Use a CDN that doesn't use cookies #2986
Comments
shields started planting cookies via cloudflare badges/shields#2986
Hi! We take our obligations seriously and do not want to put our developers at risk. Thanks for opening this.

img.shields.io (the badge server) added Cloudflare as an SSL gateway in May 2015 (#459) and that cookie has been part of every request since then. Previously Cloudflare had also sat in front of shields.io (the website), but that is no longer the case (#608 (comment)).

Since #1880 we have configured Cloudflare to provide downstream caching as well. It carries about 40% of the production traffic. (The cookie behavior did not change when that was turned on, only the caching behavior.)

The cfduid cookie is necessary for Cloudflare's security features. It protects Shields servers from DOS attacks. Removing the CDN would likely cause occasional downtime and hinder our ability to serve our users.

My understanding is that GDPR does not require consent for cookies which are strictly necessary for the delivery of a service requested by the user. See this thread on the Cloudflare forum for a bit of response from Cloudflare support. I'm open to getting a professional legal opinion on that.

As Cloudflare provides no way of turning this off, I'm open to exploring alternate technical solutions. It would be helpful to know about other CDN providers, and whether or not they have tracking cookies which can be turned off.

Also, there's a workaround if this is something you can't live with. While Shields is not able to provide a CDN-free endpoint, it's easy to self-host your own Shields server if you want to. The server has some modest anti-abuse detection built in, and it doesn't depend on cookies. The server doesn't set or read any cookies.
Thanks for the detailed response. I was afraid you were going to link to that post on their forums. It's very unauthoritative and comments were closed after someone linked to a somewhat authoritative-looking EU doc from 2002. A likely story.

Anyway, those cookies are still personal identifiers despite any grayness thrown around them and because of that CloudFlare has to stay current with https://www.privacyshield.gov/participant?id=a2zt0000000GnZKAA0 both in the EU and the US. If you want to trust them with your users' data please by all means. What could possibly go wrong?

In my case I'll look for another solution as my scope is fairly limited and, as I mentioned, my website does not use cookies.

I recommend taking a look at https://ec.europa.eu/justice/smedataprotect/index_en.htm. It's fairly clear those collecting data need to state who's collecting, where it's going, how long it will be stored and to get consent before that data is collected. I doubt most using shields are doing that today.
My cookie disclaimer states my site does not use cookies.
#1880 added CloudFlare
Cloudflare plants `__cfuid` cookie on sites using shields now and all users without a cookie disclaimer are at risk of violating GDPR.