Hacker News
by tekism 3037 days ago
This is a bit confusing. I have a website, I log IP addresses in my web server log, and I use Google Analytics. What do I need to do?

The legal ramifications of storing IP addresses didn’t change with GDPR. You should already have them anonymized since they count as personal data:

Google Analytics (https://developers.google.com/analytics/devguides/collection...):

  ga('set', 'anonymizeIp', true);

Web server (here nginx, https://stackoverflow.com/a/45405406):

  map $remote_addr $remote_addr_anon {
    ~(?P<ip>\d+\.\d+\.\d+)\.    $ip.0;
    ~(?P<ip>[^:]+:[^:]+):       $ip::;
    default                     0.0.0.0;
  }

Only if you store more data about your customers/users do you need to act further.

> ga('set', 'anonymizeIp', true);

Note that this doesn't actually provide any useful anonymization. That feature is a placebo designed to give minimal compliance with privacy policies and pre-GDPR data protection requirements.

https://news.ycombinator.com/item?id=13639921

Are IP addresses actually considered "personal data"? They are how computers talk to each other. Anonymizing them doesn't make any sense to me.

They're anonymized for things like logs. When the computers aren't talking to each other, the reasons to know the exact IP address are rather minimized. If you feel you have a real need to do so, then you just need to inform your users what you're doing.

You can also irreversibly hash sensitive data so you can still use it for debugging.

IPv4 is only 4 bytes. Hashing through all 4 milliard is trivial.

Another reason for IPv6.
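
An added example, not part of any comment above: it mirrors the truncation done by the nginx map quoted in the thread and lets a log owner check whether a hashed address column is recoverable by enumeration. The sample address, the key and the function names are constructed for illustration, and the keyed HMAC variant is an addition the thread does not discuss.

```python
import hashlib
import hmac
import ipaddress
import re

# The same two patterns as the nginx map quoted in the thread (unanchored).
V4 = re.compile(r"(?P<ip>\d+\.\d+\.\d+)\.")
V6 = re.compile(r"(?P<ip>[^:]+:[^:]+):")


def truncate(addr):
    """Zero the last IPv4 octet or keep the first two IPv6 groups."""
    m = V4.search(addr)
    if m:
        return m.group("ip") + ".0"
    m = V6.search(addr)
    if m:
        return m.group("ip") + "::"
    return "0.0.0.0"  # the map's default branch


def plain_hash(addr):
    """Unkeyed digest: anyone can recompute it for any candidate address."""
    return hashlib.sha256(addr.encode()).hexdigest()


def keyed_hash(addr, key):
    """HMAC digest: recomputing it requires the secret key."""
    return hmac.new(key, addr.encode(), hashlib.sha256).hexdigest()


def recover(digest, network):
    """Enumerate a network; return the address whose plain hash matches."""
    for host in ipaddress.ip_network(network):
        if plain_hash(str(host)) == digest:
            return str(host)
    return None


# Constructed sample values (documentation address range, demo key).
SAMPLE = "203.0.113.77"
KEY = b"constructed-demo-key"

if __name__ == "__main__":
    print("truncated:", truncate(SAMPLE))
    print("plain hash recovered:", recover(plain_hash(SAMPLE), "203.0.113.0/24"))
    print("keyed hash recovered:", recover(keyed_hash(SAMPLE, KEY), "203.0.113.0/24"))
```

The enumeration here covers a single /24 to keep the run short; the same loop over the whole IPv4 space is the case the comment above calls trivial.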