Which regulatory agencies enforce this type of clause?

{'agency': 'FTC', 'reason': 'The FTC has authority under Section 5 over unfair or deceptive practices related to undisclosed passive data collection from consumers.', 'complaint_url': 'https://reportfraud.ftc.gov/'}

What is the severity of this clause?

ConductAtlas classifies this Passive Network Data Collection clause as medium severity. Severity reflects the magnitude of rights affected, the breadth of users impacted, and the degree of discretion the platform retains.

Passive Network Data Collection — Cloudflare

Share 𝕏 Share in Share 🔒 PDF

What it is

Cloudflare automatically collects your IP address, browser type, and browsing behavior not just when you use Cloudflare's own products, but also when you visit any website that uses Cloudflare's infrastructure — even if you've never heard of Cloudflare.

Consumer impact (what this means for users)

Your IP address and browsing metadata are collected by Cloudflare every time you visit a website that uses Cloudflare's network, creating a data footprint with a company you may never have knowingly interacted with.

Cross-platform context

See how other platforms handle Passive Network Data Collection and similar clauses.

Compare across platforms →

Need full compliance memos? See Professional →

Why it matters (compliance & risk perspective)

Because Cloudflare handles a significant portion of global internet traffic, this passive collection affects an enormous number of people who have no direct relationship with Cloudflare and may be unaware their data is being collected.

View original clause language

When you visit our websites or use our Services, we and our third-party service providers may collect certain information automatically. This includes information such as your Internet Protocol (IP) address, browser type, Internet Service Provider (ISP), referring/exit pages, operating system, date/time stamp, and clickstream data. We also collect this type of information when users visit websites of our customers who use our Services, as part of providing those Services.

Institutional analysis (Compliance & legal intelligence)

REGULATORY FRAMEWORK: Automatic collection of IP addresses and browsing data constitutes processing of personal data under GDPR Art. 4(1) and requires a lawful basis under Art. 6. The ePrivacy Directive (2002/58/EC) and its national implementations govern use of tracking technologies and require consent in most EU jurisdictions. CCPA §1798.140(o) defines 'personal information' to include IP addresses and browsing history, triggering disclosure and opt-out obligations. FTC Act Section 5 applies to any deceptive omissions about the scope of data collection.

🔒

Compliance intelligence locked

Regulatory citations, enforcement risk, and due diligence action items.

Watcher $9.99/mo Professional $149/mo

Watcher: regulatory citations. Professional: full compliance memo.

Applicable agencies

FTC

The FTC has authority under Section 5 over unfair or deceptive practices related to undisclosed passive data collection from consumers.
File a complaint →

Provision details

Document information

Document

Cloudflare Privacy Policy

Entity

Cloudflare

Document last updated

April 29, 2026

Tracking information

First tracked

April 18, 2026

Last verified

April 18, 2026

Record ID

CA-P-003011

Document ID

CA-D-00282

Evidence Provenance

Source URL

https://www.cloudflare.com/privacypolicy/

Wayback Machine

View archived versions →

SHA-256

f8e88ec9d8c545e030482f3dd3f67f81792db81930414a668aae4f61c5cebe58

Verified

✓ Snapshot stored ✓ Change verified

How to Cite

ConductAtlas Policy Archive
Entity: Cloudflare | Document: Cloudflare Privacy Policy | Record: CA-P-003011
Captured: 2026-04-18 11:44:46 UTC | SHA-256: f8e88ec9d8c545e0…
URL: https://conductatlas.com/platform/cloudflare/cloudflare-privacy-policy/passive-network-data-collection/
Accessed: May 2, 2026

Classification

Severity

Medium

Passive Network Data Collection