[theanonymousone]

Many thanks. What about "fingerprints" such as browser user agent, country, ...? They are not exactly PII, are they?

And regarding anonymisation, is it enough to remove the last two parts of an IPv4 IP, or it must be more?

[shafyy]

It probably depends on how for you go with the fingerprinting. If it's only user agent, I would guess it's ok. If you start adding more and more info to the fingerprint, it will become PII at one point.

Not sure about how much of IPv4 must be anonymized. If you want to be sure, just anonymize the whole thing. Important to make it random, and not use a hashing function that always gives the same output for the same input IP (in that case, it counts as pseudoanonymized and can be PII).

Also, IANAL, just a dude who is passionate about online privacy.

[theanonymousone]

Thanks. I see many frameworks use hash(ip+ timeFrame). I thought it is to detect sessions, but it seems also to be about anonymisation.