Hacker News
by iamacyborg 510 days ago
> IP address is pretty definitively regulated as PII under GDPR rules. Our lawyers consider that any sort of hash or other derivative would still be PII, and thus require consent.

Probably more helpful to phrase this as Personal Data instead of “PII”, as the latter does not appear in the GDPR once and the former is much broader in scope than PII data.

2 comments

Personal data (while being what GDPR uses) is not as precise. Key is "identifiable".

For example, "likes French fries" is "personal data" in the general sense but not GDPR since it is not identifiable since you can't figure out who it is talking about. Your name, address, etc. is identifiable because it can be tied to a physical person.

GDPR is not concerned with whether or not the data is identifiable. If it is linked to an individual, it is personal data.

In the context of an analytics package, a pageview would be considered personal data because it is associated with an individual user.

Article 4 is pretty clear.

> ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

https://gdpr-info.eu/art-4-gdpr/

Sorry! PII is still the industry shorthand.