FontSelf Blog

Google Fonts and GDPR: What German Courts Ruled and What You Need to Do

If your website loads fonts directly from Google's servers, you may be violating GDPR — even if you have never collected a single form submission or stored a single cookie. This is not a theoretical risk. A German court issued a concrete ruling on this exact issue, and several website operators have since received warning letters and faced fines.

Here is what happened, what it means for your site, and how to fix it permanently in under 60 seconds.

The Munich Ruling

In January 2022, the Munich Regional Court (Landgericht München, case reference Az. 3 O 17493/20) ruled that a website operator had violated GDPR by embedding Google Fonts via the standard CDN method. The violation was not about cookies, consent banners, or analytics. It was about a single HTTP request.

When a visitor loads a page that uses Google Fonts via the standard <link> tag pointing at fonts.googleapis.com, the visitor's browser makes a direct request to Google's servers to download the font files. That request automatically includes the visitor's IP address — it has to, because that is how HTTP works. The IP address was transmitted to Google without the visitor's knowledge or consent, and without a legal basis under GDPR Article 6.

The court awarded the plaintiff €100 in damages for the distress caused by their IP address being transmitted to a US-based server without consent. The website operator was also ordered to stop using Google Fonts via CDN.

Why This Applies Beyond Germany

The Munich ruling was issued under German law, but the underlying regulation is the same across the entire EU and EEA: GDPR. The court's reasoning applies equally to any website that serves visitors in EU member states, regardless of where the website operator is based.

If your website is visited by people in Germany, France, Spain, the Netherlands, or any other EU country, and you are loading Google Fonts from Google's CDN, you are in the same position as the defendant in that case. The ruling established that no consent banner or privacy policy clause can retroactively make the transmission lawful — the transmission happens before any consent is obtained, on the initial page load.

Several privacy-focused organizations and law firms began sending automated warning letters to German website operators after the ruling. The fines in individual cases have been modest, but the legal obligation is clear.

What Exactly Triggers the Violation

The violation is triggered by this pattern in your HTML:

<link rel="preconnect" href="https://fonts.googleapis.com">
<link href="https://fonts.googleapis.com/css2?family=Inter:wght@400;700&display=swap" rel="stylesheet">

Or equivalently, any @import in your CSS that points at fonts.googleapis.com.

Both cause the visitor's browser to make a request to Google's infrastructure on page load. That request carries the IP address. That transmission is the violation.

What does not trigger the violation: font files served from your own domain or hosting infrastructure. If the WOFF2 files live on yourdomain.com/fonts/, the request never leaves your infrastructure, and no IP address is transmitted to Google.

The Fix: Self-Host the Font Files

The solution is to download the WOFF2 files and the @font-face CSS, place them on your own server, and remove the Google CDN link entirely.

The manual way to do this is tedious. You need to call the Google Fonts CSS2 API, parse the src: URLs out of the response, download each binary file, write the @font-face blocks by hand with correct font-weight, font-style, and unicode-range values, and then organize the files and CSS together consistently.

FontSelf automates the entire process. Select your font, choose your weights and subsets, and download a ZIP containing the WOFF2 files and a ready-to-paste fonts.css file. The whole process takes under 60 seconds.

Implementation: Four Steps

Once you have downloaded the ZIP from FontSelf:

1. Upload the font files to your /public/fonts directory

Place the WOFF2 files in a publicly accessible location on your server. The exact path does not matter as long as it matches the paths in the generated CSS.

2. Add the generated CSS to your global stylesheet

The fonts.css file inside the ZIP contains complete @font-face blocks with correct paths, weights, and font-display settings. Paste it near the top of your main stylesheet or import it as a separate file.

3. Add a preload link for the primary font file

In your document <head>, add:

<link rel="preload" href="/fonts/your-font-variable.woff2" as="font" type="font/woff2" crossorigin>

This tells the browser to fetch the font file early, before the CSS is parsed, which improves above-the-fold render time.

4. Remove the Google Fonts <link> tag

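Delete any <link> tags pointing at fonts.googleapis.com and any @import rules pointing at the same domain. Verify the removal by opening your browser DevTools, going to the Network tab, filtering by Font, and confirming you see zero requests to fonts.gstatic.com or fonts.googleapis.com. The request to fonts.googleapis.com is for a stylesheet rather than a font file, so repeat the check with the CSS filter (or with no filter) to confirm that one is gone as well.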
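The patterns listed under "What Exactly Triggers the Violation" and the removal in step 4 can also be checked statically, before deployment. The following Node.js sketch is an added example, not FontSelf code: it scans HTML or CSS text for references to either Google Fonts host and reports how each one is loaded. The function names and the sample inputs are assumptions made for illustration.

```javascript
// Added example (not FontSelf code): flag leftover Google Fonts references.
// Matches absolute and protocol-relative URLs on either Google Fonts host.
const HOST_RE =
  /(?:https?:)?\/\/(fonts\.googleapis\.com|fonts\.gstatic\.com)\b[^\s"')>]*/gi;

// Label how the reference is loaded, judged from the line it appears on.
function classify(line) {
  if (/@import/i.test(line)) return 'css-import';
  if (/<link\b/i.test(line)) {
    const rel = /\brel\s*=\s*["']?([\w-]+)/i.exec(line);
    return 'link-' + (rel ? rel[1].toLowerCase() : 'unknown');
  }
  if (/url\(/i.test(line)) return 'css-url';
  return 'other';
}

// Return one finding per reference: 1-based line, host, kind and URL.
function findGoogleFontRefs(text) {
  const findings = [];
  text.split(/\r?\n/).forEach((line, i) => {
    for (const m of line.matchAll(HOST_RE)) {
      findings.push({
        line: i + 1, host: m[1].toLowerCase(), kind: classify(line), url: m[0],
      });
    }
  });
  return findings;
}

// Constructed sample inputs; the gstatic path is a placeholder.
const BEFORE_HTML = [
  '<link rel="preconnect" href="https://fonts.googleapis.com">',
  '<link href="https://fonts.googleapis.com/css2?family=Inter:wght@400;700&display=swap" rel="stylesheet">',
].join('\n');
const BEFORE_CSS = [
  '@import url("https://fonts.googleapis.com/css2?family=Inter");',
  '@font-face { font-family: Inter; src: url(//fonts.gstatic.com/s/inter/example.woff2) format("woff2"); }',
].join('\n');
const AFTER_HTML =
  '<link rel="preload" href="/fonts/your-font-variable.woff2" as="font" type="font/woff2" crossorigin>';

for (const [name, text] of Object.entries({ BEFORE_HTML, BEFORE_CSS, AFTER_HTML })) {
  const hits = findGoogleFontRefs(text);
  console.log(name, hits.length ? hits : 'clean');
}
```

In a build pipeline, read each emitted .html and .css file and fail the build when the returned array is non-empty. References injected at runtime by scripts are outside what a static scan sees, so the DevTools check still applies.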

Caching: One More Step Worth Doing

Font files are static assets that never change. When Google updates a font, it serves the new version under a new URL rather than overwriting the existing file. This means you can serve your self-hosted font files with a very long cache lifetime.

Set the following response header for all files in your /fonts/ directory:

Cache-Control: max-age=31536000, immutable

This tells browsers to cache the font files for one year and never revalidate them. On repeat visits, the font will be served directly from the browser cache with zero network requests. This is a meaningful performance improvement for returning visitors and eliminates the font-related network waterfall on every page load.

In Next.js, add this to your next.config.js headers configuration. In Nginx, add it to the location block for your fonts directory. In Vercel, add it to the headers section of vercel.json.

Does This Apply to Google Analytics Too?

The GDPR concerns around Google Fonts and Google Analytics are related but distinct. Google Analytics transmits user behavior data and identifiers to Google's servers, which raises its own set of GDPR obligations — consent, data processing agreements, and in some jurisdictions, questions about data transfers under Schrems II.

Self-hosting your fonts does not address Google Analytics. If you use Google Analytics, you need a valid legal basis for that separately — typically explicit consent via a cookie banner, or a switch to a privacy-preserving analytics tool.

The Munich ruling was specifically and only about Google Fonts. Fixing Google Fonts does not give you a clean GDPR bill of health if you are also running Google Analytics, Facebook Pixel, or similar third-party scripts that transmit visitor data.

Summary

  • The Munich Regional Court ruled in January 2022 that loading Google Fonts via CDN violates GDPR because it transmits visitor IP addresses to Google without consent.
  • The ruling applies to any website serving EU visitors, not just German sites.
  • The fix is to self-host the font files so the browser never makes a request to Google's infrastructure.
  • Self-hosting also eliminates the external DNS lookup and improves LCP performance as a side effect.
  • FontSelf generates the WOFF2 files and ready-to-use CSS in one download. Remove the Google CDN link, add the files to your server, and the violation is resolved.