reCAPTCHA, Google Fonts, and Maps: The Google Services That Quietly Break GDPR

Google Fonts: The €100 Fine That Changed Things

In January 2022, the Munich Regional Court (Landgericht München) ordered a website to pay €100 to a visitor whose IP address was transmitted to Google when their browser fetched fonts from fonts.googleapis.com. The ruling (Case 3 O 17493/20) found this constituted an unlawful transfer of personal data to a third country (the US) without consent.

The fine was small — €100. But the precedent wasn't. IP addresses are personal data under GDPR. Every time a browser fetches a Google Font, the visitor's IP is sent to Google's servers in the US. No consent is asked. No legitimate basis exists for most websites.

The fix is straightforward. Self-host your fonts — download them and serve them from your own domain. In Next.js, the `next/font` package handles this automatically: it downloads Google Fonts at build time and serves them from your domain with zero runtime requests to Google. In Webflow, WordPress, or other CMSs, you download the font files and host them as local assets.

reCAPTCHA v3: The Invisible Profiler

Google reCAPTCHA v3 is designed to be invisible — it runs in the background on every page load, collecting browser fingerprinting data, mouse movements, and behavioural signals to build a "risk score." This data goes to Google.

This is data processing. Users are being profiled — their behaviour is being analyzed to determine whether they're human. That data goes to Google, is processed on US servers, and contributes to Google's overall data systems.

The French DPA (CNIL) flagged reCAPTCHA in their 2021 cookie sweep. The German DPA conference (DSK) position is that reCAPTCHA requires consent and must not be deployed without it. Most legal analyses conclude that reCAPTCHA v3, deployed on every page load, cannot rely on legitimate interests alone.

The alternatives:

• →hCaptcha — privacy-focused alternative, EU data processing, no profiling. Plug-in replacement for reCAPTCHA in most frameworks. Free tier available.
• →Cloudflare Turnstile — free, uses proof-of-work challenges instead of user behaviour profiling, no data sent to third parties beyond Cloudflare's normal CDN logs. The cleanest option from a privacy perspective.
• →Honeypot fields — for simple contact forms, a hidden form field that bots fill but humans don't is often sufficient. Zero external requests, zero data transfer.

Google Maps Embeds

When you embed a Google Maps iframe on your contact or location page, every visitor's browser makes a direct request to maps.googleapis.com — sending their IP address, user agent, and referrer to Google, before consent.

Google Maps also sets cookies regardless of your site's consent state. The German DSK recommends not embedding Google Maps without prior consent.

Three practical alternatives:

• →Static map image with link. Use the Google Static Maps API to generate a PNG image of the map and serve it as an `<img>` tag. Only loads when the image loads (one request), no JavaScript, no cookies. Clicking opens Google Maps in a new tab.
• →Consent-gated load. Show a placeholder image with a "Click to load map" button. The Google Maps iframe only loads when the user explicitly clicks — making their action an affirmative consent signal.
• →OpenStreetMap. Open-source maps via Leaflet.js or MapLibre, no data sent to Google. EU-hosted tile servers available (e.g., OpenStreetMap.org, which is based in the UK/EU).