Which regulatory agencies enforce this type of clause?

{'agency': 'FTC', 'reason': 'The FTC has authority under Section 5 over unfair or deceptive practices related to undisclosed passive data collection from consumers.', 'complaint_url': 'https://reportfraud.ftc.gov/'}

What is the severity of this clause?

ConductAtlas classifies this Passive Network Data Collection clause as medium severity. Severity reflects the magnitude of rights affected, the breadth of users impacted, and the degree of discretion the platform retains.

Passive Network Data Collection — Cloudflare

Share 𝕏 Share in Share 🔒 PDF

Monitor governance changes for Cloudflare Create a free account to receive the weekly governance digest and monitor one platform for governance changes.

Create free account No credit card required.

Document Record

What it is

Cloudflare automatically collects your IP address, browser type, and browsing behavior not just when you use Cloudflare's own products, but also when you visit any website that uses Cloudflare's infrastructure — even if you've never heard of Cloudflare.

ⓘ

This analysis describes what Cloudflare's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology

ConductAtlas Analysis

Why it matters (compliance & governance perspective)

This collection mechanism enables Cloudflare to operate and deliver its services across distributed networks, including threat detection and performance optimization. The authorization extends to data collection across customer websites using Cloudflare's service infrastructure, establishing the operational basis for network-level data visibility.

Consumer impact (what this means for users)

Your IP address and browsing metadata are collected by Cloudflare every time you visit a website that uses Cloudflare's network, creating a data footprint with a company you may never have knowingly interacted with.

How other platforms handle this

Paramount+ Medium

"By clicking 'Next', you are indicating that you have read and agree to the TERMS OF USE AND PRIVACY POLICY"

OpenAI Medium

We automatically collect certain information from your device, including information about your web browser, IP address, time zone, and some of the cookies that are installed on your device. Additionally, as you browse the Service, we collect information about the individual web pages or products th...

Microsoft Azure Medium

Location data. Data about your device's location, which can be either precise or imprecise. For example, we collect location data using Global Navigation Satellite System (GNSS) (e.g., GPS) and data about nearby cell towers and Wi-Fi hotspots. Location can also be inferred from a device's IP address...

See all platforms with this clause type →

Monitoring

Cloudflare has changed this document before.

Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.

Start Monitor free trial Or create a free account →

▸ View Original Clause Language DOCUMENT RECORD

"
When you visit our websites or use our Services, we and our third-party service providers may collect certain information automatically. This includes information such as your Internet Protocol (IP) address, browser type, Internet Service Provider (ISP), referring/exit pages, operating system, date/time stamp, and clickstream data. We also collect this type of information when users visit websites of our customers who use our Services, as part of providing those Services.

— Excerpt from Cloudflare's Cloudflare Privacy Policy

ConductAtlas Analysis

Institutional analysis (Compliance & governance intelligence)

REGULATORY FRAMEWORK: Automatic collection of IP addresses and browsing data constitutes processing of personal data under GDPR Art. 4(1) and requires a lawful basis under Art. 6. The ePrivacy Directive (2002/58/EC) and its national implementations govern use of tracking technologies and require consent in most EU jurisdictions. CCPA §1798.140(o) defines 'personal information' to include IP addresses and browsing history, triggering disclosure and opt-out obligations. FTC Act Section 5 applies to any deceptive omissions about the scope of data collection.

Full compliance analysis

Regulatory citations, enforcement risk, and due diligence action items.

Track 1 platform — free Try Monitor free for 14 days

Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.

Applicable agencies

FTC

The FTC has authority under Section 5 over unfair or deceptive practices related to undisclosed passive data collection from consumers.
File a complaint →

Applicable regulations

CCPA/CPRA

California, USA

Connecticut Data Privacy Act Amendments

US-CT

CAN-SPAM

United States Federal

ePrivacy Directive

European Union

FTC Act Section 5

United States Federal

GDPR

European Union

Indiana Consumer Data Protection Act

US-IN

Kentucky Consumer Data Protection Act

US-KY

Universal Opt-Out Mechanism Expansion 2026

Provision details

Document information

Document

Cloudflare Privacy Policy

Entity

Cloudflare

Document last updated

May 5, 2026

Tracking information

First tracked

April 18, 2026

Last verified

April 18, 2026

Record ID

CA-P-003011

Document ID

CA-D-00282

Evidence Provenance

Source URL

https://www.cloudflare.com/privacypolicy/

Wayback Machine

View archived versions →

Content hash (SHA-256)

f8e88ec9d8c545e030482f3dd3f67f81792db81930414a668aae4f61c5cebe58

Analysis generated

April 18, 2026 11:44 UTC

Methodology

summarize_document-v7

Evidence

✓ Snapshot stored ✓ Hash verified

Citation Record

Entity: Cloudflare
Document: Cloudflare Privacy Policy
Record ID: CA-P-003011
Captured: 2026-04-18 11:44:46 UTC
SHA-256: f8e88ec9d8c545e0…
URL: https://conductatlas.com/platform/cloudflare/cloudflare-privacy-policy/passive-network-data-collection/
Accessed: June 17, 2026

Permanent archival reference. Stable identifier suitable for legal filings, compliance documentation, and research citation.

Classification

Severity

Medium

Other risks in this policy

Controller vs Processor Distinction high
International Data Transfers medium
California Resident Privacy Rights (CCPA/CPRA) medium
Cookie and Tracking Technology Use medium
Third-Party Service Provider Data Sharing medium
Data Retention medium

Related Analysis

Netflix Updated Terms Authorize Voice Data Collection: April 2026
Netflix updated its Privacy Statement on April 18, 2026, disclosing voice recording collection and expanded household ad profiling for the first time.
What Google Actually Knows About You
Google's Privacy Policy covers Search, Gmail, YouTube, Maps, and every site running Google Analytics. Here is what it actually authorizes.

Compliance Governance Intelligence

Need to monitor specific governance provisions?

Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.

Arbitration clauses AI governance Data rights Indemnification Retention policies

Start Compliance free trial

Or start with Monitor →

Built from archived source documents, structured governance mappings, and historical version tracking.

Frequently Asked Questions

What does Cloudflare's Passive Network Data Collection clause do?

How does this clause affect you?

Is ConductAtlas affiliated with Cloudflare?

No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Cloudflare.