Is IP Tracking Legal? What the Law Actually Says in 2026

March 5, 2026 | 15 min read | Security
Home / Blog / Is IP Tracking Legal?

Search "is IP tracking legal" and the first page of Google gives you six contradictory answers. A VPN company says it's always illegal. A legal forum says it's always fine. A tech blog hedges with "it depends." None of them cite a single statute by name.

Here's what the law actually says — with section numbers, real court decisions, and practical answers to the eight questions people actually ask. We've pulled from the text of the GDPR, the Computer Fraud and Abuse Act, the California Consumer Privacy Act, the Electronic Communications Privacy Act, the Canadian Charter of Rights and Freedoms, and over a dozen court opinions across four countries. This is the article those search results should have been.

Disclaimer: This article is for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and are subject to change. For questions about your specific situation, consult a qualified attorney in your jurisdiction.

The Short Answer: 8 Scenarios

Before we get into statute numbers and case law, here are the eight scenarios people actually ask about. Each one has a direct answer, then the rest of the article explains the reasoning.

Scenario Legal? Key Detail
Logging visitor IPs on your website Yes, with disclosure Every web server does this by default. GDPR requires privacy policy disclosure. No US federal law prohibits it.
Sending someone a tracking link Generally yes (US); gray area (EU) Legal for legitimate purposes (analytics, security). Deceptive use for stalking may violate state wiretap statutes.
Looking up someone's IP location Yes IP geolocation databases are public. Looking up an IP is not illegal in any jurisdiction.
Employer tracking employee IPs Yes, with notice in most states CT (§31-48d), NY (§52-c*202-l), DE (§705A) require written notice. Company vs. personal device matters.
Police getting your IP from an ISP Needs warrant (varies) Carpenter v. US (2018) raised the bar. R v. Bykovets (Canada, 2024) requires warrant. EU requires judicial authorization.
Using an IP to DDoS someone Felony CFAA 18 U.S.C. §1030. Up to 10 years federal prison. UK Computer Misuse Act 1990 §3, up to 10 years.
Publishing someone's IP to harass them Potentially criminal Doxxing laws in CA (Penal Code §653.2), TX (Penal Code §42.074), and a growing number of states.
IP grabbing in gaming (Xbox, PSN) Legal to obtain, illegal to misuse Capturing IPs through P2P game connections is not illegal. Using them for DDoS attacks or doxxing is a federal crime.
The pattern is consistent across every jurisdiction: collecting an IP address is almost never the crime. The crime is what you do with it afterward — harassment, attacks, doxxing, swatting, stalking. The tool is neutral; the intent determines legality.

Is an IP Address "Personal Data"? It Depends Where You Are

This is the question that makes legal analysis difficult: whether an IP address counts as personal data (or "personally identifiable information") determines which laws apply and what obligations you have. Different countries have reached genuinely different conclusions.

How Different Jurisdictions Classify IP Addresses Not inherently personal data Contextual / depends Always personal data United States (federal) No single federal law classifies IPs as PII. FTC guidance says persistent identifiers "warrant privacy protections" but not binding. California (CCPA/CPRA) IP addresses are "personal information" when reasonably linkable to a person or household. Fact-specific analysis. European Union (GDPR) Explicitly personal data (Recital 30). Breyer v. Germany (2016): even dynamic IPs count when operator could theoretically identify user via ISP. Canada R v. Bykovets (2024 SCC 6): IPs attract reasonable expectation of privacy under Charter s.8. Police need warrant. PIPEDA treats IPs as PI. United Kingdom UK GDPR mirrors EU. ICO: IP alone "may not" be personal data, but combined with other data it becomes so. Vidal-Hall v Google (2015) established damages.

United States (federal level)

There is no single federal statute that classifies IP addresses as personally identifiable information. The Federal Trade Commission has stated that persistent identifiers "warrant privacy protections," but this is agency guidance, not binding statute. The result is that at the federal level, collecting IP addresses is largely unregulated — which is why every website in America logs them without asking permission.

California (CCPA/CPRA)

The California Consumer Privacy Act, as amended by the California Privacy Rights Act, defines IP addresses as "personal information" when they are "reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household" (Cal. Civ. Code §1798.140(v)). The California Attorney General has called this determination "fact-specific," which means a website that merely logs IPs without connecting them to user accounts may have different obligations than one that ties IPs to purchase histories.

European Union (GDPR)

The GDPR settled this question unambiguously. Recital 30 states: "Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses." The Court of Justice of the European Union confirmed this in Breyer v. Bundesrepublik Deutschland (Case C-582/14, 2016), holding that even dynamic IP addresses constitute personal data when the website operator has the legal means to obtain additional information from the ISP to identify the user.

United Kingdom

The UK GDPR (retained from EU membership) mirrors the EU position. The Information Commissioner's Office (ICO) has stated that an IP address alone "may not always" be personal data, but when combined with other information it becomes so. The Court of Appeal in Vidal-Hall v Google [2015] EWCA Civ 311 established that individuals can claim damages for distress alone from IP-linked browser tracking, without needing to prove financial loss.

Canada

The Supreme Court of Canada issued a landmark ruling in R v. Bykovets (2024 SCC 6) holding that IP addresses attract a reasonable expectation of privacy under section 8 of the Canadian Charter of Rights and Freedoms. The Court reasoned that an IP address can reveal "a user's online activity" and, through it, "a great deal of personal information." Police now need judicial authorization (a production order or warrant) to obtain IP subscriber information from third parties like ISPs. For civilian website operators, the Personal Information Protection and Electronic Documents Act (PIPEDA) treats IPs as personal information when they can identify an individual.

Australia

Australia's 2024 Privacy Act reforms expanded the definition of "personal information" to include technical identifiers. The new framework uses a contextual test: an IP address is personal information if it can, in context, identify a person. A new statutory tort for serious invasions of privacy, effective June 2025, creates a cause of action that could be triggered by IP-based tracking in certain circumstances.

US Law: The Patchwork

There is no single "IP tracking law" in the United States. Instead, several overlapping statutes each cover part of the picture. Understanding which one applies to your situation is the key to understanding your legal position.

The Computer Fraud and Abuse Act (18 U.S.C. §1030)

The CFAA prohibits "unauthorized access" to protected computers. It does not prohibit collecting IP addresses from visitors to your own website — that's the opposite of unauthorized access; they came to you. The Supreme Court narrowed the scope of CFAA in Van Buren v. United States (2021), holding that "exceeds authorized access" means accessing information on a computer that the person is not entitled to access, not using authorized access for improper purposes. This ruling made it harder to stretch CFAA to cover ordinary IP logging.

Where CFAA does apply: using a collected IP address to launch a DDoS attack, which constitutes intentionally causing damage to a protected computer. Penalties reach up to 10 years imprisonment for a first offense causing damage, and up to 20 years for repeat offenders.

The Electronic Communications Privacy Act / Wiretap Act (18 U.S.C. §§2510-2522)

Title III of ECPA prohibits the interception of the content of communications. Collecting IP address metadata (sender, recipient, timestamp) from visitors to your own site generally does not trigger Title III because IP addresses are routing information, not content. The Pen Register Act (18 U.S.C. §§3121-3127) covers the collection of routing and addressing information, but it applies to government use, not private parties.

However, there is active and aggressive litigation under California's Invasion of Privacy Act (CIPA, Cal. Penal Code §631). Between 2024 and 2025, a wave of lawsuits argued that website tracking technologies — including tracking pixels and session replay tools — constitute illegal "wiretapping" under CIPA. Plaintiffs argue these tools function as "pen registers" that capture user interactions without consent. Several cases have survived motions to dismiss. California SB 690 attempted to clarify that CIPA does not apply to standard website analytics, but the bill stalled in committee.

What this means practically: If you operate a website with California visitors and use tracking pixels, session replay, or similar technology, the CIPA litigation wave is worth monitoring. Having a clear privacy policy that discloses your tracking practices is now more important than ever, even though the underlying technology has been standard practice for two decades.

CCPA / CPRA (Cal. Civ. Code §1798.100 et seq.)

The CCPA requires businesses that meet certain thresholds (annual revenue over $25 million, data on 100,000+ consumers, or deriving 50%+ of revenue from selling personal information) to disclose the categories of personal information they collect — which includes IP addresses. Consumers have the right to know what's collected, request deletion, and opt out of the sale or sharing of their data. Enforcement by the California Privacy Protection Agency has focused on large-scale data brokers and major platforms, not individual website operators with basic server logs.

State employee monitoring laws

Several states require employers to provide written notice before monitoring employee electronic activity, which includes IP tracking:

If you're an employer tracking employee IP addresses through company systems, check your state's notification requirements. The monitoring itself is generally permissible; the issue is disclosure.

Is My IP Tracking Legal? Decision Flowchart What are you doing? Logging visitor IPs Do you have a privacy policy? Yes LEGAL Everywhere No RISKY in EU Add one now Sending tracking links What's the purpose? Analytics / security LEGAL With disclosure Stalking / harassment ILLEGAL State/federal crimes Using collected IP data How are you using it? Geolocation lookup LEGAL Always DDoS / swatting FELONY Up to 20 years The Legal Spectrum of IP Tracking Activities Always Legal IP geolocation lookup Server access logs Fraud detection Legal with Conditions Tracking links (needs disclosure) Email pixels (evolving law) Employee monitoring (needs notice) Criminal DDoS attacks (CFAA) Doxxing / swatting Stalking / cyberstalking Collection Collection + use without disclosure Weaponization The line between legal and illegal is almost always about intent and subsequent use, not the collection itself.

EU/UK: IP Addresses Are Personal Data. Period.

The case that settled it: Breyer v. Germany (2016)

Patrick Breyer, a German politician and privacy advocate, sued the German federal government over its practice of logging visitor IP addresses on government websites. The case reached the Court of Justice of the European Union, which held that a dynamic IP address recorded by an online media service provider constitutes personal data in relation to that provider when the provider has the legal means to obtain additional data — such as requesting subscriber information from the ISP — that would allow identification of the user.

The practical impact was enormous. Before Breyer, some organizations argued that because they couldn't personally identify a user from a dynamic IP, it wasn't personal data. After Breyer, that argument is dead in the EU. If you could obtain the information to identify the user (which any website operator could, through legal process directed at the ISP), the IP is personal data.

What this actually requires from website operators

The GDPR does not prohibit collecting IP addresses. It requires you to have a lawful basis for doing so and to handle the data responsibly. For most websites, the analysis works like this:

The important thing to understand about GDPR and IP logging: having a privacy policy that discloses the collection, a documented lawful basis (usually legitimate interest), and a data retention policy covers the vast majority of standard website operations. The GDPR created obligations around how you handle IPs, not a prohibition on collecting them.

UK post-Brexit

The UK retained EU GDPR as the "UK GDPR" after Brexit. The practical requirements are identical. The significant UK-specific development is Vidal-Hall v Google [2015] EWCA Civ 311, where the Court of Appeal held that Google's use of cookies to track Safari browser users without consent constituted misuse of private information — and crucially, that claimants could recover damages for distress alone, without proving financial loss. This case established that IP-linked browser tracking can give rise to actionable claims even where the harm is emotional rather than financial.

The Rest of the World

Canada

The Supreme Court of Canada's decision in R v. Bykovets (2024 SCC 6) was the most significant IP privacy ruling outside Europe in recent years. Andrei Bykovets was accused of online fraud. Police obtained his IP address from a third-party payment processor without judicial authorization, then used it to obtain his subscriber information from the ISP (with a production order). The Supreme Court held that obtaining the IP address in the first place required judicial authorization because IP addresses carry a reasonable expectation of privacy under section 8 of the Canadian Charter.

For civilian website operators, the Personal Information Protection and Electronic Documents Act (PIPEDA) applies. Under PIPEDA, IP addresses are personal information when they can reasonably be used to identify an individual. Standard website logging is permissible with appropriate privacy policy disclosure.

Australia

Australia's 2024 Privacy Act reforms, building on the recommendations of the Attorney-General's Department review, expanded "personal information" to include technical identifiers under a contextual test. The new statutory tort for serious invasions of privacy, effective June 2025, creates civil liability for conduct that a reasonable person would consider highly offensive. Routine IP logging for website operations would not meet this threshold, but systematic IP-based tracking for harassment or surveillance could.

Brazil (LGPD)

Brazil's Lei Geral de Proteção de Dados, effective since 2020, follows a GDPR-like framework. IP addresses are personal data when they can identify or make identifiable a natural person. The lawful bases mirror GDPR: consent, legitimate interest, compliance with legal obligation, among others. Website operators need a privacy policy and a documented legal basis.

Japan (APPI)

Japan's Act on the Protection of Personal Information treats IP addresses as personal information when they can be combined with other data to identify a specific individual. The 2022 amendments strengthened cross-border transfer restrictions. Standard website logging with a privacy notice is compliant.

Courts Have Said: An IP Address Is Not a Person

This is the nuance that most articles on IP tracking legality miss entirely. While courts have increasingly recognized IP addresses as data worthy of privacy protection, they have simultaneously and consistently held that an IP address alone does not identify a specific person. These are not contradictory positions — they're complementary ones.

Cobbler Nevada v. Gonzales (9th Cir., 2018)

In this copyright infringement case, the copyright holder identified an IP address associated with illegal downloading and subpoenaed the ISP for subscriber information. The Ninth Circuit held that an IP address alone is insufficient to establish that the subscriber was the person who committed the infringement. The subscriber is the person who pays the bill, not necessarily the person who used the connection. Other people in the household, guests, or anyone on the WiFi network could have been responsible.

VPR Internationale v. Does 1-1017 (S.D. Ill., 2011)

Judge Harold Baker offered the clearest analogy in copyright trolling jurisprudence: knowing who rents a car does not tell you who was driving it at a particular time. An IP address identifies a connection point, not a human being. This reasoning has been adopted by courts across the country when evaluating whether an IP address alone establishes personal liability.

Carpenter v. United States (2018) — and what it doesn't cover

The Supreme Court held in Carpenter that accessing seven days of historical cell-site location information (CSLI) constitutes a search under the Fourth Amendment, requiring a warrant. Privacy advocates hoped this logic would extend to IP address collection. It largely hasn't. The Seventh Circuit, joining three other circuits, has held that the Carpenter warrant requirement does not extend to IP address "pen register" data — the request for an IP subscriber's identity from an ISP. The reasoning: CSLI reveals a comprehensive record of a person's movements over time; a single IP address does not.

What this means practically: knowing an IP address tells you an approximate city and an ISP. It does not tell you a person's name, street address, or identity. Only the ISP can connect IP to person, and that connection requires a court order. This is exactly why IP geolocation is legal for analytics but insufficient for identification — and why courts reject IP-address-alone evidence in infringement cases.

When IP Tracking Becomes a Crime

The crime is never "collecting the IP." It is always what happens next. Here are real prosecutions where IP address collection was a link in a criminal chain.

Tyler Barriss: 20 years for fatal swatting

In 2017, a dispute over a $1.50 Call of Duty wager led Casey Viner to recruit serial swatter Tyler Barriss. Using IP-derived approximate location data, Barriss called in a false hostage report — but to the wrong address. Police responded to the home of Andrew Finch, a 28-year-old father of two uninvolved in the gaming dispute, and an officer shot and killed Finch when he opened his front door. Barriss was sentenced to 20 years in federal prison on charges including conspiracy, making hoax bomb threats, and cyberstalking. Viner received 15 months. The chain started with grabbing a gamer's IP address.

DDoS prosecutions under CFAA

Multiple federal prosecutions have targeted individuals who obtained IP addresses (often through game sniffers or IP grabbers) and then used DDoS-for-hire "booter" services to flood those IPs with traffic. Penalties under 18 U.S.C. §1030 reach up to 10 years per violation. The UK Computer Misuse Act 1990 §3 carries equivalent penalties for impairing the operation of a computer. In 2024, the FBI's "Operation PowerOFF" seized 27 booter/stresser service domains, reinforcing that both the attackers and the service operators face criminal liability.

Doxxing statutes

A growing number of states are criminalizing the publication of personal information — which can include IP addresses — with intent to harass or incite harassment:

The pattern in every case: The collection of the IP address was legal or at least unremarkable. What triggered criminal liability was the subsequent action — the DDoS attack, the swatting call, the publication with intent to harass. This distinction is critical: tools like IP loggers are legal. Using the data they collect to harm someone is not.

What Website Operators Actually Need to Do

If you run a website, use analytics, send marketing emails, or operate any online service, here is a practical compliance framework for IP address handling. This is not theoretical — it's the minimum that covers you across major jurisdictions.

Minimum requirements (everywhere)

  • Have a privacy policy that specifically mentions you collect IP addresses
  • State your purpose: "for security, analytics, and service delivery"
  • Include contact information for privacy inquiries

If you have EU/UK visitors (most sites do)

  • Document your lawful basis — for server logs and basic analytics, "legitimate interest" under GDPR Article 6(1)(f) is standard
  • Set data retention limits — don't keep IP logs forever; 90 days is common for server logs, 26 months for analytics
  • Be prepared to respond to data subject access requests (DSARs) and erasure requests
  • If using tracking pixels for marketing, consider whether consent is required (it often is for marketing-specific tracking)

If you have California users

  • If you meet CCPA thresholds, provide a "Do Not Sell or Share My Personal Information" link
  • Honor opt-out requests for any data sharing or selling that involves IP addresses
  • Respond to consumer requests to know, delete, or correct their data within 45 days

If you track employees

  • Check notification requirements in your state (CT, NY, DE require written notice at minimum)
  • Company device vs. personal device matters — broader monitoring is permissible on company-owned equipment
  • Include monitoring disclosure in employee handbook and onboarding documents

If you use tracking links or pixels

  • Disclose the tracking in your terms of service or privacy policy
  • Don't use deceptive link shorteners designed to trick people into clicking
  • For email pixels, follow your email service provider's compliance guidance and monitor the evolving CIPA litigation
  • Retain tracking data only as long as needed for your stated purpose

Never, under any circumstances

  • Use collected IPs to launch DDoS attacks (federal felony, up to 10 years)
  • Use IP-derived location data for swatting (sentences from 15 months to 20 years)
  • Publish IP addresses with intent to harass or incite harassment (state criminal statutes)
  • Stalk or cyberstalk someone using IP tracking data (18 U.S.C. §2261A)

Frequently Asked Questions

Is it illegal to look up someone's IP address?

No. IP geolocation databases are publicly available, and looking up an IP address is no different from looking up a phone area code. The data returned is approximate — city-level at best — and does not identify individuals. You can look up any IP address without legal risk. No jurisdiction criminalizes the act of performing a geolocation lookup.

Can I get in trouble for using an IP logger?

Using a legitimate IP logging service for website analytics, marketing measurement, or cybersecurity is legal in virtually all jurisdictions with proper disclosure (a privacy policy). Problems arise when tracking links are used deceptively for harassment, stalking, or to build profiles for malicious purposes. The tool is legal; certain uses of the data are not. This is analogous to a camera — owning and operating one is legal; using it for voyeurism is not.

Are tracking pixels in email legal?

Generally yes with disclosure. Every major email marketing platform — Mailchimp, HubSpot, Constant Contact, Salesforce — uses tracking pixels for open-rate measurement. However, this is an active litigation area. California CIPA cases in 2024–2025 have challenged email tracking pixels as potential "wiretap" violations, and several have survived motions to dismiss. The law is evolving. Best practice: disclose pixel tracking in your privacy policy and monitor the CIPA developments.

Can police trace my IP address?

Police can see your public IP in server logs if you visit a website — server logs are evidence that can be subpoenaed. To connect that IP to your identity, they need to obtain subscriber information from your ISP. In Canada, after the Supreme Court's 2024 Bykovets decision, police need judicial authorization (a warrant or production order) to obtain IP subscriber information. In the EU, GDPR requires a lawful basis, which in practice means judicial authorization for law enforcement. In the US, the picture is more complex — most federal circuits have held that IP pen register data does not require a warrant under the Fourth Amendment, though a subpoena to the ISP is required.

What happens if someone tracks my IP without permission?

In most cases, nothing legally actionable. Website server logs capture your IP automatically as part of how the TCP/IP protocol works — no permission is needed or expected. If someone sends you a tracking link and you click it, they received your IP because you initiated a connection to their server. That is not interception; it is how the internet works. However, if they use the IP to harass, threaten, DDoS, dox, or stalk you, those actions are independently criminal regardless of how the IP was obtained. If you're concerned about your IP being collected, a VPN will mask your real address.

Is IP tracking more regulated than cookie tracking?

In some ways, less. Cookie consent under the EU's ePrivacy Directive requires active opt-in before placing non-essential cookies on a user's device. IP logging under GDPR can use "legitimate interest" as a lawful basis, which does not require a consent popup — just a privacy policy disclosure. In the US, there is no federal cookie law, and IP logging is unregulated at the federal level. The key technical difference: cookies involve placing data on a user's device (active storage), while IP logging is passive collection of routing information from network traffic. The ePrivacy Directive specifically targets the former.

Try Our IP Tools

Look up any IP address for free geolocation data, or create a tracking link to see who visits your content.

IP Lookup IP Logger

Legal sources referenced: GDPR Recital 30 and Article 6; Cal. Civ. Code §1798.140(v) (CCPA); 18 U.S.C. §1030 (CFAA); 18 U.S.C. §§2510-2522 (ECPA/Wiretap Act); Cal. Penal Code §631 (CIPA); Cal. Penal Code §653.2; Texas Penal Code §42.074; Connecticut §31-48d; CJEU Case C-582/14 Breyer v. Bundesrepublik Deutschland (2016); Vidal-Hall v Google [2015] EWCA Civ 311; R v. Bykovets 2024 SCC 6; Cobbler Nevada v. Gonzales (9th Cir., 2018); VPR Internationale v. Does 1-1017 (S.D. Ill., 2011); Van Buren v. United States, 593 U.S. 374 (2021); Carpenter v. United States, 585 U.S. 296 (2018). This article is for informational purposes only and does not constitute legal advice.

Need more lookups? View Pricing