Stop overfocusing on cookies and instead remember to add this geolocation process, and why you do it, to your privacy policy. Please name the geolocation service provider (sub-processor) you share the user's IP with, so your users can audit how their data is used. Please do a privacy assessment to check if your sub-processor does anything else with that data, like selling the info "IP f.o.o was seen by our customer bar.com" to data brokers. Please ask the users for their consent to be geolocated, and don't do it for those who say no. And please offer them an option to change the geolocation data in case it is wrong.
If you decide to hire a sub-processor incorporated in a country that does not respect Article 8 of the Charter of Fundamental Rights of the European Union (the right to data privacy), you have to ask the user before sharing their data (their data meaning "IP f.o.o accessed our service bar.com") with the geolocation service. See GDPR article 45ff. Please consider using a provider from a country that respects the fundamental right to data privacy. Note that the "Privacy Shield" collapsed due to the USA's trend towards surveillance capitalism and that the USA is not considered a safe harbor for personal data.
There are some exceptions, where you don't need consent: you could argue you need to geolocate the users to comply with embargoes, because your company is American and you are not allowed to do business with people living in some geographic regions, like Crimea. But even if you don't need consent you must still disclose that you process your users' personal data that way, and why, in your privacy policy, so your users can decide to not use your service, if they don't agree. That may seem to contradict your business interest, but that is consumer protection in a nutshell for you.
Note that, if you now use this data to show graphs to your marketing team and have meetings about improving advertisements by targeting regions, you are in violation of GDPR article 5, because the purpose you stated (embargoes) does not match what you actually do (targeted marketing). This is a principle Americans often find hard to grasp: only because you have the data for some reason, that doesn't mean you can do whatever you want with it. This becomes clearer if you don't think of personal data as a thing in possession of those who collect it, but as a good that stays in possession of the person it is about and gets licensed to those who use it with a bound purpose. Consent management and privacy policy are then similar to a license agreement.
Now if you ask your users nicely for consent to be geolocated, and if you have a sane reason for wanting that data, the users may even agree. Just tell them about your awesome marketing department and how much they love region-targeted marketing and if they don't bite, offer them a goody and they will agree. Hey, they will even be offended by mistakes in your provider's geo-ip-db and fix those for you. Note that this is a part of the right to data privacy: if you gather and process about the user the personal data that they are from somewhere, they have a right to know that and tell you "well no that is a mistake, I am from elsewhere". If you never tell them that you geolocate them, this is impossible.
The key problem is: most people who want that data (let's avoid the word "you" here) likely don't have a sane reason, they are just nosy and want to track their users out of curiosity. They know their tracking is kinda sus, so they don't want to tell the consumers about it, or ask for permission, or offer any goodies, and they don't care about a small error rate in their big data swamp. Instead they hide behind some "everyone does it" defense and act surprised if people consider them shady. Or worse, they require the data to offer user-unfriendly anti-features like content not being available in some regions (which actually could be a reason to not ask for consent: contracts with third parties like movie corporations requiring geolocation as part of online movie distribution), but in practice all that does is lead consumers to pay third parties to move their traffic around the globe, wasting resources to break the anti-feature.
But I digress, the key takeaway is: don't overfocus on cookies, state how and why you process personal data and it becomes obvious if you should ask for consent. An http-server does not need a consent banner to process the http-client's IP, it could not answer the client's request without it. The client gave it the IP for a very specific reason. But that reason and that process do not mean you can take the IPs from the server's logs and do with them whatever you want. That data does not belong to you, even if you process it. So please don't do that without asking for consent, or at least explaining why you do it. That is our fundamental right as data subjects.
> Stop overfocusing on cookies and instead remember to add this geolocation process, and why you do it, to your privacy policy. Please name the geolocation service provider (sub-processor) you share the user's IP with, so your users can audit how their data is used.
Or don't be lazy/cheap and use a geolocation implementation where you don't need to share the IP at all.
Geolocation can be done without a subprocessor. It goes against the grain of outsourcing everything under the sun but all you need is a high-quality local database of IP address ranges.
And yeah, by all means, include that in your privacy policy.
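A sketch of the local-database approach from the reply above, combined with the consent and correction handling the first comment asks for. This is an added example, not code from any commenter; the table uses RFC 5737 documentation ranges with constructed region labels, and `LocalGeoIP` and `region_for` are hypothetical names.

```python
import bisect
import ipaddress

# Constructed sample table (IPv4 only, RFC 5737 documentation ranges).
# A real deployment would load a locally stored IP-range database instead.
SAMPLE_RANGES = [
    ("192.0.2.0/24", "Region A"),
    ("198.51.100.0/24", "Region B"),
    ("203.0.113.0/25", "Region C"),
]


class LocalGeoIP:
    """In-process range lookup: the client IP is never sent to a third party."""

    def __init__(self, cidr_table):
        rows = []
        for cidr, region in cidr_table:
            net = ipaddress.ip_network(cidr)
            rows.append((int(net.network_address),
                         int(net.broadcast_address), region))
        rows.sort()  # sorted by range start so lookups can binary-search
        self._starts = [start for start, _, _ in rows]
        self._rows = rows

    def lookup(self, ip):
        addr = int(ipaddress.ip_address(ip))
        # Find the last range whose start is <= addr, then check its end.
        i = bisect.bisect_right(self._starts, addr) - 1
        if i >= 0 and addr <= self._rows[i][1]:
            return self._rows[i][2]
        return None  # address not covered by the local table


def region_for(geo, ip, consented, user_correction=None):
    """Hypothetical policy wrapper: without consent no lookup happens at all,
    and a region supplied by the user overrides the database guess."""
    if not consented:
        return None
    if user_correction is not None:
        return user_correction
    return geo.lookup(ip)
```
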
I don't know details of the GDPR (as they don't apply to me) but a logged IP address belonging to the original requestor seems odd, do you also own the footprints you physically left behind on the ground as you walk around?
You may not own the physical footprints, but you have a fundamental right to the personal data encoded in them. A corporate service collecting footprints, offering insights and analysis about those who made them, creating maps and profiling their interests based on where they walk, does concern the basic right to data privacy, even if the whole thing is analog, and not out-sourced, and uses no cookies. This is why I compared it to licensing. A musician may not own every physical record, but they have rights to the music they created. Not a perfect metaphor, but good enough to better understand the concept.
Thank you.