Is Google Fonts GDPR Compliant? The IP-Leak Problem and the Fix

Google Fonts is not GDPR compliant when loaded from Google's CDN, because it leaks visitor IP addresses without consent. Learn the fix: self-hosting or consent-gating.


by Riad Us Salehin • 5 July 2026


Google Fonts is not GDPR compliant by default. Loading it directly from Google's servers sends every visitor's IP address to Google without consent. Self-hosting the font files, or blocking the connection until a visitor consents, both fix it.

Below: why the default setup breaks GDPR, the German court ruling that triggered a wave of demand letters, and your real risk. Then the two fixes.

Is Google Fonts GDPR Compliant? The Short Answer

Google Fonts is not GDPR compliant when your site loads it from fonts.googleapis.com or fonts.gstatic.com. That request transmits the visitor's IP address to Google before any consent is given.

Self-hosting the font files removes the connection entirely. Loading fonts only after consent also works, though some visitors never see them.

SetupGDPR status
Loaded from Google's CDN (the default)Not compliant
Self-hosted on your own serverCompliant
Loaded from Google's CDN, but gated behind consentCompliant

Legal to Use vs GDPR-Compliant: Two Different Questions

Using Google Fonts is legal. Google's own FAQ states all Google Fonts are open source and free to use, including commercially. The GDPR problem has nothing to do with font licensing.

It is entirely about delivery. Fetching the font files from Google's servers transmits data Google collects on every request. That transmission needs a legal basis under GDPR.

Why Does Loading Google Fonts Break GDPR?

Loading Google Fonts from Google's CDN breaks GDPR because the browser's request for the font file carries the visitor's IP address to Google. That transfer happens before the visitor makes any consent choice. Google's own privacy FAQ confirms exactly what gets sent on every request.

The IP address used by the respective user to access the Internet, the requested URL on the Google server, and HTTP headers including the user agent.

A typical page load with hotlinked fonts runs through these steps.

  1. The browser parses a <link> tag pointing to fonts.googleapis.com.
  2. The browser sends a GET request to that URL to fetch the CSS.
  3. That request carries the visitor's IP address, requested URL, and user agent as standard HTTP metadata.
  4. A second GET request follows to fonts.gstatic.com to fetch the actual font file, carrying the same data.
  5. Google receives and logs this data, per its own FAQ, before any cookie banner is shown or answered.

This is the detail most cookie banners miss: the transfer happens through a network request, not a cookie. A visitor who rejects every cookie still triggers this request if the font tag loads before the consent decision.

The data also crosses into the US, where Google operates its servers. That adds a third-country transfer question on top of the missing legal basis, which is why German courts treated the disclosure so strictly.

Why Is a Visitor's IP Address "Personal Data"?

A visitor's IP address counts as personal data under GDPR because it can identify an individual. It can do this alone, or combined with other data a controller holds. Transferring it to a third party like Google is processing that needs a valid legal basis.

Two lawful bases could in theory cover it: the visitor's consent, or the site's legitimate interest. Consent is absent, because the font loads before any choice. Legitimate interest fails too, since self-hosting achieves the same result without the transfer. "We needed to display a font" is not a valid basis.

The GDPR's own reference text states plainly that IP addresses count as personal data, the same as a phone number or a home address. The UK's Information Commissioner's Office is equally direct: online identifiers, including IP addresses, may count as personal data.

This holds for dynamic IP addresses too, the kind that change periodically. That is exactly the type of address the Munich court examined. Hashing or truncating an IP address counts as pseudonymization, not anonymization, so the data stays regulated either way.

The German Court Ruling That Started the Panic

In January 2022, the Munich Regional Court (Landgericht Munchen) fined a website 100 euros. The reason: a hotlinked Google Font had sent a visitor's IP address to Google without consent. That single ruling became the template every explainer and demand letter now cites.

The case, number 3 O 17493/20, was decided on 20 January 2022 by the court's third civil chamber. The Register reported the outcome directly. The court fined an unidentified website 100 euros ($110, £84) for violating EU privacy law by importing a Google-hosted web font.

The court's reasoning centered on the visitor's dynamic IP address specifically. It called the unauthorized disclosure of that IP address a violation of the general right of personality. The court held that the IP counted as personal data, whether or not anyone actually identified the visitor.

Beyond the 100-euro award, the ruling carried real teeth for repeat violations. The court also threatened penalties of up to 250,000 euros per violation, per The Register's report. It also threatened up to six months' imprisonment for continued improper use after notice.

The ruling explicitly named self-hosting as the available alternative the defendant had ignored. Nothing about serving Google Fonts required a live connection to Google's servers at all.

Are You Actually at Risk? (Demand Letters, US vs EU, and Small Sites)

Your actual risk from the Munich ruling depends heavily on where your visitors and business sit. A real wave of German and Austrian demand letters followed the case. A US-based small site's exposure runs through different law entirely, and even German courts now question whether some of that letter wave is legitimate.

The ruling triggered exactly the reaction its critics warned about. A wave of cease-and-desist "abmahnung" letters followed across Germany. Each demanded 100 to 170 euros in damages plus lawyer fees, according to the International Network of Privacy Law Professionals.

Austria saw a parallel wave. Demand letters there typically cite around 100 to 190 euros in damages and fees, per Austrian legal commentary. That same commentary notes the German ruling carries no validity in Austria under current status.

One Austrian lawyer disputed the underlying claims outright. He argued that no damage results for the affected party from an IP address reaching Google.

The legitimacy of the mass claims is now genuinely contested, not just by critics. Germany's Federal Court of Justice referred the question to the Court of Justice of the EU in August 2025, case VI ZR 258/24.

A claimant had sought a refund of 170 euros they paid. The defendant law office had reportedly sent over 100,000 warning letters.

The referred questions ask whether abuse of rights can bar compensation. They also ask whether deliberately provoking a violation to manufacture a claim can bar it. As of this writing, the ECJ has not ruled, so the answer remains open.

If your visitors and business are US-based, the Munich ruling carries no direct legal force. It is a German civil court decision under EU and German law.

Your comparable exposure runs through US privacy and wiretap statutes instead. That is part of the same broader wave of cookie and pixel lawsuits over tracking without consent.

It includes claims under the California Invasion of Privacy Act (CIPA), and the same theory driving the Meta Pixel lawsuits against US websites.

A small site with mostly US traffic faces a different legal question than a German or Austrian site does. The technical problem, an unconsented data transfer, still looks identical.

How to Make Google Fonts GDPR Compliant

Two routes fix Google Fonts under GDPR. Self-hosting removes the connection to Google entirely and is the permanent fix. Consent-gating keeps the CDN connection but blocks it until the visitor opts in.

Fix 1: Self-Host Google Fonts (the Permanent Fix)

Self-hosting Google Fonts eliminates the GDPR problem at its source, because your server, not Google's, answers every font request. Google's own FAQ confirms this is fully permitted. A developer may self-host web fonts locally, by downloading them and uploading them to their own server.

To self-host Google Fonts:

  1. Download the WOFF2 files for the font families you use, either directly from Google Fonts or a helper tool such as google-webfonts-helper.
  2. Upload the downloaded font files to your own server or CDN.
  3. Replace the Google <link> tag with a local @font-face rule in your CSS, pointing to the uploaded files.
  4. Remove every reference to fonts.googleapis.com and fonts.gstatic.com, so nothing requests fonts from Google.

WordPress sites can use a self-hosting plugin, such as OMGF, to automate this download-and-swap process. Self-hosting carries a second, unrelated benefit. It removes a third-party connection from every page load, which is a page-speed win too, not just a compliance fix.

Fix 2: Load Fonts Only After Consent

If you need to keep serving fonts from Google's CDN, blocking that request until consent also satisfies GDPR. The transfer no longer happens without a legal basis. A consent management platform can hold third-party resources, including font requests, until the visitor opts in.

This route comes with a real trade-off self-hosting avoids. A visitor who declines consent sees your fallback system font instead, since the request that would fetch the real one stays blocked. Self-hosting sidesteps that trade-off completely, because no consent decision is needed for a font your own server delivers.

How to Check Whether Your Site Is Leaking Data to Google

To check whether your site loads Google Fonts from Google's servers, open your browser's developer tools and go to the Network tab. Reload the page while filtering for fonts.googleapis.com or fonts.gstatic.com.

Any request to either domain means your site still connects to Google for fonts on that page. Free "Google Fonts checker" tools exist that automate this same check across a full site, useful if you manage several domains.

How Consently Blocks Third-Party Resources Until You Have Consent

Consently scans your site for third-party scripts and resources. It blocks non-essential ones, including font requests like a hotlinked Google Fonts connection, until the visitor consents, so nothing fires before opt-in.

Consently's prior-consent banner pairs with automatic scanning that detects scripts, iframes, and other resources across your site. It auto-blocks anything non-essential until the visitor consents.

That auto-blocking is not font-specific. It covers the same class of risk for analytics tags, ad pixels, embedded maps, and any other third-party call your site makes.

For Google Fonts specifically, self-hosting is still the cleanest permanent fix. It removes the Google connection outright, rather than gating it.

A consent management platform earns its place for the dozens of other resources that leak the same way. Analytics, pixels, maps, and embeds cannot all be self-hosted.

Consently's consent log also gives you a timestamped, exportable record of every visitor's choice. That is useful evidence if a demand letter ever arrives referencing your site.

Start a free 14-day trial of Consently, no credit card required. Scan your site for every unconsented connection, not just the ones you already know about.

FAQs

Is it legal to use Google Fonts?

Yes. Google's font license is free, open source, and explicitly permits commercial use. The GDPR issue has nothing to do with the license: it is entirely about how the fonts are delivered, from Google's servers versus self-hosted.

Is it safe to download fonts from Google Fonts?

Yes. Google Fonts are open source, so downloading the font files and self-hosting them is safe and fully permitted by Google's own FAQ. Downloading them is in fact the recommended GDPR fix, since a locally served font never contacts Google.

Does self-hosting Google Fonts make them GDPR compliant?

Yes. Once font files load from your own server, no request ever reaches Google, so no IP address transfers and the GDPR problem disappears entirely.

Can I be fined for using Google Fonts in the US?

The Munich ruling is a German civil court decision with no direct force in the US. A US site's real exposure runs through different law, primarily pixel and wiretap statutes like CIPA, not the German font ruling.

Do I need cookie consent for Google Fonts?

A cookie banner alone does not fix this. Google's own FAQ confirms the Fonts API does not set or log cookies at all. The leak happens through the network request itself, before any cookie banner is shown. You need to either self-host or block the request until consent.

Is Google Fonts the only Google tool that risks GDPR?

No. The same IP-transfer pattern applies to other Google-hosted resources loaded the same way. It is one instance of the broader cookie and pixel lawsuits landscape, not an isolated font-specific problem.

How do I know if my website loads Google Fonts from Google's servers?

Open your browser's Network tab and reload the page, filtering for fonts.googleapis.com or fonts.gstatic.com. Any request to those domains confirms your site is still connecting to Google, or use a free Google Fonts checker tool.

Are Google Maps and reCAPTCHA the same risk as Google Fonts?

Yes, the same mechanism applies: loading either one connects a visitor's browser directly to Google and transfers their IP address before consent. reCAPTCHA raises the same GDPR question for the same reason. Confirm whether you also need a cookie policy that discloses these connections alongside your cookie disclosures.

AUTHOR

Riad Us Salehin is the content lead at Dorik. He is a passionate content creator who lets the work speak for itself. Focused on taking brands and causes to the next level.

Read More

Subscribe to Consently
Newsletter

Subscribe to our newsletter to stay updated with latest articles from our blog.

Built with ❤️ by the team @ Dorik.com 

GET IN TOUCH

Any questions? Feel free to chat with us or reach out to us at

For any queries:
support@consently.net

Follow us:


©2026 Dorik, Inc. All rights reserved.