Cloudflare is a global internet infrastructure company providing CDN, DDoS protection, DNS, WAF (Web Application Firewall), bot management, and security services. Its core infrastructure services do not require cookie consent — the security cookies (__cf_bm, cf_clearance) are strictly necessary for bot protection. Cloudflare acts as an infrastructure processor, not a data collector for advertising. EU data localisation options are available. Cloudflare is certified under the EU-US Data Privacy Framework.
Cloudflare is a global internet infrastructure company whose products sit between website visitors and the origin server, providing: content delivery (CDN) that accelerates page loads, DDoS protection that absorbs attack traffic, a Web Application Firewall (WAF) that blocks malicious requests, bot management, DNS services, and Cloudflare Workers (serverless computing). Over 20% of the internet uses Cloudflare as its CDN and security layer.
Cloudflare sets two security cookies: __cf_bm (bot management, 30 minutes) and cf_clearance (security challenge clearance, 1 day). Both are strictly necessary for Cloudflare's security functions — they are technically required for the WAF and bot protection to work. These cookies do not require consent under the ePrivacy Directive as they are strictly necessary for the legitimate security service. Cloudflare also sets __cflb for load balancing, which is also strictly necessary.
Cloudflare processes HTTP request headers (including IP addresses, User-Agent, Referer), response codes, and timing data. IP addresses are personal data under GDPR. Cloudflare retains logs for defined periods (typically 24-72 hours for standard plans). The legal basis is legitimate interest for security and performance services. Cloudflare does not sell or use this data for advertising.
Cloudflare offers Data Localisation Suite for enterprise customers, enabling restriction of data processing to EU points of presence. For standard deployments, Cloudflare's Anycast network may route traffic through non-EU data centres. Cloudflare is certified under the EU-US Data Privacy Framework and provides SCCs in its DPA for transfers outside the EU/EEA.
Sign the Cloudflare DPA (available in Cloudflare Dashboard, Account, Configurations). Classify __cf_bm and cf_clearance as strictly necessary in your cookie policy — no consent needed. Disclose Cloudflare as a CDN and security processor in your privacy policy. For enterprise deployments requiring EU-only processing, configure the Data Localisation Suite.
Websites using Cloudflare must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is generally not required for standard Cloudflare CDN and security deployments. It may become relevant for Cloudflare Workers or R2 deployments that process significant volumes of personal data, or for Cloudflare Access/Zero Trust deployments managing employee authentication.
Sample consent text
This website uses Cloudflare for security and performance. Cloudflare sets strictly necessary cookies (__cf_bm, cf_clearance) for bot protection. These do not require consent as they are essential for website security. Cloudflare may process your IP address and request data for security purposes.
Third-party domains contacted
cloudflare.com, challenges.cloudflare.com, cdnjs.cloudflare.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| __cf_bm | session | 30 minutes | Cloudflare bot management cookie distinguishing legitimate users from automated bots — strictly necessary |
| cf_clearance | persistent | 1 day | Cloudflare security challenge clearance cookie confirming the visitor passed the security check — strictly necessary |
No. Cloudflare's security cookies (__cf_bm, cf_clearance) are strictly necessary for bot protection and security services. They do not require consent under the ePrivacy Directive. Classify them as strictly necessary in your cookie policy.
Cloudflare processes IP addresses as part of its CDN and security services — routing requests, DDoS mitigation, and security analysis. IP addresses are personal data under GDPR. Cloudflare's legitimate interest covers this processing as a necessary infrastructure service. Cloudflare retains logs for defined periods per its privacy policy.
Yes. Cloudflare's Data Localisation Suite (enterprise) restricts data processing to EU points of presence. For standard deployments, Cloudflare's Anycast network may use non-EU data centres. Cloudflare is EU-US Data Privacy Framework certified and provides SCCs for non-EU transfers.
Both, depending on the context. For CDN, WAF, and security services on behalf of website operators, Cloudflare is a processor. For Cloudflare's own security intelligence (aggregate threat data), Cloudflare acts as an independent controller. Sign the Cloudflare DPA which covers the processor relationship.
Yes. Sign the Cloudflare Data Processing Addendum available in Cloudflare Dashboard under Account Settings. This covers Cloudflare's processing of personal data (including visitor IP addresses) as your infrastructure provider.
Cloudflare Web Analytics is privacy-first: it does not use cookies, does not track individuals across sites, and does not store IP addresses beyond request processing. It is cookieless and GDPR-friendly — similar to Plausible in its privacy approach.
__cf_bm is a Cloudflare bot management cookie (30-minute session). It distinguishes legitimate human traffic from automated bot traffic. It is strictly necessary for Cloudflare's bot protection service and does not require consent.
Cloudflare's core services (CDN, DDoS, WAF) can be deployed with minimal GDPR friction: strictly necessary cookies, legitimate interest for security, and a signed DPA. It is one of the most GDPR-straightforward infrastructure services available. More complex products (Workers, R2, Access) require additional assessment.