@jeolen @williamoconnell @chriscoyier The terms of service for Google Fonts are _very_ different from everything else at Google (see https://developers.google.com/fonts/faq/privacy)
They really try to do right here, but GDPR still requires consent before pushing PII (like IP addresses) to non-EU places.
That said, the CDN concept for common assets (like fonts or "standard" JS libraries) was more useful when multiple origins shared a CDN file. These days, browser download CDN files once per origin (i.e. website that's using it), removing most of the benefits of using a CDN.
tl;dr: Google Fonts is likely okay to use in theory, still requires opt-in by the user in practice, and doesn't even save bandwidth for the user like it used to.