Google Fonts warning wave: Massive warnings and claims for damages due to alleged DSGVO violation

For several weeks now, reports from affected companies have been piling up about warnings and demand letters from private individuals and lawyers due to the allegedly illegal use of Google Fonts on websites. All of these letters are based on the claimants’ allegation that the companies have unlawfully interfered with their general right of privacy by using Google Fonts and have violated the General Data Protection Regulation (GDPR). The claims for damages range from EUR 100 to EUR 500. In cases of letters from lawyers, the request to issue a cease-and-desist declaration and to reimburse the lawyer’s fees are regularly added. The latter can additionally amount to several hundred euros. In individual cases, this may not be much, but there are potentially millions of claimants per website – and the business with mass warnings is easily scalable for professional warning agents.

But what are “Google Fonts” and how can fonts interfere with privacy rights?

Google Fonts

The Google Fonts service contains a directory of hundreds of freely available fonts that website owners can use free of charge. There are two ways to integrate the fonts. In the case of local integration, the fonts are downloaded by the website operator(s), stored on their own server and played out from there when the website is called up. Alternatively, Google Fonts can also be integrated “dynamically”. In this process, the fonts are stored on Google servers and played out by the Google servers when the website is called up. The advantages of dynamic integration are faster website retrieval times due to the power of Google’s servers and the saving of using your own server capacity. The disadvantage: When the fonts are retrieved from Google’s servers, personal data, such as the IP address in particular, is transmitted from the user to Google in the USA – and in the opinion of the LG München, this constitutes a violation of the GDPR.

LG Munich: DSGVO violation in case of dynamic integration of Google Fonts

The current wave of warning letters originated in the decision of the Munich Regional Court of January 20, 2022 (Az. 3 O 17493/20). The court found that the automated forwarding of users’ IP addresses to Google without their prior consent constituted a data protection violation. On this basis, the court awarded the plaintiff a claim for injunctive relief against the disclosure of his IP address to Google under Section 823 (1 ) in conjunction with Section 1004 BGB analog. § 1004 BGB analogously. In addition, the plaintiff was awarded a claim for damages from Art. 82 par. 1 GDPR in the amount of EUR 100 was awarded. In its reasoning, the court stated that the “interference with the general right of personality is so significant with regard to the plaintiff’s loss of control over a personal data to Google, a company that is known to collect data about its users, and the individual discomfort felt by the plaintiff as a result that a claim for damages is justified. It must also be taken into account that it is undisputed that the IP address was transmitted to a Google server in the USA, whereby an adequate level of data protection is not guaranteed there (see ECJ, judgment of 16.7.2020 – C-311/18, NJW 2020, 2613) and the liability arising from Article 82 (1) of the GDPR is intended to prevent further infringements in a preventive manner and to create an incentive for security measures.”

Whether such “discomfort” actually constitutes immaterial damage justifying the award of damages for pain and suffering is still highly controversial – as is the decision of the Munich Regional Court itself. Nevertheless, numerous claimants are now complaining about this “malaise” in their letters of claim against website operators.

The wave of warning letters is rolling – in part fully automatically

There are numerous almost identical warning letters and demands in circulation, which website operators are currently facing and which all refer to the above-mentioned decision of the LG Munich. In it, the website operator is offered the simple settlement of the matter against payment of a corresponding fee. The alternatives to this do not look far-reaching. Among other things, the initiation of official proceedings, the additional assertion of claims for information or the enforcement of the claim by legal action are to be feared. Settlement of the matter by payment of the amount demanded initially appears to be the solution variant with the lowest costs. However, this also harbors the danger of more dubious approaches. In some cases, professional warning agents use web crawlers to detect the use of Google Fonts on websites. If the use is detected, the subsequent creation of the demand letters is fully automatic. With the help of legal tech, contact data is tapped directly from the website and added to pre-written pleadings. In such cases, however, there is probably no entitlement as a rule – due to the lack of website access by a natural person. There are also various starting points for defending against such warnings and demand letters. On the one hand, many of the cease-and-desist letters and claims are likely to be abusive, as claimants specifically search for websites with dynamic integration of Google Fonts and visit them with the intention of later cease-and-desist letters. Secondly, there are doubts as to whether other courts will follow the disputed view of the Munich Regional Court at all. Nevertheless, you should not ignore such letters, but check them carefully. Legal advice is always recommended here.

What now?

Website owners should urgently check whether Google Fonts is dynamically embedded on their websites. If so, a switch to local integration should be made immediately. If the website is created and operated by a service provider, this service provider should be instructed to integrate Google Fonts in accordance with data protection regulations.

Further information on data protection mass proceedings and how we can support you in preventing and managing them can be found here.