Cloudflare Web Analytics

Overview

Cloudflare Web Analytics is a privacy-oriented analytics service that measures website traffic and performance without using cookies or collecting personally identifiable information. It operates through a lightweight JavaScript beacon that reports page views and Core Web Vitals performance metrics (Largest Contentful Paint, First Input Delay, Cumulative Layout Shift) directly to Cloudflare's edge network. The service is designed as a privacy-first alternative to traditional analytics platforms that rely on cookies and unique visitor identification.

What This Script Does

The Cloudflare Web Analytics beacon loads as a small JavaScript snippet from Cloudflare's CDN.

• Script loaded: static.cloudflareinsights.com/beacon.min.js — a lightweight beacon script (~5KB) that collects page performance and traffic data
• No cookies set: Cloudflare Web Analytics does not set any cookies, use localStorage, or store any identifiers on the visitor's device. This is a core design principle, not a configuration option.
• No unique identifiers: The service does not generate visitor IDs, session IDs, or browser fingerprints. All data is aggregated — there is no concept of a "unique visitor" in the traditional analytics sense.
• Data collected per page view: Page URL, referrer, browser user agent (aggregated, not stored per-visitor), page load timing metrics (Core Web Vitals), country derived from IP address (IP is not stored), and HTTP response status code
• Network request: A single POST request to cloudflareinsights.com transmits the page view data. The request payload contains no personally identifiable information.
• Performance metrics: The beacon measures real user monitoring (RUM) data including LCP, FID/INP, CLS, TTFB, and page load time, providing Core Web Vitals reporting alongside traffic analytics.

Consent & Compliance

Cloudflare Web Analytics falls under the analytics consent category, though its privacy design simplifies compliance significantly.

Under GDPR and ePrivacy, Cloudflare Web Analytics presents an unusual case for an analytics tool. It sets no cookies and stores no information on the user's device, which means the ePrivacy Directive's cookie consent requirement does not apply. The beacon transmits only aggregated, non-identifying data. IP addresses are used for country-level geolocation but are not stored or logged. Several privacy-focused analyses have concluded that Cloudflare Web Analytics can operate without consent under the ePrivacy Directive because it does not access or store information on the user's terminal equipment. However, the GDPR's broader scope still applies to any processing of personal data (even IP addresses used transiently), and some strict interpretations may still require a legal basis.

Under CCPA/CPRA, the aggregated, non-identifying nature of the data collection means Cloudflare Web Analytics does not process personal information in a way that triggers CCPA obligations for "sale" or "sharing."

Should You Block This Without Consent?

Yes. Despite its privacy-first design, Cloudflare Web Analytics is classified as an analytics service and should be managed under analytics consent for consistency with the site's consent framework. From a strict regulatory perspective, the absence of cookies and unique identifiers means it could operate without consent under the ePrivacy Directive, and some organizations choose to load it without consent on that basis. However, ConsentStack classifies it as analytics, and the conservative approach is to respect that classification in your consent management.