back to Jitbit Blog home About this blog

We received a GDPR violation notice :)

by Alex Yumashev · Updated Aug 28 2023

A couple of months ago our little startup received an email notifying us that we were violating GDPR. They went on to warn us about a potential massive and terrifying lawsuit. The reason? Our website was using Google Fonts, which apparently transferred user data to Google without their consent - a big no-no.

The "from" address seemed super official. Like ""

I have to admit, I freaked out initially.

Then, I took a closer look.

First off, their contact details were from... Bosnia? Yep, that's technically Europe, but not the "European Union". Kinda fishy.

After giving the email another go, I stumbled upon quite the gem of a paragraph at the end. It charmingly suggested that by paying a $500 fine, they offer to forget this matter entirely.

Yeah. Nice try. 😊

New type of scam

In January 2022, a German court in Munich did establish a precedent - they deemed the use of Google Fonts a GDPR violation. The website owner had shared IP addresses with Google without getting users' consent first. And because IP addresses are apparently "PII" or Personally Identifiable Information, the result was... a whopping 50 euro fine for the webmaster.

Then a couple of Austrian courts hopped onto the bandwagon with similar verdicts. And that's when the avalanche began. A whole new industry of scammers (and sometimes fancy-pants law firms) popped up in Europe. Their game? Frightening startups with spammy threats.

Legal miniFAQ

1. What is GDPR? (just in case, sorry)

It's a European law that protects users' personal data from being shared with anyone without a clear consent. The tricky part is that it's not just for EU citizens, but anyone in the EU. Visiting Paris for a 5-day vacation? You're protected by GDPR. Feel free to sue Facebook. Oh, and enjoy the cookie-popups everywhere.

2. Are IP addresses considered "personally identifiable information" (PII)?


3. Is the use of Google Fonts (and CDNs in general) a GDPR violation?

Kinda. A minor one. Actually, in their TOS Google says they do receive the user's IP address (obviously), however, they don't store it or create user "profiles" for ad-targeting (actually, most decent CDNs don't either). Though, I wouldn't trust Google on that.

4. Hold up, so the court ruling was right?

Yes, and Google had to tweak the above mentioned policy after that ruling. However, this still remains a violation. Though, definitely not the one you get "massive lawsuits" for.

P.S. Oh, but you bet I replied to that Bosnian scammer. After poking around on his "" site using dev-tools, guess what I found? You got it, network requests to 🤦

I shot back a message, letting him know HE owes ME a thousand euros. Or better yet, a million. After all I'm actually in the European Union, you little peice of... (that's where I inserted a bunch of Serbian curse words that I had to google).

P.P.S. His website is now blocked, by the way, hope my abuse report contributed. Stay sharp out there, folks.