Is the following statement true or false: Under GDPR, web cookies are considered personal data while IP addresses are not.

The statement is false because, under the General Data Protection Regulation (GDPR), both web cookies and IP addresses can be considered personal data, depending on the context in which they are used.

Web cookies are categorized as personal data because they often store information that can identify individuals or be linked to them. For instance, cookies may track user behavior, preferences, or login information, which can lead to identifying an individual.

Similarly, IP addresses are also regarded as personal data under the GDPR. They can be used to identify a device on the internet and, when combined with other data, may lead to identifying the user behind that device. The GDPR acknowledges IP addresses as part of the data that can uniquely identify a person—especially in situations where the IP address can be linked to identifiable information.

Therefore, the correct assessment of the statement recognizes that both web cookies and IP addresses can constitute personal data under GDPR rules, thereby affirming the false nature of the statement.