rglullis 6 hours ago

When an IP address is linked to any other data, then it counts as PII. By itself, it's not.

So, sure, if you stick the user's IP address on a cookie from a third-party service, you are sharing PII. But this is absolutely not the same as saying "you need to claim legitimate interest to serve anything, because you will need their IP address".

kuschku 5 hours ago

An IP address linked with the website being accessed is already PII.

When serving content, you're by necessity linking it to a website that's being accessed.

For example, if grindr.com had a display in their offices that showed the IP address of the request that's currently being handled, that's not saving or publishing or linking the data, but it's still obvious PII.

rglullis 5 hours ago

> a display in their offices that showed the IP address (...) that's not saving or publishing

You are not sharing with a third-party, but that sure falls into processing and publishing it.

close04 5 hours ago

IPs are PII even before you inevitably link them to something in your logs. If you can make a case that you absolutely don’t store them anywhere, they’re just transiently handled by your network card, maybe you get away with it but only because someone else along the stream covers this for you (your hosting provider, your ISP, etc.)

Source: I have been cursed to work on too many Data Protection Impact Assessments, and Records of Processing Activities together with actual lawyers.

rglullis 4 hours ago

Basically we are in agreement: IP addresses, by themselves, are not PII, only when they are linked to other information (a cookie, a request log) then it constitutes processing.

So, apologies if I was not precise in my comment, but I still stand by the idea: you don't need a consent screen that says "we collect your IP address", if that's all you do.