Search "is IP tracking legal" and the first page of Google gives you six contradictory answers. A VPN company says it's always illegal. A legal forum says it's always fine. A tech blog hedges with "it depends." None of them cite a single statute by name.
Here's what the law actually says — with section numbers, real court decisions, and practical answers to the eight questions people actually ask. We've pulled from the text of the GDPR, the Computer Fraud and Abuse Act, the California Consumer Privacy Act, the Electronic Communications Privacy Act, the Canadian Charter of Rights and Freedoms, and over a dozen court opinions across four countries. This is the article those search results should have been.
In this article
- The short answer: 8 scenarios
- Is an IP address "personal data"? It depends where you are
- US law: the patchwork
- EU/UK: IP addresses are personal data. Period.
- The rest of the world
- Courts have said: an IP address is not a person
- When IP tracking becomes a crime
- What website operators actually need to do
- Frequently asked questions
The Short Answer: 8 Scenarios
Before we get into statute numbers and case law, here are the eight scenarios people actually ask about. Each one has a direct answer, then the rest of the article explains the reasoning.
| Scenario | Legal? | Key Detail |
|---|---|---|
| Logging visitor IPs on your website | Yes, with disclosure | Every web server does this by default. GDPR requires privacy policy disclosure. No US federal law prohibits it. |
| Sending someone a tracking link | Generally yes (US); gray area (EU) | Legal for legitimate purposes (analytics, security). Deceptive use for stalking may violate state wiretap statutes. |
| Looking up someone's IP location | Yes | IP geolocation databases are public. Looking up an IP is not illegal in any jurisdiction. |
| Employer tracking employee IPs | Yes, with notice in most states | CT (§31-48d), NY (§52-c*202-l), DE (§705A) require written notice. Company vs. personal device matters. |
| Police getting your IP from an ISP | Needs warrant (varies) | Carpenter v. US (2018) raised the bar. R v. Bykovets (Canada, 2024) requires warrant. EU requires judicial authorization. |
| Using an IP to DDoS someone | Felony | CFAA 18 U.S.C. §1030. Up to 10 years federal prison. UK Computer Misuse Act 1990 §3, up to 10 years. |
| Publishing someone's IP to harass them | Potentially criminal | Doxxing laws in CA (Penal Code §653.2), TX (Penal Code §42.074), and a growing number of states. |
| IP grabbing in gaming (Xbox, PSN) | Legal to obtain, illegal to misuse | Capturing IPs through P2P game connections is not illegal. Using them for DDoS attacks or doxxing is a federal crime. |
Is an IP Address "Personal Data"? It Depends Where You Are
This is the question that makes legal analysis difficult: whether an IP address counts as personal data (or "personally identifiable information") determines which laws apply and what obligations you have. Different countries have reached genuinely different conclusions.
United States (federal level)
There is no single federal statute that classifies IP addresses as personally identifiable information. The Federal Trade Commission has stated that persistent identifiers "warrant privacy protections," but this is agency guidance, not binding statute. The result is that at the federal level, collecting IP addresses is largely unregulated — which is why every website in America logs them without asking permission.
California (CCPA/CPRA)
The California Consumer Privacy Act, as amended by the California Privacy Rights Act, defines IP addresses as "personal information" when they are "reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household" (Cal. Civ. Code §1798.140(v)). The California Attorney General has called this determination "fact-specific," which means a website that merely logs IPs without connecting them to user accounts may have different obligations than one that ties IPs to purchase histories.
European Union (GDPR)
The GDPR settled this question unambiguously. Recital 30 states: "Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses." The Court of Justice of the European Union confirmed this in Breyer v. Bundesrepublik Deutschland (Case C-582/14, 2016), holding that even dynamic IP addresses constitute personal data when the website operator has the legal means to obtain additional information from the ISP to identify the user.
United Kingdom
The UK GDPR (retained from EU membership) mirrors the EU position. The Information Commissioner's Office (ICO) has stated that an IP address alone "may not always" be personal data, but when combined with other information it becomes so. The Court of Appeal in Vidal-Hall v Google [2015] EWCA Civ 311 established that individuals can claim damages for distress alone from IP-linked browser tracking, without needing to prove financial loss.
Canada
The Supreme Court of Canada issued a landmark ruling in R v. Bykovets (2024 SCC 6) holding that IP addresses attract a reasonable expectation of privacy under section 8 of the Canadian Charter of Rights and Freedoms. The Court reasoned that an IP address can reveal "a user's online activity" and, through it, "a great deal of personal information." Police now need judicial authorization (a production order or warrant) to obtain IP subscriber information from third parties like ISPs. For civilian website operators, the Personal Information Protection and Electronic Documents Act (PIPEDA) treats IPs as personal information when they can identify an individual.
Australia
Australia's 2024 Privacy Act reforms expanded the definition of "personal information" to include technical identifiers. The new framework uses a contextual test: an IP address is personal information if it can, in context, identify a person. A new statutory tort for serious invasions of privacy, effective June 2025, creates a cause of action that could be triggered by IP-based tracking in certain circumstances.
US Law: The Patchwork
There is no single "IP tracking law" in the United States. Instead, several overlapping statutes each cover part of the picture. Understanding which one applies to your situation is the key to understanding your legal position.
The Computer Fraud and Abuse Act (18 U.S.C. §1030)
The CFAA prohibits "unauthorized access" to protected computers. It does not prohibit collecting IP addresses from visitors to your own website — that's the opposite of unauthorized access; they came to you. The Supreme Court narrowed the scope of CFAA in Van Buren v. United States (2021), holding that "exceeds authorized access" means accessing information on a computer that the person is not entitled to access, not using authorized access for improper purposes. This ruling made it harder to stretch CFAA to cover ordinary IP logging.
Where CFAA does apply: using a collected IP address to launch a DDoS attack, which constitutes intentionally causing damage to a protected computer. Penalties reach up to 10 years imprisonment for a first offense causing damage, and up to 20 years for repeat offenders.
The Electronic Communications Privacy Act / Wiretap Act (18 U.S.C. §§2510-2522)
Title III of ECPA prohibits the interception of the content of communications. Collecting IP address metadata (sender, recipient, timestamp) from visitors to your own site generally does not trigger Title III because IP addresses are routing information, not content. The Pen Register Act (18 U.S.C. §§3121-3127) covers the collection of routing and addressing information, but it applies to government use, not private parties.
However, there is active and aggressive litigation under California's Invasion of Privacy Act (CIPA, Cal. Penal Code §631). Between 2024 and 2025, a wave of lawsuits argued that website tracking technologies — including tracking pixels and session replay tools — constitute illegal "wiretapping" under CIPA. Plaintiffs argue these tools function as "pen registers" that capture user interactions without consent. Several cases have survived motions to dismiss. California SB 690 attempted to clarify that CIPA does not apply to standard website analytics, but the bill stalled in committee.
CCPA / CPRA (Cal. Civ. Code §1798.100 et seq.)
The CCPA requires businesses that meet certain thresholds (annual revenue over $25 million, data on 100,000+ consumers, or deriving 50%+ of revenue from selling personal information) to disclose the categories of personal information they collect — which includes IP addresses. Consumers have the right to know what's collected, request deletion, and opt out of the sale or sharing of their data. Enforcement by the California Privacy Protection Agency has focused on large-scale data brokers and major platforms, not individual website operators with basic server logs.
State employee monitoring laws
Several states require employers to provide written notice before monitoring employee electronic activity, which includes IP tracking:
- Connecticut §31-48d: Requires prior written notice to employees about electronic monitoring of their internet use
- New York Civil Rights Law §52-c*202-l: Requires employers to notify employees upon hiring if telephone or email monitoring occurs
- Delaware §705A: Requires notice that electronic mail and internet usage may be monitored
If you're an employer tracking employee IP addresses through company systems, check your state's notification requirements. The monitoring itself is generally permissible; the issue is disclosure.
EU/UK: IP Addresses Are Personal Data. Period.
The case that settled it: Breyer v. Germany (2016)
Patrick Breyer, a German politician and privacy advocate, sued the German federal government over its practice of logging visitor IP addresses on government websites. The case reached the Court of Justice of the European Union, which held that a dynamic IP address recorded by an online media service provider constitutes personal data in relation to that provider when the provider has the legal means to obtain additional data — such as requesting subscriber information from the ISP — that would allow identification of the user.
The practical impact was enormous. Before Breyer, some organizations argued that because they couldn't personally identify a user from a dynamic IP, it wasn't personal data. After Breyer, that argument is dead in the EU. If you could obtain the information to identify the user (which any website operator could, through legal process directed at the ISP), the IP is personal data.
What this actually requires from website operators
The GDPR does not prohibit collecting IP addresses. It requires you to have a lawful basis for doing so and to handle the data responsibly. For most websites, the analysis works like this:
- Server access logs: Lawful basis is "legitimate interest" under Article 6(1)(f). You have a legitimate interest in maintaining server security and diagnosing technical issues. This does not require consent. You do need to mention it in your privacy policy.
- Website analytics: If using IP addresses for analytics (visitor counts, geographic breakdowns), legitimate interest typically applies. If you're using analytics that create detailed user profiles, consent may be required under the ePrivacy Directive.
- Tracking links and pixels: Depends on purpose. For security or fraud prevention, legitimate interest applies. For marketing purposes, particularly if creating user profiles, consent is the safer basis.
UK post-Brexit
The UK retained EU GDPR as the "UK GDPR" after Brexit. The practical requirements are identical. The significant UK-specific development is Vidal-Hall v Google [2015] EWCA Civ 311, where the Court of Appeal held that Google's use of cookies to track Safari browser users without consent constituted misuse of private information — and crucially, that claimants could recover damages for distress alone, without proving financial loss. This case established that IP-linked browser tracking can give rise to actionable claims even where the harm is emotional rather than financial.
The Rest of the World
Canada
The Supreme Court of Canada's decision in R v. Bykovets (2024 SCC 6) was the most significant IP privacy ruling outside Europe in recent years. Andrei Bykovets was accused of online fraud. Police obtained his IP address from a third-party payment processor without judicial authorization, then used it to obtain his subscriber information from the ISP (with a production order). The Supreme Court held that obtaining the IP address in the first place required judicial authorization because IP addresses carry a reasonable expectation of privacy under section 8 of the Canadian Charter.
For civilian website operators, the Personal Information Protection and Electronic Documents Act (PIPEDA) applies. Under PIPEDA, IP addresses are personal information when they can reasonably be used to identify an individual. Standard website logging is permissible with appropriate privacy policy disclosure.
Australia
Australia's 2024 Privacy Act reforms, building on the recommendations of the Attorney-General's Department review, expanded "personal information" to include technical identifiers under a contextual test. The new statutory tort for serious invasions of privacy, effective June 2025, creates civil liability for conduct that a reasonable person would consider highly offensive. Routine IP logging for website operations would not meet this threshold, but systematic IP-based tracking for harassment or surveillance could.
Brazil (LGPD)
Brazil's Lei Geral de Proteção de Dados, effective since 2020, follows a GDPR-like framework. IP addresses are personal data when they can identify or make identifiable a natural person. The lawful bases mirror GDPR: consent, legitimate interest, compliance with legal obligation, among others. Website operators need a privacy policy and a documented legal basis.
Japan (APPI)
Japan's Act on the Protection of Personal Information treats IP addresses as personal information when they can be combined with other data to identify a specific individual. The 2022 amendments strengthened cross-border transfer restrictions. Standard website logging with a privacy notice is compliant.
Courts Have Said: An IP Address Is Not a Person
This is the nuance that most articles on IP tracking legality miss entirely. While courts have increasingly recognized IP addresses as data worthy of privacy protection, they have simultaneously and consistently held that an IP address alone does not identify a specific person. These are not contradictory positions — they're complementary ones.
Cobbler Nevada v. Gonzales (9th Cir., 2018)
In this copyright infringement case, the copyright holder identified an IP address associated with illegal downloading and subpoenaed the ISP for subscriber information. The Ninth Circuit held that an IP address alone is insufficient to establish that the subscriber was the person who committed the infringement. The subscriber is the person who pays the bill, not necessarily the person who used the connection. Other people in the household, guests, or anyone on the WiFi network could have been responsible.
VPR Internationale v. Does 1-1017 (S.D. Ill., 2011)
Judge Harold Baker offered the clearest analogy in copyright trolling jurisprudence: knowing who rents a car does not tell you who was driving it at a particular time. An IP address identifies a connection point, not a human being. This reasoning has been adopted by courts across the country when evaluating whether an IP address alone establishes personal liability.
Carpenter v. United States (2018) — and what it doesn't cover
The Supreme Court held in Carpenter that accessing seven days of historical cell-site location information (CSLI) constitutes a search under the Fourth Amendment, requiring a warrant. Privacy advocates hoped this logic would extend to IP address collection. It largely hasn't. The Seventh Circuit, joining three other circuits, has held that the Carpenter warrant requirement does not extend to IP address "pen register" data — the request for an IP subscriber's identity from an ISP. The reasoning: CSLI reveals a comprehensive record of a person's movements over time; a single IP address does not.
When IP Tracking Becomes a Crime
The crime is never "collecting the IP." It is always what happens next. Here are real prosecutions where IP address collection was a link in a criminal chain.
Tyler Barriss: 20 years for fatal swatting
In 2017, a dispute over a $1.50 Call of Duty wager led Casey Viner to recruit serial swatter Tyler Barriss. Using IP-derived approximate location data, Barriss called in a false hostage report — but to the wrong address. Police responded to the home of Andrew Finch, a 28-year-old father of two uninvolved in the gaming dispute, and an officer shot and killed Finch when he opened his front door. Barriss was sentenced to 20 years in federal prison on charges including conspiracy, making hoax bomb threats, and cyberstalking. Viner received 15 months. The chain started with grabbing a gamer's IP address.
DDoS prosecutions under CFAA
Multiple federal prosecutions have targeted individuals who obtained IP addresses (often through game sniffers or IP grabbers) and then used DDoS-for-hire "booter" services to flood those IPs with traffic. Penalties under 18 U.S.C. §1030 reach up to 10 years per violation. The UK Computer Misuse Act 1990 §3 carries equivalent penalties for impairing the operation of a computer. In 2024, the FBI's "Operation PowerOFF" seized 27 booter/stresser service domains, reinforcing that both the attackers and the service operators face criminal liability.
Doxxing statutes
A growing number of states are criminalizing the publication of personal information — which can include IP addresses — with intent to harass or incite harassment:
- California Penal Code §653.2: Makes it a misdemeanor to distribute personal identifying information electronically with intent to cause harassment by a third party
- Texas Penal Code §42.074: Criminalizes publishing personal information with intent to harass, intimidate, or threaten
- Illinois (§720 ILCS 5/26.5-2): Specific prohibition on publishing personal information to incite third-party harassment
- Federal: No specific doxxing statute, but 18 U.S.C. §2261A (cyberstalking) and 18 U.S.C. §875 (interstate threats) have been used in doxxing prosecutions
What Website Operators Actually Need to Do
If you run a website, use analytics, send marketing emails, or operate any online service, here is a practical compliance framework for IP address handling. This is not theoretical — it's the minimum that covers you across major jurisdictions.
Minimum requirements (everywhere)
- Have a privacy policy that specifically mentions you collect IP addresses
- State your purpose: "for security, analytics, and service delivery"
- Include contact information for privacy inquiries
If you have EU/UK visitors (most sites do)
- Document your lawful basis — for server logs and basic analytics, "legitimate interest" under GDPR Article 6(1)(f) is standard
- Set data retention limits — don't keep IP logs forever; 90 days is common for server logs, 26 months for analytics
- Be prepared to respond to data subject access requests (DSARs) and erasure requests
- If using tracking pixels for marketing, consider whether consent is required (it often is for marketing-specific tracking)
If you have California users
- If you meet CCPA thresholds, provide a "Do Not Sell or Share My Personal Information" link
- Honor opt-out requests for any data sharing or selling that involves IP addresses
- Respond to consumer requests to know, delete, or correct their data within 45 days
If you track employees
- Check notification requirements in your state (CT, NY, DE require written notice at minimum)
- Company device vs. personal device matters — broader monitoring is permissible on company-owned equipment
- Include monitoring disclosure in employee handbook and onboarding documents
If you use tracking links or pixels
- Disclose the tracking in your terms of service or privacy policy
- Don't use deceptive link shorteners designed to trick people into clicking
- For email pixels, follow your email service provider's compliance guidance and monitor the evolving CIPA litigation
- Retain tracking data only as long as needed for your stated purpose
Never, under any circumstances
- Use collected IPs to launch DDoS attacks (federal felony, up to 10 years)
- Use IP-derived location data for swatting (sentences from 15 months to 20 years)
- Publish IP addresses with intent to harass or incite harassment (state criminal statutes)
- Stalk or cyberstalk someone using IP tracking data (18 U.S.C. §2261A)
Frequently Asked Questions
Is it illegal to look up someone's IP address?
No. IP geolocation databases are publicly available, and looking up an IP address is no different from looking up a phone area code. The data returned is approximate — city-level at best — and does not identify individuals. You can look up any IP address without legal risk. No jurisdiction criminalizes the act of performing a geolocation lookup.
Can I get in trouble for using an IP logger?
Using a legitimate IP logging service for website analytics, marketing measurement, or cybersecurity is legal in virtually all jurisdictions with proper disclosure (a privacy policy). Problems arise when tracking links are used deceptively for harassment, stalking, or to build profiles for malicious purposes. The tool is legal; certain uses of the data are not. This is analogous to a camera — owning and operating one is legal; using it for voyeurism is not.
Are tracking pixels in email legal?
Generally yes with disclosure. Every major email marketing platform — Mailchimp, HubSpot, Constant Contact, Salesforce — uses tracking pixels for open-rate measurement. However, this is an active litigation area. California CIPA cases in 2024–2025 have challenged email tracking pixels as potential "wiretap" violations, and several have survived motions to dismiss. The law is evolving. Best practice: disclose pixel tracking in your privacy policy and monitor the CIPA developments.
Can police trace my IP address?
Police can see your public IP in server logs if you visit a website — server logs are evidence that can be subpoenaed. To connect that IP to your identity, they need to obtain subscriber information from your ISP. In Canada, after the Supreme Court's 2024 Bykovets decision, police need judicial authorization (a warrant or production order) to obtain IP subscriber information. In the EU, GDPR requires a lawful basis, which in practice means judicial authorization for law enforcement. In the US, the picture is more complex — most federal circuits have held that IP pen register data does not require a warrant under the Fourth Amendment, though a subpoena to the ISP is required.
What happens if someone tracks my IP without permission?
In most cases, nothing legally actionable. Website server logs capture your IP automatically as part of how the TCP/IP protocol works — no permission is needed or expected. If someone sends you a tracking link and you click it, they received your IP because you initiated a connection to their server. That is not interception; it is how the internet works. However, if they use the IP to harass, threaten, DDoS, dox, or stalk you, those actions are independently criminal regardless of how the IP was obtained. If you're concerned about your IP being collected, a VPN will mask your real address.
Is IP tracking more regulated than cookie tracking?
In some ways, less. Cookie consent under the EU's ePrivacy Directive requires active opt-in before placing non-essential cookies on a user's device. IP logging under GDPR can use "legitimate interest" as a lawful basis, which does not require a consent popup — just a privacy policy disclosure. In the US, there is no federal cookie law, and IP logging is unregulated at the federal level. The key technical difference: cookies involve placing data on a user's device (active storage), while IP logging is passive collection of routing information from network traffic. The ePrivacy Directive specifically targets the former.
Try Our IP Tools
Look up any IP address for free geolocation data, or create a tracking link to see who visits your content.
IP Lookup IP LoggerLegal sources referenced: GDPR Recital 30 and Article 6; Cal. Civ. Code §1798.140(v) (CCPA); 18 U.S.C. §1030 (CFAA); 18 U.S.C. §§2510-2522 (ECPA/Wiretap Act); Cal. Penal Code §631 (CIPA); Cal. Penal Code §653.2; Texas Penal Code §42.074; Connecticut §31-48d; CJEU Case C-582/14 Breyer v. Bundesrepublik Deutschland (2016); Vidal-Hall v Google [2015] EWCA Civ 311; R v. Bykovets 2024 SCC 6; Cobbler Nevada v. Gonzales (9th Cir., 2018); VPR Internationale v. Does 1-1017 (S.D. Ill., 2011); Van Buren v. United States, 593 U.S. 374 (2021); Carpenter v. United States, 585 U.S. 296 (2018). This article is for informational purposes only and does not constitute legal advice.