
I see quite a few web pages in Germany that do not load JavaScript or any other content from YouTube, Twitter, Facebook until you explicitly opt in. Basically, the content is replaced by a placeholder saying “click here to load external content from.” - it’s technically not very hard to do so, and I quite like it. I don’t need to be tracked by any of those entities everywhere I go. Tracking and creating profiles is one of the large problems of Facebook like buttons and similar.

> this could probably be avoided by extending the sites terms.

Reading the judgement, I don’t think so. Consent is required before exposing the IP address and must be explicitly given. Terms can help in cases where there is a technical requirement, for example “if you want to watch this embedded video, you must consent to this”, but they won’t save you when you just embed.
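
The click-to-load placeholder described in the comment above, as an added example that is not part of the thread: the rewrite runs on the server or at build time, because a browser starts fetching an iframe `src` as soon as it parses the tag, so the third-party URL must not be served as a live `src`. The origin `blog.example`, the host `cdn.example.net` and all function names are assumptions made for illustration.

```javascript
// Added example, not from the thread. Origins and hosts are constructed assumptions.
const PAGE_ORIGIN = "https://blog.example";              // hypothetical first-party origin
const NO_CONSENT_HOSTS = new Set(["cdn.example.net"]);   // hypothetical hosts the operator loads directly

const escapeHtml = (s) => s.replace(/[&<>"']/g, (c) => `&#${c.charCodeAt(0)};`);

// Returns the host to name in the placeholder, or null if the URL may load directly.
function gatedHost(src) {
  let url;
  try {
    url = new URL(src, PAGE_ORIGIN);
  } catch {
    return "unknown source"; // unparsable URL: fail closed and gate it
  }
  if (url.origin === PAGE_ORIGIN || NO_CONSENT_HOSTS.has(url.hostname)) return null;
  return url.hostname || "unknown source"; // data:, javascript: etc. have no hostname
}

// Server-side rewrite: every gated iframe becomes an inert placeholder whose URL
// lives in data-src, so no request leaves the browser before the click.
// The regex only handles double-quoted src attributes, which is enough for the
// constructed sample; use a real HTML parser for arbitrary markup.
function gateEmbeds(html) {
  const iframe = /<iframe\b[^>]*?\ssrc="([^"]*)"[^>]*>[\s\S]*?<\/iframe>/gi;
  return html.replace(iframe, (tag, src) => {
    const host = gatedHost(src);
    if (host === null) return tag;
    return `<div class="embed-placeholder" data-src="${src}">` +
      `<button type="button">Click here to load external content from ${escapeHtml(host)}</button></div>`;
  });
}

// Browser side, called from the button's click handler: the iframe is created only now.
function activate(placeholder, doc) {
  const frame = doc.createElement("iframe");
  frame.src = placeholder.dataset.src;
  placeholder.replaceWith(frame);
  return frame;
}

// Constructed sample page fragment.
const SAMPLE = [
  '<iframe width="560" src="https://www.youtube.com/embed/VIDEO_ID" allowfullscreen></iframe>',
  '<iframe src="/widgets/local.html"></iframe>',
  '<iframe src="https://cdn.example.net/player.html"></iframe>',
].join("\n");
```
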



> it’s technically not very hard to do so, and I quite like it

For the average user, it's yet another thing to click without thinking, just to be able to visit a page.

> Consent is required before exposing the IP address and must be explicitly given

There's the crux of the problem, it's difficult to know what to consent for without first displaying the website, so you implicitly give consent for "just the bare minimum", until you accept the rest. This sounds great, but is both an absolute nightmare for website developers (it's not very easy to do, with how the internet was designed, inline scripts, fonts, CDN stylesheets) and for "most" end-users who just expect good defaults and don't want to sign a consent form every time they visit a website.


> > it’s technically not very hard to do so, and I quite like it

> For the average user, it's yet another thing to click without thinking, just to be able to visit a page.

And yet, they’re still protected: They’ll click on the video when they want to watch the video, load the like button when they want to like, the tweet button when they want to tweet. And all the other times when they visit a website that offers any of this functionality, no data is transmitted to YouTube, Facebook, Twitter.

> This sounds great, but is both an absolute nightmare for website developers (it's not very easy to do, with how the internet was designed, inline scripts, fonts, CDN stylesheets)

There is no need to ask for consent for every stylesheet you load from a CDN. You’re allowed to use Cloudflare, CloudFront, Fastly,… - they’ll all provide the required DPA that allows you to use them without consent. You need to be careful when it comes to things like like-buttons etc. that get loaded from places that use them to create user profiles for non-consenting users. Yes, that’s hard. But the culprits are the entities that siphon up every bit of data. Direct your ire there.


> There is no need to ask for consent for every stylesheet you load from a CDN. You’re allowed to use Cloudflare, CloudFront, Fastly,… - they’ll all provide the required DPA that allows you to use them without consent.

And Google doesn't? (Honest questions)

On first look serving a font from Google and a stylesheet from Cloudflare seem very, very similar things.


The primary difference is that you usually have a contract with Cloudflare that they host and serve your data on your behalf. A DPA would usually be part of the contract. Cloudflare also doesn’t mine the IP addresses that they gather as part of their operations to build advertising profiles.

AFAIK Google Fonts does not require any contract. Google could certainly offer a contract, a DPA, etc., assert that they are subject to the GDPR and waive processing of the data they gather from operating Google Fonts as a service.


The web isn't "the internet"!

Also the late web was designed by guess who: Yes, the ad-spyware companies…



