A couple of months ago our little startup received an email notifying us that we were violating GDPR. They went on to warn us about a potential massive and terrifying lawsuit. The reason? Our website was using Google Fonts, which apparently transferred user data to Google without their consent - a big no-no.
The "from" address seemed super official. Like "something-something@europedataprotection.com".
I have to admit, I freaked out initially.
Then, I took a closer look.
First off, their contact details were from... Bosnia? Yep, that's technically Europe, but not the "European Union". Kinda fishy.
After giving the email another go, I stumbled upon quite the gem of a paragraph at the end. It charmingly suggested that by paying a $500 fine, they offer to forget this matter entirely.
Yeah. Nice try. 😊
In January 2022, a German court in Munich did establish a precedent - they deemed the use of Google Fonts a GDPR violation. The website owner had shared IP addresses with Google without getting users' consent first. And because IP addresses are apparently "PII" or Personally Identifiable Information, the result was... a whopping 50 euro fine for the webmaster.
Then a couple of Austrian courts hopped onto the bandwagon with similar verdicts. And that's when the avalanche began. A whole new industry of scammers (and sometimes fancy-pants law firms) popped up in Europe. Their game? Frightening startups with spammy threats.
1. What is GDPR? (just in case, sorry)
It's a European law that protects users' personal data from being shared with anyone without clear consent. The tricky part is that it's not just for EU citizens, but anyone in the EU. Visiting Paris for a 5-day vacation? You're protected by GDPR. Feel free to sue Facebook. Oh, and enjoy the cookie-popups everywhere.
2. Are IP addresses considered "personally identifiable information" (PII)?
Yes.
3. Is the use of Google Fonts (and CDNs in general) a GDPR violation?
Kinda. A minor one. Actually, in their TOS Google says they do receive the user's IP address (obviously), however, they don't store it or create user "profiles" for ad-targeting (actually, most decent CDNs don't either). Though, I wouldn't trust Google on that.
4. Hold up, so the court ruling was right?
Yes, and Google had to tweak the above-mentioned policy after that ruling. However, this still remains a violation. Though, definitely not the one you get "massive lawsuits" for.
P.S. Oh, but you bet I replied to that Bosnian scammer. After poking around on his "europedataprotection.com" site using dev-tools, guess what I found? You got it, network requests to fonts.gstatic.com
🤦
I shot back a message, letting him know HE owes ME a thousand euros. Or better yet, a million. After all I'm actually in the European Union, you little piece of... (that's where I inserted a bunch of Serbian curse words that I had to google).
P.P.S. His website is now blocked, by the way, hope my abuse report contributed. Stay sharp out there, folks.
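A quick static check for the kind of third-party font loading the post is about, added here as an example (it is not part of the original post and not code from the author): it scans a page's HTML for `<link>` elements and CSS `url()` / `@import` references that point at fonts.googleapis.com or fonts.gstatic.com, or at any host other than your own, which is the cheap way to find the request the author spotted in dev-tools before someone else does. The sample HTML and the first-party host name `example.com` are constructed for the demo; `find_third_party_font_loads` is a name chosen here, not a library API.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# The Google Fonts hosts named in the post. A preconnect, stylesheet link or
# @font-face src pointing here sends the visitor's IP to Google on page load.
GOOGLE_FONT_HOSTS = {"fonts.googleapis.com", "fonts.gstatic.com"}

# Matches url(...) in any CSS rule (e.g. @font-face src) and @import "..." strings.
_CSS_URL_RE = re.compile(
    r"""url\(\s*['"]?([^'")\s]+)['"]?\s*\)|@import\s+['"]([^'"]+)['"]""", re.I
)


def _host_of(url: str) -> str:
    """Return the lowercase host of a URL; '' for relative and data: URLs."""
    if url.startswith("//"):          # protocol-relative URLs still hit the remote host
        url = "https:" + url
    return (urlparse(url).hostname or "").lower()


class _FontRefCollector(HTMLParser):
    """Collect every <link href> and every URL referenced inside <style> blocks."""

    def __init__(self) -> None:
        super().__init__()
        self.urls: list[str] = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and a.get("href"):
            # rel="preconnect"/"dns-prefetch" count too: the connection alone leaks the IP.
            self.urls.append(a["href"])
        elif tag == "style":
            self._in_style = True

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            for m in _CSS_URL_RE.finditer(data):
                self.urls.append(m.group(1) or m.group(2))


def find_third_party_font_loads(html: str, first_party_host: str) -> list[dict]:
    """Return one finding per reference whose host is not first_party_host.

    reason is "google-fonts" for the hosts named in the post, "third-party"
    for any other external host. Relative URLs are first-party and ignored.
    """
    collector = _FontRefCollector()
    collector.feed(html)
    findings = []
    for url in collector.urls:
        host = _host_of(url)
        if not host or host == first_party_host.lower():
            continue
        reason = "google-fonts" if host in GOOGLE_FONT_HOSTS else "third-party"
        findings.append({"url": url, "host": host, "reason": reason})
    return findings


# Constructed sample page: two Google Fonts loads via <link>, one via CSS @import,
# plus two first-party assets that must not be reported.
SAMPLE_HTML = """<html><head>
<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Roboto&display=swap">
<link rel="stylesheet" href="/static/site.css">
<style>
@import url('https://fonts.googleapis.com/css?family=Open+Sans');
@font-face { font-family: "Inter"; src: url(/fonts/inter.woff2) format("woff2"); }
</style></head><body>hello</body></html>"""

if __name__ == "__main__":
    for f in find_third_party_font_loads(SAMPLE_HTML, "example.com"):
        print(f"{f['reason']:12} {f['host']:24} {f['url']}")
```

The remediation the check is pointing at is self-hosting: download the font files, serve them from your own origin with an `@font-face` rule whose `src: url(...)` is a relative path (like the `/fonts/inter.woff2` line above, which the scanner correctly leaves alone), drop the `preconnect` links, and re-run the scan until it returns nothing. This is a static scan of the HTML you serve, so it will not see fonts pulled in by JavaScript or by a third-party stylesheet; for those, the author's dev-tools network tab (filtered on fonts.gstatic.com) remains the ground truth.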