I agree, but the definition of the law can also be interpreted many different ways, until it's clarified, I guess. This seems to me like a very grey area.
There was no trap, in my opinion, document clearly specifies that an additional resource, here a font, will help the website look as intended by the designer. It's visible and its effects are well known (it's part of a well understood specification) and can be blocked. Websites have a responsibility, absolutely, but this is just feels like going too far...
The going far feeling might come from the Overton window being pushed away in a direction. Regardless of what's right, healthy, good or bad usual things feel normal, and unusual will feel like going too far. The thing that matters in this feeling is what someone is gotten used to, which is not an objective quality of the thing, but an attribute of the viewer.
Not a lawyer, but to my knowledge, GDPR does not care if something technically "can be blocked" with some effort. It cares if there was clear, voluntary consent to share a particular bit of data - which wasn't the case here.
Then GDPR should blame the browser vendors for shipping with JS execution enabled by default and demand that JS execution for all browsers be turned off by default. To repaint the stories spun by the grand parents: If I hold up a dagger and announce the fact, why would you run into the dagger anyway without protection? Put on some armor, dude. The client browser had all the information it needed to not make the request (geolocation, external resource, purpose of external resource) and yet it did. I know this is just shifting blame but it's also a good argument for returning HTTP 451 to EU clients and be done with it.
>If I hold up a dagger and announce the fact, why would you run into the dagger anyway without protection? Put on some armor, dude.
Let's say I'm dumb, and I run into the dagger that you're holding. The case is then investigated by the law enforcement. Who do you think they'll blame? Would I be deemed guilty, and would my crime be not having armor on?
I'm not either, and neither are most developers. My takeaway from this is GDPR doesn't care, leaked data is leaked data. I'm just worried about this implications this will have for non-malicious intent that the internet has evolved to use over time. Perhaps this is for the better, but I fail to see that future at the moment.
There was no trap, in my opinion, document clearly specifies that an additional resource, here a font, will help the website look as intended by the designer. It's visible and its effects are well known (it's part of a well understood specification) and can be blocked. Websites have a responsibility, absolutely, but this is just feels like going too far...