[corentin88]

GDPR states “For data to be truly anonymised, the anonymisation must be irreversible”. So dropping 3 digits is clearly not enough to anonymize PII, it’s more pseudonymization.

[dbbk]

How can an IP address without the last 3 digits possibly ever identify someone? That surface area is just way too large.

[M2Ys4U]

By using other information to narrow the pool of possible people.

[lez]

Aren't the biggest corporations doing the same on orders of magnitude larger datasets? They get away very well with merging data from quite a few acquired companies.

If small companies are called upon compliance with such vehemence, the big ones who know so much of us should be brought up, at least 100x times more.

[M2Ys4U]

> Aren't the biggest corporations doing the same on orders of magnitude larger datasets? They get away very well with merging data from quite a few acquired companies.

Yes, and it's worth noting how few data points one needs to identify an individual.

>If small companies are called upon compliance with such vehemence, the big ones who know so much of us should be brought up, at least 100x times more.

Absolutely, no argument from me here.

[that_guy_iain]

I am curious, how are you going to unanonymise an IP to something that could have 255 combinations (and that's just if you drop that last part on an IPv4). Nevermind that an IP alone is not PII. How can you reverse something that has many possibilties?

[donohoe]

>> IP alone is not PII

It is in Europe, despite some regional rulings (Germany?). It is not considered PII in the USA.

[fmajid]

IP addresses are also explicitly considered PII by California’s CCPA.

https://leginfo.legislature.ca.gov/faces/billTextClient.xhtm...

(o) (1) “Personal information” means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information includes, but is not limited to, the following: (A) Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.

[donohoe]

That was true once. Longer answer "it depends":

“[I]f a business collects the IP addresses of visitors to its websites but does not link the IP address to any particular consumer or household, and could not reasonably link the IP address with a particular consumer or household, then the IP address would not be ‘personal information.”

Source: https://iapp.org/news/a/are-ip-addresses-personal-informatio...

[fmajid]

You missed the paragraph:

"However, when the attorney general revised its draft regulations for a second time March 11, the guidance was struck without explanation."

[that_guy_iain]

Just to be that guy. There is a slight difference between Personal Identifying Information and Personal Information.

[that_guy_iain]

GDPR is EU law. So the regional rulings are extremely important for deciding what you think you can and can't do.

And I think we're missing the main point. How can it be reversed if there are hundreds of possibilites.

[donohoe]

True. I was thinking more about how it drops some location level information.

I can't presume what Plausible does (have not read their docs in awhile) but they have commented here to provide more specific clarification that address IP usage (TLDR: what they do is fine and compliant)