It has been over a year since I cancelled my Cloudflare account. They keep emailing me and haven't taken me off their marketing lists despite repeated requests. Their CTO told me he would investigate, but nothing changed. Their Data Protection Office hasn't responded to my requests.
Cloudflare do not appear to respect the GDPR.
I've escalated this to the highest levels of Cloudflare, but they just don't seem to be able to take any action. This is concerning.
Done. It was the email apologising for your most recent outage.
— Terence Eden (@edent) August 31, 2020
Sadly, John Graham-Cumming - the CTO - deleted his Tweet saying that he'd look into it. I assume that JGC doesn't like his personal data being misused. If only I were able to delete my personal data from Cloudflare, eh?
Luckily, the Internet Archive has a backup.
Despite promising an investigation and a response from their Data Protection Office - I've received no assurance that they have respected my rights.
At the start of August last year, I cancelled my Cloudflare account. I received confirmation from them that I was no longer a customer. My login was disabled. That should have been the last I heard from them.
I complained on Twitter, and their CTO promised he'd look into it:
(Again, tweet deleted, but saved in the Internet Archive)
I never heard back from John. But one of his minions sent me this:
When we receive a request for account deletion, we may retain the email address on the account up to a year to ensure that we comply with internal policies and legal obligations.
At the end of August this year - well over 12 months after I unsubscribed - I received another email from Cloudflare. This time apologising for their downtime!
Just received more spam from @Cloudflare. With no unsubscribe link.
It has been more than a year since I asked them to delete my account.
You cannot trust Cloudflare with your personal data. pic.twitter.com/y3QkYagM81
— Terence Eden (@edent) August 31, 2020
There was no option to unsubscribe. I'm not a customer - but apparently I still have to receive emails from them.
I got a message from someone at Cloudflare who said that they have multiple customer mailing lists and they are rarely in sync with each other. They don't have a good idea of who they are sending emails to, or whether people have consented. I think it is unacceptable for a company of this size to be so lax about their GDPR obligations.
I asked Cloudflare to report this breach to the Information Commissioner's Office, and I suggested that they may need to notify the SEC if they are expecting a large fine. They may also need to let investors know if they have misrepresented their customer numbers.
I asked JGC and Cloudflare PR for a comment - but they were not inclined to provide one. They said their DPO would get back to me last week, but I heard nothing.
At this point, I can only conclude that Cloudflare do not respect their users' privacy. Cloudflare has no idea who its customers are, nor how many they have. Cloudflare doesn't care about your data rights.
Our mission to help build a better Internet is rooted in the importance we place on establishing trust with our Customers, users, and the Internet community globally. To earn and maintain that trust, we commit to communicating transparently, providing security, and protecting the privacy of data on our systems.