 3 O 17493/20 (20 January 2022). The court ordered a website operator to pay €100 in damages plus an injunction and the visitor’s legal costs for a single visit during which Google Fonts loaded from Google’s servers.
The court’s reasoning:
- Loading the font transmits the visitor’s IP to Google, a third party in the US.
- The IP is personal data (settled in Breyer).
- Without consent, there is no lawful basis for the transmission.
- “Anonymisation by Google after receipt” is irrelevant to whether the transmission itself was lawful.
- The visitor suffered a non-material damage compensable under GDPR Article 82.
Waves of warning-letter campaigns followed almost immediately. Most were rejected as abusive once they reached court, but the underlying legal theory has held in follow-up rulings.
How to fix it
Self-host the fonts. It takes ten minutes.
- Go to google-webfonts-helper or the Bunny.net mirror at fonts.bunny.net.
- Pick the font family and weights you actually use.
- Download the .zip of the WOFF2 files.
- Copy them into /public/fonts/ (or wherever you serve static assets).
- In your CSS, replace the @import with @font-face declarations pointing at the local files.
A typical block:
@font-face {
  font-family: 'Inter';
  font-style: normal;
  font-weight: 400;
  src: url('/fonts/Inter-Regular.woff2') format('woff2');
  font-display: swap;
}
Or use Bunny Fonts as a drop-in. If you really don’t want to
self-host, the Bunny.net Fonts CDN at fonts.bunnycdn.com serves
the same Google Fonts library from EU infrastructure with no
logging and a public privacy commitment. Replace
fonts.googleapis.com with fonts.bunny.net in your URLs and the
German legal exposure goes away.
WordPress users on Avada, Divi, Astra, GeneratePress, or OceanWP should toggle the theme’s “load fonts locally” or “self-host Google Fonts” option. Every recent version of these themes ships with the toggle.
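To confirm that the switch to self-hosting left no request to Google behind, this added example (not code from the original page) scans HTML and CSS for link, @import and url() targets on fonts.googleapis.com or fonts.gstatic.com, the host Google's stylesheet loads the font files from. The function names, the sample pages and the gstatic path are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# fonts.googleapis.com (named on this page) serves the stylesheet; that
# stylesheet in turn pulls the font files from fonts.gstatic.com.
GOOGLE_FONT_HOSTS = ("fonts.googleapis.com", "fonts.gstatic.com")
# Target of @import "...", @import url(...), or any url(...) such as @font-face src.
CSS_URL = re.compile(r"""(?:@import\s+(?:url\(\s*)?|url\(\s*)["']?([^"')\s;]+)""", re.I)

def _is_google(url):
    # Matches absolute and protocol-relative URLs; local paths have no host.
    m = re.match(r"(?:https?:)?//([^/?#:]+)", url.strip(), re.I)
    return bool(m) and m.group(1).lower() in GOOGLE_FONT_HOSTS

def find_in_css(css):
    """Return ("css", url) for every @import or url() that targets Google."""
    return [("css", u) for u in CSS_URL.findall(css) if _is_google(u)]

class _Finder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hits, self.in_style = [], False
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href") or ""
        if tag == "link" and _is_google(href):
            self.hits.append(("link", href))
        self.in_style = tag == "style"
    def handle_endtag(self, tag):
        self.in_style = False
    def handle_data(self, data):
        if self.in_style:  # inline <style> blocks are scanned as CSS
            self.hits += find_in_css(data)

def find_in_html(html):
    finder = _Finder()
    finder.feed(html)
    finder.close()
    return finder.hits

# Constructed sample pages (the gstatic path is made up): before and after the fix.
BEFORE = """<link href="https://fonts.googleapis.com/css?family=Inter" rel="stylesheet">
<style>@import url('https://fonts.googleapis.com/css?family=Inter');
@font-face { src: url(https://fonts.gstatic.com/s/inter/example.woff2); }</style>"""
AFTER = """<style>@font-face { font-family: 'Inter';
  src: url('/fonts/Inter-Regular.woff2') format('woff2'); }</style>"""

if __name__ == "__main__":
    for name, page in (("before", BEFORE), ("after", AFTER)):
        print(name, find_in_html(page))
```

Running find_in_html and find_in_css over every file of the built site and failing the build on a non-empty result keeps a later theme or plugin update from reintroducing the remote load.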