Note that despite the claims of GDPR compliance, Beam is likely _not_ GDPR compliant for a few different reasons. Going off of this doc[0], a few things stand out.
First, there's a JavaScript snippet you add to your site to set up Beam. That JavaScript snippet loads additional JavaScript from beamanalytics.b-cdn.net. If you add the Beam-provided JavaScript to your site, every time a user visits your site, their IP address will be shared with beamanalytics.b-cdn.net. If the user didn't consent to sharing their IP address with beamanalytics.b-cdn.net, you do not have a lawful basis[1] for sharing the user's IP with beamanalytics.b-cdn.net.
Second, there's this notion that because Beam hashes IP addresses, that "anonymizes" the data[0][2]. According to GDPR, this is actually "pseudonymisation"[3]. If you know what hash function is used, you can still tie back the hashed data to the original user. Pseudonymized data still meets the GDPR definition of personal data[3], so applying this hash doesn't actually do anything in terms of helping with GDPR compliance.
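The linkability point above, as an added example (not part of the original comment and not Beam's code). The page does not say which hash Beam uses, so unsalted SHA-256 over the textual address is an assumption, as are the function names, the demo key and the sample visitor address from the RFC 5737 documentation range. It goes one step beyond the comment by also showing a keyed hash, which stays linkable for whoever holds the key.

```python
import hashlib
import hmac
import ipaddress
from typing import Callable, Optional


def unsalted_hash(ip: str) -> str:
    # Assumed scheme for illustration: SHA-256 over the dotted-quad string.
    return hashlib.sha256(ip.encode("ascii")).hexdigest()


def keyed_hash(key: bytes) -> Callable[[str], str]:
    # HMAC-SHA256 variant: linking a digest now requires the key as extra information.
    def _hash(ip: str) -> str:
        return hmac.new(key, ip.encode("ascii"), hashlib.sha256).hexdigest()
    return _hash


def relink(stored_digest: str, network: str,
           hash_fn: Callable[[str], str]) -> Optional[str]:
    """Hash every host in `network`; return the address matching `stored_digest`."""
    for addr in ipaddress.ip_network(network).hosts():
        if hmac.compare_digest(hash_fn(str(addr)), stored_digest):
            return str(addr)
    return None


# Constructed sample data (RFC 5737 documentation range, not real traffic).
VISITOR = "203.0.113.77"
CANDIDATES = "203.0.113.0/24"
KEY = b"constructed-demo-key"


def demo() -> dict:
    plain = unsalted_hash(VISITOR)
    keyed = keyed_hash(KEY)(VISITOR)
    return {
        # Anyone who knows the function can recompute and match the digest.
        "unsalted": relink(plain, CANDIDATES, unsalted_hash),
        # Without the key the same enumeration finds nothing...
        "keyed_without_key": relink(keyed, CANDIDATES, unsalted_hash),
        # ...but the key holder can still tie the digest back to the address.
        "keyed_with_key": relink(keyed, CANDIDATES, keyed_hash(KEY)),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The candidate set here is a single /24; the whole IPv4 space is only 2^32 addresses, so the same loop scales to every possible input.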
Loading fonts from Google Fonts, for example, is indeed considered not GDPR compliant without consent, because it reveals your visitors' IP addresses. You can self-host the fonts, however, and then it should be fine.
> If pulling a third party resource is not compliant then loading from any cdn is non compliant
Loading data from a third party can be GDPR compliant, but isn't always. One legal basis for processing personal data is "legitimate interest"[0]. Legitimate interest is incredibly vague. In short, it allows you to process data as long as doing so is necessary or of critical importance to your business.
As an example, in order for someone to visit your website, you need to receive and process their IP address. That's just how TCP works. Since you have a "legitimate interest" to process their IP address so they can visit your site, you don't need to ask for consent before processing their IP. Similarly, since DDoS prevention is critical for maintaining your website, you are allowed to process IP addresses for DDoS prevention as long as you intend to process the IP only for DDoS prevention.
For your specific question, a website loading an external font resource would likely fall under legitimate interest since the font is necessary for the website to function.
Since user analytics is not necessary or critical to a business, you cannot share IP addresses with a third party if the intent of doing so is so you can perform analytics on your users.
> For your specific question, a website loading an external font resource would likely fall under legitimate interest since the font is necessary for the website to function.
Specifically, a website operator using Google Fonts was ruled to be non-compliant, for not disclosing that they were doing so, and refusing to honour the preference of the user.
I think a pure-play hosting service is probably fine for hosting fonts and relying on legitimate interest, but that's not Google, who is not being paid directly for hosting the fonts, and who actively wants to use the users' information for marketing purposes that the user clearly does not want.
I'm no lawyer, but I think that will depend on a number of factors. One important distinction is whether the CDN is based in Europe (or a country that has received an adequacy decision) or not. The details of your data processing agreement with the CDN will also matter, I assume.
In practice, I doubt someone will go through the legal trouble for something like jQuery. If you want to be sure, self-host your resources; it's not like using CDNs will give you any speed advantage anymore with modern browsers isolating websites.
If you pay the CDN, and they're not using your customers' data to make money, then probably not.
If you don't, or they do, then it's a violation of EU law if you do not allow (at least) EU users to easily control the use of that CDN. If you are making money, and you try telling the regulator that, for your business, you need (legitimate interest) to have jQuery hosted by a CDN that is using EU personal data illegally, then you might get a fine if they are reachable by the EU, because very few judges are going to believe that bullshit.