[moooo99]

I totally agree with this view!

I understand why the rules are vague to an extent, simply because it is hard to impossible to cover every aspect of data collection.

But the GDPR is super vague on some very technical datapoints as well. Is an IP Address PII? Is there a difference between an IPv4 or an IPv6 address being PII? What constitutes as legitimate interest specifically? Can I use data for legitimate interests also for different first party purposes?

I‘ve spent more time than I care to admit navigating the compliance landscape of the GDPR and every time I consulted with compliance experts, I got different - partially conflicting - answers.

[zelphirkalt]

IP addresses are PII. This has long been determined.

[einsteinx2]

This is a perfect example of uncertainty causing compliance overhead.

You say IP addresses are PII and this has long been determined.

Literally a week ago I read this reply on HN to someone mentioning IP addresses being PII:

> > logging an IP address.... > Untrue. IP is an category of PII but its not PII in itself unless you're a law enforcement. > Separately, if you log IP addresses you're doing it to prevent abuse and to provide security to your server, you're already permitted to do so. > More on that: https://missinfogeek.net/gdpr-consent/

So it seems like it’s not so determined, and this kind of uncertainty is exactly what makes compliance expensive.

[zelphirkalt]

They are of course, like everything else context-dependent legitimate interest, or even needed to provide a service to the visitor or user, but that doesn't make them non-PII. There is a reason for things like Google captchas and Google Tags manager to have a flag to not even send an IP address to the backend.

[moooo99]

> They are of course, like everything else context-dependent legitimate interest,

Yeah and that is the challenge specifically. They are PII until they're not (or rather, they are not treated as PII until they are)

I obviously need them to provide my service. And I am fine if I store them for logging purposes and other legitimate interests for a reasonable amount of time. But what if I use a third party service for log aggregation? What if I am providing the service, but on the basis of an IaaS or PaaS service by one of the hyperscalers? What about the data I can derive from an IP address, such as an approximate location?

In Germany, we had lawyers sending out cease and desists just for Google Fonts being embedded on a website, nothing else.

Is there a difference between IP4 and IP6 addresses? Cause behind a cg NAT, I can barely identify anyone on the basis of an IPv4 address alone. With an IPv6 address on the other hand.

There are many ways you can spin that question. Some are more, others are less reasonable questions to ask. But the point is, that even for something as fundamental as an IP address, there is a lot of compliance uncertainty around it.

[zelphirkalt]

> I obviously need them to provide my service. And I am fine if I store them for logging purposes and other legitimate interests for a reasonable amount of time. But what if I use a third party service for log aggregation? What if I am providing the service, but on the basis of an IaaS or PaaS service by one of the hyperscalers? What about the data I can derive from an IP address, such as an approximate location?

Then you probably need Datenverarbeitungsauftraege with that third-party company, which define precise purpose of processing the data. Data collection and processing is purpose bound in Germany. The purpose needs to be stated and one is then bound to not use them for different purposes, unless one has consent by the people the data is about/from.

(not a lawyer, but this is my understanding)

> In Germany, we had lawyers sending out cease and desists just for Google Fonts being embedded on a website, nothing else.

This is good and as it should be. Google Fonts are not needed in almost all cases. They are merely a visual thing. The functionality of a website must not depend on loading Google fonts. To use them a website has to ask for consent from the user first. This can be done in a consent asking popup/dialog/whatever. If that is too cumbersome, then just don't use Google fonts. As a company host web fonts yourself, or don't use them.

> Is there a difference between IP4 and IP6 addresses? Cause behind a cg NAT, I can barely identify anyone on the basis of an IPv4 address alone. With an IPv6 address on the other hand.

That I cannot answer, or have not thought about in sufficient depth.

> There are many ways you can spin that question. Some are more, others are less reasonable questions to ask. But the point is, that even for something as fundamental as an IP address, there is a lot of compliance uncertainty around it.

Yes, there can be uncertainty, but in most cases the uncertainty is due to businesses doing things that require consent in the first place, while they don't actually have to do these things. There can of course be special cases, no question there, but then the special case is somehow integral to the business and then it should be worth it for the company to get a law person involved to clear up any uncertainties.