Cloudflare Zaraz is a server side tag manager that runs third party tags on Cloudflare Workers, replacing browser tags with edge processed events and a built in consent layer.
Cloudflare Zaraz is a third party tag manager that runs on Cloudflare Workers at the network edge. Instead of loading dozens of tags directly in the visitor browser, the website sends a single request to Zaraz, which then dispatches server side calls to the configured destinations. Zaraz ships with a built in consent layer that can either replace a CMP for simple deployments or integrate with a more advanced one.
Zaraz writes a first party cookie that records the consent decision per category. The events themselves include URL, referrer, screen size and any custom payload defined by the operator. The destinations behind Zaraz can still set their own cookies if the integration uses pixel mode, but Zaraz can also relay events purely server side, which significantly reduces third party cookies on the visitor browser.
Even when tags are executed at the edge, the consent rules of article 5(3) of the ePrivacy Directive still apply because the destinations process personal data of the visitor. Zaraz must therefore be configured so that non essential destinations do not run before the visitor has accepted the corresponding category. The website operator remains the controller for the destinations, and Cloudflare is the processor for the edge execution.
Map every destination to a consent category, configure default reject for non essential categories, and use the Zaraz consent API to gate event dispatch on the consent state. Where Zaraz acts purely as a server side relay, hash personal identifiers before transmission and consider running the tag on first party domains instead of the default cdn-cgi path.
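The gating and hashing steps described above, as an added example that is not Cloudflare's code or part of the original page. It runs in Node.js; the destination names, category names and function names are hypothetical, and the consent state is assumed to arrive as a plain object of category flags rather than through the Zaraz consent API.

```javascript
// Added example: hypothetical names throughout, not the Zaraz API.
const { createHash } = require("node:crypto");

// Every destination is mapped to exactly one consent category.
const DESTINATION_CATEGORY = {
  "fraud-check": "necessary",
  "web-analytics": "analytics",
  "ads-conversion": "advertising",
};

// Categories that may run without an opt-in.
const ALWAYS_ALLOWED = new Set(["necessary"]);

// Fields holding direct identifiers that must not leave in clear text.
const IDENTIFIER_FIELDS = ["email", "phone"];

// Normalise before hashing so the same person always yields the same digest.
// A hashed identifier is pseudonymous, so it is still personal data.
function sha256Hex(value) {
  return createHash("sha256").update(value.trim().toLowerCase()).digest("hex");
}

// Default reject: only an explicit `true` counts as consent.
function isAllowed(destination, consent) {
  const category = DESTINATION_CATEGORY[destination];
  if (category === undefined) return false; // unmapped destinations never run
  if (ALWAYS_ALLOWED.has(category)) return true;
  return consent[category] === true;
}

// Returns a copy of the payload with identifier fields replaced by digests.
function hashIdentifiers(payload) {
  const out = { ...payload };
  for (const field of IDENTIFIER_FIELDS) {
    if (typeof out[field] === "string" && out[field] !== "") {
      out[field] = sha256Hex(out[field]);
    }
  }
  return out;
}

// Returns the { destination, payload } pairs that may actually be sent.
function planDispatch(event, consent) {
  const safe = hashIdentifiers(event);
  return Object.keys(DESTINATION_CATEGORY)
    .filter((d) => isAllowed(d, consent))
    .map((destination) => ({ destination, payload: safe }));
}

// Constructed sample event; an empty consent object means nothing was accepted.
const sampleEvent = { name: "purchase", email: " Alice@Example.com ", value: 42 };
console.log(planDispatch(sampleEvent, {}).map((p) => p.destination));
```

With an empty consent object only the strictly necessary destination is planned, and any value other than `true` (a missing key, a string, `1`) is treated as a rejection.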
Cloudflare runs a global edge network. EU traffic can be pinned to European data centres through the Cloudflare Data Localisation Suite, but logs and configuration data may still be processed in the United States. The Cloudflare DPA, the EU-US Data Privacy Framework and Standard Contractual Clauses are the legal instruments that frame those transfers.
Sign the Cloudflare DPA, enable the Data Localisation Suite for EU only routing, configure default reject in the Zaraz consent layer, document each destination and its legal basis, and review server side payloads quarterly to ensure no field has been added without privacy review.
Websites using Cloudflare Zaraz must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is appropriate when Zaraz orchestrates a large set of advertising tags, when EU data is routed through US edge points of presence without the Data Localisation Suite, or when consent is fully delegated to the Zaraz consent layer for many destinations.
Sample consent text
We use Cloudflare Zaraz to load third party tags such as analytics and advertising from our servers rather than directly from your browser. By accepting, you allow Zaraz to set a consent cookie and to forward your interactions to the destinations you have enabled.
Third-party domains contacted
cloudflare.com, cdn-cgi, zaraz.cloudflare.com

Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| cf_zaraz | Strictly necessary | 1 year | Stores the visitor consent decisions managed by the Cloudflare Zaraz consent layer. |
| __cf_zid | Functional | Session | Internal Zaraz session identifier used to deduplicate edge events. |
Zaraz writes a cf_zaraz consent cookie that records the visitor consent decisions per category. Tags executed behind Zaraz can still set their own cookies if pixel mode is used; in pure server side mode the visitor browser sees no third party cookies.
Yes, for any non essential destination orchestrated by Zaraz. The consent rules of article 5(3) of the ePrivacy Directive apply to the destinations themselves, even when they are executed at the edge instead of in the browser.
Consent for advertising and analytics destinations, legitimate interest for strictly necessary tags such as security or anti fraud, and contractual necessity for destinations directly required to fulfil a customer request.
Cloudflare is a US company with global edge points of presence. EU traffic can be pinned to European data centres with the Data Localisation Suite, but logs and configuration may still be processed in the US. Transfers rely on Standard Contractual Clauses and the EU-US Data Privacy Framework.
A DPIA is appropriate when many advertising destinations are orchestrated by Zaraz, when EU data is routed without the Data Localisation Suite, or when the consent layer is the only gating mechanism for downstream destinations.
Sign the Cloudflare DPA, enable the Data Localisation Suite, configure default reject in the consent layer, map every destination to a category, document the destination list and review server side payloads each quarter.
Other server side or hybrid tag managers include Google Tag Manager Server Side, Tealium iQ, Commanders Act TagCommander, Stape, Snowplow, RudderStack and self hosted Workers based proxies.
List the cf_zaraz consent cookie alongside any cookies set by the destinations behind it, name Cloudflare as a processor, document the destination list and any US transfer, and explain how visitors can revoke their consent through your CMP or the Zaraz consent layer.