using ipinfo.io in the backend
I am not a lawyer and this is not legal advice. Are you sending the client IP to a third party API? There are existing questions and answers about this [1] but ultimately as others said one should at least consult a lawyer. It's not even 15 minutes of their time. Consider using lookup tools that download the database [2] to your server to avoid sending the client IP anywhere even if it turns out to be in a gray area to do so. Even if not for a legal reason, technically this removes a real time dependency on a 3rd party website.
[1] - https://law.stackexchange.com/questions/57557/does-informati...
[2] - https://ipinfo.io/products/free-ip-database
So, your server is disclosing each address to a third party, in... real time?
No it’s not. I just store the country of the visitor who initiated an action on the website. There is no login/email or name involved
So you're downloading a geolocation database from ipinfo.io, and querying it locally?
So the frontend pushes it to the backend, a backend fetches the corresponding country using the IP from ipinfo and I store the country in a database. I discard the IP
Does the IP address leave your server at any point? Are you querying ipinfo.io from their domain using their API or as others have asked, are you downloading the entire database to your server and querying your own server for the IP? If the answer is their API then you are leaking the IP address to a third party.
Are you downloading this database [1] and using it locally on your server?
[1] - https://ipinfo.io/products/free-ip-database
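An added example (not from the thread or from ipinfo) of the local-lookup approach suggested above: the range table is loaded on the server, the lookup makes no network call, and only the country is kept. The CSV column layout, the sample rows and the names `LocalCountryDB` and `record_visit` are assumptions for illustration; the loader has to be adapted to the actual layout of the downloaded database.

```python
import bisect
import csv
import io
import ipaddress

# Constructed sample rows (documentation address ranges), standing in for a
# downloaded range-to-country file. The column layout is an assumption.
SAMPLE_DB = """start_ip,end_ip,country
192.0.2.0,192.0.2.255,NL
198.51.100.0,198.51.100.127,CA
198.51.100.128,198.51.100.255,US
2001:db8::,2001:db8:0:ffff:ffff:ffff:ffff:ffff,DE
"""

class LocalCountryDB:
    """In-memory range table; lookups never touch the network."""

    def __init__(self, csv_text):
        # Separate tables per IP version so integer ranges cannot collide.
        self._tables = {4: [], 6: []}
        for row in csv.DictReader(io.StringIO(csv_text)):
            start = ipaddress.ip_address(row["start_ip"])
            end = ipaddress.ip_address(row["end_ip"])
            if start.version != end.version or int(start) > int(end):
                raise ValueError(f"bad range: {row}")
            self._tables[start.version].append((int(start), int(end), row["country"]))
        for table in self._tables.values():
            table.sort()
        self._starts = {v: [r[0] for r in t] for v, t in self._tables.items()}

    def country(self, ip_text):
        """Return the country code for ip_text, or None if unknown/invalid."""
        try:
            addr = ipaddress.ip_address(ip_text.strip())
        except ValueError:
            return None
        # Treat IPv4-mapped IPv6 (::ffff:a.b.c.d) as the IPv4 address it wraps.
        if addr.version == 6 and addr.ipv4_mapped is not None:
            addr = addr.ipv4_mapped
        starts = self._starts[addr.version]
        i = bisect.bisect_right(starts, int(addr)) - 1
        if i < 0:
            return None
        start, end, country = self._tables[addr.version][i]
        return country if int(addr) <= end else None

def record_visit(db, client_ip, store):
    """Persist only the country; the IP is never stored or sent anywhere."""
    country = db.country(client_ip) or "unknown"
    store.append({"country": country})
    return country
```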
Yes I’m using their API. I get your point.
The only reason I collect IP is for knowing location. So if I use browser location, is it allowed?
This is where I would consult a lawyer. It appears that no matter how granular the data is one must ask the visitor for consent and it gets stricter if the visitor is a child [1]. The site must disclose exactly what it is collecting so in your case it would be the country of origin. Again, I am not a lawyer and will always take the conservative approach to avoid fines so unless there is an official document that states the granularity by country does not apply I would avoid it.
[1] - https://ico.org.uk/for-organisations/direct-marketing-and-pr...
Afaik as long as it’s not PII (personally-identifying information) you should be fine.
IP address is defined in GDPR as PII: https://www.gdpreu.org/the-regulation/key-concepts/personal-...
Many other locales say the same:
California Consumer Privacy Act: https://iapp.org/news/a/are-ip-addresses-personal-informatio...
Canada PIPEDA: https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-can...
UK ICO: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-re...
I do not store it. I use it on the fly to identify the country and then discard it.
> IP address is defined in GDPR as PII: https://www.gdpreu.org/the-regulation/key-concepts/personal-...
According to your link: "Personal data relating to GDPR does not cover: ... Properly anonymized data ..."
So OP might could hash the IP address (something better than MD5, ideally) and save that.
You should hire a GDPR consultant
Hard to imagine a bigger waste of money.
They’ll just tell you to put up more banners and store less data and then they’ll charge you for it.
Evaluate the risk here. It’s a (presumably) small personal/side project. As a person based in the US, I wouldn’t give this a second thought.
It’s a side project of mine. Not worth it, probably scrap it instead of that