CDN in the gray area
Cloudflare is a content delivery network for optimizing website performance.
- Headquarters: San Francisco, California, United States
- Category: CDN
- Legal Basis: Consent required via Consent Management Platform (CMP)
What is Cloudflare?
Cloudflare is a Content Delivery Network (CDN), which is a network of servers in different data centers around the world.
When you use a CDN, static content from your website (such as images, videos, audios, documents, or CSS, HTML, or JavaScript files) is first cached and stored on different servers around the world. These servers are called replica servers.
How does a CDN work?
At the moment when a user calls up a certain content on the website, the server that can transmit the data the fastest is determined. It then sends the cached content to the user. Depending on the CDN provider, the number and distribution of servers varies, as does the degree of integration of high-performance backbone networks.
Why is Cloudflare used?
Due to the described mode of operation of CDNs with worldwide replica servers, loading times and thus the performance factor of the website improve. Since in the process website content is cached on Cloudflare’s servers, Cloudflare is a service provider according to Art. 1 para. 1 TMG
Cloudflare confirms that it stores the content of the customer website longer than would be necessary for the mere transmission. On the one hand, to reduce the number of calls to the pages of your customers, on the other hand, to be able to load content even faster. In addition, harmful visitors should be able to be blocked in this way.
CDNs use DNS resolvers to convert a domain into an IP address. Which server (or server location) is/was accessed is difficult to trace. In the CDN, algorithms have control over routing and connection optimization; the user himself cannot influence this.
This poses a problem in terms of the GDPR, as website operators must be able to prove that no data transfer to unsafe third countries has taken place. In the case of Cloudflare, as an American company, it can be assumed that a large part of the data processing takes place in the USA, which is to be classified as an unsafe third country. A contract processing agreement (CPA) with Cloudflare is not possible, as Cloudflare does not assume any responsibility for the content of your customers.
What data is processed?
Cloudflare collects data such as
- IP-Address
- Contact and protocol info
- Security fingerprints
- Performance data for websites
Cloudflare uses the _cfduid cookie to identify individual users and apply security settings to each user.
The _cfduid cookie is deleted after one year.
Other data is stored at user level for domains in the Free, Pro and Business versions for a maximum of 24 hours. For Enterprise domains that have Cloudflare logs enabled, data can be stored for up to 7 days.
In our service knowledge base you will find comprehensive information on individual services – clearly arranged and digital!
Expert knowledge and pro tips on top 😉
Legal foundation for the processing
The basis for the processing of the data results from the GDPR in combination with the TTDSG, whereby the GDPR takes precedence should there ever be a collision.
The GDPR regulates the processing of personal data and the TTDSG focuses on access to the end device, e.g. the use of cookies.
When is there a requirement for consent?
Personal Data
The processing of personal data is only permitted if at least one of the letters of Art. 6 (1) GDPR is fulfilled. The two important letters are the following:
- Die betroffene Person hat ihre Einwilligung erteilt (lit. a)
- The processing is necessary to protect your legitimate interest (lit. f)
Cookies
According to Art. 25 (1) TTDSG, consent is required if cookies are set that are not technically absolutely necessary.
It should be noted that this means not only the well-known small text files and pixels, but all technologies that allow to find out, link or infer a user, a user agent or device.
Thus, all information elements that enable the identification of a person are subject to consent.
The requirements for exemption from consent
To ensure consent-free use, the following conditions would need to be met:
- Conclusion of a processing contract with the processor
- No use of cookies or similar profiling techniques
- Processing of personal data exclusively in Europe
- The processor does not use the obtained data for its own purposes
- The processor does not link or enrich the data across different websites
- Possibility of opting out or revoking as well as detailed information about the collection of personal data in the privacy statement
- IP anonymization (“Privacy by Default”)
- Automatic opt-out for Do-Not-Track settings in the browser
- Proof of points 1-8 carried out by the website operator
IP address
Note that the IP address is generally a personal data. If you want to prevent personal data from being transmitted, you must always ensure that the IP address is disguised.
Server location
As long as it is not clear whether/that data is collected from a secure server location, compatibility with the GDPR is difficult.
Company headquarters
In the case of American companies or their subsidiaries, the fact that it is an American company must also be taken into account. Since the ruling on the Privacy Shield, American companies belong to an insecure third country.
Why is Cloudflare subject to consent?
- If data would be processed on a server in a secure third country, consent according to Art. 6 (1) lit. a GDPR must nevertheless be obtained for the use of Cloudflare in any case, as data is stored by the service.
- Accordingly, the service of Cloudflare may only be loaded after consent, otherwise a connection to one of the servers would already be established.
- Fulfilling the obligation to provide information according to Art. 13 GDPR in the privacy statement is another hurdle, since the information of the third country is missing and thus no transparent information can be provided.
This means that there are violations of points 1, 2, 3 and 7 above. Freedom from consent cannot be established.
DISCLAIMER: This does not mean that the points not mentioned are fulfilled.
Conclusion on the privacy-compliant use of Cloudflare
Since the Privacy Shield was overturned, the use of third-party services in America is a gray area and should be secured by a standard contractual clause. In any case, we classify Cloudflare and other content delivery networks as requiring consent.
Still, it’s worth considering whether the benefits that come from the CDN outweigh the associated risks. If not, you should find out about possible alternatives.
Since all content delivery networks work according to the replica server principle, we are currently not aware of any 100% GDPR-compliant alternative to Cloudflare and other CDNs.
In order to optimize website load times, local measures can be used such as downsizing image files. Locally embedded files are always compliant with the GDPR.
Any questions?
Then feel free to call us. We will help you with questions about our product and features or generally about all data protection topics:
