What can I do about this clause?

{'method': 'EMAIL', 'recipient': 'privacyquestions@cloudflare.com', 'difficulty': 'MODERATE', 'action_type': 'DELETE_DATA', 'instructions': "If you believe Cloudflare processes your data directly (e.g., via Cloudflare's own products like 1.1.1.1), email privacyquestions@cloudflare.com with your deletion request. If your data was processed on behalf of a third-party business, contact that business directly.", 'deadline_days': None, 'deadline_hours': None}

Which regulatory agencies enforce this type of clause?

{'agency': 'FTC', 'reason': 'The FTC has enforcement authority over deceptive or unfair data practices, including misrepresentation of data processor/controller roles under FTC Act Section 5.', 'complaint_url': 'https://reportfraud.ftc.gov/'}

What is the severity of this clause?

ConductAtlas classifies this Controller vs Processor Distinction clause as high severity. Severity reflects the magnitude of rights affected, the breadth of users impacted, and the degree of discretion the platform retains.

Controller vs Processor Distinction — Cloudflare

Share 𝕏 Share in Share 🔒 PDF

What it is

Cloudflare separates itself into two roles: when you use Cloudflare's own products directly, Cloudflare is responsible for your data; but when a website you visit uses Cloudflare behind the scenes, that website's owner is responsible, not Cloudflare.

Consumer impact (what this means for users)

If your data is processed by Cloudflare on behalf of a business you use, that business — not Cloudflare — is legally responsible for it, meaning Cloudflare will redirect your privacy requests to them and may not act on your behalf directly.

What you can do

⚠️ These actions may provide transparency or partial mitigation but may not fully address the underlying issue. Effectiveness varies by jurisdiction and individual circumstances.

Delete Your Data

If you believe Cloudflare processes your data directly (e.g., via Cloudflare's own products like 1.1.1.1), email privacyquestions@cloudflare.com with your deletion request. If your data was processed on behalf of a third-party business, contact that business directly.

Cross-platform context

See how other platforms handle Controller vs Processor Distinction and similar clauses.

Compare across platforms →

Need full compliance memos? See Professional →

Why it matters (compliance & risk perspective)

This distinction determines who you must contact to exercise your privacy rights — for most internet traffic passing through Cloudflare, you must go to the website owner, not Cloudflare directly, which can make it harder to exercise rights.

View original clause language

In this Privacy Policy, we use the terms 'Cloudflare customer' and 'customer' to refer to entities that access and use the Services under our Terms of Service and any applicable agreement that Cloudflare may have with such entities, and 'end users' to refer to those whose information Cloudflare processes on behalf of our customers. Cloudflare acts as a data processor for certain personal data, processing it only on behalf of our customers and in accordance with their instructions. For such data, the relevant Cloudflare customer is the data controller and is responsible for ensuring that such processing complies with applicable law.

Institutional analysis (Compliance & legal intelligence)

REGULATORY FRAMEWORK: This provision directly implicates GDPR Art. 4(7) (controller definition), Art. 4(8) (processor definition), Art. 28 (processor obligations including written DPA requirements), and Art. 82 (joint liability). Under CCPA, the analogous distinction between 'business' and 'service provider' is governed by §1798.140(ag) and §1798.100. The ICO and EU supervisory authorities, including the Irish DPC, hold enforcement authority over these classifications.

🔒

Compliance intelligence locked

Regulatory citations, enforcement risk, and due diligence action items.

Watcher $9.99/mo Professional $149/mo

Watcher: regulatory citations. Professional: full compliance memo.

Applicable agencies

FTC

The FTC has enforcement authority over deceptive or unfair data practices, including misrepresentation of data processor/controller roles under FTC Act Section 5.
File a complaint →

Provision details

Document information

Document

Cloudflare Privacy Policy

Entity

Cloudflare

Document last updated

April 29, 2026

Tracking information

First tracked

April 18, 2026

Last verified

April 18, 2026

Record ID

CA-P-003010

Document ID

CA-D-00282

Evidence Provenance

Source URL

https://www.cloudflare.com/privacypolicy/

Wayback Machine

View archived versions →

SHA-256

f8e88ec9d8c545e030482f3dd3f67f81792db81930414a668aae4f61c5cebe58

Verified

✓ Snapshot stored ✓ Change verified

How to Cite

ConductAtlas Policy Archive
Entity: Cloudflare | Document: Cloudflare Privacy Policy | Record: CA-P-003010
Captured: 2026-04-18 11:44:46 UTC | SHA-256: f8e88ec9d8c545e0…
URL: https://conductatlas.com/platform/cloudflare/cloudflare-privacy-policy/controller-vs-processor-distinction/
Accessed: May 2, 2026

Classification

Severity

High

Controller vs Processor Distinction