> I obviously need them to provide my service. And I am fine if I store them for logging purposes and other legitimate interests for a reasonable amount of time. But what if I use a third party service for log aggregation? What if I am providing the service, but on the basis of an IaaS or PaaS service by one of the hyperscalers? What about the data I can derive from an IP address, such as an approximate location?
Then you probably need Datenverarbeitungsauftraege with that third-party company, which define the precise purpose of processing the data. Data collection and processing is purpose-bound in Germany. The purpose needs to be stated and one is then bound to not use them for different purposes, unless one has consent by the people the data is about/from.
(not a lawyer, but this is my understanding)
> In Germany, we had lawyers sending out cease and desists just for Google Fonts being embedded on a website, nothing else.
This is good and as it should be. Google Fonts are not needed in almost all cases. They are merely a visual thing. The functionality of a website must not depend on loading Google Fonts. To use them, a website has to ask for consent from the user first. This can be done in a consent-asking popup/dialog/whatever. If that is too cumbersome, then just don't use Google Fonts. As a company, host web fonts yourself, or don't use them.
> Is there a difference between IP4 and IP6 addresses? Cause behind a cg NAT, I can barely identify anyone on the basis of an IPv4 address alone. With an IPv6 address on the other hand.
That I cannot answer, or have not thought about in sufficient depth.
> There are many ways you can spin that question. Some are more, others are less reasonable questions to ask. But the point is, that even for something as fundamental as an IP address, there is a lot of compliance uncertainty around it.
Yes, there can be uncertainty, but in most cases the uncertainty is due to businesses doing things that require consent in the first place, while they don't actually have to do these things. There can of course be special cases, no question there, but then the special case is somehow integral to the business and then it should be worth it for the company to get a law person involved to clear up any uncertainties.