Is Cloudflare Web Analytics more GDPR-compliant than Google Analytics?
Does Using Cloudflare Web Analytics Instead of Google Analytics Make Your Website GDPR Compliant?
Short answer: no.
Long answer: Consult a legal professional.
Is Cloudflare Web Analytics GDPR Compliant?
Cloudflare is a U.S. corporation that ultimately processes your visitors' data, such as IP addresses. Cloudflare claims that it neither stores this data nor fingerprints browsers. An approach worth applauding. We are all citizens of the Internet. Seeing large corporations making an effort to promote privacy is heartwarming and uplifting.
Because data processing by Cloudflare fails the Schrems II test, usage of Cloudflare Web Analytics appears not to be GDPR compliant, for the same reasons Google Analytics or Universal Analytics are not.
A U.S. corporation, even if processing data in the E.U., is subject to U.S. surveillance laws. These laws are intrinsically incompatible with GDPR and the privacy protection afforded to European Union citizens and residents.
Cloudflare makes its claims about GDPR adequacy based on Standard Contractual Clauses. SCCs are an additional measure required by GDPR when engaging in data transfer to an inadequate country.
However, according to the Schrems II ruling, the SCCs are insufficient to confer compliance. Despite the company's best intentions, Cloudflare must follow U.S. law, making SCCs highly unreliable.
In case of complaints, can I blame Cloudflare?
Sadly, no. Your website is the Data Controller in this scenario. Data Controllers must ensure that all Data Processors involved in serving customers are disclosed and compliant with relevant laws.
It is more than just Cloudflare that might get you in trouble. The same applies to Google Analytics which, despite clearly apparent proof and a legal decision, insists on GDPR compliance. Bah, pick a random so-called privacy-friendly web analytics product, do your due diligence, and you will see that many of those proudly displaying GDPR compliance badges fail to distinguish cookieless tracking from GDPR adherence.
Some companies are stubborn in their defiance, claiming compliance despite Data Protection Authorities ruling otherwise.
So how come Wide Angle Analytics can boast compliance while others fail?
You might be sceptical that such advice comes from a web analytics solution vendor. We invite you to scrutinize our claims. In a nutshell, here is our summary:
- Except for billing information (we use PaddleHQ), neither customer data nor your end-user data leaves the European Union or an EEA country. This strict statement covers aspects such as our corporate email and customer support. If you exchange end-user Personal Data in a support conversation, you remain compliant.
- We host all services in the E.U., on a European cloud. Not just on EU-based servers. Our sole hosting provider is OVHcloud.
- We engaged with a professional Data Protection agency in the early stages. DPO Consulting, the French DPO-as-a-Service provider we use, employs former CNIL employees. You cannot get better advice than this.
- We understand that GDPR is not just fancy graphics and avoiding cookies. We embrace the process and transparency and treat this as an ongoing effort. Together with our DPO, we continuously advance our GDPR compatibility score by producing more precise documentation and making appropriate disclosures.
- Our customers can obtain a signed Data Processing Agreement, a document necessary to process Personal Data should the customer decide to engage in such a processing activity.
We've got you covered.