
> If pulling a third party resource is not compliant then loading from any cdn is non compliant

Loading data from a third party can be GDPR compliant, but isn't always. One legal basis for processing personal data is "legitimate interest"[0]. Legitimate interest is incredibly vague. In short, it allows you to process data as long as doing so is necessary or of critical importance to your business.

As an example, in order for someone to visit your website, you need to receive and process their IP address. That's just how TCP works. Since you have a "legitimate interest" to process their IP address so they can visit your site, you don't need to ask for consent before processing their IP. Similarly, since DDOS prevention is critical for maintaining your website, you are allowed to process IP address for DDOS prevention as long as you intend to process the IP only for DDOS prevention.

For your specific question, a website loading an external font resource would likely fall under legitimate interest since the font is necessary for the website to function.

Since user analytics is not necessary or critical to a business, you cannot share IP address with a third party if the intent of doing so is so you can perform analytics on your users.

[0]: https://gdpr-info.eu/art-6-gdpr/




> For your specific question, a website loading an external font resource would likely fall under legitimate interest since the font is necessary for the website to function.

Google Fonts was ruled to be non-compliant: https://www.theregister.com/2022/01/31/website_fine_google_f...

You can work around this by just uploading the font to your own website.


Specifically, a website operator using Google Fonts was ruled to be non-compliant, for not disclosing that they were doing so, and refusing to honour the preference of the user.

I think a pure-play hosting service is probably fine for hosting fonts and relying on legitimate interest, but that's not Google, who is not being paid directly for hosting the fonts, and who actively wants to use the users' information for marketing purposes that the user clearly does not want.


So using jQuery from a CDN would also cause a fine?


I'm no lawyer, but I think that will depend on a number of factors. One important distinction is whether the CDN is based in Europe (or a country that has received an adequacy decision) or not. The details of your data processing agreement with the CDN will also matter, I assume.

In practice, I doubt someone will go through the legal trouble for something like jQuery. If you want to be sure, self-host your resources; it's not like using CDNs will give you any speed advantage anymore with modern browsers isolating websites.
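Added example (not code from any commenter in this thread): a small Python audit that lists which third-party hosts a page would contact on load, so an operator can see exactly what to self-host. The sample page and its site host example.org are constructed; `ResourceCollector` and `third_party_resources` are names chosen here.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# script/img/iframe fetch via these attributes; <link> fetches or opens a connection only
# for the listed rel values (rel="canonical" and similar metadata send nothing).
FETCH_ATTRS = {"script": "src", "img": "src", "iframe": "src"}
FETCHING_LINK_RELS = {"stylesheet", "icon", "preload", "modulepreload", "prefetch", "preconnect", "dns-prefetch"}
# @import "x", @import url(x) and url(x) inside inline <style> blocks (how fonts are often pulled in).
CSS_URL_RE = re.compile(r"""(?:@import\s+(?:url\(\s*)?|url\(\s*)['"]?([^'")\s]+)""", re.I)

# Constructed sample page for a site served from example.org (not a real page).
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/static/site.css">
<link rel="preconnect" href="https://fonts.gstatic.com">
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Roboto">
<link rel="canonical" href="https://example.org/page">
<style>@font-face{font-family:L;src:url(/fonts/local.woff2)} @import url("https://fonts.googleapis.com/css?family=Lato");</style>
</head><body><img src="//example.org/logo.png"><script src="https://code.jquery.com/jquery.min.js"></script>
</body></html>"""

class ResourceCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.urls, self._css = [], None   # _css buffers text while inside <style>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "style":
            self._css = []
        elif tag == "link":
            rels = set((a.get("rel") or "").lower().split())
            if rels & FETCHING_LINK_RELS and a.get("href"):
                self.urls.append((tag, a["href"]))
        elif tag in FETCH_ATTRS and a.get(FETCH_ATTRS[tag]):
            self.urls.append((tag, a[FETCH_ATTRS[tag]]))

    def handle_data(self, data):
        if self._css is not None:
            self._css.append(data)

    def handle_endtag(self, tag):
        if tag == "style" and self._css is not None:
            self.urls += [("style", u) for u in CSS_URL_RE.findall("".join(self._css))]
            self._css = None

def third_party_resources(html, page_url):
    """[(tag, absolute_url, host)] for each resource on a host other than the page's own;
    relative, same-host (including protocol-relative) and data: URLs are dropped."""
    parser = ResourceCollector()
    parser.feed(html)
    resolved = [(tag, urljoin(page_url, raw)) for tag, raw in parser.urls]
    return [(tag, url, urlsplit(url).hostname) for tag, url in resolved
            if urlsplit(url).hostname not in (None, urlsplit(page_url).hostname)]
```

Every host it reports receives the visitor's IP address on each page view; anything on that list is a candidate for copying to your own server, as the comments above suggest.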


Depends on the CDN.

If you pay the CDN, and they're not using your customers' data to make money, then probably not.

If you don't, or they do, then it's a violation of EU law if you do not allow (at least) EU users to easily control the use of that CDN. If you are making money, and you try telling the regulator that, for your business, you need (legitimate interest) to have jQuery hosted by a CDN that is using EU personal data illegally, then you might get a fine if they are reachable by the EU, because very few judges are going to believe that bullshit.

