Website operators in Germany are currently receiving warnings and letters with claims for damages if they use Google services such as Google Fonts (without consent) on their website. In these letters, website operators are requested to make immediate payments and to submit a cease-and-desist declaration with a penalty clause.
Have you also received such a letter? Then first take a deep breath, take a step back and think carefully about what you are doing. Panicking, paying immediately and issuing a cease-and-desist declaration straight away is usually not a good idea!
In the following article, we explain in detail why warnings about Google Fonts and Co. are circulating right now, show you on the basis of letters we have what exactly is being asked for and whether the warnings are justified at all, and give you tips on how you should handle your case.
Why are warnings issued for the use of Google services on websites?
If you want to use Google services such as Google Fonts, Google Analytics, Google Tag Manager, Google Ads, Google reCAPTCHA and many more on your website, you usually need consent from your website visitors. You can obtain such consent via consent management solutions (also known as cookie banners) such as Real Cookie Banner.
In the EU, you cannot simply embed Google services, for three reasons at once:
- Processing of personal data: Art. 6 GDPR requires that you have a legal basis to process personal data. Your website visitor’s IP address is usually also considered as personal data. It must necessarily be transmitted when a request is made to a server, e.g. to download fonts from Google Fonts. In the vast majority of cases, only informed consent comes into question as a legal basis. Website operators often argue that they have a legitimate interest in e.g. integrating Google Fonts into their website, but courts have denied this point of view. Since you, as the website operator, trigger Google’s processing of personal data when you embed Google Fonts into your website, for example, you need to take care of consent.
- Data transfer to unsafe third countries: Art. 46 GDPR requires that personal data may only be transferred to third countries – where the GDPR does not apply – if, in our case, Google can provide appropriate data protection safeguards and your website visitors have enforceable rights and effective remedies. Google’s parent company is a US company, and data of your website visitors is also processed by Google in the US. At the same time, in case C-311/18 (Schrems II), the ECJ judged that these conditions are not met in the US for EU citizens. As a result, data transfers to the USA are prohibited in principle for the time being! Website operators try to help themselves by obtaining special consents from their website visitors according to Art. 49 (1) lit. a GDPR by informing the visitors about the dangers of the data transfer. Whether these consents are legally valid depends on the specific use of the service and cannot be answered in a general way. In general, however, if you want to use services from the USA, such as those from Google, you should always obtain this special consent. With this, you at least show your will to do everything correctly.
- Cookies: The ePrivacy Directive stipulates that technically non-essential cookies and cookie-like information may only be read/written after the prior consent of the website visitor (see Recital 66 of Directive 2009/136/EG). Many Google services, such as Google Analytics, work with cookies to track your website visitors in the best possible way, among other things. Therefore, you cannot avoid obtaining consent for most Google services.
Let’s summarize: You need consent for personal data processing, US data transfer and usually also for cookies if you want to use Google services on your website. In addition, the consent must meet some legal requirements, which from experience not every (free) cookie banner meets. So, you should pay attention when choosing the right tool!
Judgement LG Munich (AZ 3 O 17493/20) encourages issuing a warning
You use Google services without or with insufficient consent on your website? Then there is definitely a need for action here! But maybe you have already had this violation on your website for several years and are wondering why you have just now received a warning or a letter with claims for damages.
The Regional Court (Landgericht; LG) of Munich ruled in AZ 3 O 17493/20 (German) in January 2022 that the use of Google Fonts is only permissible with the consent of the website visitor. The piquant thing about the decision is that the plaintiff was granted €100 in damages for the transmission of his IP address to Google Fonts.
However, according to the newsletter from RA Dr. Schwenke (German), the legal situation is less clear than reporting on the ruling implies. It was unclear whether a compensation of €100 for pain and suffering was not too high (compare the explanations of Mauß Datenschutz (German) on the assessment of claims for damages according to GDPR). In addition, the ruling did not clarify whether the very low risk of intelligence activities through the transmission of the IP address as a result of accessing an ordinary website was taken into account. This would have to be clarified by higher instances such as the OLG or the BGH (German courts).
Regardless of this, the ruling currently encourages people to send warning letters and letters with claims for damages to website operators if they use Google Fonts or other Google services on their website (without consent).
Who sends the warning letters and what is requested?
Receiving a warning letter is not a positive thing at first. However, a warning letter is a great German legal construct, because it makes it possible to achieve a cost-effective out-of-court settlement instead of immediately entering into expensive legal proceedings in court. Typically, warning letters are sent out in the field of competition law. For example, online store A sends a warning to online store B because B has taken an unfair and unlawful advantage. The aim is therefore to find an out-of-court solution so that both online stores have an equal chance of winning customers.
It’s a different story with Google service warnings on websites. So far, from Real Cookie Banner users, we have only seen warnings or letters with claims for damages from private individuals. So far, these act in their own name and without a lawyer. Especially active seem to be Nikolaos Ioannidis (location unknown) and Loris Bachert (from Heidelberg with sender mailbox in Mosbach).
The letters, which our customers have received, have so far always been sent by email. In the letters, different claims are made, which can be divided into the following categories:
- Compensation: The website operator is requested to remove, for example, Google Fonts from his website and to transfer compensation of, for example, €100 to the bank account of the sender of the email for the data protection violation already committed.
- Punishable cease-and-desist declarations: The website operator is requested to remove e.g. Google Fonts from his website and to send the sender of the email a cease-and-desist declaration by postal mail, in which he promises never again to commit data protection violations with Google services on his website. If he violates this requirement, he agrees to pay a penalty of, for example, €3,000 per data protection violation to the sender of the email.
If you, as the recipient of the warning, do not comply with the demand within the time limit set, the issuer of the warning could file a lawsuit against you. It should be noted that the plaintiff (as well as the defendant) is exposed to a high risk of legal costs. Considering that the people issuing the warnings are private individuals (without a lawyer) who send such emails to a large number of website operators, and that the legal situation has not been clarified by the highest courts, they would expose themselves to a high financial risk. Therefore, we believe that in many cases no action will be taken if you do not comply with the claims of the issuer of the warning.
Instead of filing a lawsuit, the issuer of the warning could also report the data protection violation to the data protection authority responsible for you. In this case, they would not incur any risk of legal costs, but would also not be able to gain any financial advantage. However, in our experience, there is not much to fear here either. The primary goal of the authorities is to put an end to the data protection breach. You will usually be asked to do this by mail. In most cases, a fine will only be imposed if you do not comply with the request in due time.
Is the warning notice justified?
You’re faced with a cease-and-desist letter claiming you’ve committed a privacy violation. Whether or not you already use a consent management tool like Real Cookie Banner, you should now check whether the allegation is true in your case, because the issuer of the warning has – in the cases we have seen – mainly a financial interest in making this claim.
Does a data protection infringement exist at all on the warned websites?
First of all, you should technically check whether, for example, Google Fonts is embedded on your website at all before consent is given. In our article “How do I find all services (cookies) on my website?” we explained to you step-by-step how to check if embeddings from external sources (in the example Google Fonts Server) take place on your website. This check should be sufficient and there is no need to check cookies if the warning party bases its claim on the transmission of the IP address and not on the setting of cookies.
💡 Good to know: Warned users of Real Cookie Banner PRO are welcome to open a support ticket, and we will check, free of charge and without obligation, whether the claim from the warning is technically traceable for us.
We have repeatedly had to conclude that, from our point of view, there has been no data protection violation by Real Cookie Banner users who have been warned. Some of the warning letters presumably rely on a static HTML analysis in order to generate the claims automatically. This does not take into account that the content blocker of Real Cookie Banner prevents, for example, the integration of Google Fonts until consent is obtained.
Dear warning guys: Please check correctly – then send out warnings. A static HTML analysis is technically an extremely unfavorable approach. Because, in this case, the IP address is not even transmitted to Google (this only happens through the rendering in the browser) 😉
Is the evidence used in the warning letters correct?
Let’s assume that there really is a data protection violation on your website. This does not necessarily mean that the warning will be upheld, because the warning party must correctly demonstrate or prove the legal violation.
In the warnings we have received, the following information could only be found incompletely or not at all:
- Concrete URL on which the data protection violation was found
- Exact time of the data protection breach
- IP address of the caller (maybe he was never on the website, which should be checked in logs 😉)
- Concrete URL or HTML that triggered the unauthorized data transfer
- Screenshots/logs of the network traffic and copy of the complete HTML delivered etc. that documents the state of the website at the time of the call
- Address of the warning party (in some cases no summonable postal address was given in the warning letter and on the specifically linked website of the warning party 500 errors were output, no HTTPS was used, no privacy policy and no legal notice – required in Germany – was provided, etc. That seemed to us a bit dubious… 🤦)
- Address of the sender hidden behind a P.O. Box (legally speaking, a not summonable address, with which a possible negative declaratory action of the warned against the issuer of the warning could not be delivered)
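The log check mentioned in the list above (claimed URL, time and caller IP address compared against your own server logs), as an added example that is not part of the original article: it assumes an Apache/nginx "combined" access log; the sample log lines, paths and IP addresses are constructed, and `anon_prefix` is a hypothetical parameter for logs that store truncated IP addresses.

```python
import re
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Apache/nginx "combined" access log format (assumption; adapt to your server).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+(?: "[^"]*" "(?P<ua>[^"]*)")?'
)

def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["time"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return entry

def ip_matches(logged, claimed, anon_prefix=None):
    """Exact IP comparison, or same-network comparison if logs are truncated."""
    if claimed is None:          # the letter names no IP: do not filter on it
        return True
    try:
        if anon_prefix is None:
            return ip_address(logged) == ip_address(claimed)
        return ip_address(claimed) in ip_network(f"{logged}/{anon_prefix}", strict=False)
    except ValueError:           # logged host or claimed value is not an IP literal
        return False

def find_claimed_visit(lines, path, when, claimed_ip=None,
                       tolerance=timedelta(minutes=30), anon_prefix=None):
    """Return parsed entries that fit the URL path, time window and IP of a claim."""
    hits = []
    for line in lines:
        e = parse_line(line)
        if e is None or e["path"].split("?", 1)[0] != path:
            continue
        if abs(e["time"] - when) <= tolerance and ip_matches(e["ip"], claimed_ip, anon_prefix):
            hits.append(e)
    return hits

# Constructed sample log (documentation IP ranges, invented paths and times).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Oct/2022:14:03:11 +0200] "GET /kontakt/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [12/Oct/2022:14:05:40 +0200] "GET /kontakt/?ref=x HTTP/1.1" 200 5123 "-" "python-requests/2.28"',
    '198.51.100.23 - - [12/Oct/2022:19:45:02 +0200] "GET /impressum/ HTTP/1.1" 200 2210 "-" "python-requests/2.28"',
]
CLAIM_TIME = datetime(2022, 10, 12, 14, 0, tzinfo=timezone(timedelta(hours=2)))

if __name__ == "__main__":
    # The user agent shows what kind of client fetched the page at that time.
    for e in find_claimed_visit(SAMPLE_LOG, "/kontakt/", CLAIM_TIME, "198.51.100.23"):
        print(e["ip"], e["time"].isoformat(), e["status"], e["ua"])
```

An empty result for the URL, time and IP address named in a letter means your logs do not show the claimed visit; keep the relevant log excerpt unchanged in case you need it later.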
In addition, some statements in the letters are obviously contradictory or misleading. For example, one warning letter claims to offer the opportunity to “turn off the data protection violation itself and without […] legal consequences” (translated quote), while at the same time urging the submission of a cease-and-desist declaration with a penalty (legal consequence).
Can a warning be issued at all and damages claimed?
Assuming that you commit the data protection violation for which you have been warned and that the evidence provided by the warning party is correct, there is another question that needs to be clarified: Can you be warned at all?
According to Art. 79 GDPR, “[w]ithout prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority pursuant to Article 77, each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation”. It can be deduced from this that GDPR infringements may be subject to warnings. However, there are a variety of other legal provisions that restrict the right and make the legal situation complex. A list of proceedings by IT-Recht Kanzlei München (German) shows that courts decide in all directions or leave the question open in proceedings. In the following, however, we assume for simplification that private individuals may issue warnings for the unlawful integration of Google services on websites.
Are the warnings abusive in law?
According to the Händlerbund, Datenschutz Notizen, Mauß Datenschutz and other sources, the warning letters against the integration of Google services on websites are currently being sent out en masse. Furthermore, in a warning letter we have received, a warning party claims that it had developed software that called up the website automatically in order to generate the letter to website operators.
First of all, it is important to bear in mind that, according to Art. 1 (1) of the GDPR in conjunction with recital 14, the GDPR applies to natural persons – but not to bots. So if the person issuing the warning did not call up the website himself, but a bot (software developed by the person issuing the warning), the question could be asked whether personal data was transmitted to Google at all. The internet access and thus also the IP address of the sender are likely to be those of the person issuing the warning, but it was not he who made the specific request to the Google servers.
Much more relevant, however, is the mass (automatic) dispatch of the letters. This leads to the assumption that the warning party could see the sending of the letters as a business model in order to generate additional income. It is questionable whether damages can be awarded if the damage was caused knowingly and with the aim of enriching oneself. Mauß Datenschutz states that in German law, according to § 254 para. 1 BGB, the warning party would have to accept at least contributory negligence, whereby according to § 254 para. 2 BGB a reduction in damages would have to be taken into account.
The LG Munich has in AZ 3 O 17493/20 justified the damages as follows (translated quote):
“The […] interference with the general right of personality is, with regard to the plaintiff’s loss of control over a personal data to Google, a company that is known to collect data about its users, and the individual discomfort felt by the plaintiff as a result, so significant that a claim for damages is justified.”
Accordingly, whoever sends a personalized mass letter should not be able to claim damages either, because the data was not transferred to Google Fonts unknowingly and against the will of the person concerned (loss of control). Instead, the warning party has actively attempted to cause the damage by (automatically) calling up masses of websites in the hope of finding websites that generate the damage (compare OLG Frankfurt Az. 6 U 101/14; referring to a company rather than a private individual as the warning party).
Assessment of the situation: Keep a cool head!
We have explained in this article that Google services such as Google Fonts can generally only be integrated into websites with informed consent. Whether services from U.S. service providers may still be used at all with special consent can neither be answered in general nor conclusively. A judgment of the LG Munich from January 2022 entitled the plaintiff to €100 in damages for a website call-up because of the use of Google Fonts, which motivates other people to write warnings and letters with claims for damages. In particular, however, it is disputed whether the high damages were justified.
Letters with claims against website operators known to us are sent by private individuals without a lawyer. They demand damages and/or the submission of a cease-and-desist declaration with a penalty clause (with expensive contractual penalties in the event of further infringements). Due to the high risk of litigation costs and the not entirely clear legal situation, we assume that in many cases these private individuals will not file a lawsuit. In the case of an alternative possible notification of the website operators to data protection authorities, the first thing to expect is a request to remedy the data protection violation and fines only if this request is not complied with.
In some cases, warnings known to us were issued even though we were unable to verify any data protection violation on the website, as the technical checks performed by those issuing warnings were sometimes very sloppy. In our opinion, the evidence in most of the warnings we received was also open to attack. Since the warnings are presumably currently being sent en masse and automatically, they could also constitute an abuse of rights, in which case only reduced damages or none at all should be due.
What should you do if you have received a warning?
First and foremost, keep a cool head and under no circumstances pay immediately or even immediately submit the punishable cease-and-desist declaration! The warning letters currently in circulation because of the use of Google Fonts and other Google services on websites should be viewed critically. Many warnings offer a target for mitigation or complete defense. In some cases, there is no data protection violation at all, even though this is claimed by the warning letter.
You should check your individual case carefully now! Our general advice from this article will help you to get your own first impression of your case. From our point of view, it is justifiable in some cases not to react at all, not to pay the requested damages and not to sign a cease-and-desist declaration. Due to the manageable procedural costs in the event of legal proceedings, even a negative outcome of the proceedings can be tolerated. In the end, however, it is a business consideration in each individual case.
You should do the following in any case if you have received a warning because of the use of Google services:
- Try to determine technically whether the data protection violation really exists. If yes, stop it promptly, for example by using the consent management solution Real Cookie Banner (for WordPress websites) or by removing the problematic service from your website.
- If you are unable to assess the risk and your options for responding to the warning letter, contact a privacy and IT law lawyer you trust. Note, however, that you must usually bear the consulting costs in an out-of-court dispute according to German law.
- If you (and your lawyer) are sure that there is no data protection violation (and you may have legal protection insurance), consider filing a negative declaratory action against the warning party. This will not only help you vent your anger, but will also help to deprive the warning party of its business model. This will save many other website operators horror and sleepless nights! And for the smart ones among you: The warning party must pay tax on the damages collected. If you have not received sufficient proof of payment from the warning party, the tax office responsible for the warning party will certainly be happy to receive a call from you 🥳 💥