Fonts functionality_storage

Google Fonts — consent fix

Google Fonts is loaded directly via <link rel="stylesheet" href="https://fonts.googleapis.com/..."> in the HTML or via a CSS @import. This sends the visitor's IP address to Google's servers before consent. The Munich Court of Appeals ruled in 2022 that this is a GDPR violation (an IP address is personal data). No cookies are set; the problem is the network request itself.

Domains

  • fonts.googleapis.com
  • fonts.gstatic.com

When a page loads fonts from Google Fonts, the visitor's browser connects to Google's servers, which immediately exposes the visitor's IP address to Google. In 2022, a regional court in Munich (OLG München) ruled that an IP address constitutes personal data. Because this data is transmitted before the visitor has given consent via your cookie banner, your website is violating the GDPR.

Why Google Fonts loads too early

Google Fonts are almost never loaded via Google Tag Manager. Instead, they are placed directly in your website's source code via a <link> tag, or deeply embedded in a stylesheet via a CSS @import rule. As soon as the browser parses the code, it fetches the font from Google directly.

The Fix: Self-Host Google Fonts (Best Solution)

The fastest and most robust solution requires no cookie banner or consent logic at all: host the fonts yourself. If the fonts are served from your own server, the visitor's browser never connects to Google, and the privacy issue is instantly resolved.

Step 1: Download the fonts

  1. Visit the Google Webfonts Helper tool.
  2. Search for the font your website uses (e.g., Roboto or Open Sans).
  3. Select the required weights.
  4. Download the .zip file containing the WOFF2 files.

Step 2: Upload the fonts to your server

  1. Extract the .zip file.
  2. Upload the font files via FTP (or your hosting/CMS file manager) to a folder on your server, for example /fonts/.

Step 3: Update the CSS

Replace the Google Fonts <link> tag or @import rule with the CSS provided by the Webfonts Helper.

  1. Remove the original Google Fonts link from your HTML or stylesheet. Examples of what to remove:
    <link href="https://fonts.googleapis.com/css2?family=Roboto&display=swap" rel="stylesheet">
    
    Or in your CSS:
    @import url('https://fonts.googleapis.com/css2?family=Roboto&display=swap');
    
  2. Add the new CSS to your own stylesheet. Ensure the file path to the fonts is correct.
  3. Add font-display: swap; inside each @font-face rule to prevent invisible text while the font is loading.

Alternative Fix (via GTM)

If you absolutely cannot self-host the fonts, you must load them via Google Tag Manager as a Custom HTML Tag. Ensure this tag has an exception trigger where Consent State — functionality_storage is set to denied. Note: @import rules inside CSS files will bypass GTM entirely and must still be removed manually.

How to Verify the Fix

Do not rely on how the font looks visually. Use your browser's Network tab.

  1. Open your website in an incognito window.
  2. Ignore the cookie banner.
  3. Open Developer Tools (F12) and navigate to the Network tab.
  4. Search for fonts.googleapis.com. There must be absolutely no files loaded from this domain.
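
To complement the Network tab check, the following added example (not code from the original page) scans HTML or CSS source text for leftover references to the two Google Fonts domains listed above, including @import rules buried in stylesheets. The function names and the sample inputs are hypothetical and constructed for illustration.

```javascript
// Added example: static check for leftover Google Fonts references.
// Domains come from the page; all names and samples here are hypothetical.
const GOOGLE_FONT_HOSTS = ['fonts.googleapis.com', 'fonts.gstatic.com'];

// Classify how a URL is pulled in, based on the text just before it.
function classify(before) {
  if (/@import\s+(?:url\(\s*)?["']?$/i.test(before)) return 'css-import';
  if (/url\(\s*["']?$/i.test(before)) return 'css-url';
  if (/<link\b[^>]*\bhref\s*=\s*["']?$/i.test(before)) return 'html-link';
  return 'other';
}

function findGoogleFontsRefs(source, file = '<input>') {
  const hosts = GOOGLE_FONT_HOSTS.map(h => h.replace(/\./g, '\\.')).join('|');
  // Match absolute and protocol-relative URLs on either host.
  const re = new RegExp(`(?:https?:)?//(?:${hosts})[^\\s"'()<>]*`, 'gi');
  const findings = [];
  for (const m of source.matchAll(re)) {
    const line = source.slice(0, m.index).split('\n').length;
    const before = source.slice(Math.max(0, m.index - 200), m.index);
    findings.push({ file, line, kind: classify(before), url: m[0] });
  }
  return findings;
}

// Constructed sample inputs (not taken from a real site).
const SAMPLE_HTML = `<head>
<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
<link href="https://fonts.googleapis.com/css2?family=Roboto&display=swap" rel="stylesheet">
<link href="/css/site.css" rel="stylesheet">
</head>`;
const SAMPLE_CSS = `@import url('https://fonts.googleapis.com/css2?family=Roboto&display=swap');
@font-face {
  font-family: 'Roboto';
  font-display: swap;
  src: url('/fonts/roboto-regular.woff2') format('woff2');
}`;

// Print one line per finding; an empty result means no references remain.
for (const f of [...findGoogleFontsRefs(SAMPLE_HTML, 'index.html'),
                 ...findGoogleFontsRefs(SAMPLE_CSS, 'site.css')]) {
  console.log(`${f.file}:${f.line} [${f.kind}] ${f.url}`);
}
```

A preconnect hint to fonts.gstatic.com is reported as well, because it also makes the browser open a connection to Google before consent. The scan only covers source text you feed it, so the Network tab remains the check for what is actually requested at runtime.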

Not sure if the fix worked, or want to verify that no other scripts are leaking data? Run a free scan with ConsentChecker.eu for instant confirmation.
