[tuckerman]

There is generally exceptions for anti-abuse/spam to some of the provisions of GDPR and the like.

That said, is there really any 3rd party here? You are connecting to cloudflare and they are the ones that have seen this IP before and judging its behavior.

[OJFord]

It's a good point (made by sibling comment to yours too) but I do think it's a bit of a break-down in the intent of GDPR, or even 'not possible to satisfy requirement'?

Because from a user's perspective, my relationship is with news.ycombinator.com or whatever - I don't (have to) know or care if the site uses Cloudflare, that's some other company, maybe I haven't even heard of it or have any other relationship with it. But now it is a company that the one I knowingly have a relationship with is causing to be made aware of information which uniquely identifies me.

I didn't know there were anti-abuse/spam exceptions though, so I suppose that's it.