Google Fonts and Data Protection – What Belongs in Your Privacy Policy

Concise guide to Google Fonts: data processed, purposes, GDPR legal bases, the Munich Regional Court ruling, and what belongs in the privacy policy.

If a website operator embeds Google Fonts online via Google's servers, the operator processes web server log data – in particular the visitor's IP address – for the purpose of delivering web fonts, generally on the basis of third-party content consent. This page explains Google Fonts data protection, summarises the consequences of the Munich Regional Court I ruling of 20 Jan 2022 and shows which mandatory information website operators should include in their privacy policy.

A. Purpose and Functionality of Google Fonts

Google Fonts is a free web font service by Google. Website operators can embed around 1,500 font families via <link> tag or @import directive. When a page is loaded, the visitor's browser establishes a direct connection to Google servers (typically fonts.googleapis.com and fonts.gstatic.com) and fetches the required font files.

This article focuses on this integration function, namely dynamic embedding via Google servers. Google also offers font files for download that can be self-hosted locally on the operator's own server – with self-hosting, no data is transmitted to Google. Web font delivery via Google servers takes centre stage here because, from a data protection perspective, that is where the decisive difference lies.
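
Whether a page still triggers the dynamic embedding described above can be checked from its markup. The following Python sketch is an added example, not code from Google or matterius: it scans HTML and inline CSS for references to the two Google Fonts hosts named in this article, including rel="preconnect" hints and protocol-relative URLs. The sample page and all function names are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hosts named in the article; any connection to them exposes the visitor's IP to Google.
GOOGLE_FONT_HOSTS = {"fonts.googleapis.com", "fonts.gstatic.com"}
# Matches @import "...", @import url(...) and url(...) inside @font-face rules.
CSS_URL = re.compile(r"""(?:@import\s+(?:url\(\s*)?|url\(\s*)["']?([^"')\s;]+)""", re.I)

def is_google_fonts(url):
    """True for absolute or protocol-relative URLs on a Google Fonts host."""
    try:
        return urlsplit(url).hostname in GOOGLE_FONT_HOSTS
    except ValueError:  # malformed URL, e.g. broken IPv6 brackets
        return False

class FontRefScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # list of (kind, url)
        self._in_style = False

    def _check(self, kind, url):
        if url and is_google_fonts(url):
            self.findings.append((kind, url))

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link":  # stylesheet, preconnect, preload, dns-prefetch ...
            self._check("link[%s]" % (a.get("rel") or "?"), a.get("href"))
        elif tag == "style":
            self._in_style = True
        for url in CSS_URL.findall(a.get("style") or ""):
            self._check("inline style", url)

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:  # contents of a <style> element
            for url in CSS_URL.findall(data):
                self._check("css", url)

def scan_html(html):
    scanner = FontRefScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page: three remote references, two local ones.
SAMPLE = """<!doctype html><html><head>
<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
<link rel="stylesheet" href="//fonts.googleapis.com/css2?family=Inter">
<link rel="stylesheet" href="/assets/site.css">
<style>
@import url("https://fonts.googleapis.com/css?family=Roboto");
@font-face { font-family: "Local"; src: url(/fonts/local.woff2) format("woff2"); }
</style></head><body style="background:url(/img/bg.png)"></body></html>"""

if __name__ == "__main__":
    for kind, url in scan_html(SAMPLE):
        print(kind, url)
```

Externally linked stylesheets such as /assets/site.css are not fetched by this scan; their contents can be checked by running CSS_URL and is_google_fonts over the file text.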

B. Mandatory Information in the Privacy Policy When Using Google Fonts

The GDPR requires website operators to inform visitors transparently about data processing. In addition to general information on the controller, data subject rights and the supervisory authority, the following items are mandatory when using a tool such as Google Fonts:

  • the purposes of processing (Art. 13(1)(c) GDPR),
  • the legal bases of processing (Art. 13(1)(c) GDPR),
  • where processing is based on a balancing of interests (Art. 6(1)(f) GDPR), the specific legitimate interests pursued (Art. 13(1)(d) GDPR),
  • the recipients or categories of recipients (Art. 13(1)(e) GDPR),
  • whether data is transferred to an unsafe third country outside the EU/EEA and on what basis (Art. 13(1)(f) GDPR),
  • the storage period or the criteria for determining it (Art. 13(2)(a) GDPR),
  • and – where data is not collected directly from the data subject – the categories of data processed (Art. 14(1)(d) GDPR).

These items are broken down for Google Fonts in the following sections.

In practice, it is not necessary to list every individual tool – including Google Fonts – with its own text block. The widespread "text-block-per-tool" approach has become bad practice: it produces long, formulaic texts that repeat themselves and make the document hard to maintain. A topic-oriented approach that describes processing operations across categories (server operation, third-party content, tracking, newsletter, etc.) and names specific providers in a recipient list in the appendix is more appropriate. The matterius generator implements this method.

Recommendation

Privacy policy in minutes — easy to maintain, no subscription.

Instead of an unreadable text block per tool: a topic-oriented, hybrid approach with a clear list of recipients — maintainable, transparent, GDPR-compliant.

  • No subscription, no hidden costs
  • Easy to maintain thanks to a topic-based structure instead of tool-by-tool blocks
  • Curated by Dr. Thomas Helbing, certified specialist for IT law
Create your privacy policy now

The generator is offered by matterius GmbH. matterius is not a law firm and does not provide legal advice.

C. Provider of Google Fonts

According to publicly available information from Google, the contracting party for website operators in the EEA is

Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland

The parent company is Google LLC, based in Mountain View, California, USA. Group-internal processing may involve data flows to the USA. According to the DPF list (https://www.dataprivacyframework.gov/s/participant-search), Google LLC is certified under the EU-US Data Privacy Framework (DPF); website operators should verify the current status. Where DPF protection does not apply, Standard Contractual Clauses (SCC) come into consideration as a safeguard.

Google's privacy notices are available at https://policies.google.com/privacy; specific information on Google Fonts can be found in the documentation at https://developers.google.com/fonts/faq/privacy.

D. Google Fonts Data Processing – Step by Step

  1. Collection: when a page with Google Fonts embedded is loaded, the browser establishes a direct connection to Google servers. Google receives the IP address, user agent, referrer (calling website) and technical request metadata.
  2. Storage: in its Google Fonts FAQ, Google states that Google Fonts does not set cookies and that requests are designed not to forward personal data to Google's advertising services. Requests are stored in web server logs; server locations may be outside the EU/EEA.
  3. Use: Google uses the data to deliver the font files, ensure operations, protect against abuse and – by its own account – for aggregated usage statistics per font family.
  4. Disclosure: according to Google, no commercial disclosure to independent third parties occurs for Google Fonts; group-internal recipients and technical sub-processors (e.g. cloud infrastructure) are possible.
  5. Deletion: retention periods for server logs are set out in Google's general privacy notices. The website operator cannot access this data; they control processing through the choice of integration type (online vs. self-hosted).

E. Data Collected When Using Google Fonts

When loading a website with Google Fonts embedded, the following data, in particular, is transmitted to Google servers: IP address, date and time of the request, URL of the requested font style, referrer URL, user agent (browser name, browser version, operating system, device type) and additional technical metadata.

This data falls into the following standardised data categories:

  • Web server log data: data the third party's web server receives with each request – IP address, date, time, URL of the requested content, referrer, browser/OS/device information, and additional technical metadata such as response status code and data volume.
  • Device data: information about the user's device, e.g. device type and operating system.
  • Browser information: information about the browser used, e.g. browser name and version.
  • Coarse location data: approximate location of the user (city or municipality level) derivable from the IP address.
  • Technical telemetry data: technical request data, e.g. response status code and data volume.

F. Purposes When Using Google Fonts

The website operator primarily uses Google Fonts to deliver the website with the desired typography, ensuring a consistent appearance and good readability. The integration also serves efficient delivery via Google's infrastructure and reduces the operator's own hosting and maintenance effort.

The purposes fall into the following standardised categories:

  • Functionality provision: providing the website's functionality, in particular displaying text in the intended font, including error detection, error avoidance and the display of interactive content.
  • Security and abuse protection: ensuring the operation of the delivery infrastructure, detecting and stopping attacks, as well as bot and abuse defence by Google.
  • General product improvement: non-user-individual adjustments to delivery, e.g. optimisation based on frequently requested font styles.

Google Fonts falls into the third-party content category (web font delivery via third-party servers).

Possible legal bases include:

  • Consent under Art. 6(1)(a) GDPR in conjunction with Section 25(1) TDDDG: with online embedding via Google servers, the IP address is transmitted to a third party with every page request. Against the background of the Munich Regional Court I ruling (case no. 3 O 17493/20 of 20 Jan 2022) – which classified the unsolicited IP transmission to Google without consent as an interference with the general right of personality and awarded damages – obtaining prior third-party content consent via the consent banner is generally regarded as the appropriate basis.
  • Legitimate interest under Art. 6(1)(f) GDPR: with local self-hosting no data is transferred to Google; processing can rely on legitimate interests in functionality provision, efficiency and security. For online embedding without consent, reliance on legitimate interest carries significant risk given the case law cited above.

The legal basis is case-specific and must be assessed by the website operator on the merits, particularly depending on the type of integration.

H. Special Considerations and Notes on Google Fonts

  • Munich Regional Court I, case no. 3 O 17493/20, judgement of 20 Jan 2022: the court classified the unsolicited transmission of the IP address to Google during dynamic embedding of Google Fonts without consent as an interference with the general right of personality and a GDPR violation, awarding damages of EUR 100. The decision triggered a wave of cease-and-desist letters and shapes practice on integration.
  • Local self-hosting alternative: Google provides the font files for download. With self-hosting, the font files are served from the operator's own server and no transmission to Google takes place. This option is generally the lowest-risk from a data protection perspective.
  • Third-country transfers / DPF: according to publicly available information, Google LLC (USA) is listed under the EU-US Data Privacy Framework. The DPF status should be verified at https://www.dataprivacyframework.gov/s/participant-search. Where DPF protection does not apply, SCCs come into consideration.
  • DPA: according to publicly available information, Google does not provide a classic data processing agreement for the free Google Fonts web service without a Google account; for this service, Google generally acts as an independent controller for the server logs generated by delivery. The classification must be assessed in each case.
  • Cookies: according to the provider, Google Fonts sets no cookies.
  • Settings for the website operator: either control online embedding via consent banner (third-party content consent) or switch permanently to self-hosting.

This presentation is based on publicly available information from Google, the case law cited and other publicly available sources; it does not replace a case-by-case assessment.

I. FAQ on Google Fonts Data Protection

J. Conclusion on Google Fonts Data Protection and Next Step

Google Fonts greatly simplifies the use of high-quality fonts. From a data protection perspective, however, it is decisive that online embedding via Google servers transmits the visitor's IP address to Google with every page request. Munich Regional Court I has classified an unsolicited IP transmission as unlawful (case no. 3 O 17493/20). Website operators should therefore either use self-hosting or control online embedding via third-party content consent in the consent banner – and present purposes, data categories, recipients, third-country transfer and legal basis transparently in the privacy policy.

For the privacy policy itself, it is generally not useful to maintain a separate text block for Google Fonts. Doing so makes the privacy policy long, unwieldy and hard to maintain and conflicts with the transparency principle in Art. 12(1) GDPR. A topic-oriented approach that describes third-party content across the board and only lists specific providers such as Google in a "Recipients" appendix is more appropriate. This is exactly what the matterius generator delivers.

This article provides general information about Google Fonts and does not replace legal advice on individual cases. As of: 2026-05-07.

K. Curator

Authorship

Dr. Thomas Helbing

This knowledge article is provided by matterius GmbH. matterius is not a law firm and does not provide legal advice.

matterius is editorially accompanied by Dr. Thomas Helbing, a German-based lawyer specialised as Fachanwalt für IT-Recht (certified specialist for IT law) in Munich.

Dr. Helbing has been continuously recognised by Handelsblatt since 2020 through to today (2026) as one of "Germany's best lawyers" in the fields of IT law and data protection law.

According to Kanzleimonitor.de (editions 2024–2026), he ranks among the leading lawyers for data protection and IT law and is listed in the Top 100 lawyers in Germany. Kanzleimonitor is regarded as a particularly meaningful market study, as it is based exclusively on personal recommendations from in-house counsel.

Dr. Helbing has many years of advisory experience in data protection and IT law and advises clients of all sizes — from startups to high-growth SaaS companies and unicorns through to international corporations.

His professional background covers the full spectrum of practice in IT and technology law. He began his career at an international major law firm, subsequently gained in-house experience at a DAX corporation, and is himself an entrepreneur and founder of several digital projects. He also has hands-on programming experience, allowing him to understand technical systems, software architectures, and digital business models not only from a legal but also from a technical perspective.

For many years his clients have included technology companies and SaaS providers, leading German research institutions, and a systemically important German major bank. His advisory focus lies in particular in the areas of GDPR compliance, the data economy, SaaS, AI regulation, and IT contract law.

More about Dr. Helbing: www.thomashelbing.com
