Cloudflare Browser Insights is a cookieless Real User Monitoring beacon that reports Core Web Vitals, navigation timings and JavaScript errors from visitor browsers to Cloudflare.
Cloudflare Browser Insights is a Real User Monitoring beacon that Cloudflare can automatically inject into pages served through its proxy. It reports Core Web Vitals, navigation timing, JavaScript errors and a sampled view of resource performance back to Cloudflare. It is intended for performance and stability monitoring, not for marketing analytics.
By design Browser Insights does not set cookies. The beacon collects timing data, the URL, viewport size, browser and operating system, and the visitor IP, which Cloudflare uses to compute aggregated dashboards. There is no persistent visitor identifier and the data is not used to build behavioural audiences.
Because no cookies are written, article 5(3) of the ePrivacy Directive is not triggered. The beacon still processes the visitor IP and timing data; that processing can rely on legitimate interest if the operator documents the limited purpose, retains data for the shortest reasonable period and configures the IP truncation that Cloudflare offers.
Many operators leave Browser Insights on without a CMP gate. To stay on the safe side, disclose the beacon in your privacy notice, document the legitimate interest balancing test and offer an objection mechanism. Some EU data protection authorities expect this kind of cookieless beacon to remain limited to performance monitoring with no link to advertising.
Cloudflare runs a global edge network. Browser Insights data is processed at the closest point of presence and aggregated centrally. The Data Localisation Suite can pin EU traffic to European data centres, but control plane and aggregated metrics may still be processed in the United States. Transfers rely on Standard Contractual Clauses and the EU-US Data Privacy Framework.
Sign the Cloudflare DPA, enable the Data Localisation Suite for EU-only routing, configure short retention, document the legitimate interest assessment, mention Browser Insights in the privacy notice, and disable it for properties where another analytics tool already covers performance monitoring.
Websites using Cloudflare Browser Insights must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is generally not required for the default cookieless beacon, but it becomes appropriate when Browser Insights is combined with broader Cloudflare analytics that do use identifiers, or when EU traffic is routed through US data centres without the Data Localisation Suite.
Sample consent text
We use Cloudflare Browser Insights to monitor the performance of our pages. The beacon does not set cookies and only collects technical metrics such as load time and Core Web Vitals. No behavioural profiling is performed.
Third-party domains contacted
cloudflareinsights.com
static.cloudflareinsights.com
cloudflare.com
Cookies placed

| Name | Type | Duration | Purpose |
|---|---|---|---|
| No cookies | None | N/A | Cloudflare Browser Insights operates entirely without cookies; this row documents that the beacon does not set or read any cookie on the visitor browser. |
None. Browser Insights is a cookieless beacon by design. It sends performance metrics to Cloudflare without writing any persistent identifier to the visitor browser.
Article 5(3) of the ePrivacy Directive does not apply because there is no cookie or local storage write. The processing of timing data and visitor IP can rely on legitimate interest, with documentation and an objection mechanism.
Legitimate interest under article 6(1)(f) GDPR for cookieless performance monitoring, provided the data is not used for behavioural profiling or advertising and that retention is kept short.
Cloudflare is a US company. Even with the Data Localisation Suite, control plane and aggregated metrics may be processed in the US. Transfers rely on Standard Contractual Clauses and the EU-US Data Privacy Framework.
Generally no for the default cookieless beacon. A DPIA is appropriate only when Browser Insights is combined with other Cloudflare analytics that use identifiers, or when EU traffic is routed without the Data Localisation Suite.
Document the beacon under legitimate interest, enable IP truncation, set short retention, mention it in the privacy notice, expose an objection mechanism and prefer the Data Localisation Suite for EU-only routing.
Cookieless RUM alternatives include SpeedCurve, New Relic Browser, Datadog RUM with EU residency, Sentry Performance, Cabin Analytics and self-hosted Boomerang or OpenTelemetry browser SDKs.
State that no cookies are set by Browser Insights, describe the metrics collected, name Cloudflare as a processor, document the legitimate interest basis and any US transfer along with the safeguards.