What does Cloudflare do?
Cloudflare is a US company that provides a content delivery network (CDN) and other services that make websites more scalable and perform better.
Cloudflare’s service essentially consists of DNS servers and “reverse proxies”. This ensures that websites are not delivered directly from the company to users, but via Cloudflare’s intermediary servers, which are located in a large number of data centers. This means that even large amounts of data can be delivered very quickly without putting a strain on the company’s web server.
Cloudflare’s upstream servers also protect against denial-of-service attacks and against the scraping of website content by bots. Cloudflare Inc. is headquartered at 101 Townsend St, San Francisco, CA 94107, USA. According to Cloudflare, it offers services for 6 million websites and serves 11% of the top 10 million websites.
Is Cloudflare GDPR compliant?
If a website is delivered via a CDN, personal data within the meaning of the GDPR is always processed, because the visitor’s IP address is transmitted to the CDN server. According to the European Court of Justice, the IP address is personal data and therefore data processing takes place. Cloudflare also stores the transmitted content, which may include personal data, at least temporarily.
Data processing is generally only permitted for countries in the EU or for those for which there is an adequacy decision. For the USA, this is the case for companies that are certified under the EU-US Data Privacy Framework (DPF). Cloudflare is a US company and certified in the DPF (as of 05.08.2024), so its use is initially legally permissible. For GDPR-compliant use, further obligations must also be fulfilled (see below).
Does Cloudflare set cookies?
Cloudflare does not set cookies in every usage scenario, but according to its own information it uses at least some of the following:
Name | Purpose | Storage period |
__cflb | Used for load balancing | Up to 24 hours |
__cf_bm | Used to protect a website from bots | 30 minutes |
__cfseq | Used to protect a website against unauthorized access | |
cf_ob_info cf_use_ob | Used as part of the “Always Online” product | 30 seconds |
__cfwaitingroom _cfuvid __cfruid | Used for rate limiting of requests | |
cf_clearance cf_chl_rc_i cf_chl_rc_ni cf_chl_rc_m | Used to identify suspicious accesses | |
How to check whether Cloudflare is used on a website?
Cloudflare can be used on a website in two ways:
1. Delivery of the website by the Cloudflare CDN and/or monitoring of access to the website.
2. Integration of individual content (images, videos, JavaScript files, etc.) into the website, which is delivered by Cloudflare servers (instead of storing them on your own web server).
Re 1: In this case, HTML files of the website are also delivered via Cloudflare’s network infrastructure. This can be verified using the IP address of the web server. This article describes how to do this.
Re 2: To prove this, load one or more pages of the website and check (this article describes how to do this) whether there are network accesses to one of the following domains:
- cloudflare.com
- cloudflare.net
- cloudflareinsights.net
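Both checks can be run offline over data you have already collected (the resolved IP address of the site, the request URLs from the browser's network tab, and the Set-Cookie headers). The following Python sketch is an added example, not part of the original article; the IPv4 ranges are an assumed snapshot of Cloudflare's published list, the function names are hypothetical, and the sample capture is constructed.

```python
import ipaddress
from urllib.parse import urlsplit

# Domains and cookie names as listed in the article.
CF_DOMAINS = ("cloudflare.com", "cloudflare.net", "cloudflareinsights.net")
CF_COOKIES = {"__cflb", "__cf_bm", "__cfseq", "cf_ob_info", "cf_use_ob",
              "__cfwaitingroom", "_cfuvid", "__cfruid", "cf_clearance",
              "cf_chl_rc_i", "cf_chl_rc_ni", "cf_chl_rc_m"}
# Assumption: snapshot of the IPv4 ranges Cloudflare publishes at
# https://www.cloudflare.com/ips-v4 (not from the article); refresh before use.
CF_IPV4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22")]

def ip_is_cloudflare(ip):
    """Case 1: the address the site resolves to lies in a Cloudflare range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CF_IPV4)

def host_is_cloudflare(url):
    """Case 2: host is a listed domain or a subdomain of one (not a substring)."""
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    return any(host == d or host.endswith("." + d) for d in CF_DOMAINS)

def cloudflare_cookies(set_cookie_headers):
    """Cookie names from the article's table found in Set-Cookie header values."""
    names = {h.split("=", 1)[0].strip() for h in set_cookie_headers}
    return sorted(names & CF_COOKIES)

def audit(site_ip, request_urls, set_cookie_headers):
    """Combine both checks plus the cookie table into one finding per site."""
    hosts = {urlsplit(u).hostname for u in request_urls if host_is_cloudflare(u)}
    return {"cdn_delivery": ip_is_cloudflare(site_ip),
            "embedded_hosts": sorted(hosts),
            "cookies": cloudflare_cookies(set_cookie_headers)}

# Constructed sample capture (not taken from a real site).
SAMPLE = audit(
    "104.16.1.1",
    ["https://example.org/index.html",
     "https://cdnjs.cloudflare.com/ajax/libs/demo/1.0/demo.js",
     "https://cloudflare.com.example.org/lookalike.js"],
    ["__cf_bm=abc123; path=/; HttpOnly", "session=1; path=/"])

if __name__ == "__main__":
    print(SAMPLE)
```

The host check matches on the registered domain and its subdomains only, so a lookalike host that merely contains "cloudflare.com" is not reported; the IP check covers IPv4 only.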
How to use Cloudflare in a GDPR-compliant way?
Obtain consent
Whether the cookies set by Cloudflare are necessary for the operation of the website is controversial. If not, then Section 25 TDDDG stipulates that consent is required. Consent is recommended for legally compliant operation. If this is not possible because Cloudflare as a CDN is responsible for the delivery of the entire website, the use should be reconsidered.
Conclude a data processing agreement
As Cloudflare processes personal data on behalf of the website operator, a data processing agreement (order processing contract) must be concluded. This can be viewed in the Cloudflare dashboard.
Customize privacy policy
Information about data processing by Cloudflare must be included in the website’s privacy policy.
Please note that this article does not constitute legal advice.