Iubenda logo
Start generating


Table of Contents

GDPR Violation: Lack of Transparency in Data Processing via Google Fonts

The Austrian Data Protection Authority (DSB) recently made a significant decision that could have far-reaching implications for how companies handle data processing via Google Fonts. 

On October 19, 2023, the DSB found Google LLC in violation of the General Data Protection Regulation (GDPR) due to a lack of transparency in their data processing practices related to Google Fonts.

Google Fonts


The DSB’s investigation was prompted by inquiries it received concerning warning letters sent to numerous companies. These letters, sent by a lawyer, raised concerns about the integration of Google Fonts on company websites and sought to recognize a claim for damages. Many companies were asked to submit cease and desist declarations.
To get to the bottom of these issues, the DSB initiated an investigation into Google LLC’s data processing methods when it comes to Google Fonts.

Findings of the DSB

The DSB’s investigation into Google Fonts and its data processing practices revealed important findings:

When Google Fonts are (re)loaded through a Google server, data is transmitted to either Google LLC or Google Ireland Limited. However, if the fonts are locally integrated on a server, data transfer does not follow this procedure.

Information Obligation

Google did not fully meet its information obligation under Articles 12(1) and 13 of the GDPR. This is because IP addresses can, depending on the individual case, be considered personal data.

  • Geographical Dependency: Data transfer to Google LLC servers in the US depends on the geographical location of the user or the server of their internet provider. In the event of a dispute, the data flow must be checked on a case-by-case basis.
  • Data Collected: When Google Fonts are integrated into an application, Google LLC or Google Ireland Limited receives at least the user’s IP address, HTTP header (including ‘referrer,’ which is information about the website from which the user came to the current website), and the ‘user agent’ of the internet browser.
  • Separate Data Processing: IP addresses and HTTP headers, including ‘referrer’ and ‘user agent,’ are processed separately.
  • Legitimate Interests: IP addresses are processed for the purpose of detecting, preventing, and combating attacks. To the extent that IP addresses are qualified as personal data, processing for these purposes may be covered by legitimate interests in accordance with Article 6(1)(f) of the GDPR.
  • No Advertising Use: IP addresses, including the ‘referrer’ and ‘user agent’ of the internet browser, are not processed for advertising purposes.

Outcomes and Implications

Based on these findings, the DSB concluded that these observations apply specifically to the Google Fonts product of Google LLC. Any changes to Google Fonts’ data processing practices following the completion of the investigation could potentially alter these conclusions.

This decision by the Austrian DSB serves as a reminder of the importance of transparency and compliance with GDPR regulations in the digital age. It also highlights the need for companies to review their data processing practices, especially when integrating third-party services like Google Fonts, to ensure they are in compliance with data protection laws. Failure to do so can result in legal consequences, as demonstrated by this case. Companies must stay vigilant and up to date with data protection regulations to protect both their users’ privacy and their own legal standing.

Sign up for iubenda’s Privacy and Cookie Policy to Ensure GDPR Compliance!

Are you concerned about the recent GDPR violation related to data processing via Google Fonts? Don’t risk your company’s reputation and legal standing. Ensure transparency and compliance with data protection laws by signing up for iubenda’s Privacy and Cookie Policy generator today.

Key Benefits:

  • Stay GDPR compliant: Avoid costly penalties and legal consequences.
  • Gain user trust: Demonstrate your commitment to transparency and data privacy.
  • Easy customization: Craft policies that align with your unique business operations.
  • Expert guidance: Access a wealth of resources and support to navigate complex legal requirements.
Get Started with iubenda Today!