You see your IP displayed at the top of this page via our My IP tool. Three or four numbers separated by dots, or a long hexadecimal string if you're on IPv6. Mundane. Except this string contains, on its own, enough information for a site to know roughly where you are geographically, who provides your internet, and — if you come back tomorrow — that it's probably you. This article dissects what your public IP tells visited sites in under 50 milliseconds, why it's traceable even without cookies, and in which cases hiding it actually changes something in 2026.
What your public IP enables sites to deduce — the 3 data layers
When you open a web page, your browser sends an HTTP request. This request arrives at the site's server with, in its network header (TCP/IP layer), your public exit IP. It's the IP your ISP assigned you — not your computer's IP behind the box (typically 192.168.1.x or 10.0.0.x, which is private and invisible to the internet).
From this public IP, the server can consult three types of databases in under 50 milliseconds, without any consent or required cookie.
Layer 1 — WHOIS and RIR databases. Regional Internet Registries (RIPE for Europe, ARIN for North America, APNIC for Asia-Pacific) maintain public registers associating each IP range with its owning operator. A simple WHOIS query on your IP instantly reveals your ISP — Orange (AS3215), Free (AS12322), SFR (AS15557), Bouygues Telecom (AS5410). It's free public infrastructure.
Layer 2 — GeoIP databases. Bases like MaxMind GeoIP2, IP2Location, or DB-IP associate the IP with a country, region, and sometimes city. Typical observed precision: 99% at country level, ~85% at region/department level, 50-70% at city level. Bases are updated monthly from operator declarations and active latency measurement tests. An ISP can route an entire department via the same IP — hence city imprecision.
Layer 3 — Specialized and anti-fraud lists. Known datacenters (AWS, Azure, OVH publicly listed by ASN), Tor exits (list maintained by Tor Project), referenced VPN IP ranges (MaxMind Anonymous IP, IP2Proxy), IPs flagged for spam (Spamhaus DROP/EDROP lists). That's what lets Netflix instantly detect that an IP belongs to a VPN service — the IP is in the corresponding blacklist. Cost of these flows for an average site: €100-1,000/month depending on volume — accessible to any serious company.
Why it's traceable even without cookies — the trap
Frequent argument: "I browse privately, I accept no cookies, so I'm anonymous". IP partially overturns this logic.
The browser incognito window prevents local cookie storage on your machine. It changes nothing about the IP you present to remote servers — incognito doesn't hide IP, a frequent confusion. You remain identifiable in the same way as in normal browsing from the IP-revealing standpoint of sites.
If you visit three different sites from the same IP within an hour, these three sites can — if they cross-reference data via a common ad network or analytics tool (Google Analytics 4, Adobe Analytics often share data between client sites) — reconstruct your journey. Most of the time, they don't need cookies for this: IP + user-agent (browser identifier containing OS, version, language, installed fonts) suffices to reconstruct cross-session.
On a classic European residential connection, your IP rarely changes — typically once a month on Orange Fibre, even never on some business offers. It's plenty stable enough to serve as a "quasi-identifier" over several days, even several weeks. IP-based traceability therefore resists private browsing and cookie blocking via uBlock Origin or Privacy Badger.
IP is legally personal data in France
Important legal aspect often ignored: the CNIL and French case law have considered since 2016 that IP is personal data under GDPR article 4. Reference ruling: Cour de cassation Civ. 1, November 3, 2016, establishing that an IP address, even dynamic, constitutes personal data once it enables direct or indirect identification of a person via cross-referencing with other data held by the data controller.
Practical consequences:
Sites that collect your IP are subject to GDPR obligations: prior information, legal basis, limited retention duration, right of access and deletion. "Technical" IP collection via server logs is authorized for 12 months without consent (legitimate security interest), but use for marketing requires explicit consent.
Your ISP keeps the IP↔subscriber association for at least 12 months under the Hadopi 2.0 law and the European directive on electronic data retention. This association is accessible upon judicial request as part of investigations. It's the technical basis for identifying illegal downloads by ARCOM (former Hadopi).
The IP address is considered personal data under GDPR article 4 as soon as the data controller has or can reasonably acquire the means to identify the data subject.
IP address and geolocation — real vs advertised precision
On our My IP tool, we display the detected country and sometimes city. Precision varies enormously by analysis layer and connection type.
Country: almost always accurate, unless you exit via an atypical datacenter or VPN without GeoIP declaration. 99% precision documented by MaxMind.
Region or department: approximate. GeoIP databases are updated monthly from operator declarations. An ISP can route an entire department via the same IP — Free does this massively in Île-de-France region where several million subscribers share a limited number of IP blocks routed via Bobigny.
Precise address: impossible from IP alone. Sites claiming to locate you to 50 m actually use the HTML5 Geolocation API (requiring explicit consent, system popup) or GPS on mobile (requiring app authorization). IP alone never gives this precision — it's a myth repeated by some marketing sites.
Special case of 4G/5G mobile: your public IP is shared with hundreds or even thousands of other subscribers via CGNAT (Carrier-Grade NAT) technology. Mobile IP geolocation generally points to the carrier's headquarters (Bouygues at Sèvres, SFR at Saint-Denis), not your real position. It's an implicit technical protection on mobile that you don't have on fixed fiber.
When hiding your IP actually matters — and when it doesn't
Hiding your IP via VPN really changes the game in four concrete cases in 2026:
Case 1 — Untrusted Wi-Fi network (hotel, airport, café, transport). Your traffic is no longer readable by the network admin or other connected clients via Evil Twin or MITM. See our VPN hotel Wi-Fi scenario documenting attacks observed at 12 Paris hotels in May 2026.
Case 2 — Geo-restriction or censorship. You can access content restricted to another country — Netflix US from Europe, BBC iPlayer from Americas, political content blocked in China or Russia. See our complete VPN streaming guide and VPN China scenario.
Case 3 — IP-based cross-site trackers. You break the "stable IP" angle used to reconstruct your journey across multiple sites for hours or days. The VPN's IP rotates and is shared with other users — a site can no longer durably identify you by IP alone.
Case 4 — ISP throttling. Some operators have historically throttled peer-to-peer traffic (BitTorrent) or certain streaming services during peak hours to manage network congestion. A VPN encapsulates traffic and hides protocol — your ISP can no longer selectively throttle.
Conversely, in several cases, hiding your IP brings nothing:
If you're logged into your Google, Meta, Microsoft, Apple account, your identity passes via session cookie, not by IP. The VPN doesn't make you anonymous on these services — Google knows it's you connecting from US IP if your Gmail account is open.
If you do something illegal thinking you're anonymous: international cooperation between serious VPNs and authorities exists in case of judicial warrant, particularly if the VPN's jurisdiction cooperates (United States, France, United Kingdom). VPNs based in Panama (NordVPN) or British Virgin Islands (ExpressVPN) are less legally cooperative but aren't immune.
★ Audit Deloitte 2024 · ✓ Garantie 30 jours · 14M+ utilisateurs (source : NordVPN press)
Test NordVPN on your connection30-day money-back · Verify IP effect via our tool→How to verify yourself in 3 minutes
Here's the quick check-list to understand what your connection exposes. These 4 steps take ~3 minutes and tell you exactly where you stand.
Step 1 — Open the My IP tool without VPN. Note your IP, displayed ISP, detected region, user-agent sent by your browser. That's what every site sees of you on every visit.
Step 2 — Activate your VPN if you have one, reload the page. IP must change completely, ISP must switch to a name like Tefincom (NordVPN), Tata Communications, M247, OVH. If only IP changes but ISP stays your residential provider, it's a configuration problem.
Step 3 — Open our DNS Leak Test tool to verify WebRTC doesn't leak your real IP despite VPN. It's the classic trap documented in our complete VPN audit guide.
Step 4 — If the displayed IP differs between the two tools, you have a WebRTC leak. Look in VPN settings for "block WebRTC" or "WebRTC Leak Protection" option and activate it.
What to remember
An IP address is not anonymous in 2026: it reveals your carrier via public WHOIS databases, your country with 99% precision via GeoIP, your region with ~85%, and stays sufficiently stable on residential fixed connections to serve as a pseudo-identifier over several days. Cross-referenced with user-agent and timestamp, it suffices to reconstruct your journey across different sites even without cookies — private browsing changes nothing in this IP-based traceability.
Legally, IP is personal data under GDPR per CNIL and French case law. Your ISP keeps the IP↔subscriber association at least 12 months, accessible upon judicial request.
Hiding it via VPN changes this in practice, but doesn't make you invisible — other tracking channels remain active (logged Google/Meta/Microsoft accounts, browser fingerprint, WebRTC leaks to check). The VPN is the simplest and most effective angle to close first. It's rarely sufficient on its own, but often the place to start. Our complete VPN audit in 7 steps covers all leak channels.
★ Audit Deloitte 2024 · ✓ Garantie 30 jours · 14M+ utilisateurs (source : NordVPN press)
Test NordVPN — masked IP + 0 leak guaranteed30-day money-back · PwC 2023 + Deloitte 2024 audits · 40% off→Read next
- My IP tool — real-time display →Check what sites see of you in 30 seconds
- DNS + WebRTC leak test tool →Detect hidden leaks even with active VPN
- Complete VPN audit in 7 steps →DNS, WebRTC, IPv6, kill switch, logs
- Verify your VPN works in 5 minutes →Quick IP + DNS + WebRTC + IPv6 check
- NordVPN review after 8 months of use →Complete test speed + leaks + unblock
- Complete DNS leak test guide →Causes and fixes by OS
Article published on May 27, 2026, updated on May 28, 2026. Methodology: tests performed on French residential connection (Orange 1 Gbps fiber Paris 15th district, Free 500 Mbps fiber suburbs, Bouygues 4G mobile), exit via 6 tested VPNs (NordVPN, ExpressVPN, Surfshark, ProtonVPN, Mullvad, CyberGhost), with Firefox 125 and Chrome 124 up-to-date. Log captures and WHOIS tests preserved in internal archives, available on editorial request via contact.
★ Audit Deloitte 2024 · ✓ Garantie 30 jours · 14M+ utilisateurs (source : NordVPN press)
Get NordVPN30 jours satisfait ou remboursé→
