As I understand it, a checkbox is not required, as pressing the submit button is an active action.
So, in this case, it can be solved with a few tweaks:
- Put the information text above/before the submit button.
- The text should be made more readable (it’s currently somewhat obscured by the background image).
To be fully compliant, I would suspect you must also have a method of removing or anonymizing said data from the CDN providers logs/databases if a user requests to be “forgotten”. It’s currently unclear (at least to me) whether a users rights to access (and remove/anonymize) their own data also applies to low-level tehnical logs such as server log, database logs, etc. This is made a lot more complicated by the fact that IP addresses are defined by the EEA as personal information and that most web servers log IP addresses by default.
The simpler solution would just be to host the google fonts (and any other HTTP resources) on your “own” servers.
I also agree that one should not market a product as GDPR compliant, as GDPR compliance applies to organizations as a whole and not (only) products. Even if an organization uses only “compliant” software, that does not automatically make the organization compliant.