Warning letters because of Google Fonts
Warning letters because of Google Fonts
Background
Currently, many website operators are receiving warnings accusing them of violations of the General Data Protection Regulation (GDPR) due to the use of Google Fonts. Google Fonts are fonts provided by Google on their servers for texts on websites.
In the complaint, the lawyers claim to represent private individuals who have previously visited the website. They refer to a ruling issued at the beginning of this year by the LG München I, final ruling v. 20.01.2022 – 3 O 17493/20, according to which website visitors may be entitled to claim damages from the website operator under Art. 82 DSGVO if the provider has not integrated Google Fonts locally, but transmits the user’s dynamic IP to the USA for the page setup.
Consents obtained through cookie boxes for the use of such technologies change little legally, even if they are linked to the privacy policy of the website and the processing of data in connection with Google Fonts is referred to there. In contrast to the other Google services such as Maps, Analytics, Ads, etc., it is the case with Google Fonts that the fonts are loaded immediately for the initial display of the website and the required prior consent from the visitor for the transmission of the IP to the USA may not be given.
Sometimes, additional claims for information of the visitor according to Art. 15 GDPR are asserted, which are waived if the demanded – usually low 3-digit – amount is paid in full and in due time.
Defense options
However, the decision comes only from a district court, other courts do not have to see it that way, so there could be a legitimate interest of the site operator to use Google Fonts remotely after all. In addition, the mass assertion of such claims for damages could be classified as an abuse of rights and unlawful. Finally, immaterial damage to the website user could also be denied if he specifically searches for such pages on the net.
Recommendations
It is recommended not only because of the wave of warnings, but also because of the requirements of the DSGVO to do without Google Fonts or at least not to store it remotely, but locally on the servers. Of course, one should not pay in any case. If a claim for information has been asserted at the same time, which is not also to be regarded as an abuse of rights, one can first request proof of identity of the website user concerned. If no IP of the user has been communicated in the letter, negative information on the name communicated would also be conceivable if an abuse of rights cannot be safely assumed with regard to the information claim and one would like to comply with the obligation to provide information in due time according to the GDPR.