Can websites log my IP address?
Verdict: For security, briefly: yes · For tracking: consent rules apply
Your IP is personal data — but security logging is the textbook legitimate interest. The line runs at purpose and retention: defending the server yes, profiling the visitor no.
Settle the premise first: an IP address is personal data (CJEU Breyer, C-582/14 — indirect identifiability through the ISP suffices). That doesn’t make logging unlawful — it makes it need a basis. The accepted case: short-term logging for security — abuse detection, DDoS defence, fraud prevention, debugging — is the canonical legitimate interest, blessed in Breyer itself. The honest implementation: defined retention (days to a few weeks), access-restricted logs, and truncation/anonymisation where full addresses aren’t needed. Where it tips over: using IPs to build visitor profiles, feeding them to ad-tech, geo-personalizing prices, or keeping years of logs “just in case” — those are different purposes needing their own bases, and purpose limitation blocks the quiet slide from security log to marketing asset. IP-based tracking via third-party scripts rides the same consent rules as cookies and fingerprinting. The famous edge case: embedding fonts or scripts from US servers ships visitor IPs abroad — a German court’s Google-Fonts ruling triggered a wave of claims and pushed half of Europe to self-host fonts; the transfer angle lives in your data in the US. Your practical stance as a user: a site logging IPs for security isn’t your fight; a privacy policy claiming indefinite IP retention “for analytics” is — one access request asking “retention period and purposes for IP logs” sorts sites into the two camps fast.
Verified against the sources above on 18 July 2026. Information, not legal advice.