Self-host Google Fonts to stop leaking visitor IPs
Loading fonts from fonts.googleapis.com sends every visitor’s IP address to Google on page load — a cross-border transfer that happens before consent and cannot be consented to for an essential asset.
Why it matters
A German court (the "Google Fonts" ruling) found that transmitting a visitor’s IP to Google via hosted fonts, without consent, was an unlawful transfer. Fonts are essential to rendering, so the fix is not a consent banner — it is to stop the transfer entirely by hosting them yourself.
How to fix it
Download the font files, serve them from your own domain, and declare them with @font-face. No third-party request, no IP transfer, and usually faster too.
/* Self-hosted — no request to Google */
@font-face {
font-family: 'Inter';
src: url('/fonts/inter-var.woff2') format('woff2');
font-display: swap;
}
/* Remove any <link href="https://fonts.googleapis.com/..."> */
Official sources
- KVKK — Law No. 6698 (official full text, mevzuat.gov.tr)
- KVKK — Kişisel Verileri Koruma Kurumu (Turkish DPA)
- GDPR — full regulation, article by article
- ePrivacy Directive 2002/58/EC — cookies, Art. 5(3)
- EDPB — guidelines on consent & cookies
Links to primary legislation for reference. PrivaScan is not affiliated with these bodies; this is information, not legal advice.
Related guides
- Stop Google Analytics from loading before consent (KVKK/GDPR) KVKK m.5 · GDPR Art. 6 · ePrivacy Art. 5(3)
- Gate Google Tag Manager behind consent KVKK m.5 · GDPR Art. 6 · ePrivacy Art. 5(3)
- Load the Meta (Facebook) Pixel only after consent KVKK m.5 · GDPR Art. 6 · Art. 26 (joint controller)
- Session recording (Hotjar, Clarity, Yandex) needs explicit consent KVKK m.5 · GDPR Art. 6 · Art. 9 risk
These guides cover automated checks for trackers, cookies and data flows. A full privacy review also needs legal input.