by wolki 1586 days ago
AIUI the embedding is itself not the issue. The issue is that you are leaking user data to a third party, and this needs to be handled with care, considering the degree of threat to the user data, your legitimate need to use a CDN, and any possible consent. If your CDN assures you that this data will only be used for legitimate purposes and in conformity with GDPR, I think (but IANAL) that explicit user consent wouldn't be necessary, as site owners have a legitimate interest in using CDN services. After all, DDoS prevention is even explicitly listed as a legitimate interest, and fulfilling this legitimate interest is itself enough to allow processing of personal data, without further consent. With the Google Fonts ruling, the issue seemed to be that there was no such agreement in place, Google is known for aggressively building user profiles, and the technical need for this was judged to be low, as fonts are rather small and the site could have operated with self-hosted fonts. This was considered to go beyond the scope of the legitimate interest - it's essentially selling user data to Google to save a little on bandwidth, and that would require consent.

(Then there is a separate issue with a human rights dispute between EU and US that makes things a bit more complicated)