Severity: critical · Category: Privacy & Compliance

Google Fonts CDN Loaded Without Consent (Schrems II Risk)

Google Fonts are loaded from US-based CDNs without user consent, risking GDPR violations and legal claims.

By Seoxpert Editorial · Published

Why it matters

Loading Google Fonts from external CDNs transfers visitor IP addresses to the US, which is considered a personal data transfer under GDPR. Recent court rulings in Germany have resulted in fines for sites using Google Fonts without explicit user consent. Non-compliance can lead to legal claims and reputational damage.

Impact

Failure to address this issue can result in GDPR violations, legal penalties, and mass claims from EU visitors.

How it's detected

The crawler checks for requests to fonts.googleapis.com or fonts.gstatic.com before user consent is given.
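A static check of the same kind, as an added example (this is not Seoxpert's crawler code): it scans page HTML or CSS source for references to the two Google Fonts hosts in the three forms the issue describes, `<link href>`, `@import`, and `url()` inside `@font-face`. The sample page is constructed for the example; the base origin `example.invalid` is a placeholder used only so that local paths resolve to a non-Google host.

```javascript
// Added example: static scan of HTML/CSS for Google Fonts CDN references.
const GOOGLE_FONT_HOSTS = ["fonts.googleapis.com", "fonts.gstatic.com"];

// Resolve a possibly relative or protocol-relative URL and return its hostname,
// or null if it cannot be parsed. The base is a placeholder origin: local paths
// such as /fonts/roboto.css resolve to it and are therefore never flagged.
function hostOf(url) {
  try {
    return new URL(url, "https://example.invalid/").hostname;
  } catch {
    return null;
  }
}

function findGoogleFontReferences(source) {
  const findings = [];
  const importSpans = []; // character ranges already reported as @import
  const record = (kind, url) => {
    const host = hostOf(url);
    if (host && GOOGLE_FONT_HOSTS.includes(host)) findings.push({ kind, url, host });
  };

  // <link ... href="..."> in HTML
  for (const m of source.matchAll(/<link\b[^>]*\bhref\s*=\s*["']([^"']+)["'][^>]*>/gi)) {
    record("link", m[1]);
  }
  // @import "..." or @import url(...) in CSS
  for (const m of source.matchAll(/@import\s+(?:url\(\s*)?["']?([^"')\s]+)["']?\s*\)?/gi)) {
    importSpans.push([m.index, m.index + m[0].length]);
    record("import", m[1]);
  }
  // url(...) tokens, e.g. @font-face src pointing at fonts.gstatic.com
  for (const m of source.matchAll(/url\(\s*["']?([^"')\s]+)["']?\s*\)/gi)) {
    // Skip url() tokens that belong to an @import already recorded above.
    if (importSpans.some(([s, e]) => m.index >= s && m.index < e)) continue;
    record("url", m[1]);
  }
  return findings;
}

// Constructed sample page: one offending <link>, one compliant self-hosted <link>,
// an @import pointing at the CDN, and two @font-face rules (one external, one local).
const SAMPLE_PAGE = `<!doctype html>
<head>
  <link href="https://fonts.googleapis.com/css?family=Roboto&display=swap" rel="stylesheet">
  <link href="/fonts/roboto.css" rel="stylesheet">
  <style>
    @import url("//fonts.googleapis.com/css2?family=Open+Sans");
    @font-face { font-family: Lato; src: url(https://fonts.gstatic.com/s/constructed/lato.woff2) format("woff2"); }
    @font-face { font-family: Roboto; src: url(/fonts/roboto-regular.woff2) format("woff2"); }
  </style>
</head>`;

const sampleFindings = findGoogleFontReferences(SAMPLE_PAGE);
console.log(JSON.stringify(sampleFindings, null, 2)); // three findings: link, import, url
```

Run it over the raw HTML and over every stylesheet the page pulls in; anything it reports is a request that will be issued before the visitor has had a chance to consent.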

Common causes

  • Using @import or <link> to the Google Fonts CDN in CSS/HTML without gating on consent
  • Relying on third-party themes or plugins that load Google Fonts externally
  • Lack of awareness about GDPR implications of external font loading
  • Not self-hosting required font files

How to fix it

Download the required Google Fonts files and host them locally on your server. Replace all @import or <link> references to fonts.googleapis.com or fonts.gstatic.com with local paths. Tools like google-webfonts-helper.herokuapp.com can assist in downloading and generating the necessary CSS. Alternatively, only load Google Fonts from the CDN after explicit user consent via your consent management platform (CMP), though self-hosting is the recommended approach.
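The consent-gated alternative mentioned above, together with a post-fix check, as an added example (not Seoxpert's code and not a CMP's API): the CDN stylesheet is appended only once the visitor has opted in, while the self-hosted stylesheet already in the markup stays the default. The consent object shape `{ fonts: true }` is a placeholder for whatever your CMP exposes, and the small document stand-in exists only so the logic runs outside a browser; the Resource Timing entries at the end are constructed.

```javascript
// Added example: consent-gated loading of the Google Fonts CDN plus a runtime check.
const GOOGLE_FONT_HOSTS = ["fonts.googleapis.com", "fonts.gstatic.com"];
const CDN_STYLESHEET = "https://fonts.googleapis.com/css?family=Roboto&display=swap";

// Minimal stand-in for `document` (head + createElement) so the loader is testable
// without a browser. In production pass the real `document`.
function createFakeDocument() {
  const head = { children: [], appendChild(el) { this.children.push(el); } };
  return { head, createElement: (tag) => ({ tagName: tag.toUpperCase() }) };
}

// Append the CDN <link> only after the visitor has opted in. Without consent the
// page keeps using the self-hosted /fonts/roboto.css already in the markup, so no
// request to Google is triggered. Returns true only when the CDN link was added.
function loadGoogleFontsIfConsented(consent, doc) {
  if (!consent || consent.fonts !== true) return false;            // placeholder CMP shape
  if (doc.head.children.some((el) => el.href === CDN_STYLESHEET)) return false; // already loaded
  const link = doc.createElement("link");
  link.rel = "stylesheet";
  link.href = CDN_STYLESHEET;
  doc.head.appendChild(link);
  return true;
}

// Post-fix verification: given Resource Timing entries (in a real browser,
// performance.getEntriesByType("resource")), list the URLs that went to a Google
// Fonts host. An empty result before consent means nothing slipped through,
// e.g. via a theme or plugin that still references the CDN.
function externalFontRequests(entries) {
  return entries
    .map((e) => e.name)
    .filter((name) => {
      try { return GOOGLE_FONT_HOSTS.includes(new URL(name).hostname); }
      catch { return false; }
    });
}

// Walk-through with the stand-in document and constructed timing entries.
const doc = createFakeDocument();
const beforeConsent = loadGoogleFontsIfConsented({ fonts: false }, doc); // false: nothing appended
const afterConsent = loadGoogleFontsIfConsented({ fonts: true }, doc);   // true: one <link> added
const leaked = externalFontRequests([
  { name: "https://example.invalid/fonts/roboto.css" },
  { name: "https://example.invalid/fonts/roboto-regular.woff2" },
  { name: "https://fonts.gstatic.com/s/constructed/roboto.woff2" },
]);
console.log({ beforeConsent, afterConsent, leaked }); // leaked lists only the gstatic URL
```

In a browser, call `loadGoogleFontsIfConsented(consentState, document)` from the CMP's consent-change callback, and run `externalFontRequests(performance.getEntriesByType("resource"))` in the console before consenting to confirm that no font request left for the Google hosts.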

Code examples

Problem: Loading Google Fonts from CDN without consent

<link href="https://fonts.googleapis.com/css?family=Roboto&display=swap" rel="stylesheet">

Fix: Self-hosting Google Fonts locally

<link href="/fonts/roboto.css" rel="stylesheet">

FAQ

Why is loading Google Fonts from the CDN a GDPR risk?

Because it transfers visitor IP addresses to US-based servers, which is considered a personal data transfer under GDPR.

Is gating Google Fonts behind consent enough to comply with GDPR?

Gating may help, but self-hosting is the safest option as it eliminates external data transfer entirely.

How do I self-host Google Fonts?

Download the font files and CSS using a tool like google-webfonts-helper, upload them to your server, and update your site to use the local files.

Do I need to self-host if my users are outside the EU?

GDPR applies to EU visitors. If your site is accessible in the EU, you should comply regardless of your location.
