Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Google Cloud CDN is Google's edge content delivery network for Google Cloud customers that caches static and dynamic content at globally distributed points of presence.
Google Cloud CDN is the Content Delivery Network integrated with the Google Cloud load balancer. It caches content closer to end users on Google''s global edge network, reducing latency and origin load. It is primarily an infrastructure service rather than a tracking tool.
Cloud CDN itself does not set marketing cookies. It processes IP addresses, request headers and URLs to route, cache and protect traffic. Depending on the integration, Google''s edge may set operational cookies such as NID or __Secure prefixed cookies when other Google services are involved, but these are not necessary for Cloud CDN to operate.
In a pure caching configuration, Cloud CDN qualifies as strictly necessary for the technical delivery of the website and does not require consent under Article 5(3) of the ePrivacy Directive. If marketing or analytics features from other Google products are layered on top, those features must obtain consent independently.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Although traffic is served from the closest POP, Google is a US headquartered controller and may transfer operational and logging data to the United States. Transfers are governed by Standard Contractual Clauses and the EU US Data Privacy Framework. Customers can configure region restrictions for some Google Cloud services.
Document Cloud CDN in your record of processing activities under hosting and content delivery, rely on the Google Cloud Data Processing Addendum, restrict regions where possible and avoid mixing Cloud CDN with Google products that introduce advertising cookies unless you have a consent flow in place.
Websites using Google Cloud CDN must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is generally not required for Cloud CDN used as pure caching, but transfer risk should be documented. A DPIA may be needed if combined with monitoring or marketing services.
Sample consent text
We use Google Cloud CDN to deliver our website from servers close to you. Cloud CDN processes your IP address and request headers and may transfer technical data to the United States.
Third-party domains contacted
googleusercontent.comgoogleapis.comgstatic.comcloud.google.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| NID | preferences | 6 months | Operational cookie set by Google to remember user preferences such as language; may appear when other Google services run alongside Cloud CDN. |
| __Secure-1PSID | necessary | 24 months | Secure session and security cookie set by Google when authenticated Google services are integrated with the property. |
| GOOGLE_ABUSE_EXEMPTION | necessary | 1 year | Security cookie issued by Google to confirm a human user has passed an abuse challenge. |
This service may collect user data. Ensure GDPR compliance with FlowConsent.
Cloud CDN does not set tracking cookies on its own. It is a caching layer that processes IP addresses, headers and URLs. Operational cookies such as NID or __Secure prefixed cookies may appear if other Google services are layered on top of the same property.
In a pure caching configuration Cloud CDN qualifies as strictly necessary for the delivery of the service and does not require consent under Article 5(3) of the ePrivacy Directive. Consent is needed for any additional analytics or marketing component layered on top.
The legal basis is legitimate interest under Article 6(1)(f) of the GDPR, namely the technical delivery, performance and security of the website. Contract performance may also apply for authenticated user areas.
Yes, indirectly. Although traffic is served from the closest edge POP, Google is a US headquartered controller and may transfer operational, logging and abuse data to the United States. Transfers are covered by Standard Contractual Clauses and the EU US Data Privacy Framework.
A standalone DPIA is generally not required for Cloud CDN used as a pure cache. A DPIA becomes useful when Cloud CDN is combined with Cloud Armor logs, monitoring or marketing services that involve systematic user observation.
Activate Cloud CDN only on resources that do not contain sensitive personal data, restrict the Google Cloud project to EU regions where possible, sign the Google Cloud DPA, enable Cloud Audit Logs and document the service in your record of processing activities.
Bunny.net, Fastly EU, Scaleway Edge Services or self hosted Varnish provide caching with a smaller US footprint. The choice depends on geographic coverage, performance requirements and the level of data residency you need.
Mention Cloud CDN under hosting and content delivery, explain that it processes IP addresses and headers as a sub processor, state that no marketing cookie is set by the CDN itself, list the Google Cloud DPA as the legal framework and disclose potential transfers to the United States.