A new wave of warnings is currently affecting numerous companies. Users of the “Google Fonts” font tool on the company website are the target of the warnings.
What is being warned?
Google Fonts is a font database that is hosted on Google’s servers. Website operators can refer to this database via the code on their website so that the font is reloaded from there for each visitor. However, this means that the IP address of each user is recorded and transmitted to Google. The IP address is a personal date that may only be processed with a legal basis from the GDPR. Since the text content on the page can also be displayed in standard HTML text, this is not technically necessary data processing, so that the consent of the data subject is required for the transmission of the IP address in accordance with Art. 6 para. 1 lit. a) GDPR. This consent must be actively obtained and must be freely revocable at any time. In addition, reference must also be made to this in the privacy policy. If Google Fonts is used without consent, this constitutes a breach of data protection. This is currently being warned.
What amounts are involved?
The cases known to date involve claims of between 150-300 euros. Theoretically, however, each individual infringement can be enforced, which is why it is advisable to act quickly.
What can you do to prevent such a warning? Offline integration of Google Fonts
We have long recommended that our clients integrate Google Fonts in the so-called offline version. The fonts are then loaded on our own servers and integrated from there. It is therefore no longer necessary to transmit the IP address to Google. If you are already using Google Fonts in the offline configuration, you do not need to do anything else! If this is not the case, you should act quickly and contact your website administrator or make the necessary settings yourself.
You have received a warning letter – now what?
If you have already received a cease-and-desist letter, check exactly what it is about and don’t carelessly submit a declaration to cease and desist with a penalty clause. This is because such a declaration carries the risk of consequential damages in the form of contractual penalties. Our colleagues from the Data Protection Competence Team will be happy to answer any questions you may have.
