A regional court in the German city of Munich has ordered a website operator to pay EUR100 in damages for transferring a user’s personal data — i.e., IP address — to Google via the search giant’s Fonts library without the individual’s consent.
The unauthorized disclosure of the plaintiff’s IP address by the unnamed website to Google constitutes a contravention of the user’s privacy rights, the court said, adding that the website operator could theoretically combine the gathered information with other third-party data to identify the “persons behind the IP address.”
The violation amounts to “plaintiff losing control over personal data to Google”, the ruling said.
Google Fonts allows developers to embed fonts in their Android apps or websites by simply referencing a stylesheet. As of January 2022, Google Fonts is a repository for 1,358 font families.
Under the EU’s General Data Protection Regulation (GDPR), personally identifiable information (PII) includes data such as advertising IDs and IP addresses. Businesses operating within the country must ask for the consent of users before they process such information.
In addition, the court noted that “Google Fonts can also be used by the defendant without a connection to a Google server being established and the IP address of the website user being transmitted to Google,” effectively requiring websites to host the fonts locally.
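A visitor's browser contacts Google only when the page references font resources on Google's hosts (`fonts.googleapis.com` for stylesheets, `fonts.gstatic.com` for font files). As an added example, not taken from the article or the ruling, this Python script audits a page's HTML for such references, including `preconnect` hints and CSS `@import`/`url()` rules; the function names and the sample page are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts that serve Google Fonts stylesheets and font files.
GOOGLE_FONT_HOSTS = {"fonts.googleapis.com", "fonts.gstatic.com"}
# Matches @import "...", @import url(...) and url(...) references in CSS text.
CSS_REF = re.compile(r"""(?:@import\s+(?:url\(\s*)?|url\(\s*)['"]?([^'")\s;]+)""", re.I)

def is_google_fonts(url):
    """True if an absolute or protocol-relative URL targets a Google Fonts host."""
    try:
        return urlparse(url.strip()).hostname in GOOGLE_FONT_HOSTS
    except ValueError:  # malformed URL: nothing the browser could fetch from Google
        return False

class FontAudit(HTMLParser):
    """Collects (kind, url) for every reference that makes the browser contact Google."""
    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href") or ""
        if tag == "style":
            self._in_style = True
        elif tag == "link" and is_google_fonts(href):
            # Covers rel=stylesheet as well as rel=preconnect/preload hints.
            self.findings.append(("link", href))

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            self.findings += [("css", u) for u in CSS_REF.findall(data) if is_google_fonts(u)]

def audit(html):
    parser = FontAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page: two remote references in <link>, one in CSS, two local ones.
SAMPLE = """<html><head>
<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Roboto">
<link rel="stylesheet" href="/assets/site.css">
<style>
@import url("//fonts.googleapis.com/css?family=Lato");
@font-face { font-family: "Inter"; src: url("/fonts/inter.woff2") format("woff2"); }
</style></head><body>Hello</body></html>"""

if __name__ == "__main__":
    for kind, url in audit(SAMPLE):
        print(f"{kind}: {url}")
```

An empty result for a page means its markup and inline CSS no longer point at Google's font hosts; externally linked stylesheets need the same check applied to their own contents.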
Aside from ordering the website to stop disclosing the IP address by embedding the font library, the court also urged the company running the website to share with the affected party information about the kind of personal data that it stores and processes.
The decision comes weeks after the Austrian Data Protection Authority (DSB) ruled that the use of Google Analytics by a health-focused website called NetDoktor violates the GDPR regulation by exporting visitors’ data to Google servers in the U.S., thereby opening the door for potential surveillance by the U.S. intelligence services.