Did you receive a GDPR Violation related to Google fonts? Here's what to do.
Disclaimer: This article doesn’t provide any legal advice.
I recently received an email from a former Website client. She had been contacted by a lawyer because of a GDPR violation and was being asked to pay 170 Euros.
What’s GDPR? The General Data Protection Regulation is an EU law that has to do with data protection and privacy in the European Union and the European Economic Area. So if you do business in the EU, you have to comply with this law. One of the restrictions is that you cannot collect data (emails, IP addresses, names, etc) from people who visit your site without telling them. Usually, a simple Cookies banner/Datenschutz page combo would take care of that.
Well, now it’s not enough, unfortunately.
Recently, a law office has begun hunting down people who use Google fonts on their homepage and threatening to fine them. If you are using Google fonts, whenever a visitor visits your homepage, the visitor’s IP address is sent to Google. Why? Because Google needs the visitor’s IP address to send the Google Fonts files to your visitor. Now, do I think it’s cool that a law office would hunt small business owners who are trying to make a living and threaten to fine them for not complying with GDPR? Not at all, in fact, I think it’s all a bunch of BS.
But that’s not the point of this post. The point of this post is to help you so you don’t get fined.
If you are using Google fonts there are a few things you can do:
You can download the Google fonts locally and then add the local font as CSS. It seems like a long scary process, but I think this website does a good job of breaking it down: https://www.thestyledsquare.com/blog-content/how-to-add-your-own-custom-fonts-to-squarespace-with-css-70-71. If you are using a Wordpress site, you can simply install the OMGF plug-in.
You can select a built-in font pack that uses standard fonts such as Helvetica Neue, Georgia, or Verdana.
You can do nothing and wait it out. If you do get fined, you can hire a lawyer to help you. As it turns out, that client who received a letter did just that. The lawyer she hired sent a letter on her behalf to the threatening authority, basically telling them they were out of bounds and that there was no obvious harm being done. The lawyer also recommended that my client use a VPN that includes an IP address such as Cyber Ghost VPN.
Hope that helps clear up what you can do. If you have further questions, I have compiled a list of questions below that have been answered by Berlin web designers. I received their answers from a Facebook networking group I belong to so I cannot vouch for the legality or accuracy, but perhaps it helps you make more sense of what is happening.
Is a notice on your Datenschutz/Impressum/Imprint page enough?
No. You have to have a cookie plugin that blocks the loading of the fonts until the visitor consents. This applies to Youtube and Maps as well, if you have that on your site. Essentially, the visitor to your homepage doesn’t have a chance to disagree before seeing the Google fonts.
Are the mass letters legal documents?
No. They are threatening to pursue legal action if you don't pay the 170€. The whole thing is not really built on strong legal ground.
Isn’t that extortion?
Not exactly. It isn’t very nice, or best practice, but courts have ruled that people do indeed have to pay fines. Why? Because at the center of these cases is "harm" caused to the plaintiff. In this case, use of his personal data against his will. Now, if you have a bot running that crawls websites, there is no harm to you, because you are not actually doing anything. Frivolous lawsuits because of Impressum were often turned down because you can't just sue - you needed to show that you have a disadvantage/ damages because someone wasn't following a law.
I received a fine, should I pay it?
Here is advice given by the IHK (chamber of commerce in Germany): do NOT pay and instead consult a lawyer. There are legal ways to fight against it as it's obvious that these folks are just trying to make money. Obviously, in the end, this option is 100% YOUR decision and I assume no legal responsibility for the outcome :)