[zelphirkalt]

They are of course, like everything else context-dependent legitimate interest, or even needed to provide a service to the visitor or user, but that doesn't make them non-PII. There is a reason for things like Google captchas and Google Tags manager to have a flag to not even send an IP address to the backend.

[moooo99]

> They are of course, like everything else context-dependent legitimate interest,

Yeah and that is the challenge specifically. They are PII until they're not (or rather, they are not treated as PII until they are)

I obviously need them to provide my service. And I am fine if I store them for logging purposes and other legitimate interests for a reasonable amount of time. But what if I use a third party service for log aggregation? What if I am providing the service, but on the basis of an IaaS or PaaS service by one of the hyperscalers? What about the data I can derive from an IP address, such as an approximate location?

In Germany, we had lawyers sending out cease and desists just for Google Fonts being embedded on a website, nothing else.

Is there a difference between IP4 and IP6 addresses? Cause behind a cg NAT, I can barely identify anyone on the basis of an IPv4 address alone. With an IPv6 address on the other hand.

There are many ways you can spin that question. Some are more, others are less reasonable questions to ask. But the point is, that even for something as fundamental as an IP address, there is a lot of compliance uncertainty around it.

[zelphirkalt]

> I obviously need them to provide my service. And I am fine if I store them for logging purposes and other legitimate interests for a reasonable amount of time. But what if I use a third party service for log aggregation? What if I am providing the service, but on the basis of an IaaS or PaaS service by one of the hyperscalers? What about the data I can derive from an IP address, such as an approximate location?

Then you probably need Datenverarbeitungsauftraege with that third-party company, which define precise purpose of processing the data. Data collection and processing is purpose bound in Germany. The purpose needs to be stated and one is then bound to not use them for different purposes, unless one has consent by the people the data is about/from.

(not a lawyer, but this is my understanding)

> In Germany, we had lawyers sending out cease and desists just for Google Fonts being embedded on a website, nothing else.

This is good and as it should be. Google Fonts are not needed in almost all cases. They are merely a visual thing. The functionality of a website must not depend on loading Google fonts. To use them a website has to ask for consent from the user first. This can be done in a consent asking popup/dialog/whatever. If that is too cumbersome, then just don't use Google fonts. As a company host web fonts yourself, or don't use them.

> Is there a difference between IP4 and IP6 addresses? Cause behind a cg NAT, I can barely identify anyone on the basis of an IPv4 address alone. With an IPv6 address on the other hand.

That I cannot answer, or have not thought about in sufficient depth.

> There are many ways you can spin that question. Some are more, others are less reasonable questions to ask. But the point is, that even for something as fundamental as an IP address, there is a lot of compliance uncertainty around it.

Yes, there can be uncertainty, but in most cases the uncertainty is due to businesses doing things that require consent in the first place, while they don't actually have to do these things. There can of course be special cases, no question there, but then the special case is somehow integral to the business and then it should be worth it for the company to get a law person involved to clear up any uncertainties.