[martin_a]

The idea behind/the backbone of the GDPR is: Whenever you want to process personal information, you'll need the consent of your users and protect the data accordingly.

It's easy as that. You can absolutely use ANY tool or service you want (really), but if it processes personal information (and even IPs count as that) you'll need to ask for consent and inform the user what data is processed and where and how it is processed and how you plan on protecting that data.

That has to happen BEFORE anything is processed if it's not technically ultimately necessary. Hint: Passing user and browser information to Google because your site looks nicer with an external font is technically not necessary. ;-)

With these requirements in mind, you'll find that it's easier to self-host your fonts, run a local Matomo instance with high privacy settings for analytics etc.

It sure is a different approach on "how to do internet", but you'll get the hang of it and it's not that hard after all.

Also: If you don't use any external services that process private information, you don't need a cookie notice after all. ;-)

> A user told me they know of people who got fined because of this.

Yes, some people in Germany are currently running around and try to fine websites that use Google Fonts. It works and is legal, but the morality... That won't stop such people...

Self-hosting fonts can easily help you with that, even Google has a page on that: https://fonts.google.com/knowledge/using_type/self_hosting_w...

[peyton]

The ambition is cool, but the reality of a sweeping sector-wide law with extraterritoriality is it just makes the lawyers rich. No sane business is running a Matomo instance with high privacy settings and hoping for the best.

[Nextgrid]

The objective of the law is to put an end to the current "Wild West" attitude when it comes to data privacy, and the only reason it hasn't (yet?) had the desired effects is because enforcement is significantly lacking, so you're seeing the downsides without significant upsides.

There is tremendous value in having the GDPR enforced properly though. Imagine a world where you can actually talk to someone or buy something or without Google or Facebook knowing about it, webpages no longer embedding dozens of third-party trackers, "data brokers" going out of business, etc.

IMO it's actually quite insane that we let the situation deteriorate so badly that something like the GDPR was needed, both from a "do the right thing" perspective (smearing your PII over tons of third-parties with dubious or outright malicious business models is a sign of disrespect for your users, not to mention security liability) as well as legal perspective (some countries already had existing legislation around electronic data processing that predates the GDPR).