A Munich, Germany court has fined a website owner for transferring a user’s personal data (IP address) to Google via the Google Fonts library without the individual’s consent.
The court said the unauthorized disclosure of personal data violates the user’s privacy rights.
As per GDPR, anything that narrows down to an individual including IP addresses, advertising IDs, cookies, and location data is considered to be a PII.
Any business collecting this data needs to notify users and get their consent for collecting the same.
Google would also need to guarantee that they don’t track/store/use this data, which the court recognizes that they do. Google would also have to have the explicit consent of the user to do so.
The ruling reads like this:
Dynamic IP addresses represent personal data for the operator of a website because, in the abstract, he has the legal means that could reasonably be used to, with the help of third parties, namely the competent authority and the Internet access provider, identify the person concerned based on the stored IP – to have addresses determined
Google Fonts is a library of fonts many developers use in websites and Android apps.
Since all IPs, including dynamically assigned ones, can be traced back to a real person in Germany, an IP address is considered personal data.
Because of the GDPR violation, the website was ordered to stop embedding the font library. The court additionally urged the company running the website to disclose the kind of personal data that is being processed.