What Is GDPR and Does It Apply to Me?
Short answer: The General Data Protection Regulation (GDPR) is a European Union (EU) privacy law enacted in 2018. It applies to EU and European Economic Area (EEA) residents, and to any service anywhere in the world that targets or monitors EU users. Your Internet Protocol (IP) address is personal data under it.
What Is GDPR?
The General Data Protection Regulation is the EU's primary data privacy framework. It came into force on 25 May 2018, replacing the 1995 Data Protection Directive, and applies across all EU member states as directly applicable law — meaning no country-by-country implementation was required.
The GDPR governs how any organization collects, stores, processes, and shares personal data about EU residents. Violations can result in fines of up to €20 million or 4% of global annual turnover, whichever is higher.
The full official text is published by the EU at EUR-Lex.
Does GDPR Apply to Me?
There are three common situations where GDPR applies:
You are in the EU or EEA. If you are physically located in an EU or EEA country — or are a resident there — the GDPR protects your data regardless of where the organization processing it is based. A US company collecting your data while you are in Germany must comply.
You use a service based in the EU. If a service is established in the EU, it must follow GDPR when handling your data, regardless of your location.
You run a website accessed by EU users. If you operate a website or app that offers goods or services to people in the EU, or monitors the behavior of people in the EU (for example, via analytics tracking), you must comply with GDPR for those users. This is why US-based websites show "Are you in the EU?" cookie banners.
The UK Information Commissioner's Office (ICO) provides practical compliance guidance that applies to both the EU GDPR and its UK equivalent.
Why Is My IP Address Personal Data Under GDPR?
This is a question many people find surprising. IP addresses — especially dynamic ones that change with each session — might seem anonymous. Under GDPR, they are not.
The Court of Justice of the European Union ruled in the 2016 Breyer v. Bundesrepublik Deutschland case that a dynamic IP address can constitute personal data when a website operator can obtain additional information from an Internet Service Provider (ISP) to identify the person behind it. Because ISPs can legally be compelled to provide this linkage in law enforcement contexts, the possibility alone is sufficient.
In practice, this means every website collecting your IP address — which is every website, because your IP is transmitted with every request — must have a legal basis for doing so under GDPR.
What Rights Does GDPR Give You?
GDPR grants EU residents eight core rights over their personal data:
- Access — you can request a copy of your data and information about how it is processed
- Rectification — you can have inaccurate or incomplete data corrected
- Erasure — you can request deletion ("right to be forgotten") in certain circumstances
- Restriction — you can limit how your data is used while, for example, a dispute about its accuracy is resolved
- Portability — you can receive your data in a structured, machine-readable format and transfer it to another provider
- Objection — you can object to processing based on legitimate interests, and to any processing for direct marketing
- Freedom from solely automated decisions — including profiling that produces legal or similarly significant effects
- Withdrawal of consent — at any time, where consent was the legal basis for processing
So What Does This Mean for You?
If you are located in the EU or EEA, your IP address is personal data. Every website you visit — including this one — must have a lawful basis for processing it. Common bases are "legitimate interest" (the site needs your IP to serve you content) and "consent" (you clicked an accept button).
Here is the uncomfortable reality: many websites list dozens of advertising partners in their consent interfaces and rely on "legitimate interest" to avoid seeking your consent for processing your IP address in ways you might not expect. Enforcement by national data protection authorities exists but is slow, under-resourced, and inconsistent across member states.
Practically speaking, GDPR gives you meaningful rights on paper — especially the right to request deletion and the right to object to direct marketing. Whether those rights are honored promptly in practice depends heavily on the organization involved.
Frequently Asked Questions
Does GDPR apply to US websites?
Yes, if they serve EU users. GDPR's reach is explicitly extraterritorial: any organization targeting EU residents — regardless of where that organization is based — must comply. That is why US-based services show cookie consent banners specifically for European visitors.
Is the UK still covered by GDPR?
The UK left the EU but incorporated GDPR into national law as the UK GDPR, which came into effect on 1 January 2021. Compliance requirements are nearly identical to the EU version. The UK ICO is the enforcement authority. See ico.org.uk for UK-specific guidance.
Does GDPR mean my data can't be shared?
No. GDPR regulates how data may be shared, not whether it can be shared at all. Organizations can share personal data if they have a lawful basis — consent, legitimate interest, legal obligation, contract, vital interests, or public task. The regulation requires transparency about what is shared with whom, and it gives you the right to object in many cases.
Sources
- GDPR full text — EUR-Lex (Regulation EU 2016/679) — official EU law text
- European Data Protection Board — GDPR guidelines and opinions — authoritative interpretive guidance
- UK ICO — UK GDPR guidance and resources — UK implementation guidance