8 Total
1 High severity
6 Medium severity
1 Low severity
Summary

This document establishes Cloudflare's practices for collecting, processing, and using personal information from visitors to Cloudflare websites and from users of Cloudflare services. The policy authorizes data collection including IP addresses, device information, and browsing behavior both when individuals directly interact with Cloudflare and when their traffic passes through Cloudflare's infrastructure serving third-party websites. The policy permits processing of this data for security, analytics, and marketing purposes, and authorizes disclosure to service providers, partners, and in response to legal requests.

Technical / Legal Breakdown

This document is Cloudflare's Privacy Policy governing the collection, use, and disclosure of personal information across Cloudflare's websites, products, and services, with stated legal bases including consent, legitimate interests, and contractual necessity under applicable frameworks including GDPR and CCPA. The policy states that Cloudflare collects information provided directly by users, information collected automatically (including log data, IP addresses, device identifiers, and cookies), and information from third-party sources, and the terms authorize use of this data for service delivery, security operations, product improvement, and marketing communications. Notably, the policy distinguishes between Cloudflare acting as a data controller for its own customer and website visitor data versus acting as a data processor for data passing through its network on behalf of customers, a structurally important distinction that limits Cloudflare's stated obligations regarding end-user data processed on behalf of enterprise clients. The policy references GDPR for EU and UK users, CCPA and CPRA for California residents, and other applicable regional frameworks, with Cloudflare asserting Privacy Shield successor mechanisms and Standard Contractual Clauses for international data transfers, though the enforceability of specific transfer mechanisms may depend on evolving regulatory guidance. Material compliance considerations include the adequacy of consent mechanisms for cookies and tracking technologies, the scope of data retention practices, and the handling of personal data transiting Cloudflare's global network on behalf of business customers.

Institutional Analysis

Institutional analysis available with Compliance

Regulatory exposure by statute, material risk assessment, vendor due diligence action items, and enforcement precedent. Available on Compliance.

Start Compliance free trial

3 important changes detected

3 versions captured · Last updated: July 2026

What changed Cloudflare's privacy policy was updated on July 1, 2026 to remove two items from the footer navigation: 'Community forum' was deleted from the support section, and 'Cloudflare for Campaigns' was removed from the public interest projects list. These are navigation and organizational changes with no material impact on stated data practices, user rights, or privacy obligations.
Why this matters This change is a navigation and footer update with no material impact on Cloudflare's stated data collection, processing, or user privacy rights. The privacy policy's operative terms remain unchanged; only two footer links were removed from the document layout.
View full change record →
What changed Cloudflare's privacy policy was updated on May 5, 2026, but the detected change is a minor navigation and service listing update rather than a substantive revision to privacy terms. The change reorganized how support and professional services are presented in the document's reference materials. This appears to be a formatting or organizational revision with no material impact on what data Cloudflare collects, how it uses your information, or what rights you have.
Why this matters This change does not materially affect consumer privacy rights, data handling practices, or obligations. The detected modification reorganizes how Cloudflare's support services and product listings appear in the policy reference section rather than changing any substantive privacy commitments or data practices. No consumer action is required in response to this update.
View full change record →

April 18, 2026 low

Cloudflare's Privacy Policy was updated on April 18, 2026 to reorganize its navigation and service descriptions. The change adds new service sections including 'Support and success bundles', 'Optimized Cloudflare experience', …

View change record →

Recent Provision Changes Jul 1, 2026

Added (1)
Passive Network Data Collection Medium

Provision was consolidated into 'Automatic Data Collection and Log Data' rather than added as new content.

Removed (3)
Passive Network Data Collection

Specific enumeration of passive data collection (ISP, clickstream data, exit pages) was removed in favor of more generic language, reducing transparency about specific tracking categories.

Third-Party Service Provider Data Sharing

Removal of contractual requirements for third-party data protection and purpose limitation weakens binding obligations on service providers handling personal data.

Cookie and Tracking Technology Use

Specific distinction between session and persistent cookies and detailed enumeration of cookie purposes was removed, reducing granularity of cookie disclosure.

Modified (8)
Controller vs. Processor Dual Role

Definition expanded from generic contractual language to explicitly enumerate End User categories and clarify the direct contract requirement for Customers.

Automatic Data Collection and Log Data

Language simplified from detailed enumeration (ISP, referring/exit pages, clickstream data) to broader categories, with clearer delineation of data collection on behalf of Customers.

Cookies and Tracking Technologies

Added explicit examples of tracking technologies (web beacons, pixels), categorized cookies by necessity, and added disclosure of third-party partner cookie usage.

International Data Transfers

Removed specific Data Privacy Framework certifications in favor of broader consent-based language emphasizing U.S. governance and reduced local protections, with vaguer reference to transfer mechanisms.

California Consumer Privacy Rights

Added explicit mention of CPRA (new California law) and included additional rights (opt-out of sale/sharing, non-discrimination, correct inaccurate information) previously only partially addressed.

View full change record →
High — 1 provision
Medium — 6 provisions
Low — 1 provision

Monitoring

Cloudflare has updated this document before.

Monitor includes same-day alerts, structured change summaries, and monitoring for up to 25 platforms.

Start Monitor free trial Or create a free account →

Compliance Governance Intelligence

Need provision-level monitoring and regulatory mapping?

Compliance includes governance timelines, compliance memos, audit-ready analysis, and full provision tracking.

Start Compliance free trial

Cross-platform context

See how other platforms handle Controller vs Processor Distinction and similar clauses.

Compare across platforms →

Mapped Governance Frameworks

CCPA/CPRA
California, USA
View official text ↗
Connecticut Data Privacy Act Amendments
US-CT
View official text ↗
CAN-SPAM
United States Federal
View official text ↗
FTC Act Section 5
United States Federal
View official text ↗
GDPR
European Union
View official text ↗
Indiana Consumer Data Protection Act
US-IN
View official text ↗
Kentucky Consumer Data Protection Act
US-KY
View official text ↗
Universal Opt-Out Mechanism Expansion 2026
US
View official text ↗
Archival ProvenanceSource & Archival Record
Last Captured July 1, 2026 00:39 UTC
Capture Method Automated scheduled archival capture
Document ID CA-D-000282
Version ID CA-V-004366
SHA-256 d85fd48a640b74c160c9060049b8880cbc4bc79539b02480b3de2a514c527d93
✓ Snapshot stored ✓ Text extracted ✓ Change verified ✓ Hash verified

Governance Monitoring

Monitor governance changes across the platforms you rely on.

Structured alerts for policy changes, governance events, and provision updates across 318+ platforms.

Create free account Compare plans