8 Total
1 High severity
6 Medium severity
1 Low severity
Summary

This document establishes Cloudflare's practices for collecting, processing, and using personal information from visitors to Cloudflare websites and from users of Cloudflare services. The policy authorizes data collection including IP addresses, device information, and browsing behavior both when individuals directly interact with Cloudflare and when their traffic passes through Cloudflare's infrastructure serving third-party websites. The policy permits processing of this data for security, analytics, and marketing purposes, and authorizes disclosure to service providers, partners, and in response to legal requests.

Technical / Legal Breakdown

This document is Cloudflare's Privacy Policy governing the collection, use, and disclosure of personal information across Cloudflare's websites, products, and services, with stated legal bases including consent, legitimate interests, and contractual necessity under applicable frameworks including GDPR and CCPA. The policy states that Cloudflare collects information provided directly by users, information collected automatically (including log data, IP addresses, device identifiers, and cookies), and information from third-party sources, and the terms authorize use of this data for service delivery, security operations, product improvement, and marketing communications. Notably, the policy distinguishes between Cloudflare acting as a data controller for its own customer and website visitor data versus acting as a data processor for data passing through its network on behalf of customers, a structurally important distinction that limits Cloudflare's stated obligations regarding end-user data processed on behalf of enterprise clients. The policy references GDPR for EU and UK users, CCPA and CPRA for California residents, and other applicable regional frameworks, with Cloudflare asserting Privacy Shield successor mechanisms and Standard Contractual Clauses for international data transfers, though the enforceability of specific transfer mechanisms may depend on evolving regulatory guidance. Material compliance considerations include the adequacy of consent mechanisms for cookies and tracking technologies, the scope of data retention practices, and the handling of personal data transiting Cloudflare's global network on behalf of business customers.


2 important changes detected

2 versions captured · Last updated: May 2026

What changed: Cloudflare's privacy policy was updated on May 5, 2026, but the detected change is a minor navigation and service listing update rather than a substantive revision to privacy terms. The change reorganized how support and professional services are presented in the document's reference materials. This appears to be a formatting or organizational revision with no material impact on what data Cloudflare collects, how it uses your information, or what rights you have.
Why this matters: This change does not materially affect consumer privacy rights, data handling practices, or obligations. The detected modification reorganizes how Cloudflare's support services and product listings appear in the policy reference section rather than changing any substantive privacy commitments or data practices. No consumer action is required in response to this update.

What changed: Cloudflare's Privacy Policy was updated on April 18, 2026 to reorganize its navigation and service descriptions. The change adds new service sections including 'Support and success bundles', 'Optimized Cloudflare experience', 'Professional services', 'Expert-led implementation', 'Technical account management', 'Focused technical management', and 'Security operations service' with 'Cloudflare monitoring and response'. The update also removes certain navigation items related to 'Expert-led success' and reorganizes product listing sections. This appears to be a structural and navigational change rather than a substantive modification to privacy obligations, data handling practices, or consumer rights.
Why this matters: The updated Privacy Policy reflects organizational changes to Cloudflare's service menu and navigation structure. The change adds descriptions of new enterprise support services including professional services, technical account management, and security operations monitoring. These additions appear to be informational changes to the document's navigation structure rather than modifications to privacy practices, data collection, or consumer rights. No new privacy obligations or data handling practices are established by this change.

High — 1 provision
Medium — 6 provisions
Low — 1 provision

Monitoring

Cloudflare has updated this document before.


Mapped Governance Frameworks

CCPA/CPRA (California, USA)
Connecticut Data Privacy Act Amendments (US-CT)
CAN-SPAM (United States Federal)
FTC Act Section 5 (United States Federal)
GDPR (European Union)
Indiana Consumer Data Protection Act (US-IN)
Kentucky Consumer Data Protection Act (US-KY)
Universal Opt-Out Mechanism Expansion 2026 (US)

Archival Provenance

Source & Archival Record

Last Captured: May 5, 2026 05:58 UTC
Capture Method: Automated scheduled archival capture
Document ID: CA-D-000282
Version ID: CA-V-002136
SHA-256: 11345595e27ea9423cbed8c6821f4134b453229474987c5b21b3afaf0d42d79c
✓ Snapshot stored ✓ Text extracted ✓ Change verified ✓ Hash verified
