German court: Entire modern Internet is illegal, embedding anything breaks the GDPR

German court: Entire modern Internet is illegal, embedding anything breaks the GDPR
German regional court just dropped a total bombshell of a ruling today. Court decided that the way how virtually all modern websites function, is actually illegal under the European Union GDPR legislation.

And all this over a 100 euro fee.



Behind all the madness is a court case against an unnamed German website, a lawsuit filed by a single person. And because the website used a specific font.

The website had embedded the Google Webfont to its pages directly from Google Fonts' servers - just like appx. 50 million other sites do.

But how the Internet works, this also meant that the user's browser not only downloaded the website requested, but also the font needed to show the page as intended. And while the user had obviously given the permission to hand out his/her IP address to the website in order to be able to use it in the first place, he/she didn't give the consent to connect to Google servers (in order to get the font).

His browser - as it should - contacted the Google server in the background in order to get the font for the website. And obviously, any connection through the 'net will also reveal the users IP address. And according to the user, he/she had not given explicit permission to do that.

And court agreed.

According to the court, the website in question could have had the font stored locally on its own servers and thus, to avoid the connection to Google servers. And also, according to the ruling, now Google got the users IP address and can potentially do unholy things with it, like build a profile of the user.

Surely, Google's font library can be self-hosted, but it typically isn't, as loading it off Google's servers allows users browsers to find the very same font in cache more often, as different sites tend to use the same fonts (and cache is detected by the entire domain URL address of the font file).

But the ruling also effectively bans all kinds of embedding (without the user's explicit consent): whether it is YouTube videos embedded to news articles or to use CDN-hosted jQuery libraries on your website. Oh, obviously Instagram embeds and stuff like Google Analytics are banned, too.



Few weeks earlier an Austrian court ruled Google Analytics illegal in Europe.

Written by: Petteri Pyyny @ 31 Jan 2022 16:34
Tags
European Union GDPR
Advertisement - News comments available below the ad
  • 2 comments
  • ChikaraNZ

    Well, if the IP address is classed as private information under GDPR legislation, then this is technically a correct ruling by the court.

    Many people are more privacy conscious nowadays, and I think most would not be aware that Google, and other big sites, receives their IP address in these situations and uses that data to potentially build their profile on you. If this can go some way to either stopping that behaviour, or building more awareness of it, it's a good thing regardless of the practical consequences of it.

    4.2.2022 02:13 #1

  • scorpNZ

    Can be circumvented by using duckduckgo & installing the duckduckgo extension. Without the extension duckduckgo is no different than google as it allows data collection by websites

    9.2.2022 22:56 #2

© 2022 AfterDawn Oy

Hosted by
Powered by UpCloud