California residents have the right to know what personal data Cloudflare holds about them, request deletion or correction of that data, opt out of its sale or sharing for advertising, and cannot be penalized for exercising these rights.
This analysis describes what Cloudflare's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
These are legally enforceable rights under California law, not just policy commitments, and include the right to opt out of data sharing for behavioral advertising, which is relevant given Cloudflare's use of third-party advertising cookies.
California residents can submit requests to Cloudflare to access, delete, or correct their personal information, and can opt out of the sale or sharing of that information for advertising purposes, with those rights enforced by the California Privacy Protection Agency.
How other platforms handle this
If you are a California resident, you may have certain rights under the California Consumer Privacy Act (CCPA). These rights may include: the right to know about personal information collected, disclosed, or sold; the right to delete personal information collected from you; the right to opt-out of t...
If you are a California resident, you have the right to know what personal information we collect, use, disclose, and sell about you. You have the right to request deletion of your personal information, subject to certain exceptions. You have the right to opt out of the sale or sharing of your perso...
If you are a California resident, you have the right to know what personal information we collect about you, the right to delete personal information we have collected from you, the right to correct inaccurate personal information, the right to opt out of the sale or sharing of your personal informa...
Monitoring
Cloudflare has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"California residents have specific rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). These rights include the right to know what personal information we collect, use, disclose, and sell; the right to delete personal information; the right to correct inaccurate personal information; the right to opt out of the sale or sharing of your personal information; and the right to non-discrimination for exercising your rights.— Excerpt from Cloudflare's Cloudflare Privacy Policy
REGULATORY LANDSCAPE: This provision directly engages the CCPA as amended by CPRA, enforced by the California Privacy Protection Agency (CPPA) and California Attorney General. The right to opt out of sale or sharing is particularly significant given Cloudflare's advertising cookie and third-party data sharing practices. Non-discrimination requirements under CCPA prohibit Cloudflare from degrading service quality in response to rights exercises. GOVERNANCE EXPOSURE: Medium. CCPA and CPRA compliance requires verified consumer request processes, response within 45 days (extendable by 45 days), and documented opt-out mechanisms. Cloudflare's privacy request portal must satisfy these procedural requirements. Failure to honor opt-out requests for sale or sharing within 15 business days of receipt constitutes a violation under CPRA. JURISDICTION FLAGS: Applies specifically to California residents. Other U.S. states with comprehensive privacy laws (Virginia, Colorado, Texas, Connecticut, and others) have analogous but not identical rights frameworks; compliance teams should assess whether Cloudflare's stated rights apply to residents of those states as well. CONTRACT AND VENDOR IMPLICATIONS: Enterprise customers using Cloudflare should confirm whether Cloudflare qualifies as a service provider under CCPA (with appropriate contractual restrictions) or whether data flows constitute a sale or sharing arrangement. If Cloudflare uses customer data for its own purposes beyond service delivery, the service provider exemption may not apply. COMPLIANCE CONSIDERATIONS: Compliance teams should test Cloudflare's privacy request portal to confirm it meets CCPA and CPRA procedural requirements, including identity verification standards that do not create unreasonable barriers to rights exercises. The Global Privacy Control (GPC) signal, which CPRA requires businesses to honor for opt-out of sale and sharing, should be assessed for implementation on Cloudflare's properties.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
These are legally enforceable rights under California law, not just policy commitments, and include the right to opt out of data sharing for behavioral advertising, which is relevant given Cloudflare's use of third-party advertising cookies.
California residents can submit requests to Cloudflare to access, delete, or correct their personal information, and can opt out of the sale or sharing of that information for advertising purposes, with those rights enforced by the California Privacy Protection Agency.
ConductAtlas has identified this type of provision across 15 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Cloudflare.