Hacker News new | ask | show | jobs
by rglullis 159 days ago
An IP address is not "personally identifiable data". You can not know who the person is just because you got an IP address in the request.

We are almost 10 years into the GDPR, and we still have these gross misunderstandings about how to interpret it. Meanwhile, it has done nothing to stop companies from tracking people and for AI scrapers to run around. If this is not a perfect example of Regulatory Capture in action, I don't know what is.
3 comments
close04 159 days ago
> An IP address is not "personally identifiable data".

GDPR says it is [1][2].

> We are almost 10 years into the GDPR, and we still have these gross misunderstandings

Because people would rather smugly and confidently post about their gross misunderstandings. If only there was some place to read about this and learn. I’ll give you the money shot to save 10 more years:

> Fortunately, the GDPR provides several examples in Recital 30 that include:

> Internet protocol (IP) addresses;

From Recital 30:

> Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses

[1] https://gdpr.eu/eu-gdpr-personal-data/

[2] https://gdpr.eu/recital-30-online-identifiers-for-profiling-...

link
rglullis 159 days ago
When an IP address is linked to any other data, then it counts as PII. By itself, it's not.

So, sure, if you stick the user's IP address on a cookie from a third-party service, you are sharing PII. But this is absolutely not the same as saying "you need to claim legimate interest to serve anything, because you will need their IP address".

link
close04 159 days ago
IPs are PII even before you inevitably link them to something in your logs. If you can make a case that you absolutely don’t store them anywhere, they’re just transiently handled by your network card, maybe you get away with it but only because someone else along the stream covers this for you (your hosting provider, your ISP, etc.)

Source: I have been cursed to work on too many Data Protection Impact Assessments, and Records of Processing Activities together with actual lawyers.

link
rglullis 159 days ago
Basically we are in agreement: IP addresses, by themselves, are not PII, only when they are linked to other information (a cookie, a request log) then it consitutes processing.

So, apologies if I was not precise on my comment, but I still stand by the idea: you don't need to a consent screen that says "we collect your IP address", if that's all you do.

link
close04 159 days ago
Not really, no. I don’t think I can make it more clear than I, or the law, already did: IPs are PII no matter what. Period. It’s literally spelled out in the law.

The misconception is that you need explicit consent for any kind of processing of PII. That is not the case. The law gives you alternatives to consent, if you can justify them. Some will confuse this with “must mean IPs aren’t PII”, which is not the case.

link
kuschku 159 days ago
An IP address linked with the website being accessed is already PII.

When serving content, you're by necessity linking it to a website that's being accessed.

For example, if grindr.com had a display in their offices that showed the IP address of the request that's currently being handled, that's not saving or publishing or linking the data, but it's still obvious PII.

link
rglullis 159 days ago
> a display in their offices that showed the IP address (...) that's not saving or publishing

You are not sharing with a third-party, but that sure falls into processing and publishing it.

link
youngtaff 159 days ago
IP address is considered personal data and can be considered personally identifiable data in some circumstances for example if you can geolocate someone to a small area using it
link
Nextgrid 159 days ago
The lack of enforcement is consistent across all companies big and small so I don’t think it counts as regulatory capture.
link
kuschku 159 days ago
Tbh, Google and Facebook, after several enforcement actions, now provide a simple "Reject All" button, while most smaller websites don't.

I'd argue that's the opposite of regulatory capture.

link
rglullis 159 days ago
Yeap, but the thing is:

- they don't care about the cookies they are setting on their properties, if most of the functionality they have require you to be authenticated anyway.

- These "smaller websites" are exactly the ones more likely than not to be Google's and Facebook's largest source of data, because these sites are the ones using Google Analytics/Meta Pixel/etc.

link
Fargren 159 days ago
This is not my experience at all with Facebook. Since six months ago or so, Facebook is saying my three option are to pay them a subscription, accept tracking, or not use their products. I went with option three, but my reading of the GDPR as that it's illegal for them to ask me to make this choice.

I'm in Spain, this is probably not the same worldwide.

link
Nextgrid 159 days ago
The "Reject all" does not in fact reject all. They are taking extreme liberties with the "legitimate interest" clause to effectively do all tracking and analytics under it.

The YouTube consent screen for example includes this as a mandatory item:

> Measure audience engagement and site statistics to understand how our services are used and enhance the quality of those services

I don't believe this complies with the GDPR to have this mandatory.

link