Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Fastly is an edge cloud platform providing global content delivery, image optimisation, real time analytics and edge compute services. As a CDN, Fastly proxies traffic between users and origin servers, accelerating delivery and improving security. By default Fastly does not set client side cookies, which simplifies its GDPR posture. Logging of IP addresses and request metadata still constitutes processing of personal data and must be documented.
Fastly is a US headquartered edge cloud platform listed on the New York Stock Exchange under the ticker FSLY. It operates a global network of points of presence that act as reverse proxies between end users and origin servers. When a visitor requests a resource, the closest Fastly edge node serves the cached response or fetches it from the origin, accelerating delivery and absorbing traffic spikes. Fastly also offers image optimisation, real time analytics, Compute@Edge for running serverless code and a Next Generation Web Application Firewall for security filtering.
By default Fastly does not set first party or third party cookies in the visitor''s browser. It functions as transparent infrastructure that proxies HTTP requests and responses. Under Article 5(3) of the ePrivacy Directive, consent is required only when a service stores or accesses information on the user terminal, which Fastly does not do by itself. Processing of IP addresses and request headers needed to deliver content and to detect abuse falls under the legitimate interest legal basis of Article 6(1)(f) GDPR, with the strictly necessary cookies exemption applying where any session affinity cookie is used purely for routing.
Even without cookies, Fastly necessarily processes connection metadata to deliver the service. This includes IP addresses, user agent strings, requested URLs, referer headers, TLS fingerprints and response status codes. Logs may be retained for security analysis and operational troubleshooting. If the origin sets cookies, Fastly will pass them through but does not create them itself. Customers can also configure Fastly to enrich logs, hash IPs or strip sensitive headers at the edge.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Fastly is a US controller with infrastructure in Europe, Asia, the Americas and Oceania. Traffic from EU visitors may transit through EU edge locations but management plane data and support operations reach the United States. Transfers are governed by Standard Contractual Clauses included in the Fastly Data Processing Addendum and, where Fastly self certifies, by the EU US Data Privacy Framework. Controllers should perform a Transfer Impact Assessment and document supplementary measures such as TLS in transit and access controls.
Sign the Fastly Data Processing Addendum, list Fastly in your privacy notice as a processor for content delivery, document the legitimate interest assessment, and configure log retention to a minimum necessary period. Pseudonymise or truncate IP addresses in long term logs where possible. Avoid mixing Fastly with separate analytics or tag management functions in a way that would convert it into a tracking technology. Periodically review configurations to confirm no unexpected cookies are introduced through Compute@Edge workloads.
If you run authenticated areas, payment flows or health related content through Fastly, the volume and sensitivity of data processed grows. In such cases conduct a DPIA, restrict edge logging, enable TLS end to end, configure shielding to keep traffic on EU PoPs where feasible, and document the chain of subprocessors. For purely public content, the standard CDN posture remains low risk.
Websites using Fastly must obtain user consent under GDPR regulations.
DPIA considerations
A full DPIA is not generally required for using Fastly purely as a CDN, since processing is limited to delivery, caching and security. However, a documented Article 30 record of processing activities and a Transfer Impact Assessment for US edge locations are recommended. If Fastly is used to process sensitive payloads, handle authenticated sessions or enrich logs with user identifiers, a DPIA should be performed.
Sample consent text
No prior consent banner is normally required for Fastly because the service operates as a content delivery network strictly necessary to deliver the requested content and to ensure security. The legal basis is legitimate interest under Article 6(1)(f) GDPR. Users should be informed in the privacy notice that Fastly processes connection metadata such as IP addresses and request headers to deliver and secure the site, and that some traffic may transit through US edge nodes under appropriate safeguards.
Third-party domains contacted
fastly.comfastly.netfastlylb.netglobal.ssl.fastly.neta.ssl.fastly.netCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| (none) | Not applicable | Not applicable | Fastly operates as a content delivery network and reverse proxy. By default it does not set first party or third party cookies on the visitor's browser. Any cookies observed in responses are set by the origin server or by application code, not by Fastly itself. |
| Fastly-Debug-* | Debug header, not a cookie | Per request | Fastly may emit response headers such as Fastly-Debug-Path or Fastly-Debug-Digest for diagnostic purposes when explicitly enabled. These are HTTP headers, not browser cookies, and they do not persist between requests. |
| fastly-session | Strictly necessary (optional, configured) | Session | Some implementations configure a session affinity cookie at the edge to keep a visitor pinned to the same backend during a session. Where used, it is strictly necessary for service routing and is exempt from consent under the ePrivacy Directive. |
This service may collect user data. Ensure GDPR compliance with FlowConsent.
Fastly typically does not set any cookies on the visitor's browser. It operates as a content delivery network and reverse proxy, intermediating HTTP traffic without injecting client side identifiers. If you observe cookies in the response, they are almost always set by the origin server, by your own application, or by a Compute@Edge workload you have configured. A possible exception is a session affinity cookie used purely for routing to a consistent backend, which qualifies as strictly necessary under the ePrivacy Directive.
Used purely as a CDN, Fastly does not require prior consent from visitors. Article 5(3) of the ePrivacy Directive only requires consent when information is stored on or read from the user's device, which Fastly does not do by default. Processing of IP addresses and request headers for delivery and security is covered by the legitimate interest legal basis under Article 6(1)(f) of the GDPR. Mention Fastly in your privacy notice and document the legitimate interest assessment to remain transparent.
The most common legal basis is legitimate interest under Article 6(1)(f) of the GDPR, justified by the need to deliver content efficiently, protect against attacks and ensure availability. When Fastly is integral to the performance of a contract, for example serving an e commerce platform that the user has chosen to use, Article 6(1)(b) contractual necessity can also apply. Both bases should be documented in your record of processing activities.
Yes. Fastly is headquartered in San Francisco and operates global edge points of presence. EU visitor traffic can be served from EU PoPs, but management plane operations, support, and certain analytics reach the United States. Transfers rely on Standard Contractual Clauses in the Fastly Data Processing Addendum and, where Fastly self certifies, on the EU US Data Privacy Framework. A Transfer Impact Assessment is recommended.
A standalone DPIA is generally not required when Fastly is used solely for caching and security of public content. A DPIA becomes appropriate when Fastly handles authenticated areas, payment flows, health data, large scale logging with user identifiers, or when Compute@Edge processes payloads beyond pure delivery. Even without a DPIA, document the processing in your Article 30 record and complete a Transfer Impact Assessment.
Sign the Fastly Data Processing Addendum, list Fastly as a processor in your privacy notice, configure short log retention, pseudonymise or truncate IP addresses where feasible, and avoid mixing CDN with tracking functions. Enable TLS on origin connections, use shielding to keep European traffic on EU PoPs where possible, and review Compute@Edge code to ensure no unexpected cookies or third party calls are introduced.
Common alternatives include Cloudflare, Akamai, Amazon CloudFront, Google Cloud CDN, Microsoft Azure Front Door, and European providers such as BunnyCDN, Gcore, OVHcloud or Scaleway Edge Services. The choice depends on your performance needs, your tolerance for US transfers, the maturity of edge compute features and your existing cloud relationships. Most CDNs share the same low risk profile when used purely for delivery.
Even when Fastly sets no cookies, transparency benefits from mentioning it explicitly. Add a paragraph in the privacy notice listing Fastly as a processor for content delivery and security, explain that connection metadata such as IP addresses is processed under legitimate interest, describe the geographic scope of edge nodes, and reference the SCCs and DPF that govern transfers. If a session routing cookie is used, list it under the strictly necessary category.