Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
close04 6 hours ago

> An IP address is not "personally identifiable data".

GDPR says it is [1][2].

> We are almost 10 years into the GDPR, and we still have these gross misunderstandings

Because people would rather smugly and confidently post about their gross misunderstandings. If only there was some place to read about this and learn. I’ll give you the money shot to save 10 more years:

> Fortunately, the GDPR provides several examples in Recital 30 that include:

> Internet protocol (IP) addresses;

From Recital 30:

> Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses

[1] https://gdpr.eu/eu-gdpr-personal-data/

[2] https://gdpr.eu/recital-30-online-identifiers-for-profiling-...

rglullis 6 hours ago | parent [-]

When an IP address is linked to any other data, then it counts as PII. By itself, it's not.

So, sure, if you stick the user's IP address on a cookie from a third-party service, you are sharing PII. But this is absolutely not the same as saying "you need to claim legimate interest to serve anything, because you will need their IP address".

kuschku 5 hours ago | parent | next [-]

An IP address linked with the website being accessed is already PII.

When serving content, you're by necessity linking it to a website that's being accessed.

For example, if grindr.com had a display in their offices that showed the IP address of the request that's currently being handled, that's not saving or publishing or linking the data, but it's still obvious PII.

rglullis 5 hours ago | parent [-]

> a display in their offices that showed the IP address (...) that's not saving or publishing

You are not sharing with a third-party, but that sure falls into processing and publishing it.

close04 5 hours ago | parent | prev [-]

IPs are PII even before you inevitably link them to something in your logs. If you can make a case that you absolutely don’t store them anywhere, they’re just transiently handled by your network card, maybe you get away with it but only because someone else along the stream covers this for you (your hosting provider, your ISP, etc.)

Source: I have been cursed to work on too many Data Protection Impact Assessments, and Records of Processing Activities together with actual lawyers.

rglullis 4 hours ago | parent [-]

Basically we are in agreement: IP addresses, by themselves, are not PII, only when they are linked to other information (a cookie, a request log) then it consitutes processing.

So, apologies if I was not precise on my comment, but I still stand by the idea: you don't need to a consent screen that says "we collect your IP address", if that's all you do.