
Are IP addresses personally identifiable information under GDPR?


Yes, and also cookie IDs. Both are called out as examples in recital 30:

“Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.”

Source: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A...


I should have been more clear that I meant IP addresses alone.

It seems like this only addresses when IP addresses are combined with other data.


That particular guidance has provided a lot of gnashing of teeth because some readings of it have an implicit “because” before the final sentence. That is, IP addresses are personal data, as sometimes they uniquely identify people.

The guidance my firm received was to treat them, by themselves, as an ID. YMMV.


IP Addresses are Personal Data.

I think the easy way to check is to ask yourself if the data can directly link to someone's IRL identity.

If no, ask yourself if the police could identify them if they demanded and got the data.

If still no, ask yourself if the data is of a protected category (gender, religion, sexuality, etc.).

If you need any of this data, minimize your need first (i.e. this means storing IPs only for a limited timespan; German authorities have, IIRC, recommended 7 days as normal).

If you can't reduce your need, find another way to do what you do that has less need.

If all else fails, cover under legitimate interest and hope you're not Adtech.


Here is a write-up of the decision from EU’s highest court on this topic: https://www.whitecase.com/publications/alert/court-confirms-...

It’s easy to see why the quote I gave says what it says with this context.

Also, if you’re worried, talk to your lawyer.


DSGVO concerns 'directly' identifying information (name, SSN...)

as well as 'indirectly' identifying information like IP addresses, where the technical possibilities exist to link them back to the person.

EVEN if you do not actively link them to the person, DSGVO treats them the same way as the directly identifying information.


PII is a US concept, ‘personal data’ is the equivalent in GDPR. But yes, IP addresses are considered personal data.



