Your Fonts Are Snitching on Your Visitors
A German court fined a website for loading Google Fonts. Most sites still do it. Here's what actually happens when a page loads a font from a US CDN, and why we decided our stack would never do that.
A German court fined a website for loading Google Fonts. Most sites still do it. Here's what actually happens when a page loads a font from a US CDN, and why we decided our stack would never do that.
A practical look at how legitimate email infrastructure can be abused, why it slips past normal expectations, and what SMEs can do to reduce backscatter and inbox noise.
In January 2022, a Munich court ordered a website owner to pay €100 in damages because their site loaded a font from Google's servers. One hundred euros. Barely worth the paperwork. But the reasoning behind it should make anyone running a European website sit up. The court found that shipping a visitor's IP address to Google, which is what happens automatically every time a page requests a font from fonts.googleapis.com, was a GDPR violation. The visitor never agreed to it.
The font didn't matter. The IP address did.
When your page includes a stylesheet from a font CDN, the visitor's browser opens a connection to that CDN before your content renders. That request carries the visitor's IP address, their browser fingerprint via the user-agent string, and a referer header telling the CDN exactly which page they were reading. It happens for every visitor, on every page load, whether or not you have a cookie banner, and whether or not they clicked "reject all".
Cookie banners have trained everyone to think of tracking as something you can decline. But a font request isn't a cookie. There's nothing to decline. The data has left the building before the banner even paints.
Google has said it doesn't use Fonts data for profiling, and maybe that's true. It's also beside the point. The legal question isn't what the recipient promises to do with the data — it's whether you had a lawful basis for sending it at all. The Munich ruling said no. And since the request goes to a US company, you're also in transfer-mechanism territory, which post-Schrems II is a place nobody enjoys being.
Download the font files. Put them on your own server. Serve them from your own domain.
That's it. That's the whole fix. Fonts are static files; there is nothing about them that needs a CDN run by an advertising company. The performance argument for shared font CDNs died years ago anyway — browsers stopped sharing cached fonts across sites in 2020 (cache partitioning, look it up), so the "your visitor probably already has it cached" story hasn't been true for six years.
We did this for veldhost.eu itself. Two variable-weight WOFF2 files, self-hosted, preloaded in the page head. Total cost: about 90 kilobytes served from infrastructure we already run, and one less third party in the privacy policy. If you check the network tab on our site, you won't find a single request leaving for a font, an analytics script, or a tag manager. The page you're reading came from one origin.
Fonts are the classic example because of the court case, but the pattern repeats:
Each one is a pre-consent connection to a server you don't control, carrying data you're responsible for. Most of them can be self-hosted in an afternoon.
Rarely, and the amounts are small — that's the honest answer. If you're making a pure risk-calculation, a Google Fonts embed probably never costs you real money. German websites did see a wave of copycat demand letters after the Munich ruling, which was mostly opportunists — but the fact that the letters worked at all tells you where the law stands.
We'd argue the better reason isn't the fine. If your privacy policy says you respect your visitors and then your homepage ships their IP to three ad-tech companies to render a headline, the policy is fiction. Making it true is mostly a matter of downloading some files.
If you host with us, the platform side of this is already handled — no fonts, scripts or images on our infrastructure ever load from a US CDN. What you put inside your own pages is up to you. But now you know what to look for in the network tab.