Is Cloudflare GDPR Compliant?

Published on Jul 1, 2025 and edited on Jul 11, 2025 by Ankit Ghosh

TL;DR

  1. How to maintain GDPR compliance with Cloudflare
    1. Request user consent (optional)
    2. Provide option to opt-out
    3. Add Cloudflare to list of data processors
    4. Monitor data security
  2. Do I need a cookie banner with Cloudflare?
  3. What Cloudflare’s Privacy Policy/GDPR page says
  4. About Cloudflare
  5. Who are we
Cloudflare is a suite of tools and can be GDPR-compliant if all necessary steps are followed.

How to maintain GDPR compliance with Cloudflare

As Cloudflare is a suite of tools, you need to understand what data goes to its servers based on the product you are using.

For example, if you are only using CDN and DNS services, Cloudflare will primarily receive user IP addresses. However, if you also use its Web Analytics service, much more user information is shared.

Here are some must-follow steps to ensure GDPR compliance with Cloudflare.

Request user consent (optional)

If you are using a Cloudflare service that uses cookies, such as Zaraz, then obtaining user consent is mandatory; otherwise, this step can be skipped.

This requires having a “cookie opt-in banner” that requests your users' consent to use third-party tools such as Cloudflare.

You can use a free CMP tool like Termly or Cookiebot to manage this step.

[Image: cookie banner]

Provide option to opt-out

To ensure GDPR compliance, it is also important to give your users a way to opt out of tracking by third-party marketing tools whenever they need to. If you have a CMP tool, this step is easily handled.

Add Cloudflare to list of data processors

Next, ensure that Cloudflare is included in the data sub-processor section of your privacy policy page. This is mandatory under the new GDPR regulations, and all businesses must comply.

Here’s how you need to mention Cloudflare in your privacy policy page:

[Image: example privacy policy]

Monitor data security

According to Article 33 of the GDPR, it is mandatory to notify users in the event of a data breach. To comply with this, you need to monitor Cloudflare for any data breaches it reports. While such incidents are unlikely, they remain a possibility.

Additionally, it’s recommended that you secure your account with a strong password and Multi-Factor Authentication (MFA) enabled. Even though it's not mandatory, doing this will help protect you against data leaks caused by account hacking, which may cause legal trouble.

Do I need a cookie banner with Cloudflare?

Yes - based on how you use Cloudflare, you might need to have a cookie banner.

What Cloudflare’s Privacy Policy/GDPR page says

Source: https://www.cloudflare.com/en-gb/privacypolicy/

The Cloudflare Privacy Policy, effective April 22, 2025, outlines how the company collects, uses, and discloses personal information. It emphasizes Cloudflare's dedication to protecting privacy, providing transparency, and ensuring data security in compliance with various legal frameworks.

Policy Scope:

The policy applies to different categories of data subjects such as event attendees, website visitors, customers, administrative users, DNS resolver users, end users, and registrants. It does not cover customers' websites, applications, and networks where Cloudflare acts as a service provider.

Data Collection:

Cloudflare collects different types of personal information based on the user's interaction with its services. The information includes contact details, payment information, DNS query data, user interaction data, and more. This data helps Cloudflare improve services, enhance security, and provide customer support.

Usage of Information:

Collected data is used to operate, improve, and personalize services. It helps in processing transactions, sending alerts, complying with legal obligations, and conducting marketing activities. Cloudflare commits to not selling personal information.

Data Sharing:

Cloudflare shares information with service providers under strict conditions, ensuring compliance with confidentiality and security measures. Personal data may be shared within the Cloudflare Group, with resellers, during business transitions, or as legally mandated.

EU, UK, and Swiss Residents:

A detailed notice addresses the data protection rights for residents in these regions, explaining Cloudflare's role as a data controller and processor. Legal bases for data processing include user consent, contractual obligations, and legitimate interests.

International Data Transfers:

Cloudflare implements appropriate safeguards for international data transfers, adhering to various data privacy frameworks, including the EU-U.S. Data Privacy Framework.

Data Subject Rights:

Individuals have rights to access, correct, delete, and manage their personal data. Cloudflare details the process for exercising these rights, ensuring compliance with regional privacy laws.

Data Security and Retention:

The company employs robust security measures to protect data from unauthorized access. Personal information is retained only as long as necessary to fulfill business and legal obligations.

Dispute Resolution and Updates:

The policy outlines procedures for resolving privacy concerns and commits to notifying users of significant changes to the privacy policy.

Contact Information:

Cloudflare provides contact details for reaching the Data Protection Officer across various regions for privacy-related inquiries.

Special Notices for California Residents:

California residents have additional rights under the California Consumer Privacy Act (CCPA) concerning data access, deletion, and opting out of data selling or sharing.

Points to Highlight:

  • Commitment to Privacy: Cloudflare emphasizes trust, transparency, and data protection as its core values.
  • Comprehensive Policy Scope: The policy caters to a wide range of data subjects and scenarios.
  • Global Compliance: The policy ensures adherence to international privacy laws and frameworks.
  • User Rights: It upholds individual rights to manage and control personal information.
  • Security Focus: The policy represents a strong commitment to safeguarding data integrity and security.

About Cloudflare

Cloudflare is a leading web infrastructure and website security company that provides a wide range of services to enhance the performance and security of websites. Founded in 2009, Cloudflare's mission is to help build a better internet by offering various tools and solutions tailored for speed, security, and reliability.

Key Features:

  1. Content Delivery Network (CDN): Cloudflare's expansive global network helps deliver content from the closest server to users, ensuring faster load times and reduced latency, regardless of geographical location.
  2. DDoS Protection: Cloudflare offers robust protection against Distributed Denial-of-Service (DDoS) attacks, helping to maintain website availability even during intense traffic spikes caused by malicious activities.
  3. Web Application Firewall (WAF): The WAF feature safeguards websites from common vulnerabilities by filtering and monitoring HTTP traffic between the web application and the internet.
  4. SSL/TLS Encryption: Cloudflare provides easy-to-deploy SSL/TLS encryption, ensuring data transferred between users and websites is secure and private.
  5. Load Balancing: With Cloudflare's load balancing, users can manage traffic efficiently across multiple servers to ensure high availability and reliability.
  6. Domain Name System (DNS) Services: As one of the fastest DNS providers, Cloudflare offers a secure and highly performant DNS management service.
  7. Page Rules and Edge Caching: These features allow for granular control over caching, routing, and adjustments to optimize performance and resource allocation based on specific URL patterns.

Cloudflare continues to innovate and expand its offerings to cater to the evolving needs of businesses and individuals seeking to maintain robust, secure, and high-performance online experiences.

Who are we

We are Simple Analytics, a privacy-friendly and GDPR-compliant Google Analytics and Cloudflare Analytics alternative. We're EU-based & hosted, and normally best friends with your legal team (ask Michelin, Bloomberg, Mollie). Our aim is to improve data privacy by providing the website you need while being 100% compliant out of the box.

Feel free to give us a try. If you want me to show a demo, please schedule something using my link.