by fooblat 1600 days ago
It seems pretty reasonable to me.

1. In Germany an IP address is considered PI under GDPR because it is easily associated with a natural person.

2. Google is open about the fact that they log IP addresses with Google Font request activity, which includes the page you are on.

3. GDPR requires justification by necessity to collect and/or send PI to a 3rd party without consent.

4. No consent was given.

5. It is not necessary in this case because it is possible to use Google Fonts in other ways that don't send PI to Google, without significant burden.

I'm not a lawyer but I am responsible for GDPR compliance at a German startup.

edit: typo

1 comments

By that logic you must self-host any landing page, otherwise you are leaking IP addresses to whoever is hosting your website.

We have a contract with our hosting provider that specifies what data they may collect, the limited purposes for which they can use it, and when it must be deleted.

This is called a Data Processing Agreement and is also part of GDPR compliance.

We have the same thing in place with all 3rd party vendors.