I was building a checklist for GDPR compliance, and the more I researched, the more weird scenarios I found.
Developer - Let's use this font: it's more readable, suits the brand and will improve UX too. I'll load it from Google Fonts.
Real world - You are violating GDPR: the browser's GET requests for the font files go to Google's servers, which log the visitor's IP address (personal data).
Developer - One of our clients wants their data deleted because they no longer use our service. Should I build this feature?
Real world - GDPR says you can't keep storing their data. But there's a way: if there was any monetary transaction (like a paid subscription), you can argue that the data is required for financial records and keep it.
Even on a free plan, you can still keep the data in backups (as long as you promise to delete those particular records if that backup is ever restored!)
Developer - We use localStorage for sessions, so we don't have to show the GDPR cookie consent banner anymore.
Real world - GDPR never said you can't set cookies without consent. It's another law, the Cookie Law, that requires the banner, and under the Cookie Law every kind of client-side storage (localStorage included) is covered.
Developer - I need a cookie to preserve the session. Should I switch to JWT now to make it GDPR compliant?
Legal - No need to switch; in this scenario the cookie is a functional requirement, so you can keep using it, and you don't need to show the banner for it either.
Developer - I know this anonymous user doesn't want cookies, they clicked "don't save cookies", but now I need to store that preference in a cookie. Is that cookie-ception?
Legal - You can set a cookie that tells your system not to set any other cookies; that's GDPR-compliant practice.
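The two exchanges above (localStorage is not a loophole; the opt-out preference itself lives in a cookie) boil down to one piece of logic: a consent gate. Here is an added example of such a gate, written for this post and not taken from it. It assumes a small in-memory `CookieJar` and a `Map` standing in for `document.cookie` and `window.localStorage` so it runs under Node; the cookie name `cookie_consent`, the category names and the sample values are all constructed for the example.

```javascript
// Added example (not code from the original post): a minimal consent gate.
// The visitor's "no cookies" choice is stored in a cookie that is treated as
// strictly necessary, and every optional cookie or localStorage write is refused
// unless the visitor explicitly opted in. "Not answered yet" is not consent.
//
// Assumptions (constructed for this example): CookieJar and a plain Map stand in
// for document.cookie and window.localStorage; the cookie name "cookie_consent"
// and all sample names/values are hypothetical.

const CONSENT_COOKIE = "cookie_consent"; // hypothetical name

// Stand-in for document.cookie: keeps name -> {value, attrs}. Attributes are only
// recorded here; in a real deployment the server sets HttpOnly cookies, not JS.
class CookieJar {
  constructor() {
    this.store = new Map();
  }
  set(name, value, attrs = {}) {
    this.store.set(name, { value: String(value), attrs });
  }
  get(name) {
    const entry = this.store.get(name);
    return entry ? entry.value : undefined;
  }
  remove(name) {
    this.store.delete(name);
  }
  names() {
    return [...this.store.keys()];
  }
}

class ConsentGate {
  // jar: CookieJar; storage: Map-like stand-in for localStorage.
  constructor(jar, storage) {
    this.jar = jar;
    this.storage = storage;
    this.necessary = new Set([CONSENT_COOKIE]); // names exempt from consent
  }

  // "accepted", "rejected", or "unknown" (banner not answered yet).
  consent() {
    const v = this.jar.get(CONSENT_COOKIE);
    return v === "accepted" || v === "rejected" ? v : "unknown";
  }

  // Record the visitor's choice. This is the "cookie that says no cookies": it is
  // set even for "rejected", because without it the refusal could not be honoured
  // on the next request. Rejecting also withdraws consent, so optional data is purged.
  record(choice) {
    if (choice !== "accepted" && choice !== "rejected") {
      throw new Error(`invalid consent choice: ${choice}`);
    }
    this.jar.set(CONSENT_COOKIE, choice, { sameSite: "Lax", maxAge: 180 * 24 * 3600 });
    if (choice === "rejected") this.purgeOptional();
  }

  // Strictly necessary cookies (e.g. the session id) never wait for consent.
  setNecessary(name, value) {
    this.necessary.add(name);
    this.jar.set(name, value, { httpOnly: true, secure: true, sameSite: "Lax" });
  }

  // Optional cookies: only after an explicit opt-in.
  setOptional(name, value) {
    if (this.consent() !== "accepted") return false;
    this.jar.set(name, value, { sameSite: "Lax" });
    return true;
  }

  // Same rule for localStorage: the storage mechanism does not change the rule.
  setOptionalLocal(key, value) {
    if (this.consent() !== "accepted") return false;
    this.storage.set(key, value);
    return true;
  }

  // Drop everything that is not on the necessary list.
  purgeOptional() {
    for (const name of this.jar.names()) {
      if (!this.necessary.has(name)) this.jar.remove(name);
    }
    this.storage.clear();
  }
}

// Walk through the post's scenario with a fresh browser.
function demo() {
  const jar = new CookieJar();
  const gate = new ConsentGate(jar, new Map());
  gate.setNecessary("session", "s3ss10n");                    // allowed before any answer
  const beforeAnswer = gate.setOptional("analytics_id", "abc"); // refused: unknown
  gate.record("rejected");                                      // preference lands in a cookie
  const afterReject = gate.setOptional("analytics_id", "abc");  // still refused
  const localAfterReject = gate.setOptionalLocal("ab_variant", "B"); // refused too
  return {
    beforeAnswer, afterReject, localAfterReject,
    consent: gate.consent(),
    cookies: jar.names().sort(), // ["cookie_consent", "session"]
  };
}

console.log(JSON.stringify(demo()));
```

The point the gate makes concrete: the session cookie and the consent cookie are the only things written before the banner is answered, and a rejection both blocks future optional writes and clears anything optional that was already stored, whether it sat in a cookie or in localStorage.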
Developer - I need to change profession, this is too complex.
Real world - Would you like fries with that, sir?