20.10.2022

Caution: trap

Warning letters regarding Google Fonts

Just when you think it can't get any more perfidious, you are surprised by the ingenuity of some black hat lawyers.

In the last few days, two law firms (one lawyer with a Düsseldorf address and one from Berlin) have sent several warnings to website operators for not integrating Google Fonts on websites in a way that complies with data protection laws.

In these warnings, the lawyers represent clients who feel that their data protection rights have been violated: they allegedly visited your website, and their privacy rights were violated by the forwarding of their IP address to Google via Google Fonts.

Even though you should stay calm at first, these letters are unpleasant, especially if you as the recipient are initially just bombarded with technical details. It is already difficult enough for people in the trade to anticipate all the pitfalls that arise from the many changes in laws and court rulings. Here is a rough explanation of how this wave of warning letters came about:

How can the warning be possible?

Google Fonts are fonts with free software licences that Google makes available in a large directory with over 1400 fonts (https://fonts.google.com/). By default, Google offers to deliver the fonts you want to use on your website from its own servers. This is easy to maintain, because it is centralised and fast. Let's assume you have a website that uses the popular Google font "Open Sans".

When a visitor visits your website, your website server reports "Hey, there is actually someone who wants to look at our page. Alert! Google server, please quickly give me the font "Open Sans" so that I can show the complete page to the visitor". In the HTML world, a request looks like this:

<link href="https://fonts.googleapis.com/css2?family=Open+Sans" rel="stylesheet">

How does the "violation of personality rights" come into play?

To enable communication between different nodes on the internet, each node needs an IP address. This is how the internet is structured in principle.

A visitor to your website has an IP address (e.g. from Telekom) with which she or he surfs around the internet. The computer that runs your website, also called the server, also has an IP address. And the Google computer, i.e. the font server, also has an IP address.

According to a ruling of the European Court of Justice, the IP address you use to surf the internet is part of your personal data and should therefore be specially protected by other participants on the net. In Germany, among other countries, this is regulated by the GDPR (DSGVO).

Data protection advocates argue that the visitor's IP address can leave the EU via this communication and end up in the USA with Google. Google could store it, and that is not OK without the consent of the visitor.

This is what the lawyers are now referring to.

A member of the "Interessengemeinschaft Datenschutz" has now allegedly visited your website and it happened that the IP address was passed on to Google by delivering the font.

They back this up with screenshots of the source file of your website and other evidence. They offer to settle all claims for a damages payment of between 170 and 250 euros.

The amount of the compensation payment is set just high, or low, enough that many recipients would rather pay than go through the stress of finding a lawyer and filing an objection. If you send this out en masse and only a small percentage of those warned pay, the lawyers and the clients in question make a lot of money.

What can be done to prepare for this?

First check whether your website is affected at all with regard to Google Fonts:

https://www.e-recht24.de/google-fonts-scanner

If the check raises an alarm, you should eliminate the last node, i.e. Google's font server, by downloading the fonts directly to the computer that runs your website and delivering them to the visitor from there. This is called "integrating Google Fonts locally". There are various ways to do this, which vary depending on the website. In WordPress, the plug-in "OMGF" delivers quite usable results. Sometimes, however, you have to tackle the whole thing manually. Please contact us for a review.
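A minimal static version of this check, added here as an example (it is not code from this blog or from the scanner linked above): it lists every place where a page's delivered HTML makes the visitor's browser contact Google's font hosts. The function names and the sample page are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Stylesheet host and font-file host used by Google Fonts.
GOOGLE_FONT_HOSTS = {"fonts.googleapis.com", "fonts.gstatic.com"}
# URLs inside CSS text: url(...) and @import "...".
CSS_URL = re.compile(r"""url\(\s*['"]?([^'")\s]+)|@import\s+['"]([^'"]+)""", re.I)
# Constructed sample page (not taken from a real site).
SAMPLE_PAGE = """<head><link rel="preconnect" href="https://fonts.gstatic.com">
<link href="https://fonts.googleapis.com/css2?family=Open+Sans" rel="stylesheet">
<link href="/fonts/open-sans.css" rel="stylesheet">
<style>@import url('//fonts.googleapis.com/css?family=Roboto');</style></head>
<body><a href="https://fonts.google.com/">font directory</a></body>"""


def is_google_font_url(url):
    # urlparse also handles protocol-relative URLs (//host/path).
    return urlparse(url.strip()).hostname in GOOGLE_FONT_HOSTS


class FontRefFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hits, self._in_style = [], False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        self._in_style = tag == "style"
        if tag in ("link", "script"):  # tags that make the browser fetch a URL
            for name in ("href", "src"):
                if is_google_font_url(attrs.get(name) or ""):
                    self.hits.append((f"<{tag} {name}>", attrs[name]))

    def handle_endtag(self, tag):
        self._in_style = False

    def handle_data(self, data):
        # Only the text of an inline <style> element is scanned as CSS.
        for match in CSS_URL.finditer(data if self._in_style else ""):
            url = match.group(1) or match.group(2)
            if is_google_font_url(url):
                self.hits.append(("<style> block", url))


def find_google_font_refs(html):
    finder = FontRefFinder()
    finder.feed(html)
    finder.close()
    return finder.hits
```

This only sees references present in the HTML itself. Fonts pulled in by an external stylesheet or by JavaScript at runtime have to be confirmed in the browser's network log.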

What to do if you have received a warning or a settlement?

Of course, we cannot and must not give legal advice here. But at this point, some food for thought 😉

  1. Surely no one is going to call up hundreds of thousands of websites on the net, check the source files and take screenshots. So behind this is probably a programme that fishes out the websites concerned. This process alone is not permissible. A lawyer can lose his licence for such misuse.
  2. If it appears to be a mass warning letter (which you can quickly find out by doing a search), the question arises: among hundreds of thousands of letters, what is the likelihood that a law firm will bother to sue you in particular if you simply do nothing at all?
  3. Another point is that Google points out that no IP addresses are logged at all when fonts are delivered. See here https://developers.google.com/fonts/faq.
  4. If it does come to proceedings, another interesting aspect would certainly be that Google's font servers sit in a so-called CDN (Content Delivery Network). This is a network of mirrored servers, so that data is always retrieved from the nearest node on the internet. In this case, the nearest server of the CDN would be in Europe. So the IP address of the "client" may never have left the borders. This cannot be read from a simple screenshot.

You can also find some more tips at e-recht...

Cases with us and conclusion

We have now rechecked all our client sites that run on our systems and found no websites that reload fonts from the Google server.

Unfortunately, 3 clients whose websites we maintain have reported that they have received letters to this effect, although we had already started to integrate fonts locally in February. Investigations then revealed that there was a WordPress plug-in that caused the fonts to be reloaded. In the meantime, we have fixed this error, but of course something like this is annoying.

Together with one of our clients, we will now take action against this kind of warning. If it is possible, we will keep you updated here on the blog.

One good thing has come out of all this: we are now dealing even more intensively with the topic of the GDPR and can give you further advice in this regard. In addition, I am finally writing newsletters again 🙂

If you have any questions, please do not hesitate to contact us!
