Most fonts and third-party files violate GDPR

Dimitri

6:54 pm on Feb 26, 2022 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member Top Contributors Of The Month



Beware: if your pages use Google Fonts, or any other external files (JS, CSS, etc.), these files need to be hosted in the EEA or in an approved country*, otherwise you are in trouble.

You need to collect explicit consent from the visitor before loading these external files (this includes, more than ever, embedding videos too).

And don't think that they are not going after the small guys, as shown by the article below:


Website fined by German court for leaking visitor's IP address via Google Fonts

Earlier this month, a German court fined an unidentified website €100 ($110, £84) for violating EU privacy law by importing a Google-hosted web font.

[theregister.com...]



* personal data can flow from the EU (and Norway, Liechtenstein and Iceland) to that third country without any further safeguard being necessary. In other words, transfers to the country in question will be assimilated to intra-EU transmissions of data.

The European Commission has so far recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, the United Kingdom under the GDPR and the LED, and Uruguay as providing adequate protection.

[ec.europa.eu...]


edit: keep in mind that under the GDPR, the IP address is personal data.

graeme_p

7:16 pm on Feb 26, 2022 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Previous related discussion: [webmasterworld.com...]

There has been a series of rulings like this since Schrems II

I think Schrems II does not apply to the UK, but I do not think the UK courts have ruled on that either, so they still could under UK GDPR.

The only thing that really worries me is embedding video. It's a pain to self-host, and there are also a lot of US-hosted videos I would like to embed.

Dimitri

7:43 pm on Feb 26, 2022 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member Top Contributors Of The Month



By the way, it also makes AdSense's own consent banner illegal, since it's achieved through an external JavaScript call, hosted by Google.

martinibuster

11:09 pm on Feb 26, 2022 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



I don't know why people bother with fonts anyway.

They just slow down your site and don't add anything that isn't better served by a device's default font.

I don't know why this idea seems so radical. The opposite should be the radical view.

Dimitri

11:27 pm on Feb 26, 2022 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member Top Contributors Of The Month



I don't know why people bother with fonts anyway.

Agree.

But I think the idea is more general: any request to an external file can be subject to a GDPR violation, including the fact of using a CDN, since the company running the CDN can collect the IP address... see?

Even hotlinking an image can result in a violation.
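To make the point above concrete, here is an added example (not code from the thread) that audits a page for exactly the kind of resources the browser fetches automatically on load: stylesheets, scripts, images, iframes, media, plus `url()` and `@import` inside CSS. Every host it lists will receive the visitor's IP address, whether or not any JavaScript runs. The sample page, the hostnames and the page URL are constructed for the example; only the Python standard library is used.

```python
"""Audit a page's HTML for sub-resources fetched from third-party hosts.

Each such fetch hands the visitor's IP address to that host, which is the
thread's point about fonts, CDNs, ad scripts and hotlinked images.
Added example, not code from the thread; standard library only.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes whose values the browser fetches automatically (no user click).
FETCH_ATTRS = {
    "link": ("href",),
    "script": ("src",),
    "img": ("src", "srcset"),
    "iframe": ("src",),
    "source": ("src", "srcset"),
    "video": ("src", "poster"),
    "audio": ("src",),
    "embed": ("src",),
    "object": ("data",),
}

# url(...) and @import "..." inside CSS (inline <style> blocks and style attributes).
CSS_URL_RE = re.compile(
    r"""url\(\s*['"]?([^'")\s]+)['"]?\s*\)|@import\s+['"]([^'"]+)['"]""", re.I
)


class _ResourceCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.refs = []  # (tag, raw_url) as written in the page
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "style":
            self._in_style = True
        for name in FETCH_ATTRS.get(tag, ()):
            value = attrs.get(name)
            if not value:
                continue
            if name == "srcset":
                # srcset is "url 1x, url 2x"; keep only the URL of each candidate.
                for candidate in value.split(","):
                    self.refs.append((tag, candidate.strip().split()[0]))
            else:
                self.refs.append((tag, value.strip()))
        style_attr = attrs.get("style")
        if style_attr:
            self._add_css(tag, style_attr)

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        # HTMLParser delivers <style> contents as raw data.
        if self._in_style:
            self._add_css("style", data)

    def _add_css(self, tag, css):
        for m in CSS_URL_RE.finditer(css):
            self.refs.append((tag, m.group(1) or m.group(2)))


def third_party_resources(page_url, html):
    """Return sorted (tag, absolute_url, host) for every auto-fetched resource
    whose host differs from the page's own host."""
    parser = _ResourceCollector()
    parser.feed(html)
    own_host = urlsplit(page_url).hostname
    found = set()
    for tag, raw in parser.refs:
        if raw.startswith("data:") or raw.startswith("#"):
            continue  # inline data or in-page anchor: no network request
        absolute = urljoin(page_url, raw)  # resolves relative and scheme-less URLs
        host = urlsplit(absolute).hostname
        if host and host != own_host:
            found.add((tag, absolute, host))
    return sorted(found)


# Constructed sample page; the hostnames are the ones named in the thread.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Roboto">
<link rel="stylesheet" href="/static/site.css">
<style>@import "https://fonts.googleapis.com/css?family=Lato";
body { background: url(/img/bg.png) }
</style>
<script async src="https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js"></script>
</head><body>
<img src="//cdn.example.net/hero.jpg" srcset="//cdn.example.net/hero@2x.jpg 2x">
<iframe src="https://www.youtube.com/embed/abc123"></iframe>
<img src="data:image/png;base64,iVBORw0KGgo=">
</body></html>
"""

if __name__ == "__main__":
    for tag, url, host in third_party_resources("https://www.example.org/page", SAMPLE_HTML):
        print(f"{host:32} <{tag}> {url}")
```

Run it against your own saved HTML to get the list of hosts a visitor contacts just by opening the page; the same-host stylesheet and the `data:` image are correctly left out, while the `@import` hidden inside a `<style>` block and the scheme-less `//cdn.example.net` URLs are caught.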

Dimitri

12:39 am on Feb 27, 2022 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member Top Contributors Of The Month



edit: in fact, most ads might be illegal, since the ad material is certainly hosted and served from outside the EEA.

tangor

5:27 am on Feb 27, 2022 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Personally never used third party fonts ...

At the same time some of these new rules will "break the web" in places folks least expect any exposure. Whew!

Sissi

8:11 am on Feb 27, 2022 (gmt 0)



We need to differentiate here:
Germany: prior to setting up a website there you need 10 lawyers to look over every HTML character or whatever, and with GDPR many are making money out of it via denunciation. Well, we know this.

In my view the crucial thing is to protect yourself in relation to AdSense and Google Analytics.

robzilla

10:56 am on Feb 27, 2022 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I don't know why people bother with fonts anyway.

You're aware that your site loads at least two additional web fonts, right? ;-)

Web fonts certainly have their place, a fact sometimes lost on web people who are not designers (ah, the old divide). It's true that sometimes they're overused, e.g. an extra font is slapped on for a single header, but a different font can have a drastic effect on the look-and-feel of a site.

I've always self-hosted web fonts, making the tradeoff between benefiting from HTTP/2's multiplexing and the possibility of clients having Google's font files already in cache (plus the speed of its CDN). Never considered the privacy aspect of it, but I guess self-hosting comes out on top there.

these files need to be hosted in the EEA or in an approved country*, otherwise you are in trouble.

When loaded from fonts.googleapis.com, an EEA visitor will in most cases be downloading the font from an EEA server. Same with AdSense (a ping to pagead2.googlesyndication.com from NL comes back with 8ms latency). Ultimately the data collected on that EU server will be flowing to the US; but is that our responsibility?

Dimitri

11:49 am on Feb 27, 2022 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member Top Contributors Of The Month



When loaded from fonts.googleapis.com, an EEA visitor will in most cases be downloading the font from an EEA server. Same with AdSense (a ping to pagead2.googlesyndication.com from NL comes back with 8ms latency). Ultimately the data collected on that EU server will be flowing to the US; but is that our responsibility?


This is what I was thinking... so far!

I think that regulators want the publishers to stop using Google, Facebook, Amazon's tools.

Also, to me, it looks like all sites using AWS are hosted in the USA...

We need to differentiate here:
Germany:

Problem is, what is ruled in Germany "can" then apply to all EEA countries, depending on national regulators. For example, you can be sure that France and Italy will follow Germany's rulings.

If the EU wants to protect the IP address of Europeans, they should simply do like in China and make all connections pass through a VPN run by the EU...

robzilla

12:20 pm on Feb 27, 2022 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Also, to me, it looks like all sites using AWS are hosted in the USA...

Maybe it looks that way because that's where AWS started out, they have a bigger footprint there. But I have a few LightSail instances in Frankfurt, S3 buckets in Dublin. There are 6 European AWS regions, soon to be 8. It's up to the customer to decide where to host, of course, as with any other hosting company.

Dimitri

12:42 pm on Feb 27, 2022 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member Top Contributors Of The Month



Thank you for the info @robzilla .

I mentioned AWS because I remember that, during the core of the pandemic (to me we are still in the core, but that is another subject), several medical-related sites and companies were pointed at because they were using AWS, with sensitive health data hosted on US servers.

jay5r

2:19 pm on Feb 27, 2022 (gmt 0)

10+ Year Member Top Contributors Of The Month



Reading that article made my skin crawl since it's a good case of people enforcing laws on technology without understanding the technology. "The website … passed the unidentified plaintiff's IP address to Google". For god's sake, THAT'S NOT HOW IT WORKS! The user's browser passed the user's IP address to Google (because that's the only way to get a response when you request something from a server - if you don't tell them where you are they can't send the information back.) The website didn't pass anything to Google. The website just said it needed a file that was on Google's server and the user's browser did the rest.

Fonts and other external files aren't like Google Analytics where there's Javascript on the page which does send information to Google (for the purpose of tracking you).

IMHO, the webmaster and their lawyer were both incompetent for not catching that rather obvious problem in the decision. Now it's a precedent.

Dimitri

2:43 pm on Feb 27, 2022 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member Top Contributors Of The Month



@jay5r, yes and no. The European Union's regulators consider that a publisher is responsible for the content of his pages. So, if a publisher embeds a Google font, then the publisher is responsible. This is the same for social network buttons, ads, etc.

Also, it's not a matter of embedding JS or any other kind of file. The server hosting the file can have access to the IP and the referrer, except if the publisher's site prevents passing a referrer; I do this.

A file, even if it looks static, can be served by a dynamic script too.
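The last two posts touch on what the third-party host actually receives: jay5r's point that it is the visitor's browser that makes the request (so the IP address always goes across), and Dimitri's point that the referrer can be suppressed by the publisher's site. As an added example (not code from the thread), the following Python implements the browser's Referrer Policy rules and shows, for a constructed page and font URL, which `Referer` value each policy hands to the font host. It also resolves which policy applies when a `Referrer-Policy` header, a `<meta name="referrer">` tag and an element's `referrerpolicy` attribute are all present. The page URL, host names and header values are assumptions made up for the example; the policy semantics follow the W3C Referrer Policy specification.

```python
"""Which Referer value does a browser attach to a sub-resource request?

Implements the Referrer Policy rules so a publisher can see what a font
host, CDN or ad server learns beyond the visitor's IP address (which is
always disclosed by the TCP connection itself).
Added example, not code from the thread; standard library only.
"""
from urllib.parse import urlsplit, urlunsplit

# Browser default since Chrome 85 / Firefox 87 (assumed current when you read this).
DEFAULT_POLICY = "strict-origin-when-cross-origin"
_DEFAULT_PORTS = {"http": 80, "https": 443}


def _parts(url):
    p = urlsplit(url)
    port = p.port or _DEFAULT_PORTS.get(p.scheme)
    return p.scheme, p.hostname or "", port, p.path or "/", p.query


def _full_referrer(url):
    """Spec 'strip for use as a referrer': drop userinfo and fragment, keep path+query."""
    scheme, host, port, path, query = _parts(url)
    netloc = host if port == _DEFAULT_PORTS.get(scheme) else f"{host}:{port}"
    return urlunsplit((scheme, netloc, path, query, ""))


def _origin_referrer(url):
    """Origin only: scheme://host[:port]/ with no path."""
    scheme, host, port, _, _ = _parts(url)
    netloc = host if port == _DEFAULT_PORTS.get(scheme) else f"{host}:{port}"
    return f"{scheme}://{netloc}/"


def _same_origin(a, b):
    return _parts(a)[:3] == _parts(b)[:3]


def _downgrade(a, b):
    """TLS-protected page requesting a plaintext URL."""
    return _parts(a)[0] == "https" and _parts(b)[0] == "http"


def referer_for(page_url, target_url, policy=DEFAULT_POLICY):
    """Return the Referer header value sent when page_url fetches target_url,
    or None when the policy suppresses it."""
    same, down = _same_origin(page_url, target_url), _downgrade(page_url, target_url)
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return _full_referrer(page_url)
    if policy == "no-referrer-when-downgrade":
        return None if down else _full_referrer(page_url)
    if policy == "same-origin":
        return _full_referrer(page_url) if same else None
    if policy == "origin":
        return _origin_referrer(page_url)
    if policy == "strict-origin":
        return None if down else _origin_referrer(page_url)
    if policy == "origin-when-cross-origin":
        return _full_referrer(page_url) if same else _origin_referrer(page_url)
    if policy == "strict-origin-when-cross-origin":
        if same:
            return _full_referrer(page_url)
        return None if down else _origin_referrer(page_url)
    raise ValueError(f"unknown referrer policy {policy!r}")


def effective_policy(header=None, meta=None, attribute=None):
    """Resolve the policy for one request: an element's referrerpolicy attribute
    overrides <meta name="referrer">, which overrides the Referrer-Policy
    response header; with none set the browser default applies."""
    for value in (attribute, meta, header):
        if value:
            return value.strip().lower()
    return DEFAULT_POLICY


# Constructed example: a page whose path itself is sensitive, pulling a Google font.
PAGE = "https://www.example.org/health/results?id=42#top"
FONT = "https://fonts.googleapis.com/css2?family=Roboto"

if __name__ == "__main__":
    for policy in ("unsafe-url", "no-referrer-when-downgrade", DEFAULT_POLICY,
                   "origin", "same-origin", "no-referrer"):
        print(f"{policy:30} -> {referer_for(PAGE, FONT, policy)}")
```

Under the browser default the font host still learns the page's origin; only `no-referrer` (or `same-origin`) keeps the site name out of the request entirely, which is the setting Dimitri describes. Note that the policy only changes the `Referer` header: the visitor's IP address reaches the third-party host regardless, so the policy narrows the leak but does not remove it.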