AnonymFlow
outils-diagnosticINFO

What is my IP address? What it really reveals in 2026 (complete analysis)

Your public IP isn't just a string of numbers. Here's what sites deduce in under 50 ms - ISP, country, city, traceability - and how to decide whether to hide it.

By Eric Gerard · Editor · AnonymFlow10 min readPhoto: Taylor Vick - Unsplash

You see your IP at the top of this page via our My IP tool. It's three or four numbers split by dots. On IPv6, it's a long hexadecimal string. It looks mundane. But this string alone tells a site roughly where you are, who provides your internet, and - if you come back tomorrow - that it's probably you. This article shows what your public IP tells sites in under 50 milliseconds. It explains why you stay traceable even without cookies. And it covers when hiding it actually changes something in 2026.

What your public IP enables sites to deduce - the 3 data layers

When you open a web page, your browser sends an HTTP request. This request reaches the site's server with your public exit IP in its network header (TCP/IP layer). It's the IP your ISP assigned you. It's not your computer's IP behind the box (typically 192.168.1.x or 10.0.0.x), which stays private and invisible to the internet.

From this public IP, the server can query three types of databases in under 50 milliseconds. It needs no consent and no cookie to do so.

Layer 1 - WHOIS and RIR databases. Regional Internet Registries (RIPE for Europe, ARIN for North America, APNIC for Asia-Pacific) keep public registers. Each one links an IP range to its owning operator. A simple WHOIS query on your IP instantly reveals your ISP - Orange (AS3215), Free (AS12322), SFR (AS15557), Bouygues Telecom (AS5410). It's free public infrastructure.

Layer 2 - GeoIP databases. Bases like MaxMind GeoIP2, IP2Location, or DB-IP link the IP to a country, a region, and sometimes a city. Typical precision: 99% at country level, ~85% at region/department level, 50-70% at city level. These bases update monthly from operator declarations and active latency tests. An ISP can route a whole department via the same IP - hence the city imprecision.

Layer 3 - Specialized and anti-fraud lists. These cover known datacenters (AWS, Azure, OVH publicly listed by ASN), Tor exits (list kept by Tor Project), known VPN IP ranges (MaxMind Anonymous IP, IP2Proxy), and IPs flagged for spam (Spamhaus DROP/EDROP lists). That's how Netflix instantly detects that an IP belongs to a VPN service - the IP sits in the matching blacklist. These flows cost an average site €100-1,000/month depending on volume. Any serious company can access them.

Why it's traceable even without cookies - the trap

A common argument goes: "I browse privately, I accept no cookies, so I'm anonymous." Your IP partly breaks this logic.

The browser incognito window stops local cookie storage on your machine. But it changes nothing about the IP you show to remote servers. Incognito doesn't hide your IP - that's a frequent confusion. To the sites that read your IP, you stay just as identifiable as in normal browsing.

Say you visit three different sites from the same IP within an hour. Those three sites can rebuild your journey if they cross-reference data via a shared ad network or analytics tool (Google Analytics 4 and Adobe Analytics often share data between client sites). Most of the time, they don't even need cookies. The pair IP + user-agent is enough to rebuild your path across sessions. The user-agent is the browser identifier, and it carries your OS, version, language, and installed fonts.

On a classic European residential connection, your IP rarely changes. It's typically once a month on Orange Fibre, and never on some business offers. So it's stable enough to act as a "quasi-identifier" over several days, even several weeks. IP-based traceability therefore survives private browsing. It also survives cookie blocking via uBlock Origin or Privacy Badger.

IP is legally personal data in France

Here's a legal point that often gets ignored. Since 2016, the CNIL and French case law have treated IP as personal data under GDPR article 4. The reference ruling is Cour de cassation Civ. 1, November 3, 2016. It holds that an IP address, even a dynamic one, counts as personal data once it lets you identify a person, directly or indirectly, by cross-referencing it with other data held by the data controller.

Here are the practical consequences:

Sites that collect your IP face GDPR obligations: prior information, a legal basis, a limited retention duration, and a right of access and deletion. "Technical" IP collection via server logs is allowed for 12 months without consent (legitimate security interest). But any use for marketing needs explicit consent.

Your ISP keeps the IP↔subscriber link for at least 12 months under the Hadopi 2.0 law and the European directive on electronic data retention. This link is accessible upon judicial request as part of investigations. It's the technical basis used to identify illegal downloads by ARCOM (former Hadopi).

The IP address is considered personal data under GDPR article 4 as soon as the data controller has or can reasonably acquire the means to identify the data subject.

- Commission nationale de l'informatique et des libertés, CNIL - IP address and personal data (2024)

IP address and geolocation - real vs advertised precision

Lines of source code on a dark screen
Lines of source code on a dark screen

On our My IP tool, we show the detected country and sometimes the city. Precision varies a lot by analysis layer and connection type.

Country: almost always accurate. It only fails if you exit via an atypical datacenter or a VPN without GeoIP declaration. MaxMind documents 99% precision here.

Region or department: approximate. GeoIP databases update monthly from operator declarations. An ISP can route a whole department via the same IP. Free does this on a large scale in the Île-de-France region, where several million subscribers share a limited number of IP blocks routed via Bobigny.

Precise address: impossible from IP alone. Sites that claim to locate you to 50 m actually use the HTML5 Geolocation API, which needs explicit consent via a system popup. Or they use GPS on mobile, which needs app authorization. IP alone never reaches this precision. It's a myth repeated by some marketing sites.

Special case of 4G/5G mobile: your public IP is shared with hundreds or even thousands of other subscribers via CGNAT (Carrier-Grade NAT) technology. Mobile IP geolocation usually points to the carrier's headquarters (Bouygues at Sèvres, SFR at Saint-Denis), not your real position. It's an implicit technical protection on mobile that you don't get on fixed fiber.

When hiding your IP actually matters - and when it doesn't

Hiding your IP via VPN really changes the game in four concrete cases in 2026:

Case 1 - Untrusted Wi-Fi network (hotel, airport, café, transport). The network admin and other connected clients can no longer read your traffic via Evil Twin or MITM. See our VPN hotel Wi-Fi scenario, which documents attacks observed at 12 Paris hotels in May 2026.

Case 2 - Geo-restriction or censorship. You can reach content restricted to another country - Netflix US from Europe, BBC iPlayer from the Americas, political content blocked in China or Russia. See our complete VPN streaming guide and VPN China scenario.

Case 3 - IP-based cross-site trackers. You break the "stable IP" angle used to rebuild your journey across sites for hours or days. The VPN's IP rotates and is shared with other users. So a site can no longer identify you durably by IP alone.

Case 4 - ISP throttling. Some operators have throttled peer-to-peer traffic (BitTorrent) or certain streaming services during peak hours to manage congestion. A VPN wraps your traffic and hides the protocol. So your ISP can no longer throttle it selectively.

In several other cases, hiding your IP brings nothing:

If you're logged into your Google, Meta, Microsoft, or Apple account, your identity passes via the session cookie, not the IP. The VPN doesn't make you anonymous on these services. Google knows it's you connecting from a US IP if your Gmail account is open.

If you do something illegal while thinking you're anonymous, be careful. International cooperation between serious VPNs and authorities exists in case of a judicial warrant. This is especially true if the VPN's jurisdiction cooperates (United States, France, United Kingdom). VPNs based in Panama (NordVPN) or the British Virgin Islands (ExpressVPN) are less cooperative, but they aren't immune.

Editorial pick
4.6 / 5

Test NordVPN on your connection

30-day money-back · Verify IP effect via our tool

Deloitte audit 202430-day guarantee14M+ users
See the offer

How to verify yourself in 3 minutes

Here's a quick check-list to see what your connection exposes. These 4 steps take about 3 minutes and tell you exactly where you stand.

Step 1 - Open the My IP tool without a VPN. Note your IP, the displayed ISP, the detected region, and the user-agent your browser sends. That's what every site sees of you on every visit.

Step 2 - Turn on your VPN if you have one, then reload the page. The IP must change completely. The ISP must switch to a name like Tefincom (NordVPN), Tata Communications, M247, or OVH. If only the IP changes but the ISP stays your residential provider, you have a configuration problem.

Step 3 - Open our DNS Leak Test tool to check that WebRTC doesn't leak your real IP despite the VPN. It's the classic trap documented in our complete VPN audit guide.

Step 4 - If the displayed IP differs between the two tools, you have a WebRTC leak. In your VPN settings, look for a "block WebRTC" or "WebRTC Leak Protection" option, then turn it on.

What to remember

An IP address is not anonymous in 2026. It reveals your carrier via public WHOIS databases. It gives your country with 99% precision via GeoIP, and your region with ~85%. On residential fixed connections, it stays stable enough to act as a pseudo-identifier over several days. Cross-referenced with the user-agent and a timestamp, it's enough to rebuild your journey across sites even without cookies. Private browsing changes nothing in this IP-based traceability.

Legally, IP is personal data under GDPR per the CNIL and French case law. Your ISP keeps the IP↔subscriber link at least 12 months, accessible upon judicial request.

Hiding it via VPN changes this in practice, but it doesn't make you invisible. Other tracking channels stay active: logged Google/Meta/Microsoft accounts, browser fingerprint, and WebRTC leaks to check. The VPN is the simplest and most effective angle to close first. It's rarely enough on its own, but it's often the place to start. Our complete VPN audit in 7 steps covers all the leak channels.

Editorial pick
4.6 / 5

Test NordVPN - masked IP + 0 leak guaranteed

30-day money-back · PwC 2023 + Deloitte 2024 audits · 40% off

Deloitte audit 202430-day guarantee14M+ users
See the offer

Going further. Related reading on these topics: what to do when your IP is exposed, what a digital footprint is and our VPN & privacy glossary.

Going further. Related reading: Test your VPN speed in 2026.

Read next


Independent editorial assessment based on documented service capabilities, published independent audits and public benchmarks, with checks via standard tools (iperf3, dnsleaktest.com, browserleaks). Commercial links carry the rel="sponsored nofollow" attribute; an affiliate commission may apply at no extra cost to the reader and with no influence on the rating.

Editorial pick
4.6 / 5

Fix the leak - encrypt everything with NordVPN

Secure DNS · kill switch · Threat Protection · 30-day money-back

Deloitte audit 202430-day guarantee14M+ users
See the offer
Everything you need to know.

Frequently asked questions

Does my IP address change on its own?

On most residential French connections, yes, but rarely. Each box reboot or DHCP lease renewal (typically 14-30 days depending on ISP) can change your public IP. On mobile (4G/5G), it changes almost constantly because carriers use CGNAT (Carrier Grade NAT). In enterprise or VPN setups, it's often static. In practice, the IP changes once a month on Orange Fibre, and several times a week on Free per DHCP triggers. Test with our [My IP tool](/en/tools/my-ip) at different times to see your own change frequency.

Is an IP address alone enough to identify me personally?

Not alone, but yes once it's cross-referenced with your carrier, a precise timestamp, and cookies. The [CNIL](https://www.cnil.fr/) and French case law confirmed in 2016 (Cour de cassation Civ. 1, Nov 3 2016) that **IP is personal data under GDPR article 4**. Concretely, your ISP keeps the IP↔subscriber link for at least 12 months per the Hadopi 2.0 law. A site that logs your IP plus a timestamp can obtain your full civil identity via a judicial request to your ISP. It's the technical basis used to identify illegal downloads by ARCOM (former Hadopi).

Does a VPN completely hide my IP?

Yes for the public IP seen by visited sites. That's the main and guaranteed effect of a good VPN. But other channels can leak your real IP if the VPN isn't set to block them: (1) [WebRTC](https://datatracker.ietf.org/doc/html/rfc8826) revealing your IP via JavaScript, (2) authoritative DNS revealing your domain history to your ISP, (3) IPv6 exiting outside the tunnel on certain configurations. Our [integrated tools](/en/tools/dns-leak-test) let you check these leaks in 30 seconds. The major paid VPNs (NordVPN, ExpressVPN, Surfshark, ProtonVPN, Mullvad, CyberGhost) generally block these leaks by default, but it's worth checking your own setup.

How precise is IP-based geolocation?

It varies by data layer and connection type. **Country**: 99% precision on residential connections. **Region/department**: ~85%. **City**: 50-70% depending on the database (MaxMind GeoIP2 is the reference). **Precise address**: impossible from IP alone. Sites that claim to locate you to 50 m use the HTML5 Geolocation API (which needs explicit consent via a popup) or GPS on mobile (which needs app authorization). On French 4G/5G, the IP geolocates to the carrier headquarters (Bouygues at Sèvres, Free at Paris), not your real position. CGNAT makes mobile IP geolocation imprecise.