by s73v3r_ 2953 days ago
"- IPs are personal private information"

IPs combined with other user data could be PII.

"- You need opt-in consent for all (ad) cookies, including non-tracking ones. Basically, advertising is optional in EU sites as of today."

Wrong. You need opt-in consent for non-personalized ads, but this can be the "soft consent" type where you only present the "Accept" button. Advertising is no more optional tomorrow than it was today.

"- I could argue the right to download your data is superfluous, mostly because it creates potential holes for data leaks/phishing etc."

Knowing what you have on me is not superfluous; it's my data.

Seriously, the FUD around this law is getting tiresome.

2 comments

> IPs combined with other user data could be PII.

1) Bob signs up for a service and is logged.

2) Bob then asks for his account to be deleted. Account details are deleted, but the IP logs are retained.

3) Bob signs back up for a new account, allowing the data processor to make the link from his new account to the old IP logs of the first account.

This seems like a likely violation; if so, you would have to treat IP addresses like personal information.

The personal information here is the IP-Bob tuple, not the IP on its own. Bob might as well be assigned a new address from DHCP on a daily basis. His friends might be using his address. He might have used the address of some public network in the first place. All of these are pretty likely scenarios. The IP is only interesting given the context of who uses it and when, so as to separate Bob from Alice, and Bob's favorite cafe and Bob's workplace from Bob's home, and to figure out if Bob is ever visiting Alice.

So if Bob asks for his personal information to be cleared and the system leaves Bob-IP tuples behind, it clearly didn't do what he told it to do.

That is playing dice while dealing with potentially personal information though, right?

It depends on Bob using DHCP, his DHCP address switching often enough, and there being enough people on the same network that the link cannot be made.

The above is not always true, and other mitigating factors are not always true either. Which seems to make some IP logs personal information. Or at least you are safest if you treat them that way.

I am basing some of my reasoning off an article that I was pointed to earlier: https://www.whitecase.com/publications/alert/court-confirms-...

Where, to my understanding, IP addresses are considered personal information only if you can link them to some other identifying info.

I think a regulator is unlikely to go after a company for not deleting IP logs in the current climate. As far as I can tell, GDPR gives them the power to, however.

Until there is some case/enforcement history it is understandable if people are cautious.

- IPs in general are not bound to some specific person. It's only because laws require that ISPs keep PII allocation data that they become personally identifying. Perhaps it would be easier to plug that leak right there.

- Ah, well, Google suggests you ask consent even for content-based ads.

- 99% of the sites show you what they have on you when you use them. The provision could be to have a separate download page when that is not the case. If every business must have an unauthenticated download page, it becomes easier to get other people's data via phishing.

It's not FUD. This is the internet. Let's talk again in a few months.