Relief in Sight from Google Fonts Legal Claims 

Is the controversial practice of mass-mailing Google Fonts demand letters coming to an end? In a landmark decision on August 28, 2025 (Case No. VI ZR 258/24), Germany’s Federal Court of Justice (BGH) has referred a case to the European Court of Justice (ECJ). The court seeks to clarify the fundamental question of whether a claim for damages under the GDPR is valid when a data protection violation is systematically and massively provoked for the sole purpose of demanding money.

The Case of Intentionally Provoked Data Protection Violations

A website operator used Google Fonts in a way that automatically transmitted users’ IP addresses to Google in the US upon visiting the site—a known GDPR violation. A defendant exploited this situation and built a business model around it: he used software to specifically target such websites and accessed them automatically over 100,000 times. The goal was to document the violations and subsequently send out demand letters requesting payment. The affected website operator initially paid €170 but later sued to reclaim this amount.

The Crucial Questions for the ECJ

The BGH has now stayed the proceedings and submitted three key sets of questions to the ECJ for clarification, which have the potential to shake the “demand letter industry” to its core:

1. When is an IP address truly personal data?
   The BGH is asking for clarification on whether a dynamic IP address is considered personal data simply because a third party (e.g., an internet provider) could theoretically identify the person. Or must the website operator themselves have the “reasonably available means” of identification?
2. Can damages be claimed if the violation was intentionally triggered?
   This is the core question: Can a person suffer “non-material damage” if they consciously and deliberately bring about the GDPR violation just to assert a claim? Does it matter if this is done on a massive and automated scale?
3. Can such a claim be considered an abuse of rights?
   Even if a formal violation exists, the BGH asks whether the claim can be dismissed on the grounds of an abuse of rights, especially when the sole motive was to gain a financial advantage by “artificially creating” the conditions for it.

Implications for Companies and the Demand Letter Practice

• The potential end of the demand letter wave: Should the ECJ follow the line indicated by the BGH and affirm an abuse of rights, the business model of mass, automated GDPR demand letters would be finished.
• Greater legal certainty for IP addresses: The answer to the first question will clarify a fundamental data protection issue that has been debated for years, giving companies more certainty in handling IP addresses.
• Strengthening the “abuse of rights” defense: Companies would have a strong legal argument to defend themselves against claims that are clearly abusive and aimed solely at financial gain.
• The underlying problem remains: It is important to note that until the ECJ’s decision, and even afterward, the incorrect integration of services like Google Fonts remains a genuine GDPR violation that must be fixed.

FAQ: The Google Fonts Demand Letter Wave and the BGH Ruling

What are Google Fonts and what is the data privacy issue?
Google Fonts are typefaces provided by Google. In the standard integration, a connection to Google’s servers in the US is established every time a page is loaded, transmitting the user’s IP address. This constitutes an unlawful data transfer to a third country without a sufficient legal basis.

What is a “demand letter wave”?
This term refers to the mass sending of warning letters and payment demands by individuals or lawyers who systematically search for specific, easy-to-find legal violations (like the Google Fonts issue).

How long will it take for the ECJ to rule?
Proceedings before the ECJ typically take between 1.5 and 2 years. A decision is therefore not expected before 2027.

Should I just ignore a Google Fonts demand letter now?
No. Until the ECJ clarifies the situation, the legal position is uncertain. Ignoring a demand can lead to a court order for payment and further costs. Seeking legal advice is still strongly recommended.

How can I make my website legally compliant now?
The compliant solution is to host Google Fonts locally on your own server so that no connection to Google’s servers is established. Our experts can review your website and assist you with the correct integration. Contact us at en.sofortdatenschutz.de/contact/.

Conclusion

The BGH is pulling the emergency brake and aims to put an end to the business model of provoked GDPR violations. The referral to the ECJ is a clear signal that Germany’s highest judges are no longer willing to tolerate a systematic abuse of GDPR rules that were actually intended to protect data subjects. For the thousands of companies that have fallen victim to demand letter waves in recent years, this is a glimmer of hope. However, until the final decision from Luxembourg arrives, the best defense remains a technically clean and data-protection-compliant website.