The plaintiff's browser did what the defendant's code ordered it to do.
If the defendant's code violated GPDR (which seems to be the court's conclusion) by sending the plaintiff's browser somewhere, it's a defendant's problem, not plaintiff's.
Yeah, that's exactly the agency argument. It's not as if the plaintiff's browser is actually under control of the defendant, a user agent is not forced to follow the instructions that are contained in a website it requested on behalf of its user.
I don't think forcing each and every single website provider to implement their own consent forms is the right approach to regulating this. User agents should have the ability to convey and enforce privacy preferences on behalf of the user, and website providers should be legally required to comply with these if possible (or refuse service if not). But requiring ever more complex, explicit and custom opt-in consent forms for various provider, third party and user jurisdiction combinations is just inane.
Consent forms are not required, just host the font. They are also way more expensive and complicated to implement than self-hosting fonts. Asking for consent over usage of third-party fonts borders on pettiness from the website owner.
> User agents should have the ability to convey and enforce privacy preferences on behalf of the user, and website providers should be legally required to comply with these if possible (or refuse service if not).
The burden of respecting privacy choices in every single other case (data in the backend, data shared with partner, paper data) is already with the website. Every non-privacy-respecting implementation in the frontend is made by website owners.
Keep in mind that sometimes websites don't work with blocking other stuff, or are more difficult to use when blocking fonts (Google Material). So this is not even a practical suggestion.
There are two options to do what's required by the law: either A. not sending users' personal data to third parties; or B. receive informed consent from the users before sending their personal data to third parties.
If the option B seems unwanted for some reason (any reason), there is still option A. Implementing a different solution (that breaks the law) has consequences.
This is a pretty sad state of affairs IMO. The fact is that CDNs and similar third party services play an important role. Websites wont stop us6them, it's not feasible (btw if I "host" my fonts in S3 do I have to get consent for sharing IP with Amazon? With DNS? with every router that goes through tracert?) .
In reality, websites will add more crap "opt in" CYA forms at first loading, making the interaction fugly and unusable. We can discuss here in HN how that is unnecessary and whatnot, but that's what's going to happen...
I just wish that websites wouldn't force us outside of the EU to the asinine UX required by the EU (I hate having to press ACCEPT ALL on each page I visit.... whatever I dont want is already blocked by an extension anyways).
There's a difference between data sent to the website provider (and through it, indirectly to third parties), and interactions between the browser and third parties. The linked ruling forces the provider to ask the user for consent for third parties (even though the provider has nothing to do with the interaction!), instead of mandating a direct opt-in interaction between the user (agent) and third parties.
Imagine embedding many social media sites. Instead of forcing the social media sites or browser vendors to create embeddings that ask for consent themselves, the website provider has to ask for consent on behalf of all external sites before loading any content. As a web developer, this is a nightmare.
"Your honor, the victims of my ransomware attack decided to use a modern CPU to run my code. The attack would not have succeeded have the victims used Z-80, so there's no one to blame but the victims themselves."
Yeah like when you use a browser no where did you literally cause & consent to loading and running stuff.
False analogy.
Ironic that people use this line of reasoning to defend ad blockers (I'm responsible for whatever software I run) but then use the opposite argument when they don't like what the software does.
> a user agent is not forced to follow the instructions
Luckily! A large german media corporation called "Springer" has for years, and is still, unsuccessfully trying to get the courts and politicians to rule that users can not manipulate web content and must run it as intended, as changing it would violate copyright and is a sabotage of their program. And i bet they aren't the only ones globally. Also: how many devices are locked down and can only run code as it is provided by trusted third parties? Try installing an ad-blocker on a smart-tv or a playstation.
Website have no authority over the browsers accessing them. They can't order. Just state information. "There's a font over here" not "you have to go access this font over here".
That browsers by default tend to follow links to resources automatically doesn't change that. It's still the agent the user has chosen to represent them when talking to the website making the decision not the website.
If a legal body want to make the call that users shouldn't be responsible for choosing what their browsers automatically do or don't do on their behalf that's fine. But it's absurd to do it by making it the website creators problem. It's the browser that's choosing to do things without asking the person it represents for explicit permission. It's the browser sending the information to the third party. Put it on the browsers!
We've got a handful of choices for browsers. They all gratuitously send every bit of information they can get their hands on to every website they can. Just straight up informational security Judas'. And GDPR blames websites? It's crazy to me.
If the defendant's code violated GPDR (which seems to be the court's conclusion) by sending the plaintiff's browser somewhere, it's a defendant's problem, not plaintiff's.