The Bottom Line
- Expanded Compliance Scope: Dynamic IP addresses must now be treated as personal data under the GDPR in almost all commercial contexts, even if you cannot directly identify the user yourself.
- Increased Legal Risk: The basis for collecting routine web server logs and analytics data is now under greater scrutiny. Businesses lacking a clear legal basis (e.g., consent or a demonstrable legitimate interest) for this processing face a higher risk of fines.
- Immediate Action Required: Companies must update their privacy policies and consent banners to specifically account for the collection of IP addresses, and review data processing agreements with third-party analytics and advertising vendors.
The Details
The central issue before the Court of Justice of the European Union (CJEU) was whether a ‘dynamic’ IP address—one that changes each time a user connects to the internet—constitutes personal data. For years, businesses argued that since only an Internet Service Provider (ISP) can link such an IP address to a specific individual, the website operator itself did not hold ‘personal data’. This judgment decisively closes that debate, clarifying that the mere legal possibility of identifying an individual is enough to bring the data under the protection of the GDPR.
In its reasoning, the Court focused on the practical reality of data identification. It held that the key test is not whether a company can unilaterally identify the user from the IP address alone, but whether it has the legal means at its disposal to do so. Since a website operator can, in certain circumstances (such as in response to a court order or a cyber-attack investigation), require an ISP to disclose a user’s identity, that potential for identification is sufficient. This effectively makes a dynamic IP address personal data from the moment it is collected by the web server.
The commercial implications of this ruling are significant. It reinforces the CJEU’s trend towards an expansive and protective interpretation of data privacy laws. For CEOs and legal counsel, this means that technical arguments about data being ‘pseudonymous’ are becoming weaker. The decision forces a fundamental shift: any data that could be re-identified, even with the compelled help of another party, must be handled with the full compliance rigour of the GDPR. This will impact everything from website analytics and targeted advertising to cybersecurity logging and data retention policies.
Source
Source: Court of Justice of the European Union
