by gnud 1605 days ago
Using a third party is not illegal in itself. But you need an agreement with the third party as to how they will store/process any user data they collect.

This is fairly fundamental under GDPR. It's the 'data controller'/'data processor' split.

I suspect (but IANAL of course) that most CDNs would fail here, because the blanket agreements they offer are basically worthless.

But it's easy to imagine a CDN that has a different business model (charges a tiny amount per resource stored, for example), and is completely fine under the GDPR.


How can a CDN fail to retain an IP address, at least for the purposes of knowing where to send the response? The ruling doesn't say that Google stored the IP, causing the issue, but merely that the user's IP showed up in a packet sent to Google.
Storing an IP address in RAM until you have sent the response is _obviously_ a technically necessary use of personal data.

But who knows what else Google does? The "privacy info" for site owners using Google Fonts says nothing about what they use any collected data for.

When you share personal data about your visitors with a data processor, you need an agreement that specifies how that data is treated.

CDNs under the auspices of a non-GDPR government cannot offer any legally-binding assurances that they will comply with GDPR. Their government can legally compel them to lie about honoring the GDPR and secretly act otherwise. Since US courts and authorities are no longer bound by law to honor the GDPR, no service owned by, operated by, hosted within, or subsidiary to a United States entity can guarantee compliance with GDPR.

Any CDN that is owned/operated/subsidiary in full within countries that have legal GDPR protections in place, such as member states of the EU, would be fine to use — but that rules out Cloudflare, Akamai, etc.

(I am not your lawyer, this is not legal advice.)