An IP address acts as a digital tag, helping websites to personalise online experiences or track visitors. But under GDPR, does it count as personal data? Yes, and the answer comes with critical implications for businesses that collect user data, track website visits or run online ads.
This guide explains how IP addresses are classified under GDPR and what businesses must do to stay compliant.
What counts as personal data under GDPR?
The General Data Protection Regulation defines personal data as any information relating to an identified or identifiable natural person (Article 4(1)).
This includes data that, directly or indirectly, identifies an individual, such as:
- Names
- Phone numbers
- Email addresses
- Precise location
- Identification numbers
- Online identifiers like IP addresses.
The regulation also creates a new type of personal data called special categories of personal data, such as biometric and health data, which require stricter protection.
Personal data not only includes information that directly identifies someone, but also any data that, when combined with other details, can be used to identify a person. This makes it subject to data protection laws.
What is an IP address and why is it considered personal data under GDPR?
An Internet Protocol (IP) address is a unique set of numbers separated by periods or colons, for example, 203.88.156.112 or fe80::1a2b:3c4d:5e6f:7890.
Simply put, it is just like a digital address for your device or a website which helps in identification and communication over the internet.
Why does GDPR consider an IP address as personal data?
In Recital 30, GDPR classifies IP addresses as personal data because they:
- Can be used to identify an individual, especially when combined with other data.
- Reveal online behaviour and interactions.
- Are often stored and processed by websites, advertisers, and analytics tools.

Legal rulings and clarifications for classifying IP addresses as personal data under GDPR
The Court of Justice of the European Union (CJEU) reinforced this view in the Breyer v. Bundesrepublik Deutschland (C-582/14) case, where it ruled that a dynamic IP address constitutes personal data if the website operator has legal means to obtain further identifying details from an Internet Service Provider (ISP).
Furthermore, the European Commission in February 2025 stated that IP address classification depends on context, such as:
- Available technology
- Whether the data controller can reasonably identify the person
Even if not personal data, collecting IP addresses via cookies still requires user consent under the ePrivacy Directive, unless strictly necessary.
What is the status of a static IP address under GDPR?
Static IP addresses, which remain constant and can be associated with a particular person, unambiguously qualify as personally identifiable information (PII) under GDPR.
Business insight
If you process IP addresses, you must comply with GDPR obligations, such as:
- Ensuring a lawful basis for processing
- Providing data subjects with transparency
- Honouring privacy rights such as the right to correction or erasure
What are the different types of IP addresses and their GDPR status?
IP addresses act as online identifiers, enabling Internet Service Providers (ISPs) and website operators to track users’ interactions online. GDPR categorises IP addresses as personal data under certain conditions.
What are the types of IP addresses?
| Type of IP Address | Description | GDPR Status |
|---|---|---|
| Static IP Address | A fixed address permanently assigned to a device. Directly linkable to individuals, making it personally identifiable information (PII) under GDPR. | Personal data |
| Dynamic IP Address | Changes periodically and is usually assigned by ISPs. Not fixed, but can still identify individuals when combined with ISP logs or other data. | Personal data if linkable via ISP |
| Public IP Address | Assigned by ISPs to connect to the wider internet. This is visible to websites and online services. Can reveal general location and user activity, often logged by websites. | Personal data |
| Private IP Address | Used within a local network (e.g., home or office). Not visible on the public internet. Less likely to identify individuals, but still potentially personal when linked with other identifiers. | Not personal data unless linkable |
| Shared IP Address | Used by multiple users, such as in shared hosting environments. Harder to link to a specific person, but may still be personal data if combined with other details. | Personal data if linkable |
Did you know?
Public IP addresses can reveal your approximate location, while private IP addresses are only used within local networks and aren’t visible on the Internet.
Does IP anonymisation help with GDPR compliance?
To address privacy concerns and achieve compliance, businesses frequently employ IP anonymisation—a method involving the alteration or partial masking of IP addresses.
A common approach, for instance, replaces the last digits of an IP address with zeros (e.g., changing 192.168.1.123 to 192.168.1.0), significantly reducing the likelihood of individual identification.
However, from a compliance standpoint, anonymisation under GDPR must be robust enough to ensure that the data subject cannot be identified by any reasonable means, including the combination of the anonymised data with other datasets.
Mere partial anonymisation, if reversible, does not fully exempt the data from GDPR regulations, as there remains a risk of re-identification.
Thus, while IP anonymisation is a critical step in safeguarding user privacy and aligning with GDPR principles, organisations must ensure that their anonymisation procedures are sufficiently thorough, irreversible, and supported by adequate technical and organisational safeguards to genuinely mitigate privacy risks and fulfil regulatory obligations.
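The masking approach described above, as an added example (not CookieYes code): it zeroes the host bits of IPv4 and IPv6 addresses in log lines and reports how many addresses still share each masked value, which is why truncation alone reduces rather than removes identifiability. The function names, the /48 IPv6 prefix and the sample log lines are assumptions of this sketch.

```python
import ipaddress
import re

# Bits kept after masking. /24 reproduces the page's example
# (192.168.1.123 -> 192.168.1.0); /48 for IPv6 is an assumption of this sketch.
KEEP_BITS = {4: 24, 6: 48}

def _parse(text):
    addr = ipaddress.ip_address(text)  # raises ValueError if not an IP literal
    # An IPv4-mapped IPv6 address (::ffff:a.b.c.d) carries a whole IPv4
    # address in its low 32 bits, so mask it as IPv4 or it survives intact.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr

def mask_ip(text):
    """Zero the host bits of an address and return it as a string."""
    addr = _parse(text)
    net = ipaddress.ip_network(f"{addr}/{KEEP_BITS[addr.version]}", strict=False)
    return str(net.network_address)

def candidates_left(text):
    """Number of addresses that map to the same masked value."""
    addr = _parse(text)
    return 2 ** (addr.max_prefixlen - KEEP_BITS[addr.version])

# Loose matcher for anything shaped like an IP literal; _parse validates it.
_CANDIDATE = re.compile(r"(?<![\w:.])[0-9A-Fa-f:.]*(?:[0-9A-Fa-f]|::)(?![\w:])")

def scrub_line(line):
    """Mask every valid IP literal in a log line; leave other tokens alone."""
    def repl(match):
        try:
            return mask_ip(match.group(0))
        except ValueError:
            return match.group(0)
    return _CANDIDATE.sub(repl, line)

# Constructed sample log lines (not real traffic).
SAMPLE = [
    '203.88.156.112 - - [12/Mar/2025:10:15:00 +0000] "GET /pricing" 200',
    '2001:db8:85a3:1234::7 - - [12/Mar/2025:10:15:02 +0000] "GET /" 200',
    '::ffff:203.88.156.112 - - [12/Mar/2025:10:15:04 +0000] "GET /" 304',
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(scrub_line(line))
    print(candidates_left("203.88.156.112"), "addresses share one masked IPv4 value")
```

A masked IPv4 address still narrows the visitor to one of 256 addresses, so when it is stored next to a timestamp, user agent or account ID it should still be treated as personal data.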
IP addresses and cookie consent management
Under the GDPR and the ePrivacy Directive, collecting IP addresses via cookies typically requires user consent—unless the processing is strictly necessary for the basic technical functioning of a website (e.g., session management or security).
In such cases, consent is not required, and the processing may be based on a legitimate interest or fall under the “strictly necessary” exemption.
How are IP addresses collected via cookies?
Websites often store IP addresses through:
- Tracking cookies (e.g., Google Analytics cookies)
- Session logs for security purposes
- Advertising and third-party cookies used for targeting
Since IP addresses are classified as personal data under laws like the GDPR and CPRA, businesses are required to ensure compliance.
A key step is implementing a Consent Management Platform (CMP) that:
- Informs users about data collection,
- Allows them to opt in or out of cookies and tracking technologies,
- Provides granular control over different cookie categories (e.g., marketing, analytics, essential),
- And stores consent choices in a compliant manner.
Failing to obtain valid consent—especially for non-essential cookies like tracking or advertising—can lead to regulatory penalties and damage to brand trust.
Using a CMP for GDPR compliance
A CMP, like CookieYes, enables websites to:
- Run cookie audits to identify any cookies that require consent
- Obtain explicit user consent before processing IP addresses
- Customise consent banners to meet GDPR and ePrivacy Directive requirements
- Create a privacy and cookie policy to comply with transparency requirements
- Secure consent logs with partially masked IP addresses
What are the best practices for handling IP addresses under GDPR?
Pro Tip: Use data encryption and retention policies to ensure compliance with GDPR when handling IP addresses.
#1 Implementing privacy by design
Businesses should embed privacy by design into their data management processes, ensuring compliance at every stage.
#2 Ensuring transparency
Under GDPR, businesses must provide clear privacy policies outlining their use of IP addresses, their purposes, and users’ rights regarding their personal data.
#3 IP anonymisation
Mask or alter IP addresses to reduce identifiability and minimise privacy risks in line with GDPR requirements.
Is an IP address considered personal information under CCPA/CPRA?
Yes. CPRA classifies IP addresses as personal information.
The law defines personal information as “any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
This means an IP address is considered personal information if a business can reasonably link it to a specific individual or household.
However, if an IP address is stored in a way that prevents it from being linked to an individual or household, it may not be classified as personal information.
FAQs on IP address under GDPR
Yes, in many cases, IP addresses can be traced back to an individual, especially static IPs. Even dynamic IPs can be linked to a person when combined with additional information, such as ISP logs.
Under GDPR, organisations must have a lawful basis for collecting IP addresses. This could be consent, legitimate interests, etc., depending on the use case.
Businesses can protect IP addresses by anonymising or pseudonymising data, implementing data retention policies, and ensuring secure storage practices.
No, IP addresses are not classified as special categories of personal data under GDPR. However, they are still personal data and must be handled with care.
Yes. Privacy laws, such as the European General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), consider online identifiers like IP addresses to be personal data.
CCPA only considers IP addresses as personal information when they can be linked to a specific consumer or household, whereas GDPR classifies IP addresses as personal data by default.
On its own, an IP address does not typically reveal specific personal details like a person’s name, email, or phone number. However, it can provide general information, such as the approximate geographic location (e.g., city or region), internet service provider (ISP), and device type.
That said, when an IP address is combined with other data, such as ISP logs, website account details, cookies, or tracking data, it can be used to identify an individual, especially in controlled environments or with legal access to ISP records.
This is why under laws like the GDPR and CPRA, an IP address may be considered personal information, depending on whether it can be reasonably linked to a person or household.