• Resolved Anna

    (@anna88sabu)


    Is it possible to block CDN from Cloudflare in cookie banner before consent?

  • Plugin Author devowl.io GmbH

    (@devowl)

    Hi @anna88sabu,

    First of all, please excuse my late reply.

    Technically, it is possible to block Cloudflare CDN for JavaScript and similar libraries with Real Cookie Banner. However, it is necessary to consider the consequences of this action.

    We must point out that the following statements do not constitute legal advice. Therefore, I can only give you evaluations from our intensive experience with the EU legal regulations in practice and a technical assessment of the situation.

    cdnjs.cloudflare.com (I expect you mean that one) is typically a so-called CDN (Content Delivery Network). This stores files on a large number of servers worldwide in order to be able to deliver them to the website visitor from the geographically closest server as quickly as possible. In almost all cases, not all servers are located in the EU or in secure third countries within the meaning of EU data protection law. The transfer of the website visitor’s IP address as personal data to the CDN’s servers and especially the potential transfer to unsafe third countries can usually only take place after your website visitors have given their consent. In general, a CDN is not a technically essential part of the web hosting, so that a legitimate interest does not come into question. Compare, among others, the decision of the VG Wiesbaden of 01.12.2021, Ref. 6 L 738/21.WI, the judgment of the OLG Cologne of 09.10.2020, Ref. 6 U 32/20 or the judgment of the LG München I of 20.01.2022, Ref. 3 O 17493/20. For you as a website operator, this means that we have the legal opinion that the CDN may only be used after consent has been given. However, refusing the CDN will result in parts of your website not working, as necessary scripts will not be able to load. Therefore, if you deliberately use the CDN, you should avoid it. If the CDN is surprisingly used on your website, it is probably because your theme or one of your WordPress plugins uses it. You would have to host their scripts locally, which is only offered as an option by a few themes or plugins. As of today, we don’t know of any practical solution to this problem other than asking the theme/plugin manufacturer to host them locally. Consequently, there is no service template for the CDN that might be useful to you.

    If you have any further questions, please don’t hesitate to let us know!

    Best regards,

    Jan
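    The reply above notes that an unexpected cdnjs.cloudflare.com dependency usually comes from a theme or plugin, and that the operator first has to find out which one. The following is an added example, not code from Real Cookie Banner or devowl.io: a small WordPress must-use plugin (drop it into wp-content/mu-plugins/) that logs the handle and URL of every enqueued script or style served from that host, so the responsible theme or plugin can be identified and asked to host the file locally. The filter names are WordPress core filters; the plugin name, constant and function names are invented for this example, and the host list is a constructed assumption you can extend.

```php
<?php
/**
 * Plugin Name: CDN Audit (constructed example, not part of Real Cookie Banner)
 * Description: Logs which enqueued script/style handles are served from
 *              cdnjs.cloudflare.com so the operator can see which theme or
 *              plugin pulls them in. Audit only: URLs are passed through unchanged.
 */

// Hosts whose assets would transfer the visitor's IP address to a third party
// before consent. Constructed list; extend it for other CDNs you care about.
const CDN_AUDIT_HOSTS = ['cdnjs.cloudflare.com'];

/**
 * True if $src points at one of the audited hosts.
 * Handles absolute ("https://...") and protocol-relative ("//...") URLs;
 * relative paths (local assets) have no host and are never flagged.
 */
function cdn_audit_is_cdn_host(string $src): bool
{
    $host = parse_url($src, PHP_URL_HOST);
    if (!is_string($host) || $host === '') {
        return false;
    }
    return in_array(strtolower($host), CDN_AUDIT_HOSTS, true);
}

/**
 * Filter callback for script_loader_src / style_loader_src.
 * Writes one line per flagged asset to the PHP error log (WP_DEBUG_LOG
 * sends it to wp-content/debug.log) and returns the URL unchanged.
 */
function cdn_audit_log_src($src, $handle, string $kind): string
{
    $src = (string) $src;
    if (cdn_audit_is_cdn_host($src)) {
        error_log(sprintf(
            '[cdn-audit] %s handle "%s" is loaded from a third-party CDN: %s',
            $kind,
            (string) $handle,
            $src
        ));
    }
    return $src;
}

// Priority 10, two arguments ($src, $handle) as WordPress passes them.
add_filter('script_loader_src', fn($src, $handle) => cdn_audit_log_src($src, $handle, 'script'), 10, 2);
add_filter('style_loader_src',  fn($src, $handle) => cdn_audit_log_src($src, $handle, 'style'),  10, 2);
```

    The handle names in the log (for example a library name such as the one a slider or icon plugin registers) point at the theme or plugin that enqueued the asset; grep the wp-content directory for that handle to locate the wp_enqueue_script call.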

    Hi Mr. Jan,

    I hope this message finds you well. I wanted to bring to your attention some developments regarding GDPR compliance and the use of Cloudflare that I believe may have an influence on the topic discussed.

    On July 10, 2023, the European Commission adopted a new agreement on data transfer between the European Union and the United States, which officially came into force on July 11, 2023. This agreement aims to ensure an adequate level of protection for personal data transferred from the EU to US companies, similar to the protection within the EU itself.

    Link: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/eu-us-data-transfers_en

    Given this significant update, it seems that Cloudflare’s compliance with GDPR may have shifted. This article I’ve come across:

    https://www.managedserver.eu/cloudflare-and-gdpr-how-things-stand/

    suggests that Cloudflare is now to be understood as compliant with GDPR regulations due to this new agreement. This contrasts with previous concerns raised about the potential risks to visitor data when using Cloudflare as a reverse proxy.

    This aligns with Part 1 of Article 45 of the GDPR:

    https://gdpr-info.eu/art-45-gdpr/

    which states that transfers to a third country that ensures an adequate level of protection shall not require any specific authorization.

    I wanted to reach out to you to get your perspective on these. Considering this new agreement, its alignment with Article 45 of the GDPR, and its implications for GDPR compliance, do you believe your previous recommendations regarding the use of Cloudflare remain the same? Have these developments influenced your stance on the matter? Do the above mean that the necessary cookies for Cloudflare CDN to function if I use it in my website intentionally are to be considered essential and do not require user consent?

    Your insights would be greatly appreciated. Thank you for taking the time to consider this.

    Best regards,
    Themis Theodoridis

    Plugin Author devowl.io GmbH

    (@devowl)

    Hi Themis,

    thanks for your additions and research. We must point out that the following statements do not constitute legal advice. Therefore, I can only give you evaluations from our intensive experience with the EU legal regulations in practice and a technical assessment of the situation.

    It is correct that there has been a new legal basis for EU-US data transfer since June 2023 with the TADPF (adequacy decision according to Art. 45 GDPR). We have also reported on this topic in our blog at https://devowl.io/2023/us-data-processing-tadpf/. In order for data processing in the USA to be considered secure, companies must self-certify. Cloudflare, Inc. is self-certified in accordance with the requirements of the TADPF (see entry at https://www.dataprivacyframework.gov/list). This means that EU-US data transfer is currently no longer a problem for Cloudflare.

    However, Cloudflare operates servers in at least the following countries that are considered unsafe in terms of the level of data protection in the EU, whereby the personal data of your website visitors could be processed there (as of March 2024): Afghanistan, Albania, Algeria, Angola, Antigua And Barbuda, Armenia, Australia, Azerbaijan, Bahamas, Bahrain, Bangladesh, Barbados, Belarus, Belize, Benin, Bhutan, Bolivia, Bosnia And Herzegovina, Botswana, Brazil, Brunei Darussalam, Burkina Faso, Burundi, Cambodia, Cameroon, Cape Verde, Central African Republic, Chad, Chile, China, Colombia, Comoros, Congo, Congo, Democratic Republic, Costa Rica, Cuba, Djibouti, Dominica, Dominican Republic, Ecuador, Egypt, El Salvador, Equatorial Guinea, Eritrea, Ethiopia, Fiji, Gabon, Gambia, Georgia, Ghana, Grenada, Guatemala, Guinea, Guinea-Bissau, Guyana, Haiti, Honduras, India, Indonesia, Iran, Islamic Republic Of, Iraq, Jamaica, Jordan, Kazakhstan, Kenya, Kiribati, North Korea, Kuwait, Kyrgyzstan, Lao People’s Democratic Republic, Lebanon, Lesotho, Liberia, Libyan Arab Jamahiriya, Madagascar, Malawi, Malaysia, Maldives, Mali, Marshall Islands, Mauritania, Mauritius, Macedonia, Mexico, Federated States Of Micronesia, Moldova, Monaco, Mongolia, Montenegro, Morocco, Mozambique, Myanmar, Namibia, Nauru, Nepal, Nicaragua, Niger, Nigeria, Oman, Pakistan, Palau, Panama, Papua New Guinea, Paraguay, Peru, Philippines, Qatar, Russian Federation, Rwanda, Saint Kitts And Nevis, Saint Lucia, Samoa, San Marino, Sao Tome And Principe, Saudi Arabia, Senegal, Serbia, Seychelles, Sierra Leone, Singapore, Solomon Islands, Somalia, South Africa, Sri Lanka, Sudan, Suriname, Swaziland, Syrian Arab Republic, Taiwan, Tajikistan, Tanzania, Thailand, Timor-Leste, Togo, Tonga, Trinidad And Tobago, Tunisia, Turkey, Turkmenistan, Tuvalu, Uganda, Ukraine, United Arab Emirates, Uzbekistan, Vanuatu, Holy See (Vatican City State), Venezuela, Vietnam, Yemen, Zambia and Zimbabwe.

    In our opinion, the best solution to the problem with the other unsafe third countries is the agreement of Standard Contractual Clauses with Cloudflare, which Cloudflare also provides for the conclusion of the contract (https://www.cloudflare.com/cloudflare-customer-scc/). In the Cloudflare service of Real Cookie Banner you can state if you have concluded Standard Contractual Clauses. This means that your website visitors will see in the cookie banner that you are taking this appropriate safeguard to ensure the security of their personal data.

    I hope this information helps you!

    Best regards,
    Jan

    Hi again Mr. Jan,

    As I can see in Cloudflare’s GDPR Compliance page (https://www.cloudflare.com/trust-hub/gdpr/), the SCCs, including supplementary measures as necessary, are contained in their standard DPA, which is incorporated by reference into their Self-Serve Subscription Agreement, which has to be agreed to during sign-up; therefore, no action is required to ensure that the appropriate cross-border data transfer mechanisms are in place.

    With that in mind, I assume that in Real Cookie Banner, in the General service configuration > Special treatment for unsafe countries, both options
    ‘I have concluded standard contractual clauses with the provider’
    and
    ‘Provider is self-certified in accordance with the Trans-Atlantic Data Privacy Framework for secure data processing in the USA’
    have to be selected? (maybe by Default in the Cloudflare Template? I can’t check because I have the free version of Real Cookie Banner😅).

    All in all, thank you so much for the valuable information provided, I appreciate the effort to answer comprehensively with such an amount of detail. You’re awesome!!

    Best regards,
    Themis Theodoridis

    Plugin Author devowl.io GmbH

    (@devowl)

    Hi Themis,

    Your assumption is totally correct. In our service templates in the PRO version, these fields are already prefilled (if the template is already updated to the latest requirements).

    If you are happy with our support and want to do us a favor, please rate Real Cookie Banner on wordpress.org! Thanks 🙂

    Best regards,
    Jan
