Cloudflare can share your personal data with law enforcement, government agencies, or private parties when legally required or when Cloudflare itself decides it is necessary — including to prevent activity it considers illegal or unethical, which is a broad discretionary power.
Your personal data can be disclosed to law enforcement or third parties not just when legally required but also when Cloudflare unilaterally decides it is necessary, which could include situations beyond formal legal process such as subpoenas or court orders.
Cross-platform context
See how other platforms handle Law Enforcement and Government Disclosure and similar clauses.
Compare across platforms →The inclusion of Cloudflare's own discretionary judgment ('as we, in our sole discretion, believe necessary') as a trigger for disclosure — beyond legal compulsion — creates a broader disclosure power than a strict legal-requirement-only standard.
REGULATORY FRAMEWORK: Law enforcement disclosures implicate the Electronic Communications Privacy Act (ECPA, 18 U.S.C. §§2701–2712), the Stored Communications Act (SCA, 18 U.S.C. §2702), and GDPR Art. 6(1)(c) (legal obligation) and Art. 6(1)(f) (legitimate interests) for EU disclosures. GDPR Art. 23 permits member state law to restrict data subject rights for law enforcement purposes. The CLOUD Act (18 U.S.C. §2523) governs cross-border data requests. FTC Act Section 5 applies if discretionary disclosures are made in a manner inconsistent with representations in this policy.
Compliance intelligence locked
Regulatory citations, enforcement risk, and due diligence action items.
Watcher: regulatory citations. Professional: full compliance memo.