Hacker News
by c01n 1602 days ago
On the one hand I don't want lawyers, government and politicians to shape cyberspace. But I also like this ruling; it seems to set a precedent for users to be able to opt in to APIs (and probably JavaScript, the obvious next step if this goes on). Client-server interactions should be transparent; this will prevent a lot of privacy-related issues. It also makes the web more decentralized, getting developers back into a host-your-own-stuff mentality.
3 comments

On its face, this appears to be the death of the third-party CDN. The largest issue is this means companies will no longer be able to use third-party hosting services like Squarespace which rely on shared (technically third-party) CDNs.

A secondary, but similar, issue is that now all embeds are opt-in: streams, videos, everything must first be clicked on to even load the thumbnail.

A third, and less-important, issue is that advertising providers are basically over: the website, on load, can't query the third-party ad service to figure out what ad to display. Which I'm fine with, abstractly, but it's also a very large revenue issue.

Using a third party is not illegal in itself. But you need an agreement with the third party as to how they will store/process any user data they collect.

This is fairly fundamental under GDPR. It's the 'data controller'/'data processor' split.

I suspect (but IANAL of course) that most CDNs would fail here, because the blanket agreements they offer are basically worthless.

But it's easy to imagine a CDN that has a different business model (charges a tiny amount per resource stored, for example), and is completely fine under the GDPR.

How can a CDN fail to retain an IP address, at least for the purposes of knowing where to send the response? The ruling doesn't say that Google stored the IP, causing the issue, but merely that the user's IP showed up in a packet sent to Google.
Storing an IP address in RAM until you have sent the response is _obviously_ a technically necessary use of personal data.

But who knows what else Google does? The "privacy info" for site owners using Google Fonts says nothing about what they use any collected data for.

When you share personal data about your visitors with a data processor, you need an agreement that specifies how that data is treated.

CDNs under the auspices of a non-GDPR government cannot offer any legally-binding assurances that they will comply with GDPR. Their government can legally compel them to lie about honoring the GDPR and secretly act otherwise. Since US courts and authorities are no longer bound by law to honor the GDPR, no service owned by, operated by, hosted within, or subsidiary to a United States entity can guarantee compliance with GDPR.

Any CDN that is owned/operated/subsidiary in full within countries that have legal GDPR protections in place, such as member states of the EU, would be fine to use — but that rules out Cloudflare, Akamai, etc.

(I am not your lawyer, this is not legal advice.)

This ruling has nothing to do with opt-in or consent. It has to do with the concept of data minimization. According to the GDPR you should only process as much data as necessary, and this applies no matter what legal basis (e.g. consent) you have. So basically the point with GDPR is that you as a user should not even have to care; the company that processes your data is responsible to care for you. And it's actually cool that we see this enforced now.
It does not necessarily set a precedent: use of APIs hosted fully within GDPR countries would be unaffected by this Google Fonts judgment, which only concerns a GDPR site using non-GDPR resources without user consent.