by mpeg 1136 days ago
Storing the log files (or IP addresses in general) is not a problem IF you're using them only with a legitimate interest basis.

For instance, you can use this stored IP address to help identify whether your user has had their account breached, and prompt for extra verification before letting them log in. You can also do a full browser fingerprint for this purpose, this is all covered under legitimate basis.

However, once you use any of this data to market to the user then you are in breach of the GDPR as you did not have a consent basis for it. The storage was never a problem, it's the use of it that becomes a problem.

2 comments
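The mechanism described in the comment above, an unknown-device check driven by previously stored IP addresses and fingerprints, with each stored record bound to the purpose it was collected for, as an added Python illustration that is not the commenter's code (the purpose labels, the 90-day retention window, the account names and the documentation-range IP addresses are all assumptions):

```python
"""Purpose-bound storage of login IPs / device fingerprints (added example).

Each stored record carries the legal basis it was collected under, and every
read is checked against the purpose of use, so the same stored IP can drive an
unknown-device check but cannot be pulled out for a marketing query.
Purpose names, retention period and sample data are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Which purposes each recorded basis covers (assumed labels, not a legal catalogue).
ALLOWED_PURPOSES = {"legitimate_interest:security": {"account_security"}}


class PurposeViolation(Exception):
    """Raised when stored data is requested for a purpose its basis does not cover."""


@dataclass
class LoginEvent:
    account: str
    ip: str
    fingerprint: str
    seen_at: datetime
    basis: str = "legitimate_interest:security"


@dataclass
class LoginHistory:
    retention: timedelta = timedelta(days=90)  # assumed window; expired rows are ignored
    _events: list = field(default_factory=list)

    def record(self, account, ip, fingerprint, now):
        self._events.append(LoginEvent(account, ip, fingerprint, now))

    def query(self, account, purpose, now):
        """Return this account's retained events, but only for a covered purpose."""
        if purpose not in set().union(*ALLOWED_PURPOSES.values()):
            raise PurposeViolation(f"no recorded basis covers {purpose!r}")
        events = []
        for e in self._events:
            if e.account != account or now - e.seen_at > self.retention:
                continue  # other account, or past retention: not usable
            if purpose not in ALLOWED_PURPOSES.get(e.basis, set()):
                raise PurposeViolation(f"{e.basis} does not cover {purpose!r}")
            events.append(e)
        return events


def login_risk(history, account, ip, fingerprint, now):
    """Decide whether a login attempt needs step-up verification.

    Returns (decision, reason). The read goes through query() with the
    security purpose, which is the only use the stored data was collected for.
    """
    seen = history.query(account, "account_security", now)
    if not seen:
        return ("step_up", "no_history")
    if fingerprint in {e.fingerprint for e in seen}:
        return ("allow", "known_device")
    if ip in {e.ip for e in seen}:
        return ("step_up", "new_device_known_network")
    return ("step_up", "new_device_new_network")


def demo():
    """Run the check over constructed sample data and return the outcomes."""
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    h = LoginHistory()
    # Constructed sample: one prior login from a laptop, ten days ago.
    h.record("alice", "203.0.113.7", "fp-laptop", now - timedelta(days=10))
    results = {
        "known_device": login_risk(h, "alice", "203.0.113.7", "fp-laptop", now),
        "new_device_known_network": login_risk(h, "alice", "203.0.113.7", "fp-phone", now),
        "new_device_new_network": login_risk(h, "alice", "198.51.100.2", "fp-phone", now),
        "no_history": login_risk(h, "bob", "198.51.100.2", "fp-x", now),
        "expired": login_risk(h, "alice", "203.0.113.7", "fp-laptop", now + timedelta(days=100)),
    }
    # The same rows, requested for a purpose the recorded basis does not cover.
    try:
        h.query("alice", "marketing", now)
        results["marketing"] = "allowed"
    except PurposeViolation:
        results["marketing"] = "refused"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point of routing every read through `query()` is that the storage itself never changes: the security check and the marketing query look at the same rows, and only the declared purpose decides whether the read succeeds. The retention window is the other caveat worth keeping in such a store, since a legitimate-interest basis does not justify holding the data indefinitely.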

You're mostly right, but legitimate interest also requires balance. Fingerprinting may be considered to be too intrusive if logs are enough.

Depends on the product, payments products generally use fingerprinting and present extra prompts if you're using an unknown device – that is kind of one of the main problems of the GDPR though, there are nuances and it's usually not black and white what can be done without specialised legal counsel (and sometimes, even then...)

Sounds like there could be an opportunity here for a GDPR noncompliant analytics product. Personally, my customers are in the United States and I don't want ambiguity in my analytics because of lawyers who reside outside of my jurisdiction.

If your customers are of a European nationality you will need to comply as well.

Technically correct, but arguable... There are lots of UK and EU-based companies that blatantly breach the GDPR and get away with it as the regulatory bodies don't have the resources to chase after every breach at home, let alone abroad.

Unless you are a huge company or have a significant amount of customers in the UK/EU it's probably okay to ignore the GDPR.