Just when you think it can't get any more perfidious, you are surprised by the ingenuity of some black hat lawyers.
In the last few days, two law firms (one lawyer with a Düsseldorf address and one from Berlin) have sent several warnings to website operators for not integrating Google Fonts on websites in a way that complies with data protection laws.
In these cease-and-desist letters, clients are represented who feel that their rights regarding data protection have been violated because they have allegedly visited your website and feel that their personal rights have been violated by the forwarding of the IP address to Google via Google Fonts.
Even if you should stay calm at first: These cover letters are unpleasant, especially if you as the recipient are only bombarded with technical details at first. It is already difficult enough for people in the trade to anticipate all the pitfalls that arise from many changes in the law and judgements. Here is a rough explanation of how this wave of warning letters came about:
How can the warning be possible?
Google Fonts are fonts with free software licences that Google makes available in a large directory with over 1400 fonts. (https://fonts.google.com/). By default, Google offers that the fonts you want to use on your website are delivered to your website via their server. This is easy to maintain because it is centralised and fast. Let's say you have a website with the frequently used Google font "Open-Sans".
When a visitor visits your website, your website server reports "Hey, there's actually someone who wants to look at our site. Alert! Google Server, please give me the font "Open Sans" quickly, so that I can show the complete page to the visitor.". In the HTML world, a request looks like this:
<link href="https://fonts.googleapis.com/css2?family=Open+Sans" rel="stylesheet">
How does the "violation of personality" come into play?
To enable communication between different nodes on the internet, each node needs an IP address. This is how the internet is structured in principle.
A visitor to your website has an IP address (e.g. from Telekom) with which she or he surfs around in the history of the world. The computer that runs your website, also called the server, also has an IP address. And the Google computer, i.e. the type server, also has an IP address.
According to a ruling of the European Court of Justice, your IP address, which you use to surf the internet, is part of your personal data and should therefore be specially protected by other participants on the net. In Germany, among other countries, this is regulated by the DSGVO.
Data protectionists argue that the visitor's IP address can leave the EU via this communication and end up in the USA with Google. They could store it and that is not OK without the consent of the visitor.
This is what the lawyers are now referring to.
A member of the "Interessengemeinschaft Datenschutz" has now allegedly visited your website and it happened that the IP address was passed on to Google by delivering the font.
They argue with screenshots of the source file of their website and other evidence. With claims for damages of between 170 and 250 euros, they offer to settle all claims.
The sum of the compensation payments is just so high or low that many recipients would rather pay than go through the stress of finding a lawyer and filing an objection. If you send this out en masse and only a small percentage of those warned pay, the lawyers and the clients in question make a lot of money.
What can be done to prepare for this?
First check whether your website is affected at all with regard to Google Fonts:
https://www.e-recht24.de/google-fonts-scanner
If the check returns an alarm, you should switch off the last node, i.e. Google's font server, by downloading the fonts directly to your website's computer and delivering them to the visitor from there. This is then called "embed Google font locally". There are various possibilities, which vary depending on the website. In WordPress, the plug-in "OMGF"can produce quite useful results. Sometimes, however, you have to get to grips with it manually. Please contact us for a review.
What to do if you have received a warning or a settlement?
Of course, we cannot and must not give legal advice here. But at this point a few food for thought 😉
- Surely no one is going to call up hundreds of thousands of websites on the net, check the source files and take screenshots. So behind this is probably a programme that fishes the websites concerned. This process alone is not permissible. A lawyer can lose his licence if he misuses it.
- If it appears to be a mass warning letter (which you can quickly find out by doing a search), the question arises. Among hundreds of thousands of letters - what is the likelihood that a law firm will bother to sue you exactly if you simply do nothing at all?
- Another point is that Google points out that no IP addresses are logged at all when fonts are delivered. See here https://developers.google.com/fonts/faq.
- If it is allowed to proceed, another interesting aspect is that Google's font servers are located in a so-called CDN (Content Delivery Network). This is a network of mirrored servers so that the data can be retrieved from the nearest node on the internet. And in this case, the nearest server of the CDN would be in Europe. So possibly the IP address of the "client" has never left the borders. This cannot be read from a simple screenshot.
You can also find some more tips at e-recht...
Cases with us and conclusion
We have now rechecked all our client sites that run on our systems and found no websites that reload fonts from the Google server.
Unfortunately, 3 clients whose websites we maintain have reported that they have received letters to this effect, although we had already started to integrate fonts locally in February. Investigations then revealed that there was a WordPress plug-in that caused the fonts to be reloaded. In the meantime, we have fixed this error, but of course something like this is annoying.
Together with one of our clients, we will now take action against this kind of warning. If it is possible, we will keep you updated here on the blog.
One good thing has come out of all this: we are now dealing even more intensively with the topic of the GDPR and can give you further advice in this regard. In addition, I am finally writing newsletters again 🙂
If you have any questions, please do not hesitate to contact us!
