[OJFord]

How is it not a GDPR violation? Before I've even connected to the site I intended and had the opportunity to consent, an IP address that potentially uniquely identifies me (plus whatever else) is shared with a third-party data processor?

[tuckerman]

There is generally exceptions for anti-abuse/spam to some of the provisions of GDPR and the like.

That said, is there really any 3rd party here? You are connecting to cloudflare and they are the ones that have seen this IP before and judging its behavior.

[OJFord]

It's a good point (made by sibling comment to yours too) but I do think it's a bit of a break-down in the intent of GDPR, or even 'not possible to satisfy requirement'?

Because from a user's perspective, my relationship is with news.ycombinator.com or whatever - I don't (have to) know or care if the site uses Cloudflare, that's some other company, maybe I haven't even heard of it or have any other relationship with it. But now it is a company that the one I knowingly have a relationship with is causing to be made aware of information which uniquely identifies me.

I didn't know there were anti-abuse/spam exceptions though, so I suppose that's it.

[Hikikomori]

How would it work with IP/Internet at all? Doesn't matter if the site is hosted in Cloudflare, aws or random datacenter.