02/02/2022

Google Fonts on your website? Do not share IP addresses with Google because of GDPR


We have to admit that we ourselves were a bit surprised when we read a recent German judgment.  It taught us an unexpected lesson: if you’re using Google Fonts on your website, you should urgently check how this is technically set up. As it turns out, if the fonts library is not hosted locally on your domain, a connection is made to Google servers with every web visit and the IP address of your web visitor is shared with Google.  

This means that you share personal data with Google under GDPR and, according to a recent German decision, that sharing of personal data violates GDPR. The same logic applies by analogy to many other tools and plug-ins that share IP addresses with third parties, such as Google Recaptcha. We immediately consulted our own web agency, Okappi, because the font on our website is Heebo and that is also a Google Font…

Google Fonts?

Web builders and online marketers are of course familiar with Google Fonts, but for those who are not familiar with the world of web design, we can briefly say that Google Fonts is an extensive database of fonts that web or app developers can use on websites or Android apps by simply referencing a standard stylesheet.

The nice thing about Google Fonts is that all fonts are open source, which means that websites can use them for free. Google Fonts contains over 1,300 different fonts and is used by over 50 million websites worldwide.

Share data with Google?

You can host the Google Fonts that you use locally on your website or you can have them hosted externally on a Google server, where they will be (automatically) remotely accessed by the browser of your website visitors when first landing on your web pages.  

We won’t go into the technical details or the consequences of choosing one or the other for the page load speed of your website. There are many online resources that are technically better informed than we are and that explain the advantages and disadvantages of local hosting, whether or not combined with a Content Delivery Network (CDN) such as Cloudflare. Our own web developer Okappi assures us that, as things stand today, from a technical perspective, there are few or no reasons not to host fonts locally. If local hosting is set up properly, the impact on the loading speed of web pages (and therefore indirectly also the SEO score) should even be positive.

However, the choice to host Google Fonts locally also appears to have legal implications. The reason is that, if the fonts are not hosted locally, Google servers will be contacted every time someone visits the website to request the required font.

During that request, the IP address of the web visitor is also sent to Google. That was sufficient reason for a German court to order a (small) German website to pay (limited) damages of 100 euros to one of the visitors to its website, who had complained and argued that the website in question had infringed GDPR and had unlawfully shared his personal data (in particular, his IP address) with Google. According to the competent court in Munich, the consent of the data subject was required to share his personal data with Google. There was no such permission and the unauthorized disclosure of the plaintiff’s IP address by the website to Google therefore constitutes an infringement of the user’s privacy rights, according to the court. The violation amounts to “the plaintiff’s loss of control over personal data to Google,” the court said.

Why is this a GDPR problem?

Under GDPR, IP addresses, advertising IDs and cookies are protected personal data. These may only be processed if all the conditions set by the GDPR are met.  

One of the first and most important conditions is that the data controller always needs an appropriate “legal ground” for the processing. GDPR has six legal grounds that can justify the processing of personal data. Consent is the most well-known and the most obvious.  

But data controllers can often also process personal data without permission. This is possible if the law necessitates or obliges the processing of certain data, for example because of mandatory accounting legislation. Processing without consent is also possible if that processing is strictly necessary to perform or enable an agreement. 

In certain cases, data processing without consent is possible under so-called “legitimate interest”, but in that case a series of conditions called the “three-step test” has to be met. In very simple terms, the processing must be strictly necessary and justified and the data subject must be able to reasonably expect that the controller will process his or her data.

The problem with the processing of IP addresses by Google for the display of Google Fonts is that such processing is not strictly necessary, because websites can easily avoid that transfer to Google by hosting the fonts locally.

The same reasoning also applies to many other tools such as Google Recaptcha, which share data with Google or other third parties. De facto, the only valid “legal ground” that allows for the processing of personal data in the context of Google Fonts or Google Recaptcha is the prior, free and informed consent of the data subject…

How can you resolve this? 

The above means that data controllers should actually show website visitors a pop-up in which they ask for permission to share IP addresses with Google in the context of the use of Google Fonts, Google Recaptcha or other services (similar to a cookie pop-up). The main problem with this is that consent must be given “freely” under GDPR, which means that people must also be able to visit the website without giving permission for the processing of their data by Google (and therefore without Google Fonts or Google Recaptcha)…

All of this is of course a pure legal fiction. In practice, controllers cannot ask for such permission. Even if it were technically feasible, it would undoubtedly collapse the traffic numbers on a website, or the website would be displayed in an Arial font that has to serve as a backup.

There is therefore only one possible conclusion: websites should avoid sharing the IP addresses of their web visitors in the context of Google Fonts (or Google Recaptcha) with Google or other third parties. For Google Fonts, this means local hosting. For Google Recaptcha, frankly, our technical knowledge lets us down. Perhaps another recaptcha tool that doesn’t send IP addresses to external servers will be the only solution there… We are currently investigating this further with our own developer.
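To check how a page is technically set up, the following Node.js function lists every third-party host that the page markup tells a visitor's browser to contact. It is an added example, not code from this article or from Okappi; the domain example.test, the sample markup and the font file path are constructed for illustration.

```javascript
// Added example: list third-party hosts a visitor's browser would contact
// (and so disclose its IP address to) when rendering the given markup.
const FIRST_PARTY = "example.test"; // hypothetical site domain

// Constructed sample: remotely hosted Google Fonts plus Google Recaptcha.
const remotePage = `
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Heebo:wght@400;700">
<style>@import url("//fonts.googleapis.com/css?family=Heebo");</style>
<script src="https://www.google.com/recaptcha/api.js"></script>
<link rel="stylesheet" href="/css/site.css">`;

// Constructed sample: the same font self-hosted on the site's own domain.
const localPage = `
<style>
@font-face { font-family: "Heebo"; font-display: swap;
  src: url("/fonts/heebo-regular.woff2") format("woff2"); }
</style>
<link rel="stylesheet" href="https://www.example.test/css/site.css">`;

function thirdPartyHosts(markup, firstParty) {
  // href/src attributes, CSS url(...) values and quoted @import targets.
  const patterns = [
    /\b(?:href|src)\s*=\s*["']([^"']+)["']/gi,
    /url\(\s*["']?([^"')\s]+)["']?\s*\)/gi,
    /@import\s+["']([^"']+)["']/gi,
  ];
  const hosts = new Set();
  for (const re of patterns) {
    for (const m of markup.matchAll(re)) {
      let u;
      // Resolve relative and protocol-relative references against the site.
      try { u = new URL(m[1], `https://${firstParty}/`); } catch { continue; }
      if (!/^https?:$/.test(u.protocol)) continue; // skip data:, mailto:, ...
      const h = u.hostname.toLowerCase();
      if (h !== firstParty && !h.endsWith("." + firstParty)) hosts.add(h);
    }
  }
  return [...hosts].sort();
}

console.log("remote setup:", thirdPartyHosts(remotePage, FIRST_PARTY));
console.log("local setup: ", thirdPartyHosts(localPage, FIRST_PARTY));
```

A static scan only sees references present in the markup it is given: the Google Fonts stylesheet itself points to font files on fonts.gstatic.com, and scripts can add requests at runtime. Confirm the result in the browser's network panel.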

Incidentally, the question remains whether these kinds of discussions do much good for the image of GDPR and the general level of data protection in the EU. There are undoubtedly much more pressing privacy issues than Google processing IP addresses in order to display a correct font on a website… 

On the other hand, this is a topic about which Google could perhaps communicate more openly, so that marketers and web builders would be more aware of the fact that even choosing a font on a website can have GDPR implications. 

Caution for Web developers

Web developers had better be careful about the projects they deliver. It is true that the owner of the website – i.e. the customer – will in principle be addressed as the person responsible for the processing of personal data by the supervisory authority in the context of checks or fines or by users in the context of a claim for compensation.

But web developers do have the contractual obligation to deliver a properly functioning and legally compliant website, in accordance with the prevailing standards and practices within the sector. If they don’t, their customer may come knocking on the door to request compensation for the damage he or she would suffer. In this particular case, there was only one web visitor who submitted a compensation claim and was awarded 100 euros in compensation. Everyone reading this can calculate for themselves what the cost would be if 10,000 or 100,000 website visitors were to unite in a class action claim…

Is this linked to the Google Analytics decision from Austria earlier this month?

Earlier this month, an Austrian court ruled that the use of Google Analytics violates GDPR. However, the reason for this was not primarily the fact that data is shared with Google (that fact in itself was not really discussed in the dispute), but rather the observation that Google exports and processes that data in the context of Google Analytics on servers in the US without being able to provide the security guarantees imposed by the GDPR following the Schrems II judgment.

So the legal approach is different, but the consequences for web developers and online marketers are exactly the same: be careful with the tools and plug-ins in use on customers’ websites. 

And then we woke up one morning and someone had decided that using Google Analytics violates GDPR …

Minimal GDPR reflexes for web developers and online marketers

  • Do a GDPR compliance check on all tools and plugins
  • Check where data is processed, whether it leaves the EU and with whom it is shared
  • Choose European tools where possible
  • Check the technical security of all tools and plug-ins
  • Warn your customer and inform him/her about GDPR compliance
  • Check whether your customer has a well-substantiated data register and a clear and complete privacy policy
  • Check whether an appropriate legal basis can be found for each processing and communicate this to the customer, so that he/she can update his/her data registers
  • Make sure that the Privacy Policy is online
  • Make sure you have good processor agreements that cover your relationship with your customer and limit your liability where possible
  • Make sure you have a good professional liability insurance

Want to know more? 

Feel free to contact Sirius Legal for a first introduction via bart@siriuslegal.be or simply book an online introduction via the link next to this article.

About the author

Bart Van den Brande

I am the founder and Managing Partner of Sirius Legal. In 2010, I decided to leave the Brussels big city law scene behind me to start practi...