You’ve probably seen it in analytics dashboards, server logs, or privacy documentation: IP addresses with their last octet zeroed out. 192.168.1.42 becomes 192.168.1.0 . For IPv6, maybe the last 64 or 80 bits are stripped. This practice is widespread, often promoted as “GDPR-compliant pseudonymization,” and implemented by major analytics platforms, log aggregation services, and web servers worldwide.
There’s just one problem: truncated IP addresses are still personal data under GDPR.
If you’re using IP address truncation thinking it makes data “anonymous” or “non-personal,” you’re creating a false sense of security that likely puts you out of compliance with GDPR. European data protection authorities, including the French CNIL, Italian Garante, and Austrian DPA, have repeatedly ruled that truncated IPs remain personal data, especially when combined with other information that most systems routinely collect.
This isn’t a matter of opinion or a marginal edge case: it’s a fundamental misunderstanding of what constitutes effective anonymization, and it’s being exploited by vendors who should know better.
What Is IP Address Truncation?
IP address truncation is the practice of zeroing out some portion of an IP address in an attempt to make it less identifiable. The most common approaches include:
IPv4 : Setting the last octet to zero, converting 192.168.1.42 to 192.168.1.0 (creating a /24 subnet mask)
: Setting the last octet to zero, converting to (creating a subnet mask) IPv6: Zeroing out various amounts of bits: sometimes 64 bits ( /64 ), sometimes 80 bits ( /48 ), sometimes arbitrary amounts depending on someone’s best guess
The logic seems sound at first glance: by removing the specific host identifier and keeping only the network portion, you’ve grouped the user with others in the same subnet, making them less identifiable. It’s simple to implement, just a bitwise operation, and it produces an output that still looks like an IP address, which is convenient for existing tools and databases.
This simplicity explains why truncation became so popular. But simplicity in implementation doesn’t equate to effectiveness in protection.
... continue reading