Thursday, July 09, 2009

IP Addresses Not “Personally Identifiable Information”

This posting was written by Thomas A. Long, Editor of CCH Privacy Law in Marketing.

Microsoft’s installation of software onto consumers’ computers that sent information about the computers to Microsoft—including the computers’ Internet Protocol (IP) addresses—did not violate the end user license agreement (EULA) entered into when consumers installed the Windows XP operating system, the federal district court in Seattle has ruled. The software—called “Windows Genuine Advantage”—was used to verify the validity of a user’s version of Windows XP.

The EULA prohibited Microsoft from transmitting “personally identifiable information” from the user’s computer to Microsoft without the user’s consent. One consumer, on behalf of a purported class of similarly situated consumers, asserted that collection of IP addresses violated this prohibition.

An IP address is a number that enables data to be transmitted via the Internet to a particular computer. Computers are assigned IP addresses by users’ Internet service providers. Some IP addresses are “static,” and remain constant, but many are “dynamic,” and change each time the user connects to the Internet.

An IP address is not personally identifiable information (PII), the court said. In order for information to be “personally identifiable,” it must identify a person. An IP address, however, identifies a computer, and it can only do that after the IP address is matched to a list of a particular Internet service provider’s subscribers. Thus, Microsoft’s collection of IP addresses did not breach the EULA, the court concluded. Summary judgment in Microsoft’s favor was granted.

Further details on Johnson v. Microsoft Corp., WD Wash., Case No. C06-0900RAJ, June 23, 2009, will appear in an upcoming issue of CCH Privacy Law in Marketing.

“Protections”

Many privacy laws and regulations provide greater protection to PII than non-PII, with the greatest degree of protection afforded to “sensitive” consumer information, such as a consumer’s Social Security number, financial account numbers, and medical history.

Federal Trade Commission Staff Report

A February 2009 Federal Trade Commission staff report (Self-Regulatory Principles for Online Behavioral Advertising, CCH Privacy Law in Marketing ¶60,300; CCH Trade Regulation Reporter ¶50,240) stated that the advertising industry has traditionally considered IP addresses to be non-PII, but new technologies are likely to make it easier to link IP addresses to specific individuals.

European Union Privacy Directives

Some European Union privacy and data protection officials have taken the position that IP addresses are “personal data,” for purposes of EU privacy directives.

In May 2008, the Article 29 Working Party—an independent advisory body on data protection and privacy—noted that “in most cases—including cases with dynamic IP address allocation—the necessary data will be available to identify the user(s) of the IP address.”

Therefore, the Working Party said, “unless [an] Internet Service Provider is in a position to distinguish with absolute certainty that the data correspond to users that cannot be identified, it will have to treat all IP information as personal data, to be on the safe side” (Article 29 Data Protection Working Party, Opinion on the review of the Directive 2002/58/EC on privacy and electronic communications, CCH Privacy Law in Marketing, ¶60,211).

In a February 2009 opinion, the Working Party said, “IP addresses relate to identifiable persons in most cases. Identifiability means identifiable by the access provider or by other means, with the help of additional identifiers such as cookies or in interactions with internet services with which the data subject is identified explicitly or implicitly” (Article 29 Data Protection Working Party, Opinion 1/2009 on the proposals amending Directive 2002/58/EC on privacy and electronic communications, CCH Privacy Law in Marketing, ¶60,297).
