In 2022, a warning letter from a Berlin lawyer on the subject of “Google Fonts” caused great irritation among website operators. This letter even prompted some of them to pay an ominous settlement sum.
Find out here about the latest developments in this case, which is now being prosecuted.
✓ Everything you need to know about the wave of warnings.
✓ What you should know about Google Fonts.
✓ Information on the known facts.
✓ What you can do now.
Suspected fraud and attempted extortion in Google Fonts warning letter
Attempted warning fraud and attempted blackmail – Berlin lawyer Kilian Lenard and his client Martin I. will probably soon be accused of this in court. On behalf of the Berlin public prosecutor’s office, search warrants were executed in Berlin, Hanover, Ratzeburg and Baden-Baden. The background to this is the wave of warnings carried out by the lawyer, which in 2022 mainly hit private individuals and small traders.
The ominous Google Fonts warning letter
In a letter in which the lawyer Kilian Lenard referred to a court ruling from January 2022 (case no. 3 O 17493/20), he accused those affected of having violated applicable data protection law. The alleged infringement concerned the use of Google Fonts on the websites of the respective “defendants”, where the fonts were loaded from an external server: with this form of Google Fonts usage, the site operators were said to violate the “general right of personality” of his client. The site operators were asked to cease and desist and to pay a settlement sum.
What are "Google Fonts" and what is the problem with using them?
Google Fonts are fonts provided by Google, which are stored in a directory on its servers for free use. In order to display the fonts as required, they are loaded directly from the Google servers in the browser of the website visitor. However, the user’s IP address must be transmitted so that the Google fonts can be displayed at all.
The catch with this approach – and this was also confirmed by the aforementioned court ruling from January 2022 – is that the consent of the website visitor must always be obtained BEFORE any data is transmitted to a server. The site visitor gives this consent at the earliest when he or she agrees to or accepts the data protection settings of the site. This means that, in addition to cookies etc., no externally integrated Google fonts may be loaded before consent is given, as this would mean that the IP address of the site visitor would be passed on without their consent.
As the IP/Internet Protocol address is actually a personal data record that may only be queried or transmitted with the consent of the person concerned, a website operator is in breach of the law if it transmits this to a server without consent. The above-mentioned court ruling could therefore be repeatable, as nothing has changed since then with regard to the characteristic “personal”. However, before there would be any legal consequences for the website operators concerned, the respective cases would first have to be dealt with in court.
What is "personal" data?
According to European law and the German Federal Data Protection Act (BDSG), personal data provides information about the natural person to whom it relates. With such data, a person does not remain completely anonymous, because the data can be traced back to a person. At this point, natural persons have absolute sovereignty over their data.
So is the Google Fonts warning justified?
As just described, it is indeed a data protection violation if website operators transmit personal data to an external server without being asked. However, whether the actions of Mr. Kilian and the other actors are legal is obviously questionable. From a “layman’s” point of view, this approach feels extremely dubious and somehow wrong, hostile – even malicious. If the allegations of the Berlin public prosecutor’s office prove to be true, we are talking about “at least 2,418 cases” of “attempted (in some cases) warning fraud and (attempted) extortion” (source: https://www.berlin.de/generalstaatsanwaltschaft/). In addition, the parties involved have thus obtained several hundred thousand euros – provided the “victims” have paid the settlement sum of 170 euros offered in the letter.
The presentation of evidence of the infringements was deliberately provoked
In particular, the type of “evidence” of the warned data protection violations will play a major role in any proceedings in this case. Mr. Kilian and his client deliberately visited the websites of the respective site operators in order to recreate / depict a possible data protection violation and document it visually. “Unaware” is certainly defined differently in the legal sense, isn’t it? “Unaware” implies – in our understanding – a certain “ignorance” in their actions. However, the actions of the “plaintiffs” in the context of these warning letters seem quite calculated and deliberate.
Furthermore, Mr. I. merely commissioned these letters; Mr. Kilian names IG Datenschutz – an interest group that strives to ensure compliance with data protection laws and appears here as a “natural person” whose personal rights have been violated – as the client/clients and thus the injured party.
What we can say from an agency perspective
In addition to the data protection-compliant design of a website, it is equally important to create functioning online presences that provide site visitors with a positive user experience.
For display reasons, it is disadvantageous from a user experience perspective if fonts are only loaded under certain conditions. In order to comply with data protection – without provoking disadvantages in the display – the fonts can be integrated “locally”. In this way, a website operator avoids the need to communicate with an external server.
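One way to verify that a page no longer contacts Google's servers for fonts once they are integrated locally, as an added example that is not part of the original article. It assumes the font-serving hosts `fonts.googleapis.com` and `fonts.gstatic.com`; `site.example`, the function name and the sample page are constructed for illustration.

```javascript
// Added example: list references to Google's font hosts in HTML/CSS source.
const GOOGLE_FONT_HOSTS = new Set(["fonts.googleapis.com", "fonts.gstatic.com"]);

const REFERENCE_PATTERNS = [
  /\b(?:href|src)\s*=\s*["']([^"']+)["']/gi,     // <link href=...>, <script src=...>
  /@import\s+(?:url\(\s*)?["']?([^"')\s;]+)/gi,   // @import "..." or @import url(...)
  /url\(\s*["']?([^"')\s]+)["']?\s*\)/gi,         // @font-face src: url(...)
];

// pageUrl is an assumed base for resolving relative and protocol-relative URLs.
function findGoogleFontLoads(source, pageUrl = "https://site.example/") {
  const seen = new Set();
  const findings = [];
  for (const pattern of REFERENCE_PATTERNS) {
    for (const match of source.matchAll(pattern)) {
      let host;
      try {
        host = new URL(match[1], pageUrl).hostname.toLowerCase();
      } catch {
        continue; // not a parseable URL, so nothing is fetched from it
      }
      if (!GOOGLE_FONT_HOSTS.has(host)) continue;
      const line = source.slice(0, match.index).split("\n").length;
      const key = `${line}:${match[1]}`;
      if (seen.has(key)) continue; // @import url(...) matches two patterns
      seen.add(key);
      findings.push({ line, host, url: match[1] });
    }
  }
  return findings.sort((a, b) => a.line - b.line);
}

// Constructed sample page: a preconnect hint and two stylesheet loads that
// reach Google, plus one self-hosted @font-face that must not be flagged.
const samplePage = `<!doctype html>
<html><head>
<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
<link rel="stylesheet" href="//fonts.googleapis.com/css2?family=Roboto">
<style>
@import url('https://fonts.googleapis.com/css?family=Lato');
@font-face { font-family: "Inter"; src: url("/fonts/inter.woff2") format("woff2"); }
</style>
</head><body></body></html>`;

for (const f of findGoogleFontLoads(samplePage)) {
  console.log(`line ${f.line}: ${f.host} <- ${f.url}`);
}
```

The preconnect hint is reported as well, because the browser opens a connection to that host, and with it reveals the visitor's IP address, even before any font file is requested.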
Of course, we are also against the unsolicited disclosure of personal data or other unfair behavior in this area. As an agency, we are well aware that a lot of fraud has been perpetrated in this area in the past. Last but not least, the GDPR, which came into force in 2018, will contribute to stricter penalties for data protection violations. We know the limits of our knowledge at this point and always recommend that our customers consult a lawyer in legal matters. Of course, we provide technical support at all times.
Do you use the Google Fonts directory on your site? And if so, do you ask about the transmission of the IP address in the data protection consent?
If you have any questions about Google Fonts, please contact us. We will integrate the required fonts for you locally on your site.
☞ Short two-fact check on the Google Fonts issue
1. Are the lawyer, Mr. Kilian, and his co-actors guilty? And what does the raid on the lawyer’s offices tell us?
So far, only the accusation of the Berlin public prosecutor’s office against Mr. Kilian and his client is known (fraud & extortion). This allegation in turn justifies the police search of the offices. Whether he or Mr. I. are guilty must be decided in court.
2. Is the lawyer therefore wrong in his accusations against the site operators, and has he wrongly accused them?
Unfortunately not. The respective person must consent to the transfer of personal data (such as the IP address) on the network. If this is not the case, the controller is in breach of applicable law.
Do you have any questions? We look forward to getting in touch with you! Give us a call or use our inquiry form.