We zitten in een publieke testfase — kijk gerust rond, maar bestellen kan nog niet. Bestellen kan vanaf 1 oktober 2026.
Blog / Your Fonts Are Snitching on Your Visitors

Your Fonts Are Snitching on Your Visitors

A German court fined a website for loading Google Fonts. Most sites still do it. Here's what actually happens when a page loads a font from a US CDN, and why we decided our stack would never do that.

Article

Overview

A practical look at how legitimate email infrastructure can be abused, why it slips past normal expectations, and what SMEs can do to reduce backscatter and inbox noise.

In January 2022, a Munich court ordered a website owner to pay €100 in damages because their site loaded a font from Google's servers. One hundred euros. Barely worth the paperwork. But the reasoning behind it should make anyone running a European website sit up. The court found that shipping a visitor's IP address to Google, which is what happens automatically every time a page requests a font from fonts.googleapis.com, was a GDPR violation. The visitor never agreed to it.

The font didn't matter. The IP address did.

What a font request actually contains

When your page includes a stylesheet from a font CDN, the visitor's browser opens a connection to that CDN before your content renders. That request carries the visitor's IP address, their browser fingerprint via the user-agent string, and a referer header telling the CDN exactly which page they were reading. It happens for every visitor, on every page load, whether or not you have a cookie banner, and whether or not they clicked "reject all".

Cookie banners have trained everyone to think of tracking as something you can decline. But a font request isn't a cookie. There's nothing to decline. The data has left the building before the banner even paints.

Google has said it doesn't use Fonts data for profiling, and maybe that's true. It's also beside the point. The legal question isn't what the recipient promises to do with the data — it's whether you had a lawful basis for sending it at all. The Munich ruling said no. And since the request goes to a US company, you're also in transfer-mechanism territory, which post-Schrems II is a place nobody enjoys being.

The fix is almost embarrassingly simple

Download the font files. Put them on your own server. Serve them from your own domain.

That's it. That's the whole fix. Fonts are static files; there is nothing about them that needs a CDN run by an advertising company. The performance argument for shared font CDNs died years ago anyway — browsers stopped sharing cached fonts across sites in 2020 (cache partitioning, look it up), so the "your visitor probably already has it cached" story hasn't been true for six years.

We did this for veldhost.eu itself. Two variable-weight WOFF2 files, self-hosted, preloaded in the page head. Total cost: about 90 kilobytes served from infrastructure we already run, and one less third party in the privacy policy. If you check the network tab on our site, you won't find a single request leaving for a font, an analytics script, or a tag manager. The page you're reading came from one origin.

Where else the same leak hides

Fonts are the classic example because of the court case, but the pattern repeats:

  • Icon libraries loaded from cdnjs or unpkg
  • JavaScript frameworks pulled from a CDN "for convenience"
  • Embedded maps and videos that phone home on page load rather than on click
  • Avatar services that fetch profile images from a third party by email hash

Each one is a pre-consent connection to a server you don't control, carrying data you're responsible for. Most of them can be self-hosted in an afternoon.

Does anyone actually get fined for this?

Rarely, and the amounts are small — that's the honest answer. If you're making a pure risk-calculation, a Google Fonts embed probably never costs you real money. German websites did see a wave of copycat demand letters after the Munich ruling, which was mostly opportunists — but the fact that the letters worked at all tells you where the law stands.

We'd argue the better reason isn't the fine. If your privacy policy says you respect your visitors and then your homepage ships their IP to three ad-tech companies to render a headline, the policy is fiction. Making it true is mostly a matter of downloading some files.

If you host with us, the platform side of this is already handled — no fonts, scripts or images on our infrastructure ever load from a US CDN. What you put inside your own pages is up to you. But now you know what to look for in the network tab.