by maxwell86 1598 days ago
As a German citizen, this isn’t nuts.

Leaking extremely sensitive user data, like their IP addresses, to third parties enables them to fingerprint users.

Leaking those to third parties outside the EU, and in particular to companies whose revenue depends on this fingerprinting, like Google, just to serve a font, it’s the dumbest thing I’ve heard all week.

The whole purpose of the GDPR is to discourage this behavior, requiring websites to inform users of all their crappy unnecessary things they want to do before they do it.

The only reason Google gives you hot loading for free is to get your users' data. Trading your users' personal data to serve a font is brain-dead.

IMO this fine of 100€ is too small. They should have made it 10% of their revenue to send the clear message that this is not ok.

3 comments

I agree with everything you said except the last paragraph.

100€ was fine in my opinion, because a) it isn't that big of an infraction, b) it probably was their first offense, and c) this legal ruling is indeed setting some kind of precedent and therefore was unexpected given industry practices. If the ruling stands and other courts follow a similar reasoning, I would expect higher fines in the future.

You have a point and I as a dev will ensure to follow this principle. The issue is that serving fonts and other assets from an external service is pretty much normal practice. This is new ground. The understanding so far was explicit tracking being the issue and not serving static assets. This ruling makes sense but goes way beyond what the consensus was so far.

Whose “consensus”? Google or ad techs. That is not acceptable. The right way is a GDPR pop-up listing the companies you will share user data with. If the user approves, I am sure no court can touch you.

I meant consensus among developers. Using external _static_ resources has been a normal thing for very long and generally hasn’t been discussed under the light of GDPR.

In fact I would argue that most devs don’t assume that this is a problem at first glance. The general awareness and education should be better here.

IP Address is far from "extremely sensitive user data". Really.

Giving an IP Address to Google including referrer header is. They can do a lot with this and as long as the Google Font hosting service doesn't give out assurances (they can be sued for breaking) that this data is not used in any way which would enable Google to track a person.