26. October 2021

GDPR-compliant IP address anonymization.

When it is really GDPR-compliant and when it is not.

Intro

The GDPR in combination with the recent Schrems II decision have a real disruptive potential – everybody that follows these topics closely is well aware of that. It changes the way data can be collected on websites and will take it even further in the months to come.

What most people would also agree to is that establishing a 100% legally compliant data collection and data orchestration is a huge challenge for most (if not any) data-driven companies.

Unfortunately, very few companies act – most often due to a lack of options and solutions (so they believe).

In this article we want to explain why you might be at risk for not complying with GDPR – especially when it comes to your users’ IP addresses – a personally identifiable information (short “PII”) and thus within the scope of the GDPR.

Potentially, you might be at risk even though you are already doing anonymization. You might ask yourself why? Read below for the answer.

Why do we need IP addresses?

IP addresses uniquely identify a device or network connected to the internet. They are based on the internet protocol (“IP”), which is basically the foundation of the internet. IP addresses are needed for every data transfer – without them, a connection and use of the internet is simply not possible.

What do you need to know about handling users' IP addresses?

Due to this inevitable identifiability, IP addresses have been decided to be personal data and therefore are regulated by GDPR. That means that some form of justification like user consent would always be needed as soon as the IP address is processed – which it is 100% of the time with client-side tracking. Additionally for international data transfer to unsecure third countries the company must ensure that this type of data isn’t shown to third party providers. 

The obvious facilitation is the anonymization of the IP address. Anonymization in this case means to irreversibly alter the IP address in a way that no conclusion as to the user’s identity is possible by the third party recipient. 

But how would that work? And is anonymization really always the solution?

Short background: How does the anonymization of the IP address work?

The two most common options are hashing and truncating.

How to hash an IP address:
By using special cryptographic algorithms (the current Standard is the SHA-256) the IP address is transformed. Additionally, a random “salt value” can be added, to improve the safety. This procedure ensures that the original value is hard to be retrieved.

How to truncate an IP address:
The last part of the IP address is exchanged with another value (e.g. “0”). Therefore there is no possibility to retrieve the original IP address.

This way once anonymization is ensured one would believe they are in the clear for compliant tracking. But is that really the case?

How does Google for its analytics approach it?

Since Google Analytics is the most widely used tool for the capture and analysis of data, let’s have a look at their approach.

Google Analytics users have the option to automatically anonymize the IP addresses by using the truncation method: setting the last part of the address to 0. This way from this altered value no conclusion about the identity of the user is possible anymore.

Sounds great? But let us explain why this still doesn’t comply with GDPR!

What is the problem with the Google Analytics “IP anonymization”?

Although Google is promising to anonymize the IP address before it gets processed further, it is still not in compliance with GDPR. 

Where is the hitch you may ask yourself? 

Google relied on the Privacy Shield framework for data transfers between the EU and the US. But this framework became invalid in 2020 because of the lack of data protection in the US as you most likely know. In this regard the US cloud act which enables American secret service agencies to access any data of American organisations (that includes US and international locations !!!) without jurisdictional confirmation. 

That’s where it gets interesting.  

Because the GDPR handles the collection and processing of personal information and the US cloud act enables American secret services agencies to access data in the Google Cloud (American Company) even in the EU, the Google IP anonymization is happening too late. It happens already on “US company grounds”. This way, the privacy of the website user is not protected according to the GDPR.

How to solve the problem really?

Good news is, there is an easy solution for this specific case:
The anonymization must be conducted within the EU.

With JENTIS, the anonymization can be done in a simple and clean way.

We capture the data from the website with our hybrid tracking technology. We stream it to our partner Exoscale, a security-first cloud provider which is an EU-based entity and thus clearly within the scope of the GDPR. After the anonymization, the data can be transferred safely and in compliance with GDPR to third party providers from the US like Google. 

Conclusion

A lot of different “expert opinions” are currently heralded on social media, in newspapers and on TV. 

The fundamental problem of client-side tracking is that the IP address is always sent and received by your chosen third party providers.

IP anonymization is the solution to use third party providers from unsecure third party countries. However, exact attention must be paid to the location of the process itself.

Anonymizing data in the US, even if it is stored there only for milliseconds, is just as good as sending it directly there in the eye of the law. And the result is thus also the same – non-compliant tracking

Instead, you have to ensure that the IP addresses of your users need to be anonymized within the EU and only then transferred to third party providers from the US.

We at JENTIS work with the best legal councils in Europe which have assessed our solution thoroughly and tested our infrastructure. Their conclusion is that JENTIS can actually help you solve the Schrems II problem and make your international data transfer compliant.

Don’t believe us? Download the executive summary to their memorandum here.


We believe that companies in Europe start to take the privacy of their customers more seriously than they used to. Sometimes they are just missing the technology to really comply with regulations. That’s where we would like to help you. 

We hope to speak to you soon.