I fell over this article just now from Hacker News: German Court Rules Websites Embedding Google Fonts Violates GDPR

This worries me a little bit. Does this imply all CDN sources are in violation of privacy rights, including Netlify?

As per my reading, any server that collects user data including but not limited to IP Address is in violation. This includes Netlify. We record IP Address for every file requested from our servers. As a developer, if you add a warning about this or a consent, you should be safe. However, the consent can’t be like:

Do you allow us to collect your IP Address?

Because even if they say no, their IP Address will be collected and rather, even before you asked that confirmation, it was already collected. Instead, the consent could be to accept your privacy policy which would mention the PII being collected. The policy should mention that if you don’t consent with this, you should not be using the service.

But then, this is purely based on my reading about that article and I’m not a lawyer.