by hnbad
510 days ago
As with all legal questions (IANAL): it depends. Can you demonstrate legitimate interest for "using" those parts of the IPv4 address? If yes, then no.

The IPv4 address combined with a timestamp identifies the typical person almost uniquely. Tracking this data over time allows narrowing it down further. This makes it PII for all intents and purposes. Anonymizing an IP address by truncating it is a form of processing. So technically you are "processing PII" which makes this subject to the GDPR. If the result is sufficiently anonymous, any data that is attached to it further is probably not considered PII unless that additional data helps de-anonymizing the truncated IP.

I guess you could have situations where the first two parts of the IPv4 are sufficiently unique in your data set for it still to be sufficient to uniquely identify a person (e.g. when you know that only one IP had these first two parts in the given context) but that's a freaky edge case.

PII or not, the more important question is what legal basis you have for storing and processing it. Consent is one mechanism and it's what requires "banners" - or really: consent forms, as the legally required default action is "reject all non-essential" even if most implementations blatantly ignore this and pretend otherwise - and note that "essential" here means "not requiring consent". So if you have a different mechanism, you're golden, although truncating still makes sense given that it complies with the requirement for "data minimization" (i.e. being frugal in what you collect).

"Legitimate interest" could for example be security-based. You should also make sure to only store this data as long as actually necessary and err on the side of that duration being shorter rather than longer.
Somewhere in the original article it was mentioned that even hashing is not enough to make data non-PII. I assume then that's also out of the question?