Petteri Pyyny
31 Jan 2022 16:34
German regional court just dropped a total bombshell of a ruling today. Court decided that the way how virtually all modern websites function, is actually illegal under the European Union GDPR legislation.
And all this over a 100 euro fee.
Behind all the madness is a court case against an unnamed German website, a lawsuit filed by a single person. And because the website used a specific font.
The website had embedded the Google Webfont to its pages directly from Google Fonts' servers - just like appx. 50 million other sites do.
But how the Internet works, this also meant that the user's browser not only downloaded the website requested, but also the font needed to show the page as intended. And while the user had obviously given the permission to hand out his/her IP address to the website in order to be able to use it in the first place, he/she didn't give the consent to connect to Google servers (in order to get the font).
His browser - as it should - contacted the Google server in the background in order to get the font for the website. And obviously, any connection through the 'net will also reveal the users IP address. And according to the user, he/she had not given explicit permission to do that.
And court agreed.
According to the court, the website in question could have had the font stored locally on its own servers and thus, to avoid the connection to Google servers. And also, according to the ruling, now Google got the users IP address and can potentially do unholy things with it, like build a profile of the user.
Surely, Google's font library can be self-hosted, but it typically isn't, as loading it off Google's servers allows users browsers to find the very same font in cache more often, as different sites tend to use the same fonts (and cache is detected by the entire domain URL address of the font file).
But the ruling also effectively bans all kinds of embedding (without the user's explicit consent): whether it is YouTube videos embedded to news articles or to use CDN-hosted jQuery libraries on your website. Oh, obviously Instagram embeds and stuff like Google Analytics are banned, too.
Few weeks earlier an Austrian court ruled Google Analytics illegal in Europe.