Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Google Fonts is a free font hosting service from Google. When loaded from the Google Fonts CDN, visitor IP addresses are transmitted to Google's US servers — a data transfer ruled unlawful by the Munich Regional Court in January 2022. The solution is simple: download the font files and self-host them on your own server. Self-hosted Google Fonts have zero GDPR implications. Tools like google-webfonts-helper make the download and CSS setup trivial.
Google Fonts is a free library of open-source fonts that can be used on websites either by loading from Google''s CDN or by downloading and self-hosting the font files. The library contains over 1,400 font families including widely-used fonts like Roboto, Open Sans, Lato, Montserrat, Poppins, and Oswald. Fonts loaded from the CDN are served from fonts.googleapis.com (CSS) and fonts.gstatic.com (font files).
On 20 January 2022, the Landgericht München I (Munich Regional Court, case 3 O 17493/20) ruled that a website operator violated GDPR by dynamically loading Google Fonts from the CDN. The court found that transmitting the visitor''s IP address to Google''s US servers without a lawful basis constituted unlawful processing. The court awarded 100 EUR in damages to the plaintiff and ordered the website to stop dynamic Google Fonts loading. This ruling established a clear precedent applicable across Germany and influenced DPA guidance in other EU member states.
Self-hosting Google Fonts is simple and completely resolves the GDPR issue: download the font files from fonts.google.com or use google-webfonts-helper (gwfh.mranftl.com) which generates the complete @font-face CSS and provides a zip of the font files. Host the files on your own server or CDN. Replace the Google Fonts link tags with @font-face CSS declarations. Verify in browser developer tools that no requests go to fonts.googleapis.com or fonts.gstatic.com.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Beyond GDPR compliance, self-hosting fonts often improves page load performance by eliminating cross-origin DNS lookups and TLS handshakes to Google''s servers. Combine with font-display: swap, woff2 format, and preload hints for optimal loading. Self-hosting is both the compliant and the performant choice.
Download font files and host on your own server. Replace link tags pointing to fonts.googleapis.com with self-hosted @font-face CSS. Remove preconnect tags for Google Fonts CDN. Verify no Google Fonts CDN requests in browser developer tools. This single action resolves the GDPR font issue entirely with no ongoing maintenance.
Websites using Google Fonts must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is not required for self-hosted Google Fonts. For CDN-loaded Google Fonts, the Munich court ruling indicates non-compliance without consent — self-hosting is the recommended resolution.
Sample consent text
This website loads fonts from Google Fonts CDN. Google may process your IP address on US servers when loading these fonts. Accept functional cookies to load Google Fonts, or the website will use system fonts instead.
Third-party domains contacted
fonts.googleapis.comfonts.gstatic.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| NID | persistent | 6 months | Google NID cookie set when loading fonts from Google Fonts CDN — eliminated by self-hosting fonts |
Google Fonts is an essential service, but transparency matters. Manage all your consent with FlowConsent.
No, according to the January 2022 Munich Regional Court ruling and multiple German DPA guidance documents. Loading Google Fonts from the CDN transmits visitor IP addresses to Google's US servers without a lawful basis. Self-hosting is the compliant solution.
The Landgericht München I ruled on 20 January 2022 (case 3 O 17493/20) that dynamically loading Google Fonts from Google's CDN violates GDPR. The court found that the IP address transmission constituted unlawful personal data transfer and awarded 100 EUR in damages. The ruling has prompted tens of thousands of European websites to switch to self-hosted fonts.
1) Visit google-webfonts-helper.herokuapp.com, select your fonts and weights, download the zip file, 2) Upload font files to your server (e.g. /fonts/ directory), 3) Copy the generated @font-face CSS into your stylesheet, 4) Remove the Google Fonts link tags and preconnect tags from your HTML, 5) Verify no requests to fonts.googleapis.com or fonts.gstatic.com in browser developer tools.
Self-hosted fonts typically load faster or equally to CDN fonts because they eliminate cross-origin DNS lookup and TLS handshake to Google's servers. Use woff2 format (best compression), font-display: swap (prevents invisible text during load), and rel=preload for critical fonts. The performance argument for using the CDN is largely a myth.
CDN-loaded Google Fonts do not set cookies but do transmit IP addresses to Google. The GDPR issue is the IP address transfer to Google's US servers, not cookie placement. Self-hosted fonts have zero data transmission to Google.
Technically, loading Google Fonts after functional consent is given makes it compliant. However, this creates a poor UX (fonts flash or don't load until consent) and is operationally complex. Self-hosting is far simpler and provides the same visual result.
The Munich ruling is a German court decision but reflects GDPR principles applicable across the EU. German DPAs have issued guidance consistent with the ruling. French (CNIL), Dutch (AP), and Austrian (DSB) guidance on third-party font CDNs reaches similar conclusions. Self-hosting is recommended regardless of jurisdiction.
Yes. Any font loaded from a third-party CDN that logs IP addresses creates a similar GDPR issue: Adobe Fonts (Typekit), Font Awesome CDN, Bunny Fonts (privacy-focused EU alternative), and others. Bunny Fonts provides a drop-in Google Fonts replacement without IP logging as a CDN alternative. Self-hosting remains the cleanest solution.