[OJFord]

It's a good point (made by sibling comment to yours too) but I do think it's a bit of a break-down in the intent of GDPR, or even 'not possible to satisfy requirement'?

Because from a user's perspective, my relationship is with news.ycombinator.com or whatever - I don't (have to) know or care if the site uses Cloudflare, that's some other company, maybe I haven't even heard of it or have any other relationship with it. But now it is a company that the one I knowingly have a relationship with is causing to be made aware of information which uniquely identifies me.

I didn't know there were anti-abuse/spam exceptions though, so I suppose that's it.