Why IP addresses are not always personal data

James Rosewell

11/24/2025 11:30 AM

IP Data Protection Masterclass

IP addresses can be both personal and non-personal data depending on the entity that holds the data and the contractual restrictions in place.

Fortunately, this concept is not quite as mind-bending as the Schrödinger's cat thought experiment.# There is a way of resolving the paradox.

Organizational Restrictions

An organization that holds an IP address, possesses the means to identify a natural living person, and is not restricted from doing so by contracts will likely consider the IP address personal data and ensure it has a legal basis for possessing the IP address under data protection laws.

However, the same IP address in the hands of an organization that either lacks the means to identify a natural living person or is restricted from doing so by contracts is unlikely to need to be treated as personal data.

Risk of Harm

Another lens through which to view IP addresses is that of harm to people. What harm will come to a natural living person associated with the possession and use of the IP address?

If the IP address is merely being used to determine the country that a digital activity might have taken place in, via an IP intelligence solution like 51Degrees, then there is no risk of harm.

If the IP address is being used to group web sessions to maintain quality of service or identify possible fraud, then there is no risk of harm.

But if the IP address is being used to form a cohort of people that are then treated in a particular way that might be different to other people, then a whole world of "maybes" opens up due to this profiling. The bright line test of personal or non-personal isn't going to work.

If the IP address is used to identify a person following the completion of a checkout process and then track them around the web as they perform other unrelated activities, then the IP address will be personal data.

At 51Degrees we only use IP addresses for aggregated analysis and the provision of services as explained in our terms.

Data Protection Impact Assessments (DPIA)

The UK Information Commissioner's Office advises any Controller and Processor to complete and maintain a DPIA.

If there’s one thing you do as a result of reading this article, get your DPIA reviewed and up to date.

Also beware that guidance might change in 2026.

A well thought through DPIA aligned to your public privacy policy makes it clear why you have taken the actions you have and the legal basis for doing so. Should you ever get tapped up by a relevant regulator or aggrieved party you can show you thought about how you handle data and why you took the decisions you did.

Data Models

A significant challenge for engineers and data professionals relates to incomplete data models that don’t typically consider contractual terms and how they impact the use and meaning of data.

For that reason, all digital professionals collectively need to update data models to include this information. Along with other folks with an interest in the subject, a proposal is now socialized that explains data labels and how they can be applied to web browser storage and the advertising and publishing industries' Open Real Time Bidding specifications.

The same proposal can be applied to any data model and used to classify contracts and data treatments. You can start using it within your business today.

Further Reading

Along with Tim Cowen of law firm Preiskel & Co I founded Movement for an Open Web (MOW) in September 2020 as a not-for-profit to advocate to regulators and industry for an Open Web that serves society. That means addressing competition and privacy issues so that the Open Web can provide the smallest and largest participants with viable economic models.

For example, no one's privacy is improved when only a smaller number of big-Tech-first-party-walled-gardens know everything about everyone and there is no choice for others or the possibility of new entrants.

In September 2024 the MOW team produced Data Governance and Accountability Principles to articulate how data can be protected. IP addresses are just a subset of possible data.

I’m not a lawyer, and this is not legal advice. However, I have spent rather a lot of time with lawyers, privacy professionals from all ends of the spectrum, and regulators over the past six years.

Do take this article to your friendly data protection professional and see what they think. If you want some recommendations, contact us and I’ll happily make introductions. It might just make your life a whole lot simpler and customers a whole lot happier.

# I wanted to find a reason to use a cat picture. Secondary objective achieved. ✔️