Every time a website loads Google Fonts, the visitor’s browser makes a request to Google’s servers. That request includes the page URL, the visitor’s IP address, user agent string, and referrer header. Google receives this data for every page load, across every site that uses the service.
This is not a conspiracy. Google Fonts is a free CDN that serves typefaces reliably and fast. But “free” means Google absorbs the hosting cost in exchange for traffic data at massive scale. For a site that promises visitors ownership and privacy, sending their browsing data to a third party on every page load contradicts the message.
What the law says
In January 2022, a Munich regional court ruled that a website embedding Google Fonts without visitor consent violated GDPR. The reasoning was straightforward: loading a font from Google’s servers transmits the visitor’s IP address to a US company without a legal basis, because self-hosting is a readily available alternative.
You can argue about whether that ruling applies broadly. But the compliance question disappears entirely when you serve fonts from your own domain. There is no third-party data transfer to justify.
What self-hosting actually involves
Self-hosting fonts means downloading the font files and serving them from the same origin as your HTML and CSS. On this site, we use Equity B for article prose, Concourse for headings and product pages, and Space Mono for code and metadata — all from Matthew Butterick’s foundry and served from our own domain.
In practice, the setup is:
- Download the WOFF2 files for the weights you need.
- Place them in your project’s public or assets directory.
- Declare them in CSS with
@font-facerules pointing to local paths. - Reference the font family in your design tokens.
Astro has a built-in Fonts API that handles much of this. If your framework does not, the manual process takes about ten minutes.
The performance benefit
A Google Fonts request requires a DNS lookup to fonts.googleapis.com, a TLS handshake, an HTTP request for the CSS file, and then one or more additional requests for the actual font files from fonts.gstatic.com. That is two cross-origin connections before the browser has the typeface.
Self-hosted fonts load from the same connection the browser already has open for your HTML and CSS. One fewer DNS lookup, one fewer TLS negotiation, no render-blocking cross-origin fetch. The difference is measurable on slow connections and mobile networks.
Google’s CDN is fast, but same-origin is always faster when the file is already on your server and your server is already connected.
The trade-off
Self-hosting means you are responsible for updates. If a font releases a new version with improved hinting or additional characters, you need to download the updated files manually. In practice, most fonts change rarely.
You also lose the benefit of a shared cache. If a visitor has recently loaded the same font from another site using Google Fonts, their browser might have it cached. With self-hosting, every site loads its own copy. Modern browsers have reduced the effectiveness of cross-site caching for privacy reasons, so this benefit is smaller than it used to be.
Not a moral stance
Google is not doing anything evil by running a font CDN. The service works well and has improved web typography enormously. But when a privacy-respecting alternative exists and costs almost nothing to implement, there is no reason to send visitor data to a third party.
This is the kind of decision that is easy to get right once and never think about again. If your site claims to respect privacy, self-hosting fonts is the minimum credible action.
The fonts on this site are served from the same domain as everything else. No external requests, no data shared, no consent required. If you want the same setup on your own site, that is exactly the kind of work Leanersoft builds.