From what I’ve been reading, as soon as the browser loads jQuery or a Google Font or a Google map it sends the IP address of the visitor to Google’s servers without any option to ask for their consent beforehand.
A key problem is that every country is treating this differently, but Germany is saying that under GDPR, IP addresses are considered personal data, so If we could store the fonts on our own servers there is no IP number transfer and therefore it sidesteps that particular issue.
I believe Google complies with the US Privacy Shield, which should be adequate in theory, but it seems that is irrelevant, because it still requires visitor consent and the owner of the website is held accountable. Web hosts are also walking on egg shells here and I’m very glad I never became a reseller.
From what I can tell it’s just a very badly written law, created by people who have no understanding of the internet or how it works, which is then being interpreted differently in every country. As always there are people who get a kick out of making it as complicated and expensive as possible, just like they did with EU VAT on digital downloads.
My inbox has been full of emails from a small number of clients fussing over GDPR and they are treating me like a legal consultant, but worse still framing the discussion as though I will be personally accountable if they experience any issues.
Reading on the internet, I’ve seen various software developers for web apps scrambling to find away around these points and issuing updates. For example the developer of the Stacks plugin for Rapidweaver issued an update so that jQuery access to a CDN can be controlled.
My wife works at a local college and they have been furiously shredding papers there for the last month in preparation for all of this, so the hysteria is not just limited to websites, but it seems like the penalties for non compliance can be pretty harsh.