Poppins is a popular open-source typeface distributed via Google Fonts. When loaded from the Google Fonts CDN, visitor IP addresses are transmitted to Google's US servers — a transfer of personal data that German courts have ruled violates GDPR without a lawful basis. The GDPR-compliant solution is to self-host the Poppins font files on your own server, eliminating the Google transfer entirely while maintaining the same visual appearance.
Poppins is a geometric sans-serif typeface designed by Indian Type Foundry and Jonny Pinhorn, published as open-source under the SIL Open Font License. It is one of the most popular fonts on Google Fonts. When web designers reference Poppins via a Google Fonts link tag in HTML, the browser makes a request to Google's CDN servers to download the font files, transmitting the visitor's IP address in the process.
In January 2022, the Landgericht München I (Munich Regional Court) issued a landmark ruling finding that loading Google Fonts via the CDN violates GDPR because it transmits visitor IP addresses to Google's US servers without a lawful basis. The court awarded a symbolic 100 EUR fine to the plaintiff and ordered the website to stop using Google Fonts via CDN. Multiple German data protection authorities have since confirmed that dynamic Google Fonts loading requires either consent or self-hosting as the compliant approach.
Self-hosting Poppins is straightforward and eliminates all Google Fonts GDPR concerns. Download the Poppins font files from Google Fonts or fonts.google.com, host them on your own server or CDN, and reference them in your CSS with @font-face declarations. Tools like google-webfonts-helper (gwfh.mranftl.com) automate this process. Once self-hosted, no data is sent to Google and no GDPR issues arise from font loading.
If self-hosting is not feasible, loading Google Fonts dynamically after explicit consent is an alternative, though it degrades the user experience as the site will display a fallback font until consent is given and the font loads. A cookie consent banner option for fonts specifically is unusual and creates user experience complexity. Self-hosting remains the recommended approach.
Download Poppins font files and host on your own infrastructure. Replace the Google Fonts link tag with @font-face CSS rules pointing to your hosted files. Remove the Google Fonts preconnect link tags. Verify no Google Fonts requests appear in browser developer tools. This single change resolves the GDPR font loading issue entirely.
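A static check to go with the migration steps above, written for this page as an added example (it is not code from Google Fonts or google-webfonts-helper). It scans HTML or CSS source for leftover references to the two Google Fonts hosts; the function name, the sample markup and the `/fonts/poppins-regular.woff2` path are assumptions.

```javascript
// Hosts this page lists as the third-party domains contacted by Google Fonts.
const GOOGLE_FONT_HOSTS = ["fonts.googleapis.com", "fonts.gstatic.com"];

// Return every reference to a Google Fonts host found in HTML or CSS source.
// Matching on the host catches <link href>, preconnect hints, @import and
// url() in @font-face, including protocol-relative (//host/...) URLs.
function findGoogleFontReferences(source) {
  const findings = [];
  source.split(/\r?\n/).forEach((text, index) => {
    for (const host of GOOGLE_FONT_HOSTS) {
      // Require the complete hostname, not a prefix of a longer name.
      const pattern = new RegExp(
        "(?:https?:)?//" + host.replace(/\./g, "\\.") + "(?=[/:\"'?)\\s]|$)", "i");
      if (pattern.test(text)) findings.push({ line: index + 1, host, text: text.trim() });
    }
  });
  return findings;
}

// Constructed sample: the page before migration (Poppins loaded from the CDN).
const BEFORE_HTML = `<head>
  <link rel="preconnect" href="https://fonts.googleapis.com">
  <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
  <link href="https://fonts.googleapis.com/css2?family=Poppins:wght@400;700&display=swap" rel="stylesheet">
</head>`;

// Constructed sample: the page after migration. The /fonts/ path and file name
// are assumptions; point src at wherever the downloaded files are served from.
const AFTER_HTML = `<head>
  <style>
    @font-face {
      font-family: "Poppins";
      font-style: normal;
      font-weight: 400;
      font-display: swap;
      src: url("/fonts/poppins-regular.woff2") format("woff2");
    }
    body { font-family: "Poppins", sans-serif; }
  </style>
</head>`;

console.log(findGoogleFontReferences(BEFORE_HTML)); // three findings, lines 2 to 4
console.log(findGoogleFontReferences(AFTER_HTML));  // empty array
```

A source scan does not see requests added at runtime by third-party scripts, themes or plugins, so the network-tab check in browser developer tools still applies after this passes.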
Websites using Poppins (Google Font) must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is not required for self-hosted Poppins. For CDN-loaded Google Fonts, the German court ruling and data protection authority guidance suggest the transfer is not compliant without consent, making self-hosting the recommended approach.
Sample consent text
This website loads the Poppins font from Google Fonts CDN. Google may process your IP address on US servers when loading this font. Please accept to load the font from Google's servers, or we will use a system font instead.
Third-party domains contacted
fonts.googleapis.com
fonts.gstatic.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| NID | persistent | 6 months | Google NID cookie set when loading fonts from Google Fonts CDN — eliminated by self-hosting Poppins |
According to a January 2022 Munich Regional Court ruling and guidance from German data protection authorities, yes. Loading Google Fonts via the CDN transmits visitor IP addresses to Google's US servers without a lawful basis, violating GDPR.
Self-host the Poppins font files on your own server. Download the font from fonts.google.com or use a tool like google-webfonts-helper, and serve the files from your own domain using @font-face CSS rules.
Technically yes, but it creates a poor user experience as the font will not load until consent is given, causing a font flash. Self-hosting is far simpler and provides the same visual result with no compliance concerns.
No. The font design is an artistic work. GDPR implications arise only from how the font files are delivered, specifically from loading via Google's CDN which transmits IP addresses to Google.
Download font files from fonts.google.com. Add @font-face declarations in your CSS pointing to the hosted files. Remove the Google Fonts link tag and preconnect tags from your HTML. Verify in browser developer tools that no requests go to fonts.googleapis.com or fonts.gstatic.com.
With proper implementation, self-hosted fonts can actually load faster than CDN fonts because they are served from your own server without a cross-origin request. Use font-display: swap in @font-face to ensure text is visible during loading.
No. Once self-hosted, no data is sent to Google. There is nothing to disclose in your privacy policy regarding the font. If you previously disclosed Google Fonts usage, you can remove that entry after self-hosting.
All fonts loaded from the Google Fonts CDN (fonts.googleapis.com) have the same issue. The solution is the same for all: self-host the font files. Popular Google Fonts like Roboto, Inter, Lato, and Open Sans all need to be self-hosted for GDPR compliance.