A court in Munich, Germany (the Regional Court of Munich I, Landgericht München I, in a judgment of 20 January 2022) recently found that a website that embedded Google Fonts, and thereby passed its visitors' IP addresses to Google, violated the General Data Protection Regulation (GDPR). Since over 50 million websites use Google Fonts, this decision exposes millions of websites to GDPR non-compliance fines and damages claims. In this article, we will break down who GDPR applies to, the Google Fonts decision, and what you should do to avoid GDPR non-compliance when using Google Fonts.
Who does GDPR apply to?
GDPR is a broad-reaching privacy law that protects the personal data of residents of the European Union by providing individuals with privacy rights and by imposing certain obligations on businesses. GDPR applies to anyone that:
- Has an establishment in the European Union;
- Offers goods or services to residents of the European Union (regardless of the business’ actual location); or
- Tracks the behavior of European Union residents through technologies such as cookies, pixels, analytics, CCTV, etc. (regardless of the business’ actual location).
Since GDPR can apply to you even if you are not located in the European Union, businesses that meet one of the three factors above should heed this decision.
Google Fonts violates GDPR
The German court found that the embedding of Google Fonts on a website violates GDPR because such use of Google Fonts does not comply with any of the legal bases that can be used for processing personal data. The technical reason is simple: when a page references a stylesheet on fonts.googleapis.com (and the font files on fonts.gstatic.com), the visitor's browser opens a connection to Google's servers to fetch them, and that request necessarily discloses the visitor's IP address to Google before the visitor has any chance to object. GDPR generally prohibits the collection and use of personal data (such as the IP address collected by Google Fonts) unless a legal basis applies. The following legal bases can be used to process personal data under GDPR:
- The individual has consented to the use of their personal data;
- Processing of personal data is necessary for the performance of a contract or to take steps at the request of the individual prior to entering into a contract;
- Processing is necessary for compliance with a legal obligation;
- Processing is necessary in order to protect the vital interests of the individual or another person;
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the business; or
- Processing is necessary for the purposes of the legitimate interests pursued by the business or by a third party.
From the German court's decision, it appears that the company was relying on the legitimate interests basis to process users' IP addresses when Google Fonts were embedded on the website. The German court found that the company did not have a legitimate interest in processing this data because Google Fonts can be used without ever having to connect to a Google server and thus without collecting IP addresses at all: the same fonts can be served from the website's own server. The decision does not adequately address whether the use of Google Fonts would be in violation of GDPR if the user consented to such use. However, the decision does state that the visitor is not obliged to mask ("encrypt") his own IP address in order to protect himself, and that the use of Google Fonts as embedded on that website was in violation of GDPR.
How to make the use of Google Fonts GDPR compliant
The German court's decision makes it clear that the use of Google Fonts is possible if the fonts are hosted locally, so that the visitor's browser never connects to Google's servers. Google Fonts are released under open licenses, so the font files can be downloaded and served from your own domain, with the @font-face rules in your own stylesheet pointing at those local files. If fonts are hosted locally, the personal data is not shared with Google, which also avoids the reasoning of the recent decision by the Austrian Data Protection Authority that found the transfer of visitor data to Google through Google Analytics to be in contravention of GDPR. In practice, it is not enough to remove the obvious <link> tag in the page header: check every stylesheet for @import rules and url() references to fonts.googleapis.com or fonts.gstatic.com, including those added by third-party themes, plugins and page builders, and confirm in the browser's network tab that no request to those hosts remains.
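As an added example (not code from the original article), the following Python script performs the audit described above: it scans a page's HTML and inline CSS for references to Google's font hosts, distinguishes the different ways a font can be embedded (stylesheet link, preconnect hint, @import rule, direct url() to a font file), strips the link and @import forms, and emits a self-hosted @font-face rule pointing at a local file. The sample page, the font file path /fonts/roboto-v30-latin-regular.woff2 and the function names are constructed for the illustration.

```python
"""Audit a page for third-party Google Fonts references (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Hosts the visitor's browser contacts when Google Fonts are embedded.
# The request to either host discloses the visitor's IP address to Google.
GOOGLE_FONT_HOSTS = ("fonts.googleapis.com", "fonts.gstatic.com")

# Constructed sample page: a typical Google Fonts embed plus an @import,
# a direct font-file url() in CSS, and two local assets that must NOT be flagged.
SAMPLE_HTML = """<!doctype html>
<html><head>
<link rel="preconnect" href="https://fonts.googleapis.com">
<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
<link href="https://fonts.googleapis.com/css2?family=Roboto:wght@400;700&display=swap" rel="stylesheet">
<link rel="stylesheet" href="/static/site.css">
<style>
@import url('https://fonts.googleapis.com/css?family=Open+Sans');
@font-face { font-family: 'Lato'; src: url(https://fonts.gstatic.com/s/lato/v22/x.woff2) format('woff2'); }
body { font-family: Roboto, sans-serif; background: url(/img/bg.png); }
</style>
</head><body></body></html>"""


@dataclass
class Finding:
    kind: str  # "link", "preconnect", "import" or "css-url"
    url: str


_LINK_RE = re.compile(r'<link\b[^>]*\bhref\s*=\s*["\']([^"\']+)["\'][^>]*>', re.I)
_IMPORT_RE = re.compile(r'@import\s+(?:url\()?\s*["\']?([^"\')\s;]+)', re.I)
_IMPORT_RULE_RE = re.compile(r'@import\s+[^;]*;', re.I)
_URL_RE = re.compile(r'url\(\s*["\']?([^"\')]+)["\']?\s*\)', re.I)


def _is_google_fonts(url: str) -> bool:
    return any(host in url.lower() for host in GOOGLE_FONT_HOSTS)


def find_google_fonts(markup: str) -> list[Finding]:
    """Return every distinct reference to Google's font hosts in the markup/CSS."""
    findings: list[Finding] = []
    seen: set[str] = set()

    def add(kind: str, url: str) -> None:
        if _is_google_fonts(url) and url not in seen:
            seen.add(url)
            findings.append(Finding(kind, url))

    for m in _LINK_RE.finditer(markup):
        tag, href = m.group(0), m.group(1)
        kind = "preconnect" if re.search(r'rel\s*=\s*["\']?preconnect', tag, re.I) else "link"
        add(kind, href)
    for m in _IMPORT_RE.finditer(markup):
        add("import", m.group(1))
    for m in _URL_RE.finditer(markup):  # catches font files referenced directly from CSS
        add("css-url", m.group(1))
    return findings


def strip_google_fonts(markup: str) -> str:
    """Remove <link> tags and @import rules that point at Google's font hosts.

    Direct url() references to font files are deliberately left in place: they
    must be replaced by a locally hosted file, which this script cannot choose
    for you, so find_google_fonts() keeps reporting them until you do.
    """
    out = _LINK_RE.sub(lambda m: "" if _is_google_fonts(m.group(1)) else m.group(0), markup)
    return _IMPORT_RULE_RE.sub(lambda m: "" if _is_google_fonts(m.group(0)) else m.group(0), out)


def local_font_face(family: str, weight: int, local_path: str, style: str = "normal") -> str:
    """@font-face rule that serves the font from the site's own origin."""
    return (
        "@font-face {\n"
        f"  font-family: '{family}';\n"
        f"  font-style: {style};\n"
        f"  font-weight: {weight};\n"
        "  font-display: swap;\n"
        f"  src: url('{local_path}') format('woff2');\n"
        "}"
    )


if __name__ == "__main__":
    for f in find_google_fonts(SAMPLE_HTML):
        print(f"{f.kind:10} {f.url}")
    remaining = find_google_fonts(strip_google_fonts(SAMPLE_HTML))
    print("still needs a local replacement:", [f.url for f in remaining])
    print(local_font_face("Roboto", 400, "/fonts/roboto-v30-latin-regular.woff2"))
```

Run it against the real HTML and CSS of your site (including stylesheets pulled in by themes and plugins) rather than the constructed sample; a page is only clean when find_google_fonts() returns nothing after the local @font-face rules are in place.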
Donata is the Co-founder and President of Termageddon, an auto-updating generator of website and application policies. She is a licensed attorney and Certified Information Privacy Professional. She also serves as the Vice-Chair of the American Bar Association’s ePrivacy Committee and the Chair of the Chicago Chapter of the International Association of Privacy Professionals. In her free time, Donata enjoys beekeeping, hunting for morel mushrooms, and walks with her husband and two dogs.