
Note that I didn't say IPs aren't PII; I said they don't count as long as you are collecting them for the specific purpose of security and don't have any way to identify the person using that IP. Pretty much by definition that is not PII.

That came from the legal departments from our German, UK, and French entities.



You contradict yourself: either it's PII or not. Common understanding in the industry is that it is. Purpose of security doesn't change if it's PII or not. Although security/auditing might allow you to hold on to it for longer because you need the PII as a feature (which you should be transparent about). For pure telemetry you don't need it, I'd claim.


IPs can be PII under certain circumstances, but not the ones I laid out.

> Purpose of security doesn't change if it's PII or not.

Security is the legitimate interest, an important part of collection under GDPR.


PII is not the standard for GDPR compliance.


That's correct, but PII is what the person I replied to was talking about.



