As I understand it, a checkbox is not required, as pressing the submit button is an active action.
However, it should be made clear that by submitting the form you are accepting that the provided information is processed in accordance with the privacy policy and what the information is specifically used for.
So, in this case, it can be solved with a few tweaks:
- Put the information text above/before the submit button.
- In the information text, include a sentence like “By submitting this form you are accepting that the provided information may be used, stored and processed in accordance with our privacy policy.”, where the text “privacy policy” should be a link.
- The text should be made more readable (it’s currently somewhat obscured by the background image).
You can use a CDN, but you must inform users about what data is collected by the CDN, why they are collecting it and what it's used for. You must also ensure that the CDN only collects, stores and processes that data in accordance with your privacy policy and the GDPR requirements.
To be fully compliant, I would suspect you must also have a method of removing or anonymizing said data from the CDN provider's logs/databases if a user requests to be “forgotten”. It’s currently unclear (at least to me) whether a user's rights to access (and remove/anonymize) their own data also apply to low-level technical logs such as server logs, database logs, etc. This is made a lot more complicated by the fact that IP addresses are defined by the EEA as personal information and that most web servers log IP addresses by default.
The simpler solution would just be to host the Google Fonts (and any other HTTP resources) on your “own” servers.
I also agree that one should not market a product as GDPR compliant, as GDPR compliance applies to organizations as a whole and not (only) products. Even if an organization uses only “compliant” software, that does not automatically make the organization compliant.