>This ruling can't be allowed to stand.

Sounds like a great ruling from a security and user perspective. Just changes a design paradigm. If it kills a business model that's based on intrusive user-tracking and the user being totally unable to know who has their data and who their computer should vs shouldn't be connecting to - great.

Trying to figure out from traffic analysis alone these days whether a website is malicious or not is an absolute nightmare as every single site pulls in 20 or 30 externally-hosted resources for totally impenetrable purposes.

Let's migrate to an easily understandable model where sites host 100% of their own resources. If that means the site engine has to run CI behind the scenes and pull in those resources, great, it centralises responsibility.

> If it kills a business model that's based on intrusive user-tracking and the user being totally unable to know who has their data and who their computer should vs shouldn't be connecting to - great.

What are you talking about? You can always block whatever you want, and we're not talking about "intrusive user-tracking" here but literally just an IP address. You can have the opinion that websites shouldn't use third-party resources, but legislating that requirement is beyond ridiculous.

There are countless good reasons for using third-party resources on websites, and disallowing it will absolutely make the web a worse place regardless of any "privacy" benefits it could have.

How about for video? This effectively kills the ability for a small website to pay for video hosting services from a well scaled video CDN. This effect can be generalized: At some point the only organizations with the resources to comply with the GDPR are in fact the big tech companies.