German Court Rules Websites Embedding Google Fonts Violates GDPR


A regional court in the German city of Munich has ordered a website operator to pay €100 in damages for transferring a user’s personal data — i.e., IP address — to Google via the search giant’s Fonts library without the individual’s consent.

The unauthorized disclosure of the plaintiff’s IP address by the unnamed website to Google constitutes a contravention of the user’s privacy rights, the court said, adding the website operator could theoretically combine the gathered information with other third-party data to identify the “persons behind the IP address.”

The violation amounts to the “plaintiff’s loss of control over a personal data to Google,” the ruling read.


Google Fonts is a font embedding service library from Google, allowing developers to add fonts to their Android apps and websites simply by referencing a stylesheet. As of January 2022, Google Fonts is a repository for 1,358 font families.


Under the European Union’s General Data Protection Regulation (GDPR), data points such as IP addresses, advertising IDs, and cookies are counted as personally identifiable information (PII), making it mandatory for businesses operating in the country to seek users’ explicit permission before processing such information.

In addition, the court noted that “Google Fonts can also be used by the defendant without a connection to a Google server being established and the IP address of the website user being transmitted to Google,” effectively requiring websites to host the fonts locally.
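A site operator can check whether pages still pull fonts from Google rather than from local copies. The following is an added example, not part of the original article: it scans HTML for `<link>` tags and inline CSS that reference Google Fonts. The hostnames `fonts.googleapis.com` and `fonts.gstatic.com`, the function names, and the sample page are assumptions introduced for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Well-known Google Fonts hosts (stylesheet API and font files); not quoted in the article.
GOOGLE_FONT_HOSTS = {"fonts.googleapis.com", "fonts.gstatic.com"}
# url(...) and @import "..." targets inside CSS text.
CSS_REF = re.compile(r"""(?:url\(\s*|@import\s+(?!url\())["']?([^"')\s;]+)""", re.I)

# Constructed sample page: two remote <link>s, one remote @import, two local references.
SAMPLE = """<html><head>
<link rel="preconnect" href="https://fonts.gstatic.com">
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Roboto">
<link rel="stylesheet" href="/assets/fonts/roboto.css">
<style>
@import url("//fonts.googleapis.com/css?family=Lato");
@font-face { font-family: "Inter"; src: url(/assets/fonts/inter.woff2); }
</style></head><body>ok</body></html>"""

def is_google_fonts(url):
    """True for absolute or protocol-relative URLs on a Google Fonts host."""
    return urlparse(url.strip()).hostname in GOOGLE_FONT_HOSTS

class FontRefFinder(HTMLParser):
    # Collects (line, url) for each remote Google Fonts reference.
    def __init__(self):
        super().__init__()
        self.hits, self._in_style = [], False
    def _check(self, url):
        if url and is_google_fonts(url):
            self.hits.append((self.getpos()[0], url.strip()))
    def handle_starttag(self, tag, attrs):
        self._in_style = tag == "style"
        if tag == "link":  # stylesheet, preconnect, preload
            self._check(dict(attrs).get("href"))
    def handle_endtag(self, tag):
        self._in_style = False
    def handle_data(self, data):
        if self._in_style:  # inline CSS inside <style>...</style>
            for m in CSS_REF.finditer(data):
                self._check(m.group(1))

def find_google_fonts(html):
    finder = FontRefFinder()
    finder.feed(html)
    finder.close()
    return finder.hits

if __name__ == "__main__":
    print(find_google_fonts(SAMPLE))
```

An empty result for a page means its markup and inline CSS make no request to these hosts; externally linked stylesheets and scripts need to be scanned separately.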


Aside from ordering the website to stop disclosing the IP address by embedding the font library, the court also urged the company running the website to share with the affected party information about the kind of personal data that it stores and processes.

The decision comes weeks after the Austrian Data Protection Authority (DSB) ruled that the use of Google Analytics by a health-focused website called NetDoktor violates the GDPR regulation by exporting visitors’ data to Google servers in the U.S., opening the door for potential surveillance by the U.S. intelligence services.
