The Munich Regional Court ruled on January 20, 2022 that the integration of fonts via Google servers is not in compliance with data protection laws (link to the ruling, news article on the ruling).
Why not load Google Fonts on the website from Google's servers?
When Google Fonts are loaded from Google servers, the IP address of the website visitor is transmitted to the Google server. The IP address counts as personal data. Before this data is passed on to third parties, the user's consent is required.
After the judgment of the Munich Regional Court (LG München) of 20.01.2022, there have already been warnings from page operators (see the golem.de article of 09.08.2022).
Solution 1: Obtain consent from the user
Before the Google Fonts are loaded, a so-called consent dialog (a selection dialog for agreeing or disagreeing with the data transfer) is displayed. If the visitor agrees, the Google Fonts can be loaded from the Google URL. However, if consent is not given, the fonts must not be loaded.
Important: The Google URLs must never be loaded before consent has been given. This is often done wrong when integrating the consent dialog!
The problem with this solution is that when consent is refused, the font is not available and the website is displayed to the visitor in the default font (the corporate identity is lost!). Since there is a better solution (see Solution 2), I do not recommend disturbing visitors with dialogs.
Solution 2: Serve Google Fonts from the website itself (load locally)
Google offers the Google Fonts for download and allows them to be placed on the website's own web hosting server.
How to do this yourself
Step 1: Use google-webfonts-helper to download the fonts you want to use on your website.
Step 2: If you use a WordPress theme, you have to make the theme stop using the styles that reference the Google URLs. Some themes or page builders have an option for this. If this is not the case, it must be done programmatically.
How this works in the Genesis Sample Theme is explained here.
Step 3: The fonts downloaded in step 1 and the style that embeds the fonts are placed in a folder on the web hosting server.
Step 4: The style (.css file) is included in the theme.
Done! The Google Fonts now load from the website's own address and no longer via Google. In this respect, the page is GDPR (DSGVO) compliant again.
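To confirm the result of steps 1 to 4 (and to catch the mistake noted under Solution 1, where Google URLs are already in the page before consent), the delivered HTML and the theme's CSS can be scanned for references to fonts.googleapis.com and fonts.gstatic.com. The following Python check is an added example, not part of the original article; the function names, sample markup and file paths are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hosts that serve Google Fonts stylesheets and font files.
GOOGLE_FONT_HOSTS = {"fonts.googleapis.com", "fonts.gstatic.com"}
# Matches url(...) and @import "..." references inside CSS text.
CSS_REF = re.compile(r"""url\(\s*['"]?([^'")\s]+)|@import\s+['"]([^'"]+)""", re.I)

def is_google_font_url(url):
    """True for absolute or protocol-relative URLs on a Google Fonts host."""
    return (urlsplit(url.strip()).hostname or "") in GOOGLE_FONT_HOSTS

def css_refs(css):
    """Google Fonts URLs referenced from CSS text via url(...) or @import."""
    return [a or b for a, b in CSS_REF.findall(css) if is_google_font_url(a or b)]

class FontAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings, self._in_style = [], False  # findings: (location, url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # <link> covers stylesheet, preload and preconnect; all contact the host.
        url = attrs.get("href" if tag == "link" else "src") or ""
        if tag in ("link", "script") and is_google_font_url(url):
            self.findings.append((f"<{tag}>", url))
        self._in_style = tag == "style"

    def handle_endtag(self, tag):
        self._in_style = False

    def handle_data(self, data):
        if self._in_style:  # inline <style> blocks can @import Google CSS
            self.findings += [("<style>", u) for u in css_refs(data)]

def audit(html, stylesheets=None):
    """Scan page HTML plus a {filename: css_text} dict of theme stylesheets."""
    parser = FontAudit()
    parser.feed(html)
    parser.close()
    css = [(n, u) for n, text in (stylesheets or {}).items() for u in css_refs(text)]
    return parser.findings + css

# Constructed sample markup: a theme before and after steps 1 to 4.
BEFORE = '<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Roboto">' \
         '<style>@import url("//fonts.googleapis.com/css?family=Lato");</style>'
AFTER = '<link rel="stylesheet" href="/wp-content/themes/sample/fonts/fonts.css">'
AFTER_CSS = {"fonts.css": "@font-face{font-family:Roboto;src:url('roboto.woff2')}"}
```

`audit(BEFORE)` reports both Google references, while `audit(AFTER, AFTER_CSS)` returns an empty list. This is a static scan, so requests that a plugin or script adds at runtime still need to be checked in the browser's network tab.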