It depends on what the cookies are being used for. If they're "essential for site functionality" (e.g. fraud prevention) then consent is not necessary.

Well, here's the thing though, it could be argued that they are essential for site functionality (if you conflate functionality with availability for example), however, you are revealing the IP of the user to those third-party services, which is no bueno.

Loading Google Fonts via Google's CDN is non-compliant, ergo why would Jetpack be any different? https://www.theregister.com/2022/01/31/website_fine_google_f...

However, CloudFlare is an odd one. They're also the reverse proxy and DNS for the site, ergo they can collect that IP if they intend to, which they apparently don't.

Where is the line drawn? If an asset loaded via a third-party CDN is "leaking the IP", surely CloudFlare also is? Surely any kind of DNS is?

I'm asking big questions, I know, but have always been curious, and have been waiting for a good opportunity to put them in front of others.

What we did was basically ignore GDPR and send a mail to our watchdog about the points we weren't sure would pass as legitimate use.

Basically: if you in good faith think it's legitimate, it's probably legitimate. The watchdog will propose you ways to remove PII from your data if he think you're misguided, and they drafted us an architecture that worked for data protection (like half a day of work for an architect, i think they already have these kind of drafts as our issue was quite common). We spent 20 minutes to write the email and basically earned 500$ (or whatever is the cost of half a day of an architect is). We also had prior contact with the watchdogs for unrelated reasons (trying to get certified to handle sensitive data).