Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Fonts.com is the consumer brand of Monotype Imaging for high quality professional typography served as web fonts. It hosts thousands of typefaces including Helvetica, Frutiger, Univers, Avenir, Centaur, Sabon, Neue Haas Grotesk and FF DIN. Designers embed the fonts on their website with a JavaScript snippet (mtiFontTrackingCode.js) or a CSS link to fast.fonts.net. Each page view that requests a font transmits the visitor IP to Monotype servers, which raises the same kind of GDPR concern as Google Fonts in the famous Bonn Regional Court case.
Fonts.com is the consumer brand of Monotype Imaging Inc., one of the largest type foundries in the world. The service exposes Monotype catalogue typefaces (Helvetica, Frutiger, Univers, Avenir, Sabon, Neue Haas Grotesk, FF DIN, Centaur and many more) for licensed use as web fonts. Designers create projects on fonts.com, copy the resulting snippet, paste a script tag that loads mtiFontTrackingCode.js or a CSS link that fetches the @font-face declarations from fast.fonts.net, and the typeface renders on the website.
Fonts.com tracks usage to honour the page view licensing model. The mtiFontTrackingCode.js script fires a beacon request on every page view, transmitting the project key, the visitor IP, User-Agent, referrer and the requested font families. The CSS only variant transmits the same information without the beacon. The service does not store marketing cookies, but a session identifier may be set on .fonts.net for cache control and abuse detection.
Loading a font from a third party server transmits the visitor IP address to the provider. The Bonn Regional Court ruling on Google Fonts of 20 January 2022 confirmed that this transmission requires a clear legal basis or prior consent. Although the ruling targeted Google, its reasoning applies equally to Fonts.com, Adobe Fonts and any other US hosted web font service. Strict consent is the safer route in Germany, France and Spain.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Monotype Imaging Inc. is a US company certified under the EU-US Data Privacy Framework. The Monotype DPA, available for enterprise customers, includes Standard Contractual Clauses for jurisdictions outside the framework. Fonts.com runs on AWS infrastructure mostly in US regions, with Akamai edge nodes for delivery.
For European websites, the prudent approach is to gather opt-in consent before requesting Fonts.com files, or to self-host the typefaces in the @font-face format after acquiring the appropriate Monotype self-hosting licence. Legitimate interest can be argued for design critical typography, but the lack of user benefit makes the balance hard to defend.
Negotiate a self-hosting Monotype licence, download the WOFF2 files, host them on your own EU origin or an EU CDN, write your own @font-face CSS declarations, and remove the call to mtiFontTrackingCode.js. Where Fonts.com must remain hosted by Monotype, integrate the script tag and the CSS link into the Consent Management Platform so they only fire after explicit opt-in, and add a system font fallback to keep the layout readable when consent is refused.
Websites using Fonts.com (Monotype Web Fonts) must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is rarely needed for typography alone. A focused transfer impact assessment on Monotype Imaging Inc. is recommended, documenting the data exchanged (IP, User-Agent, referrer, font family), the EU-US Data Privacy Framework certification, the option to self-host the font files and the relevant Monotype enterprise DPA.
Sample consent text
This website uses Fonts.com web fonts from Monotype. When your browser loads a font, your IP address, User-Agent and the page URL are transmitted to Monotype servers in the United States under the EU-US Data Privacy Framework. By clicking Accept, you authorise this transfer. You can also Reject and the website will fall back to a system font installed on your device.
Third-party domains contacted
fonts.comfast.fonts.netfonts.netmonotype.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| mti_session | HTTP cookie | Session | Session identifier set on .fonts.net for cache control and abuse detection. |
| monotype_unique_id | HTTP cookie | 1 year | Tracks unique users for the page view based licensing model. |
Fonts.com (Monotype Web Fonts) is an essential service, but transparency matters. Manage all your consent with FlowConsent.
Fonts.com primarily sets a session identifier on .fonts.net for cache control and may set monotype_unique_id (1 year) for the page view based licensing model. The main privacy impact is the transmission of the visitor IP to Monotype on every page load, not the cookies themselves.
Yes, the safer path for European websites is to gather opt-in consent before requesting Fonts.com files, given the Bonn Google Fonts ruling logic. Self-hosting the WOFF2 files after a Monotype self-hosting licence avoids the consent question entirely.
Consent under Article 6(1)(a) GDPR is the safer route. Legitimate interest under Article 6(1)(f) is hard to defend because the user gets no specific benefit from the transfer of their IP.
Yes. Monotype Imaging Inc. is a US company, operates Fonts.com on AWS US regions and is certified under the EU-US Data Privacy Framework. Self-hosting the fonts on an EU server eliminates the transfer.
No, typography alone does not justify a full DPIA. A short transfer impact assessment focused on Monotype is enough.
Negotiate a Monotype self-hosting licence, download the WOFF2 files, host them on your EU origin or EU CDN, write your own @font-face declarations and remove the mtiFontTrackingCode.js script. If self-hosting is not possible, integrate the script and CSS link into the Consent Management Platform with a system font fallback.
For free EU friendly fonts: Google Fonts self-hosted, Bunny Fonts (EU mirror of Google Fonts), Fontsource, the European Web Type Initiative. For paid alternatives: Adobe Fonts (similar privacy profile), MyFonts (Monotype subsidiary), self-hosting from a foundry such as Klim, Production Type, Typotheque, Schick Toikka.
List Monotype Imaging Inc. as a processor, describe the IP and User-Agent transmission, mention the EU-US Data Privacy Framework, link to the Monotype privacy policy and explain the optional self-hosting alternative.