An interesting post from Paddle today (of note, Realmac Software and several addon developers here use Paddle) about IP addresses being treated as personal data:
To be honest, I would definitely sit up and listen to these guys. Paddle were one of the first payment vendors to negotiate the minefield that was VAT MOSS (the law requiring all international sellers of digital downloads to EU citizens to collect VAT). So Paddle certainly know all the legalities of doing business with EU customers, and I consider their opinion on these matters to be pretty much indisputable. Clearly they have information to hand that IP addresses are personal data, given that they are having to go to some complex lengths (at their own cost) to re-engineer their payment systems not to share IP addresses for successful transactions.
I do not agree with everything that has been discussed in this thread about IP addresses not being personal data. Certainly if the website user is transmitting their IP address solely to your server, then there is no harm in that. After all, that is the fundamentals of how the internet is wired up to work! But if that IP address is being shared with a third party and logged elsewhere, this starts to get problematic. Even if you don’t know the name of the person behind an IP address, you can start to build quite a comprehensive profile about that particular datum - times of day it is most active, pages it likes, etc. When IP addresses start going into a centralised database, then you can start looking for the same IP address over multiple websites. This might form the basis for targeted advertising - identifying an IP address and manipulating what it sees.
I would also ‘+1’ the post by @NeilUK regarding Matomo. I have done more research on this one and signed up to an online course about it. This analytics package seems to be on top of how IP addresses should be managed in the context of measuring site traffic. Again, I rather suspect Matomo know a lot more about the legalities of data protection, because it is one of their founding principles.
Call it scaremongering if you wish, but I think this is quite serious legislation. Doing nothing, I don’t think, is an option if you want to be perceived as owning and operating a legitimate website.
I’m sure Google and Facebook et al. are going to get sued to the moon and back by the EU, considering much of their business model is built entirely around data collection and resale. Granted, the EU probably hasn’t got the resources to go after the small site owner just yet, but I reckon these new laws do mark the start of a systematic shift in how online data is managed.
As I have been telling others, I think that a positive, proactive approach towards GDPR could also benefit how customers view your company. If you are seen to be protecting customer privacy (putting the customer first), it seems logical that customers will be happier. And happy customers are more loyal and lucrative customers!
I agree 100% that the way the EU has pushed out GDPR (and equivalents) is a total shambles. It is utter chaos. Better privacy protection is needed. But this legislation seems to have been written 10 years late to chase after the likes of Google and Facebook - and has inadvertently stung everyone else. Much like Sunday trading laws, I am of the opinion this legislation should only have been applicable to bigger companies - based on number of employees or amount of data they are collecting. The rest of us should have been allowed to continue following existing data protection laws, with only minor amendments to make things more relevant for the digital era. But it is what it is. Time to accept, adopt and move forward.