Get rich or die trying – with Google Fonts

​​published on 24 January 2023 | reading time approx. 3 minutes

New business models find few friends if third parties are subsequently asked to pay for no apparent reason. All the greater is the joy when such actions backfire. For example, legal requests for payment due to the incorrect integration of Google Fonts on websites took a surprising turn at the end of 2022.

In January 2022, the Munich Regional Court awarded a plaintiff 100 euros in damages because, when he visited the defendant's website, certain content used there (here: Google font files) was not provided by the defendant's server, but was reloaded by the plaintiff's browser from a third party's server. 

This may constitute a privacy infringement: By transmitting the plaintiff's IP address to the third party at the initiative of the defendant (through the latter's configuration of its website), the third party (Google) may receive personal data of the plaintiff without legal justification. In any case, the technical solution is to provide Google fonts or other content from the website operator's own server.

After isolated private individuals pointed out misconfigured websites to various website operators in May and June 2022 and demanded damages of 100 euros each, citing the judgement, some actors " professionalized" the situation at the beginning of the second half of the year. 

One Berlin lawyer in particular sent out demands for payment on a large scale, claiming damages of 170 euros each for his client, who was always the same. The client had had to realize when calling up the respective website that his IP address had been transmitted to Google when Google Fonts were reloaded and demanded payment to prevent civil litigation.

At the beginning of November 2022, the Berlin Bar Association referred to several tens of thousands of such letters by means of a press release and asked for understanding that it would not provide information in response to requests as to whether and which professional supervisory measures it had taken against the lawyer.

On 21 December 2022, the Berlin Public Prosecutor's Office informed the press about searches at the offices of the two defendants - the busy lawyer and his client. They are accused of (partly attempted) fraud and (partly attempted) extortion in more than 2,400 cases. At the same time, assets amounting to almost 350,000 euros were confiscated.

The prosecution accuses the suspects of using software to identify websites that used Google Fonts. With another software, the website visits of the client, who is also accused, are said to have been automated, i.e. faked. The logged website visits were allegedly the basis for the allegation of data protection violations and the assertion of claims for damages, which could allegedly have been averted by the payment.

The defendants had thus misled about the fact that a person - and not actually a software - had visited the websites. In the absence of a person acting, there was also no violation of personal rights, especially not of the client. In addition, the visits had been made deliberately in order to trigger the transmission of the IP addresses, so that the transmission of the IP addresses had in fact been consented to and there was no longer a data protection violation that could be subject to a warning and claim for damages.

The public prosecutor's office is still busy evaluating the evidence collected, and the criminal prosecution of this mass business will take some time.

Despite any gloating: Website operators should check whether their own websites are configured in a data protection-compliant manner - and whether any warnings, perhaps from other persons or for other reasons, may be justified.