Cloudflare and US privacy law compliance

The Cloudflare team is confident that we have taken the steps necessary to ensure our policies, processes, and procedures meet the California Consumer Privacy Act (CCPA) and Consumer Privacy Rights Act (CPRA) requirements. We have updated our Privacy Policy to address CCPA and CPRA requirements. Cloudflare provides all users with data subject access, correction and deletion rights, and has done so since well before the CCPA first came into effect. Cloudflare maintains contracts with our customers and our service providers to ensure that any data use complies with applicable U.S. state data protections laws.

Yes. Under CCPA, a “service provider” is a company like ours that “processes information on behalf of a business and to which the business discloses a consumer’s personal information for a business purpose pursuant to a written contract," subject to additional contractual requirements specified by the CCPA. This service provider relationship is explicitly in Cloudflare's Data Processing Addendum (DPA), which in turn is incorporated into both our Enterprise Service Agreement (ESA) and Self-Serve Subscription Agreement (SSA). In addition, to the extent Cloudflare processes personal data on behalf of our customer within the scope of the CCPA, we commit in our DPA that we will not retain, use, or disclose such personal data for any purposes other than the purposes set out in the ESA or SSA, together with the DPA, and as permitted under the CCPA, including under any “sale” exemption. Cloudflare will not “sell” or “share” the data we process on behalf of our customers, as those terms are defined in the CCPA.

No. Cloudflare does not sell, rent, or share personal information we process on behalf of our customers as a service provider or processor, including as the terms "sell" or "share" are defined in the CCPA.

On Cloudflare's public-facing websites, such as Cloudflare.com, we use services that help deliver interest-based ads to visitors to our websites and may transfer such visitors' personal information to business partners for their use. Making personal information (such as online identifiers or browsing activity) available to these companies may be considered a “sale” or “sharing” of personal information under the CCPA or other relevant state privacy laws. Individuals can opt out of such collection or use as described in our Privacy Policy or Cookie Policy.

As stated in our Privacy Policy, Cloudflare recognizes individuals’ data protection rights. Data subjects have the right to access, correct, update, port, or delete their personal information, and to restrict or object to the processing of their personal information (each of these a “Rights Request”). Data subjects may email us at sar@cloudflare.com with any Rights Request, and we will respond within thirty (30) days. Customers and administrative users also can access, correct, export, or update their account information by editing their profile or organization record at Cloudflare.com.

Please note that Cloudflare has no direct relationship with the individuals who access or use our customers’ domains, networks, websites, application programming interfaces, and applications or the customer employees who use Cloudflare's services, such as Zero Trust ("End Users"). Even where “Cloudflare” may be indicated as the authoritative name server for a domain, unless Cloudflare is the owner of that domain, we have no control over a domain’s content. We rely upon our customers to comply with the underlying legal requirements for Rights Requests in accordance with their obligations under applicable data protection laws. If an End User requests that we fulfill a Rights Request, we will direct that End User to contact the customer website(s) with which they interacted directly. Our customers are solely responsible for ensuring compliance with all applicable laws and regulations with respect to their website users.

We are paying close attention to the new and emerging U.S. state privacy laws, and we're taking a number of steps to ensure our compliance with these laws before they come into force. Cloudflare provides all users, regardless of residency, with data subject access, correction and deletion requirements, and has done so since well before any of the recent U.S. state privacy legislation became law. Cloudflare does not sell our customers' data or the data of our customers' End Users (as "End Users" is defined in the Cloudflare privacy policy). We will continue to monitor U.S. state legislative developments closely and will be taking them into account as appropriate going forward.

Cloudflare supports many businesses with rigorous data security requirements, including a number of healthcare organizations.

Although the U.S. Department of Health and Human Services (HHS) does not recognize a certification for HIPAA compliance, Cloudflare's network, management infrastructure, and associated processes and procedures are consistent with the security requirements specified by HIPAA and related regulations. However, Cloudflare will only enter into business associate agreements (BAAs) with its enterprise customers.