Google Fonts and GDPR: Why Your Website Might Be Leaking Data
1 April 2026
Every time someone visits your website, their browser downloads the fonts your site uses. If those fonts come from Google's servers, your visitor's IP address gets sent to Google in the United States.
A German court ruled in January 2022 that this violates GDPR. The website owner was fined 100 euros and ordered to stop.
The fine was small. The precedent was not.
What happened in the German court case
On 20 January 2022, the Landgericht München, the Munich Regional Court, ruled in case Az. 3 O 17493/20 that a website operator violated GDPR by using Google Fonts loaded from Google's CDN at fonts.googleapis.com.
The facts were simple. A visitor loaded the website. The site pulled fonts from Google's servers. Google received the visitor's IP address. The visitor had not given consent for this data transfer.
The court found two violations:
First, the visitor's IP address is personal data under GDPR Article 4. This isn't new. The CJEU established this in the Breyer case C-582/14 back in 2016.
Second, transferring that personal data to Google's US servers without the visitor's consent violates GDPR Article 6. The court specifically rejected the argument that loading Google Fonts serves a "legitimate interest." The operator could have self-hosted the fonts. Choosing not to was a convenience decision, not a necessity.
The fine was 100 euros in damages to the plaintiff, plus the website operator had to pay legal costs. Small numbers. But this case opened the door for mass claims, and thousands of similar letters have been sent to website owners across Germany, Austria and the Netherlands since then.
How Google Fonts works and why it's a problem
When you add Google Fonts to your website the standard way, you include a link tag like this in your HTML:
<link href="https://fonts.googleapis.com/css2?family=Inter:wght@400;700" rel="stylesheet">
Here's what happens when a visitor loads your page:
- The browser sees this tag and sends a request to fonts.googleapis.com
- Google's server receives the request, including the visitor's IP address, browser type and referring URL
- Google returns the CSS file, which tells the browser to download the actual font files from fonts.gstatic.com
- Another request goes to Google, again including the visitor's IP address
Two requests to Google's servers. Two transfers of personal data. No consent asked.
This happens before the visitor does anything on your site. Before they click a button, fill in a form or accept a cookie banner. The data transfer happens just by loading the page.
How many websites are affected
A lot. Google Fonts is used on roughly 50 million websites worldwide. It's the most popular web font service by a wide margin. Most WordPress themes load Google Fonts by default. Many website builders like Wix, Squarespace and Webflow do too.
If you've never specifically checked this, your website probably loads Google Fonts externally. The theme your web designer picked likely included them out of the box.
How to check if your website loads Google Fonts externally
Method 1: Browser Developer Tools
- Open your website in Chrome
- Press F12 to open Developer Tools
- Click the "Network" tab
- Reload the page
- In the filter bar, type "fonts.googleapis" or "fonts.gstatic"
If you see any requests to those domains, your site loads Google Fonts from Google's servers.
Method 2: View page source
- Right-click on your website and select "View Page Source"
- Press Ctrl+F and search for "fonts.googleapis.com"
If you find it, the fonts are loaded externally.
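The page-source check can be automated, and a script also catches references that a manual search for one string tends to miss: CSS `@import` rules, protocol-relative URLs and preconnect hints. The following is an added example, not code from the original article; the function names and the sample page are constructed for illustration.

```javascript
// Added example. FONT_HOSTS lists the two hosts named in the article;
// append other font CDNs you want to audit.
const FONT_HOSTS = ['fonts.googleapis.com', 'fonts.gstatic.com'];

// Pull URL references out of HTML attributes and CSS text.
function extractUrls(source) {
  const patterns = [
    /(?:href|src)\s*=\s*["']([^"']+)["']/gi,       // <link href>, preconnect hints, <script src>
    /@import\s+(?:url\(\s*)?["']?([^"')\s;]+)/gi,   // @import "..." and @import url(...)
    /url\(\s*["']?([^"')]+)["']?\s*\)/gi,           // url(...) in @font-face rules
  ];
  const urls = [];
  for (const re of patterns) {
    for (const match of source.matchAll(re)) urls.push(match[1].trim());
  }
  return urls;
}

// Return the unique absolute URLs in `source` that point at a font host.
// Relative and protocol-relative references are resolved against pageUrl.
// Plain <a href> links to a font host are reported too, so review the hits.
function findExternalFontRefs(source, pageUrl, hosts = FONT_HOSTS) {
  const hits = new Set();
  for (const raw of extractUrls(source)) {
    let url;
    try {
      url = new URL(raw, pageUrl);
    } catch {
      continue; // not a parseable URL, ignore
    }
    if (hosts.includes(url.hostname.toLowerCase())) hits.add(url.href);
  }
  return [...hits];
}

// Constructed sample page: one preconnect hint, one protocol-relative <link>,
// one CSS @import, and one self-hosted @font-face that must not be flagged.
const SAMPLE_PAGE = `
<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
<link href="//fonts.googleapis.com/css2?family=Inter:wght@400;700" rel="stylesheet">
<style>
  @import url('https://fonts.googleapis.com/css?family=Roboto');
  @font-face { font-family: 'Inter'; src: url('/fonts/inter-v12-latin-regular.woff2') format('woff2'); }
</style>
<link rel="stylesheet" href="/css/site.css">`;

console.log(findExternalFontRefs(SAMPLE_PAGE, 'https://example.com/'));
```

The function only sees the text you pass in, so run it over your external stylesheets as well as the HTML, since an `@import` inside a theme's CSS file never appears in the page source.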
Method 3: Run a scan
A free compliance scan checks for external Google Fonts connections automatically, along with dozens of other privacy and compliance issues.
How to fix it: self-host your Google Fonts
The fix is straightforward. Instead of loading fonts from Google's servers, you download the font files and host them on your own server. No requests to Google. No IP address transfer. Problem solved.
Step 1: Download the fonts
Go to google-webfonts-helper, a free tool by Mario Ranftl. Search for the font you use. Select the weights and styles you need. Download the zip file.
Step 2: Upload the font files to your server
Unzip the download and upload the font files, usually in .woff2 format, to a folder on your web server. Something like /fonts/ works fine.
Step 3: Add the @font-face CSS
The google-webfonts-helper tool also generates the CSS you need. It looks like this:
@font-face {
  font-family: 'Inter';
  font-style: normal;
  font-weight: 400;
  font-display: swap;
  src: url('/fonts/inter-v12-latin-regular.woff2') format('woff2');
}
@font-face {
  font-family: 'Inter';
  font-style: normal;
  font-weight: 700;
  font-display: swap;
  src: url('/fonts/inter-v12-latin-700.woff2') format('woff2');
}
Add this to your stylesheet.
Step 4: Remove the Google Fonts link tag
Find and delete the <link> tag that references fonts.googleapis.com from your HTML. If it's added by a WordPress theme or plugin, check the theme settings for a "disable Google Fonts" option. Many modern themes have this.
Step 5: Verify it worked
Reload your site and check Developer Tools again. Go to the Network tab and filter for "googleapis." No requests should appear.
WordPress-specific instructions
Most WordPress themes load Google Fonts through the theme's functions.php file or via the WordPress Customizer. Here's how to fix it depending on your setup:
If your theme has a built-in option: Check Appearance > Customize or your theme's settings panel. Look for "Typography" or "Google Fonts" settings. Themes like Astra, GeneratePress and Kadence let you switch to locally hosted fonts with one click.
If you use a plugin: The "OMGF (Optimize My Google Fonts)" plugin automatically downloads Google Fonts, hosts them locally and removes the external references. Install it, run it once and you're done.
If you need to do it manually: Add this to your theme's functions.php file to dequeue Google Fonts:
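// The handle 'google-fonts' differs per theme. WordPress prints each stylesheet
// as <link id="{handle}-css" ...>, so look up the real handle in your page source.
function remove_google_fonts() {
    wp_deregister_style('google-fonts'); // unregister the stylesheet
    wp_dequeue_style('google-fonts');    // remove it from the output queue
}
// Priority 100 runs this after the theme has enqueued its own styles.
add_action('wp_enqueue_scripts', 'remove_google_fonts', 100);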
Then add the self-hosted @font-face declarations to your theme's stylesheet.
What about other external font services?
Google Fonts gets the most attention, but the same GDPR logic applies to any external font service that transfers visitor IP addresses to third-party servers. Adobe Fonts, formerly known as Typekit, and Font Awesome's CDN version have the same issue.
The fix is the same in every case: download the files and host them yourself.
Font Awesome offers a self-hosted version you can download directly. Adobe Fonts is trickier since its licensing often requires loading from Adobe's servers. If you use Adobe Fonts, consider switching to a self-hostable alternative or adding it to your cookie consent flow.
Is the 100 euro fine really worth worrying about?
The Munich case involved a single complainant and a 100 euro fine. That sounds trivial. But here's why you should care:
Mass claims are happening. After the Munich ruling, organized groups began sending hundreds of demand letters to website operators across Germany and Austria. Amounts range from 100 to 170 euros per claim. Some website owners received multiple claims from different individuals.
The trend is spreading. Dutch and Belgian privacy advocates have taken note. Similar claims based on the same legal reasoning are appearing in the Netherlands.
It's easy to fix. Self-hosting fonts takes 15 to 30 minutes. Paying even one 100 euro claim costs more than that in time and stress.
It's not just about fonts. If a data protection authority investigates your Google Fonts usage and finds other GDPR issues like missing cookie consent, no privacy policy or no data processing agreements, the fonts complaint becomes the tip of a much bigger problem.
Common questions
Does this apply to websites outside Germany?
The Munich ruling is a German court decision, so it's not directly binding in other EU countries. But it applies the same GDPR rules that exist everywhere in the EU. Dutch, Austrian and Belgian regulators have signaled agreement with the court's reasoning. Treat this as an EU-wide issue.
My website builder loads Google Fonts automatically. What do I do?
Check your platform's settings for a local fonts option. Wix added local font hosting in 2023. Squarespace and Webflow both support custom fonts. If your builder doesn't offer this, contact their support. In the meantime, you can use a Content Security Policy header to block requests to fonts.googleapis.com, though this might break your font display until you add local alternatives.
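A Content Security Policy is an allowlist, so "blocking" Google Fonts means that neither the stylesheet request (`style-src`) nor the font file request (`font-src`) has a matching source. The following added example, which is not from the original article, audits a policy string for both requests; the function names and request URLs are constructed, and the source matching is deliberately simplified (no ports, paths, nonces, hashes or `style-src-elem`).

```javascript
// Added example with simplified CSP matching: ignores ports, paths, nonces,
// hashes and style-src-elem. Request URLs below are constructed samples.
const GOOGLE_FONT_REQUESTS = [
  { directive: 'style-src', url: 'https://fonts.googleapis.com/css2?family=Inter' },
  { directive: 'font-src', url: 'https://fonts.gstatic.com/constructed-sample.woff2' },
];

// Split a policy string into directive name -> source list (first occurrence wins).
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

// Does one source expression permit this URL?
function sourceAllows(source, url, selfOrigin) {
  const s = source.toLowerCase();
  if (s === "'self'") return url.origin === selfOrigin;
  if (s.startsWith("'")) return false; // 'none', 'unsafe-inline', nonces, hashes
  if (s === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return url.protocol === s; // e.g. https:
  const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/);
  if (!m) return false;
  const [, scheme, host] = m;
  if (scheme && url.protocol !== `${scheme}:`) return false;
  return host.startsWith('*.') ? url.hostname.endsWith(host.slice(1)) : url.hostname === host;
}

// CSP is an allowlist: a fetch is blocked when its directive (or the
// default-src fallback) exists and no listed source matches the URL.
function isBlocked(policy, directive, requestUrl, selfOrigin) {
  const directives = parsePolicy(policy);
  const sources = directives.get(directive) ?? directives.get('default-src');
  if (sources === undefined) return false; // nothing restricts this fetch type
  const url = new URL(requestUrl);
  return !sources.some((src) => sourceAllows(src, url, selfOrigin));
}

// Report, per directive, whether the two Google Fonts requests are blocked.
function auditGoogleFonts(policy, selfOrigin) {
  return Object.fromEntries(GOOGLE_FONT_REQUESTS.map(
    (r) => [r.directive, isBlocked(policy, r.directive, r.url, selfOrigin)]));
}

console.log(auditGoogleFonts("font-src 'self'", 'https://example.com'));
```

A policy that sets only `font-src 'self'` stops the font files but still lets the stylesheet request reach fonts.googleapis.com, so the visitor's IP address is still transferred.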
Can I just add Google Fonts to my cookie consent banner?
Technically, yes. You could block Google Fonts from loading until the visitor consents. But this means your website displays without its intended fonts until consent is given, which looks broken. Self-hosting is a much better solution because your fonts load immediately and no consent is needed.
Will self-hosting fonts slow down my website?
Usually the opposite. Google Fonts requires two extra HTTP connections to googleapis.com and gstatic.com. Self-hosted fonts load from your own server, which the browser is already connected to. Most sites see equal or better performance after switching to self-hosted fonts, especially with proper caching headers.
I use a CDN like Cloudflare. Does that fix the Google Fonts issue?
No. A CDN in front of your own site doesn't change the fact that your HTML tells browsers to fetch fonts from Google's servers. The requests still go to Google. You need to actually replace the external font references with local ones.
Wondering what other data your website might be leaking? Run a free scan at trustyourwebsite.nl to check for Google Fonts, external trackers and 30+ other compliance issues.