They’ve Got Your Number: IP Addresses as a Personal Identifier

IP data and privacy

An IP (Internet Protocol) address is a set of numbers assigned to your computer which allows packets of data transmitted over the Internet to reach you. It’s analogous to a street address on a letter; a letter is dropped in a mailbox (sent onto the Internet), then processed by successive post offices (servers), each theoretically getting them closer to their destination, until eventually, they arrive at your house’s mailbox (router). Then whoever sorts your mail (your router) passes the letter to the right person.

Sometimes, an IP address is permanently assigned by a service provider to a given router (this is called a “Static IP address”). It generally costs extra to permanently reserve one, so people mostly do this if they’re operating a business or some kind of permanent service.

The majority of IP addresses are dynamically assigned by the service provider, which means you can wind up with a new one every time you reconnect to the Internet. This kind of strains the physical mail analogy as it would be like having your street number change daily.

They’re likely to all be in the same range – providers own blocks of addresses, which we won’t go into here except to say that it’s easy to find out which provider a given IP address goes to even if you don’t know which specific customer of that provider is using it.

IP Addresses under Privacy Regulations

The basic concept of privacy regulations is that you’re trying to protect individuals from being identified and linked to information about themselves. If a data element can be linked with an individual or used to identify an individual, then it’s personal information. If it can’t, it isn’t.

This is how IP addresses are handled under both GDPR and CCPA. The GDPR doesn’t list specific data elements in Article 4, it just classifies as personal data “any information relating to an identified or identifiable natural person,” and then Recital 30 mentions IP addresses as an identifier which could be used to profile and identify a natural person.

The CCPA (Section 1798.140) lists IP addresses as an identifier in its definition of personal information if the address “identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.” (It’s the same under the upcoming CPRA.)

Changing data

So… given that IP addresses can change, and that they often identify a location with more than one person in it, do they count as personal identifiers? When your site collects them, are you, in fact, collecting personal data?

First off, unlike a name (“Joe Saul”) or a Social Security Number, you can’t just identify an individual from a dynamic IP address. You would need access to additional information to find out who was using it at the time. That doesn’t mean it’s not an identifier, it just means that not everyone could do it. And it creates a potential legal gray area around this issue, depending on whether someone who gets the IP address could reasonably access the additional information needed.

It’s also worth noting that, as the world moves to the newer IP address standard IPv6 (see below), dynamic addresses will increasingly be replaced with static IPv6 addresses, which could be directly looked up and thus would function as direct identifiers.

Close, but close enough

The fact that an IP address may only narrow things down to the individuals living in a house doesn’t make it less of an identifier, though. CCPA explicitly says “a particular consumer or household” in its definition of identifiers, so under CCPA, it doesn’t matter.

The GDPR doesn’t say the same thing, but it’s worth noting that when statisticians look at the identifiability of data, the tendency is to say that it’s identifiable if you can narrow the possible identities down to a small pool of individuals, in part because that’s “close enough” and in part, because you’re likely to be able to distinguish between them with other data you have on hand.

And just how “dynamic” are dynamic IP addresses? Not all that dynamic, it turns out.

In a household situation, where the Internet connection stays up for long periods, routers acquire an address from the service provider and then keep it for a while. A 2020 study found that 87% of individuals in the data set they looked at kept a dynamic IP address for more than a month. (They also found that 93% of users had distinct sets of long-lived IP addresses in their histories which could be used to identify them, which goes to the point about distinguishing individual members of a household.)

The lesson from all of this is: it is safest to treat IP addresses as an identifier and assume that you have to protect them as such. If you believe your situation is an exception, you’ll need to do your homework because the likely presumption will be that they’re identifiers.

Did You Know?

Whether you realize it or not, you’ve probably seen IP addresses around. The old format (IPv4) uses a set of four three-digit base 10 numbers (for example “35.201.92.133”). However, there are a limited number of possible combinations, and the world was going to run out of them, so a newer format (IPv6) is gradually replacing it. IPv6 addresses use a set of eight groups of four hexadecimal numbers (example: “2001:0db8:85a3:0000:0000:8a2e:0370:7334”), allowing for far more combinations. We’re unlikely to run out of those any time in the foreseeable future, but then we never expected to run out of IPv4 addresses either.

 

Author:
J.D., CISSP, CIPM, CIPP/E, FIP. Expertise in law, technology, information security, data privacy, healthcare analytics, and healthcare. Develops privacy and security programs; collaborates across the company to deliver creative solutions while ensuring the privacy and security of data. Passionate about creating a culture where all employees understand the importance of handling data correctly, recognize and speak up about potential issues, and are actively engaged in the process. Experience with Privacy Regulations (HIPAA, GDPR, CCPA etc.), Formal Certifications (ISO, SOC, HITECH, EHNAC), and De-Identification of Data.