I don't see a difference with fonts.bunny.net and Google Fonts? From the perspective of GDPR, they still both receive your IPA and browser info, which was what made it illegal to use G fonts.

You can download fonts from both of them and host them on your own server to avoid processing that information.

I'm all for privacy and such (I don't use Google Fonts or tracking ads/analytics), but I don't really see a difference in here. According to G Fonts privacy policy, they don't store any PII. (This also reminds me that based on what I understand of the ruling, almost any 3rd party requests for assets should be blocked? Including G fonts, bunny fonts and jsdelivr)

> According to G Fonts privacy policy, they don't store any PII.

Do they log IP addresses? That would be enough as those count as PII. Maybe bunny.net has logs disabled and that's what makes them stand out.

But especially with fonts it's just so easy to self-host them that it's kind of a no-brainer.

> almost any 3rd party requests for assets should be blocked

That could be a very good practice/state of mind for developing privacy-respecting websites/apps and will save you from stress, before it can happen.

As you have no more advantages due to separated caches from using CDNs for scripts etc., you can self-host those, too. Saves on DNS lookups and you have control over the caching-times, too.

I'd try to run as much as possible from the same domain.

The GDPR also has the concept of data minimization, which I believe would apply in the case where you're unnecessarily sharing IP addresses with a third-party (regardless of whether they ultimately log them) for something that can trivially be done in-house.

There's zero benefit to using a CDN for fonts - browsers have long ago started partitioning caches per origin anyway, so you don't even get a performance benefit. Just put the fonts where you put the rest of your static files and you're good to go.