Cloudflare Stream is a managed video hosting, encoding and delivery platform operated by Cloudflare Inc. It allows publishers to upload videos, automatically transcodes them to HLS/DASH adaptive bitrate, and embeds them via a first-party iframe player served from Cloudflare's global CDN. By default the platform does not run cross-site advertising tracking, but it processes viewer IP addresses for routing and basic analytics and sets a small number of operational cookies on the player domain.
Cloudflare Stream is a software-as-a-service video platform operated by Cloudflare Inc. from San Francisco. Operators upload source files through the dashboard or API, Cloudflare transcodes them into multiple HLS and DASH renditions, and viewers receive the streams from the closest of Cloudflare's 300+ edge data centres. The reference embed is a first-party iframe pointing at iframe.cloudflarestream.com or customer-<accountId>.cloudflarestream.com; advanced operators can also use the open-source Stream Player or any HLS-compatible player. Each playback opens a number of HTTPS requests that carry the viewer IP, the URL of the requested segment, and a user-agent string, which together act as personal data under GDPR Article 4(1).
Even though Cloudflare Stream does not embed advertising trackers by default, loading the iframe triggers Cloudflare's standard CDN cookies on the cloudflarestream.com domain: __cf_bm for bot management, cf_clearance after a CAPTCHA challenge, and sometimes _cfuvid for visitor-level analytics. Under Article 5(3) of the ePrivacy Directive, any storage of or access to information on the user's terminal that is not strictly necessary to deliver a service explicitly requested requires prior, informed consent. Because the embed is loaded by the website operator and not directly requested by the viewer, EU regulators (CNIL, AEPD, Garante) generally treat the iframe and its cookies as requiring opt-in consent, unless a click-to-load pattern is used.
Cloudflare's Data Localisation Suite (Regional Services, Customer Metadata Boundary, Geo Key Manager) can pin video segment delivery, key material and customer metadata to the EU only, which substantially reduces transfers to the United States. Stream-specific localisation is offered as the Regional Services add-on for Stream and must be explicitly enabled per zone. Without it, segments and logs may be served from US, UK or APAC edges depending on viewer location. Operators with a Schrems II concern should combine the Data Localisation Suite with the Article 28 DPA and the EU Standard Contractual Clauses already incorporated by Cloudflare.
Cloudflare Inc. acts as a processor on behalf of the website operator for video hosting and delivery. The publicly available Cloudflare Data Processing Addendum (DPA) is automatically incorporated for paying customers and references the new EU SCCs (2021/914) module 2, the UK IDTA addendum and the Swiss revisions. Cloudflare also self-certifies under the EU-US Data Privacy Framework, which serves as a complementary transfer tool. Operators should still run a Transfer Impact Assessment (TIA) addressing FISA Section 702 and EO 12333 because Cloudflare Inc. qualifies as an 'electronic communication service provider' under US law.
The Stream API exposes per-video analytics: minutes viewed, unique audiences, country breakdown and playback errors. These are derived from server logs and the playback cookie. When operators use signed URLs they can inject a custom userId, which becomes a pseudonymous identifier and increases the risk profile of the integration. Operators must document this in their Record of Processing Activities, expose Cloudflare in their cookie banner and privacy policy, and respect data subject rights including erasure and access; Cloudflare provides a privacy contact and a designated EU representative.
For organisations that need to minimise US exposure, alternatives worth evaluating include Vimeo OTT (US, with privacy-friendly mode), Bunny Stream (Slovenian, EU-based by design), Mux Video (US, developer-focused), MediaCMS or PeerTube for fully self-hosted federated video, and OVH/Scaleway object storage paired with a self-hosted Video.js or Plyr player. The right choice depends on the volume of viewers, the criticality of EU-only residency, and whether features such as live streaming, DRM or real-time analytics are required.
Websites using Cloudflare Stream must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended when Cloudflare Stream is embedded on pages that may be visited by minors, on health/political content, or when video analytics are combined with first-party identifiers. Document:
(1) categories of personal data (viewer IP, approximate location, user-agent, playback events, optional signed-token user identifiers)
(2) legal basis (consent for the iframe load and playback cookie)
(3) sub-processor chain (Cloudflare data centres worldwide)
(4) transfer mechanism (SCCs + EU-US Data Privacy Framework, optional Data Localisation Suite)
(5) retention (raw logs typically <30 days, aggregated analytics longer)
(6) rights of data subjects and how to exercise them
(7) residual risks from Schrems II and FISA 702
Sample consent text
This page contains a video hosted by Cloudflare Stream (Cloudflare Inc., USA). When you start playback, your IP address, user-agent and playback events are transmitted to Cloudflare for delivery and aggregated analytics, and a small playback cookie may be stored on your device. Click "Accept" to load the video and consent to this processing, or "Decline" to keep it blocked.
Third-party domains contacted
cloudflarestream.com
customer-<accountid>.cloudflarestream.com
videodelivery.net
iframe.cloudflarestream.com
upload.cloudflarestream.com
cloudflareinsights.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| cf_clearance | http | 1 year | Set by Cloudflare after a successful CAPTCHA / Managed Challenge to indicate that the visitor has cleared the bot check and may continue to access the protected resource (including the Stream player). Persistent HttpOnly cookie scoped to the Cloudflare-protected domain. |
| __cf_bm | http | 30 minutes | Cloudflare bot management cookie used to distinguish between humans and automated traffic on requests to the Stream player domain. Strictly operational in Cloudflare's view; EU regulators may still require consent when set by a third-party iframe. |
| _cfuvid | http | Session | Cloudflare visitor cookie used for rate limiting and aggregated visitor analytics. Set on a per-session basis when Stream is delivered through certain Cloudflare features. Not set on every deployment. |
Cloudflare Stream sets operational cookies on the player domain: inform visitors with a consent banner.
In most EU deployments, yes. The default iframe player on cloudflarestream.com loads automatically, sets at least one Cloudflare CDN cookie (__cf_bm and potentially _cfuvid) and transmits the viewer's IP address to Cloudflare Inc. Article 5(3) of the ePrivacy Directive requires prior consent for any non-strictly-necessary storage on the user's device, and EU data protection authorities consider an autoloaded third-party iframe to require consent. A click-to-load pattern with a clear notice is the recommended compliant default; a fully cookieless mode is not available out of the box.
Without the Data Localisation Suite, originals are stored and segments are cached across Cloudflare's global anycast network (300+ data centres in 100+ countries, including the United States). Delivery happens from the edge closest to the viewer. With the Stream Regional Services add-on, processing and storage can be restricted to the EU only, and the Customer Metadata Boundary keeps logs and metadata inside the EU. This is the configuration EU operators should prefer when transfers to the US are a concern.
The most common cookies on the player domain are __cf_bm (Cloudflare bot management, ~30 minutes), cf_clearance (CAPTCHA clearance, up to a year, only set after a challenge) and occasionally _cfuvid (Cloudflare visitor analytics, session). Cloudflare considers __cf_bm strictly necessary for bot management; many EU regulators contest this when the cookie is set by a third-party iframe rather than by the first-party domain. Treat them as requiring consent by default unless your DPO concludes otherwise based on a written analysis.
Yes. Cloudflare publishes a Data Processing Addendum (DPA) under Article 28 GDPR that is automatically incorporated into paid customer contracts. It references the EU Standard Contractual Clauses (Module 2, controller-to-processor) for transfers outside the EEA, the UK International Data Transfer Addendum, and the Swiss FADP. Cloudflare Inc. is also self-certified under the EU-US Data Privacy Framework, which acts as an additional transfer tool. Operators should still perform a Transfer Impact Assessment because Cloudflare qualifies as an electronic communications service provider under US FISA 702.
By default Stream exposes per-video metrics: minutes viewed, unique audiences, percentage watched, country, and playback errors. These are computed from server logs (IP, user-agent, segment URLs) and the playback cookie. When operators use signed URLs with a userId claim, that pseudonymous identifier is associated with playback events and accessible via the Stream API. There is no first-party advertising profile, no cross-site identifier, and no link to ads ecosystems by default.
Largely yes, but it requires activating the Data Localisation Suite (Regional Services for Stream, Customer Metadata Boundary, Geo Key Manager) on the relevant zones, which is a paid add-on. With this configuration, video processing, key material and metadata stay inside the EU. Even so, Cloudflare Inc. remains a US company subject to US law, so a residual Schrems II risk persists; this should be documented in the Transfer Impact Assessment and balanced against the technical and contractual safeguards in place.
Vimeo OTT offers a do-not-track mode but is US-based. Bunny Stream is operated from Slovenia and stores by default in EU regions, which makes Schrems II compliance easier. Mux Video is US-based and developer-focused, with similar transfer concerns to Cloudflare. PeerTube and MediaCMS are open-source self-hosted options that put the operator fully in control but require operational effort (encoding, scaling, monitoring). Cloudflare Stream sits in the middle: managed convenience and global CDN, with serious but configurable transfer risks.
Run a DPIA covering categories of data, purposes, retention and risks. Update the Record of Processing Activities and the privacy policy to mention Cloudflare Inc. as a processor, the international transfer tool relied upon (SCCs + DPF, optionally EU residency), and the cookies set by the player. Configure the cookie banner so that Cloudflare Stream is blocked until consent is given, ideally using a click-to-load placeholder. Document the Transfer Impact Assessment, enable the Data Localisation Suite where feasible, and keep evidence of Cloudflare's DPA acceptance.
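The click-to-load pattern recommended in the consent FAQ above and in this checklist, as an added example that is not Cloudflare's player code or any code from this page. It keeps only first-party markup on the page until the visitor clicks Accept, so the browser never requests anything from cloudflarestream.com (and therefore cannot receive __cf_bm or _cfuvid) before consent; the decision is remembered in first-party storage and can be withdrawn with Decline. The video id, the storage key `stream_consent`, the notice text and the iframe attributes are constructed assumptions; the iframe host is the one listed on this page.

```javascript
// Added example (not Cloudflare's player code): click-to-load gating for a Stream embed.
// The video id, storage key and notice text are constructed for illustration; the
// iframe host is the one listed on this page. Until the visitor clicks Accept the page
// holds only first-party markup, so the browser never contacts cloudflarestream.com and
// no __cf_bm / _cfuvid cookie can be set.

const STREAM_IFRAME_HOST = "iframe.cloudflarestream.com";
const CONSENT_KEY = "stream_consent"; // hypothetical first-party storage key

// Accept only ids shaped like Stream video uids so an id cannot smuggle in another
// host, a path traversal or extra HTML attributes into the generated markup.
function streamEmbedSrc(videoId) {
  if (typeof videoId !== "string" || !/^[A-Za-z0-9_-]{1,64}$/.test(videoId)) {
    throw new Error("invalid Stream video id");
  }
  return `https://${STREAM_IFRAME_HOST}/${videoId}`;
}

// Consent store over any localStorage-shaped object (window.localStorage in the
// browser, memoryStorage() when running under Node).
function createConsentStore(storage) {
  return {
    has: () => storage.getItem(CONSENT_KEY) === "granted",
    grant: () => storage.setItem(CONSENT_KEY, "granted"),
    revoke: () => storage.removeItem(CONSENT_KEY),
  };
}

function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

// Pure rendering decision, kept free of DOM calls so it can be tested directly.
// Returns the markup for the current consent state and the third-party URL that
// markup will load (null while consent is absent).
function renderStreamEmbed(videoId, hasConsent) {
  const src = streamEmbedSrc(videoId); // validate even when only the placeholder is shown
  if (!hasConsent) {
    return {
      kind: "placeholder",
      src: null,
      html:
        `<div class="stream-placeholder" data-video-id="${videoId}">` +
        `<p>This page contains a video hosted by Cloudflare Stream (Cloudflare Inc., USA). ` +
        `Click Accept to load it; your IP address, user-agent and playback events will then ` +
        `be sent to Cloudflare and a playback cookie may be stored.</p>` +
        `<button type="button" data-action="accept">Accept</button> ` +
        `<button type="button" data-action="decline">Decline</button></div>`,
    };
  }
  return {
    kind: "iframe",
    src,
    html:
      `<iframe src="${src}" loading="lazy" allowfullscreen ` +
      `allow="accelerometer; gyroscope; autoplay; encrypted-media; picture-in-picture" ` +
      `referrerpolicy="strict-origin-when-cross-origin"></iframe>`,
  };
}

// Browser wiring: repaint the container whenever the stored decision changes.
// Skipped under Node, where there is no document.
function mountStreamEmbed(container, videoId, store) {
  const paint = () => {
    container.innerHTML = renderStreamEmbed(videoId, store.has()).html;
  };
  container.addEventListener("click", (ev) => {
    const action = ev.target && ev.target.dataset ? ev.target.dataset.action : undefined;
    if (action === "accept") { store.grant(); paint(); }
    else if (action === "decline") { store.revoke(); paint(); }
  });
  paint();
}

if (typeof document !== "undefined") {
  // Usage: <div data-stream-embed="VIDEO_ID_PLACEHOLDER"></div> on the page.
  const el = document.querySelector("[data-stream-embed]");
  if (el) {
    mountStreamEmbed(el, el.dataset.streamEmbed, createConsentStore(window.localStorage));
  }
}
```

The placeholder deliberately contains no third-party URL at all, not even a poster image from videodelivery.net, because any such request would already transmit the viewer's IP to Cloudflare before consent. The strict id check matters because the id is interpolated into an attribute; a permissive pattern would let a crafted id break out of the `src` attribute.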