Cloudflare Bot Management is the paid bot detection product from Cloudflare. It inspects every HTTP request at the Cloudflare edge, applies machine learning models to compute a bot score, and lets the operator block, challenge or rate limit bot traffic. It sets the __cf_bm cookie on the visitor's device (30-minute lifetime by default) to bind subsequent requests to the same session. Cloudflare positions the cookie as strictly necessary for security, but supervisory authority interpretations vary.
Cloudflare Bot Management is the paid bot detection product in the Cloudflare suite, available on the Pro, Business and Enterprise plans. It builds on Cloudflare's position as a reverse proxy and CDN in front of the operator's site to inspect every incoming HTTP request at the Cloudflare edge. Machine learning models trained on Cloudflare's global request graph (over 50 million sites at last public estimate) compute a bot score from 1 (almost certainly a bot) to 99 (almost certainly a human). The operator then writes firewall rules that block, challenge or rate limit traffic based on the score. Bot Management is widely used by e-commerce, banking, public sector and ticketing sites to defend against credential stuffing, scraping, inventory hoarding and DDoS.
Bot Management sets the __cf_bm cookie on the operator's domain (default 30-minute sliding lifetime), containing an encrypted token Cloudflare uses to recognise the same session and refine its bot score. At the request level, Cloudflare inspects the source IP, the TLS fingerprint (JA3/JA4), the HTTP request headers, the timing pattern of requests, the requested URL and any signals from Cloudflare JavaScript Detection (if enabled by the operator). Aggregated metadata is fed back to Cloudflare's machine learning models. The request body is not inspected unless the operator explicitly enables features that examine payloads (Page Shield, payload bot detection).
The __cf_bm cookie is positioned by Cloudflare as a strictly necessary security cookie, falling within the ePrivacy Directive Art. 5(3) exemption for cookies that are required to deliver a service explicitly requested by the user. The French CNIL accepts this position for similar security cookies, but the German Datenschutzkonferenz and some other authorities have called for granular consent when security cookies are bundled with broader behavioural analytics. Under the GDPR, the lawful basis for processing the bot score and the cookie value is legitimate interest under Art. 6(1)(f), justified by the security and fraud prevention purpose, with the operator running a balancing test. Visitor IP addresses, request metadata and bot scores are personal data and must be documented in the record of processing.
EU visitor traffic is typically processed at EU edge data centres (Frankfurt, Amsterdam, Paris, London, Madrid, Milan, etc.). Cloudflare's configuration management, machine learning model training pipeline, customer dashboards and audit logs are partly in the United States. Cloudflare self-certifies under the EU-US Data Privacy Framework and uses Standard Contractual Clauses as a fallback. Cloudflare is a US company and is therefore exposed to the US CLOUD Act, which European supervisors flag as a concern regardless of certification status. Cloudflare offers the Data Localisation Suite on Enterprise plans, which pins request inspection, key storage and log delivery to EU regions, reducing the residual transfer risk.
Cloudflare JavaScript Detection adds an executable challenge that is sometimes loaded before consent, which is acceptable under the security cookie exemption but should be reflected in the privacy notice. Bot Management interacts with Turnstile (Cloudflare CAPTCHA) and Page Shield, each of which has its own privacy posture. Operators can choose to log full request metadata for forensic purposes or to log only aggregated counters: full request logging carries more privacy weight and should be limited to what is necessary. On Enterprise plans, the Data Localisation Suite can be enabled to keep all inspection and key material in the EU.
Document Bot Management in the record of processing as a security processing activity under legitimate interest. List the __cf_bm cookie in the cookie policy as a strictly necessary security cookie, with the 30-minute duration and the bot detection purpose. Sign Cloudflare's Data Processing Addendum and Standard Contractual Clauses. Assess US CLOUD Act exposure in the Transfer Impact Assessment, and document the residual risk and the mitigations (Data Localisation Suite, hashed identifiers, limited log retention). Where possible, enable the Data Localisation Suite on Enterprise plans. Consider whether to require consent for Bot Management cookies based on the operator's risk appetite and the national supervisor's position.
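As an added example (not Cloudflare's or FlowConsent's code), the following Python sketches the "hashed identifiers" and "limited log retention" mitigations named above for an exported edge request log: visitor IP and __cf_bm values are replaced by keyed hashes so requests can still be correlated, the bot score is coarsened, and records older than the retention window are dropped. The log field names, sample records, retention window and score bands are assumptions made for the example.

```python
"""Pseudonymise exported edge request logs before they enter long-term retention."""
import hashlib
import hmac
from datetime import datetime, timedelta

RETENTION = timedelta(days=30)  # assumed retention window for security logs
# Pepper kept outside the log store (e.g. a secrets manager); constructed here.
PEPPER = b"example-pepper-rotate-regularly"

# Constructed sample records in the shape of a per-request log export.
SAMPLE_LOGS = [
    {"ts": "2024-05-01T10:00:00Z", "ip": "203.0.113.7", "cf_bm": "tok-A1",
     "bot_score": 12, "path": "/login", "ja3": "e7d705a3286e19ea42f587b344ee6865"},
    {"ts": "2024-05-20T09:30:00Z", "ip": "203.0.113.7", "cf_bm": "tok-A1",
     "bot_score": 97, "path": "/", "ja3": "e7d705a3286e19ea42f587b344ee6865"},
    {"ts": "2024-03-01T08:00:00Z", "ip": "198.51.100.4", "cf_bm": "tok-B9",
     "bot_score": 3, "path": "/api/items", "ja3": "0000000000000000000000000000dead"},
]


def pseudonym(value, pepper=PEPPER):
    """Keyed hash: stable for correlation, not reversible without the pepper."""
    return hmac.new(pepper, value.encode(), hashlib.sha256).hexdigest()[:16]


def score_bucket(score):
    """Coarsen the 1-99 score into bands (thresholds assumed, not Cloudflare's)."""
    if score < 30:
        return "likely_bot"
    if score < 70:
        return "uncertain"
    return "likely_human"


def pseudonymise(record, pepper=PEPPER):
    """Replace direct identifiers, coarsen the score, drop the TLS fingerprint."""
    out = dict(record)
    out["ip"] = pseudonym(record["ip"], pepper)
    out["cf_bm"] = pseudonym(record["cf_bm"], pepper)
    out["bot_score"] = score_bucket(record["bot_score"])
    out.pop("ja3", None)  # not needed once the edge decision has been made
    return out


def retain(records, now_iso, retention=RETENTION, pepper=PEPPER):
    """Keep only records inside the retention window, pseudonymised."""
    now = datetime.fromisoformat(now_iso.replace("Z", "+00:00"))
    cutoff = now - retention
    kept = []
    for r in records:
        ts = datetime.fromisoformat(r["ts"].replace("Z", "+00:00"))
        if ts >= cutoff:
            kept.append(pseudonymise(r, pepper))
    return kept
```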
DPIA considerations
Cloudflare Bot Management writes the __cf_bm cookie (30-minute default lifetime) on the operator's domain, containing an encrypted session identifier used by Cloudflare to correlate requests and feed its machine learning models. DPIA considerations: (1) the cookie ID is a persistent online identifier under the GDPR and may be personal data even though it does not directly identify the visitor; (2) the bot score and request metadata are processed at the Cloudflare edge, which is typically in the EU for EU visitors, but training data and dashboards may be in the US; (3) Cloudflare is a US-headquartered company with US CLOUD Act exposure that should be assessed regardless of the Data Privacy Framework certification; (4) the cookie is positioned as strictly necessary for security, which the French CNIL accepts in many cases (security cookie exception under ePrivacy Art. 5(3)), but the German DSK and other authorities have called for granular consent for some bot management features; (5) for very high traffic sites, the Cloudflare Data Localisation Suite on Enterprise plans pins inspection and key storage to the EU. A DPIA is recommended for high traffic financial, e-commerce or public sector deployments, particularly when Bot Management is combined with Cloudflare Workers or Page Shield.
Sample consent text
We use Cloudflare Bot Management to protect our website from automated abuse, scraping and credential stuffing. Cloudflare places a small first-party cookie (__cf_bm) on your device for up to 30 minutes to recognise legitimate visitors and distinguish them from bots. Bot detection takes place at Cloudflare's European data centres, with limited data shared with Cloudflare Inc. in the United States for security analytics. We rely on legitimate interest for security under Art. 6(1)(f) GDPR. You can read more in our security and privacy notice.
Third-party domains contacted
challenges.cloudflare.com
static.cloudflareinsights.com
cdnjs.cloudflare.com
cloudflare.com
workers.dev
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| __cf_bm | Strictly Necessary / Security | 30 minutes | Set by Cloudflare Bot Management on the operator's first-party domain. Contains an encrypted token used by Cloudflare to recognise the same browser session, correlate requests at the edge and refine the bot score machine learning model. Refreshed on every page load (sliding lifetime). |
| _cfuvid | Strictly Necessary / Security | Session | Set by Cloudflare on the operator's domain when Rate Limiting or Bot Management is active. Used to bypass cookie-based rate limiting for the same browser session. |
| cf_clearance | Strictly Necessary / Security | 30 days | Set by Cloudflare after a successful Cloudflare challenge (Managed Challenge, Interactive Challenge, JavaScript Challenge or Turnstile). Acts as a security pass for the browser, exempting it from further challenges for the duration of the cookie. |
| __cflb | Strictly Necessary / Functional | 24 hours | Set by Cloudflare Load Balancing when used together with Bot Management. Pins the visitor to the same origin server for session affinity, which can be important for bot detection consistency. |
Cloudflare Bot Management sets the __cf_bm cookie on the operator's domain with a default 30-minute sliding lifetime, containing an encrypted token used by Cloudflare to recognise the same browser session and refine its bot score. The Cloudflare JavaScript Detection feature may also use short-lived client-side storage. Cookies are first-party on the operator's domain.
Cloudflare positions __cf_bm as a strictly necessary security cookie under the ePrivacy Directive Art. 5(3) security exemption. The French CNIL accepts this position in many cases, particularly for sites that face real bot threats. The German Datenschutzkonferenz and several other authorities have asked for granular consent when bot management is bundled with broader analytics. The operator should evaluate the local supervisor's position and document the chosen approach.
Legitimate interest under GDPR Art. 6(1)(f), justified by the legitimate purpose of preventing automated abuse, credential stuffing, scraping and DDoS. The operator must run a balancing test weighing the visitor's reasonable expectation of privacy against the security need, and document the analysis. Consent is generally not required for the security purpose, but the cookie disclosure must still be transparent in the privacy notice.
EU visitor requests are typically processed at EU edge data centres, but Cloudflare's configuration management, ML training pipeline, customer dashboards and audit logs are partly in the US. Cloudflare self-certifies under the EU-US Data Privacy Framework and uses SCCs as a fallback. As a US company, Cloudflare is also exposed to the CLOUD Act, which European supervisors flag as a concern. The Data Localisation Suite (Enterprise) pins inspection and key material to the EU.
A DPIA is recommended for Bot Management deployments at scale, particularly in financial services, e-commerce, public sector, ticketing and any context where automated profiling has a material impact on access. The DPIA should cover the bot score processing, the cookie purpose, the legal basis (legitimate interest balancing test), the data transfer mechanism, and any combination with Cloudflare Workers, Page Shield or Turnstile.
Document Bot Management in the record of processing as a security activity under legitimate interest. List __cf_bm in the cookie policy as a strictly necessary security cookie with a 30-minute duration. Sign the Cloudflare DPA and SCCs. Run a Transfer Impact Assessment that addresses US CLOUD Act exposure. Enable the Data Localisation Suite on Enterprise plans. Document any combination with Turnstile, Workers or Page Shield as separate processing activities.
Other bot management products include DataDome (France), Imperva Advanced Bot Protection, Akamai Bot Manager, F5 Distributed Cloud Bot Defense, Kasada and HUMAN BotGuard. EU-based options like DataDome offer EU-only data processing by default, which simplifies the GDPR transfer assessment compared to US-headquartered alternatives.
List __cf_bm under strictly necessary security cookies, with the 30-minute duration and the bot detection purpose. In the privacy notice, name Cloudflare Inc. (Bot Management) as a processor and state the security purpose, the legal basis (legitimate interest), the data residency (EU edge for inspection, partial US for ML training) and any Data Localisation Suite configuration. Update the security and risk register to record the residual transfer risk.