Google Font API is a free web typography service by Google that delivers over 1,400 open-source font families via a global CDN. Each font request transmits the visitor's IP address to Google servers in the United States, raising GDPR and ePrivacy obligations. A 2022 German court ruling established that loading Google Fonts without consent violates GDPR. Website owners can achieve compliance by self-hosting fonts locally or loading them only after obtaining explicit user consent.
Google Font API is a free web typography service operated by Google LLC that provides access to over 1,400 open-source font families via a global content delivery network. Website developers include a single stylesheet link pointing to fonts.googleapis.com, and the browser fetches the actual font files from fonts.gstatic.com. The service supports variable fonts, font subsetting, and display optimisation parameters that minimise layout shifts and improve page performance. Its ease of integration has made it one of the most widely deployed third-party resources on the web, present on hundreds of millions of websites worldwide.
Google Font API does not set browser cookies. However, every font request transmits technical metadata to Google servers: the visitor IP address, the requested font family and weight, the browser user-agent string, the HTTP referrer (page URL), and a request timestamp. Under GDPR, IP addresses constitute personal data because they can be used to identify individuals. Google states that IP addresses are not permanently stored, but the transmission itself is sufficient to trigger data protection obligations under European law, as the European Court of Justice has consistently held that transient processing of personal data falls within the scope of GDPR.
In January 2022, the Landgericht Munich I (case ref. 3 O 17493/20) ruled that embedding Google Fonts without consent violated GDPR Article 6, because it caused an unnecessary transfer of the visitor IP address to Google in the United States. The court awarded EUR 100 in non-material damages. This ruling has become a reference point for data protection authorities across Europe. Under the German TTDSG, loading any third-party resource that transmits identifying data requires either consent or a strictly necessary exemption. Several EU supervisory authorities have issued similar guidance, making compliance essential for any website with European visitors.
Consent must be obtained before the browser makes any request to fonts.googleapis.com or fonts.gstatic.com. Both the stylesheet request and the font file download must be blocked until the visitor actively accepts via a consent management platform. The simplest compliant approach is to define a system font stack as a CSS fallback and only swap in Google Fonts after consent is granted. Relying on legitimate interest is legally risky following the Munich ruling. Consent must be freely given, specific, informed, and unambiguous in accordance with GDPR Article 7.
Every Google Fonts request is routed to Google infrastructure in the United States. Google relies on Standard Contractual Clauses under the EU-US Data Privacy Framework to legitimise these transfers. However, the adequacy of SCCs for Google services is subject to ongoing scrutiny by national supervisory authorities, and several EU data protection authorities have found certain Google transfers unlawful. Website owners who want complete certainty over data residency should self-host fonts, which eliminates the third-party request entirely and removes the transfer risk.
Option 1 is self-hosting: download font files, host them on your own server, and serve them without any request to Google. Option 2 is consent-gated loading: block all requests to fonts.googleapis.com and fonts.gstatic.com by default, define a system font fallback, and inject the font stylesheet only after the user grants consent. Option 3 is to replace Google Fonts with a privacy-respecting CDN such as Bunny Fonts, which replicates the same catalogue without logging IP addresses. Whichever approach you choose, update your cookie policy and privacy notice to accurately reflect your font loading strategy.
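The consent-gated loading described above (Option 2) can be sketched as follows. This is an added example, not code from Google or from any consent platform; the font URL, the element id and the `consentchange` event with its `detail.fonts` flag are assumptions standing in for whatever your CMP exposes.

```javascript
// Added example. FONT_CSS_URL, LINK_ID and the "consentchange" event are
// hypothetical; substitute the values and callback your CMP provides.
const FONT_CSS_URL =
  "https://fonts.googleapis.com/css2?family=Roboto:wght@400;700&display=swap";
const LINK_ID = "consent-gated-fonts";

// Adds or removes the Google Fonts stylesheet to match the consent state.
// Returns true when the stylesheet link is present after the call.
function applyFontConsent(doc, consentGranted) {
  const existing = doc.getElementById(LINK_ID);
  if (!consentGranted) {
    // No consent, or consent withdrawn: drop the reference to Google.
    if (existing) existing.remove();
    return false;
  }
  if (existing) return true; // already injected, do not add a second link
  const link = doc.createElement("link");
  link.id = LINK_ID;
  link.rel = "stylesheet";
  link.href = FONT_CSS_URL;
  doc.head.appendChild(link);
  return true;
}

// Browser wiring. Static HTML must contain no <link> to either Google host.
// The page's CSS should name a system stack after the web font, e.g.
//   body { font-family: "Roboto", system-ui, sans-serif; }
// so text renders before consent and swaps once the stylesheet is injected.
if (typeof document !== "undefined") {
  applyFontConsent(document, false); // default: nothing is requested
  window.addEventListener("consentchange", (event) => {
    applyFontConsent(document, Boolean(event.detail && event.detail.fonts));
  });
}
```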
Websites using Google Font API must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA should evaluate: (1) the necessity of the US data transfer given that self-hosting is a readily available alternative, (2) lawfulness of legitimate interest vs. consent following the LG Munich 2022 ruling, (3) TTDSG implications for German visitors, (4) whether Standard Contractual Clauses adequately protect EU resident data.
Sample consent text
I agree to web fonts being loaded from Google servers. This transfers my IP address to the United States. I can withdraw consent at any time via the cookie settings.
Third-party domains contacted
fonts.googleapis.com
fonts.gstatic.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| No cookies | none | n/a | Google Fonts does not set cookies on the visitor's browser. The privacy concern is the connection to fonts.googleapis.com and fonts.gstatic.com, which transmits the IP address to Google in the United States. The Munich court ruling of January 2022 considers this a personal data transfer that requires consent or a self-hosted alternative. |
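To confirm that a page makes no unconditional connection to the two hosts listed above, the HTML and CSS it ships can be audited for static references. The following is an added example, not part of the original page; the function name and the sample markup are constructed for illustration. It also flags `preconnect` and `dns-prefetch` hints, which contact the host before any font is requested.

```javascript
// Added example: static audit of HTML/CSS source for references to the two
// Google Fonts hosts. SAMPLE_PAGE is constructed input, not real site markup.
const GOOGLE_FONT_HOSTS = ["fonts.googleapis.com", "fonts.gstatic.com"];

// Returns one finding per reference: { line, host, kind, url }.
function findGoogleFontReferences(source) {
  const findings = [];
  // Absolute or protocol-relative URL, read up to a quote, bracket or space.
  const urlPattern = /(?:https?:)?\/\/([a-z0-9.-]+)[^\s"'()<>]*/gi;
  source.split(/\r?\n/).forEach((text, index) => {
    for (const match of text.matchAll(urlPattern)) {
      const host = match[1].toLowerCase();
      // Exact host match, so look-alike hosts are not misreported.
      if (!GOOGLE_FONT_HOSTS.includes(host)) continue;
      let kind = "other";
      if (/rel\s*=\s*["']?(preconnect|dns-prefetch)/i.test(text)) {
        kind = "resource-hint"; // opens a connection before any font loads
      } else if (/@import/i.test(text)) {
        kind = "css-import";
      } else if (/<link\b/i.test(text)) {
        kind = "stylesheet-link";
      } else if (/url\(/i.test(text)) {
        kind = "font-face-url";
      }
      findings.push({ line: index + 1, host, kind, url: match[0] });
    }
  });
  return findings;
}

// Constructed sample: two static references in the head, one CSS import,
// and one self-hosted @font-face rule that must not be flagged.
const SAMPLE_PAGE = [
  '<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>',
  '<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Inter&display=swap">',
  "<style>",
  "@import url('//fonts.googleapis.com/css?family=Roboto');",
  "@font-face { font-family: Inter; src: url(/fonts/inter.woff2) format('woff2'); }",
  "</style>",
].join("\n");

for (const f of findGoogleFontReferences(SAMPLE_PAGE)) {
  console.log(`line ${f.line}: ${f.kind} -> ${f.host}`);
}
```

An empty result on the served HTML and every stylesheet it references means no static reference remains; references added by scripts at runtime are outside what this check sees.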
Google Fonts does not set cookies directly. However, when your website loads fonts from Google's servers, the visitor's IP address and browser information are transmitted to Google. This constitutes personal data processing under the GDPR, even without cookies.
Yes. According to the GDPR and the 2022 Munich Regional Court ruling, loading Google Fonts via an external CDN without consent is unlawful. You must either obtain prior consent through a CMP or self-host the fonts on your own server.
When fonts are loaded from Google's CDN, the visitor's IP address, browser user-agent, and referrer URL are sent to Google's servers in the United States. IP addresses are considered personal data under the GDPR, making this a reportable data processing activity.
Yes. Google servers hosting the Font API are located in the United States. This constitutes an international data transfer subject to Chapter V of the GDPR. Google relies on Standard Contractual Clauses and its Data Processing Addendum to legitimise these transfers, but supplementary measures should be assessed.
In January 2022, the Munich Regional Court (LG München I, Az. 3 O 17493/20) ruled that embedding Google Fonts via an external CDN without consent violates the GDPR by disclosing visitor IP addresses to Google in the US. The court awarded EUR 100 in damages and required the operator to self-host fonts or obtain consent.
The safest approach is to download the font files and self-host them on your own domain. This eliminates the data transfer to Google entirely. Alternatively, you can load Google Fonts only after obtaining valid user consent through a compliant CMP, blocking the external request until consent is given.
Yes. Bunny Fonts (bunny.net/fonts) is a GDPR-compliant alternative hosted in the EU that mirrors the Google Fonts library without sending data to Google. You can also use system fonts or self-hosted open-source fonts from sources like Font Squirrel, eliminating any third-party data transfer.
Yes. Even though Google Fonts does not set cookies, your privacy policy must disclose the processing of IP addresses and the transfer of data to the United States. List Google Font API as a third-party service, describe the data transmitted, the legal basis used, and the safeguards applied to US transfers.