Earlier this month at the National Advertising Initiative’s Summit, Jessica Rich, the director of the Federal Trade Commission’s (“FTC”) Bureau of Consumer Protection, made a statement indicating that advertisers should be treating all third party IP addresses as personally identifiable information.
Taken at face value, the repercussions of that statement would be significant because not all IP addresses can be used to identify an individual, and therefore, are not always treated with the same level of scrutiny and protection as other information, such as an address or name. The FTC has taken the position that, under certain circumstances, IP addresses can constitute personally identifiable information. Specifically in the FTC’s 2013 amendments to the Children’s Online Privacy and Protection Act, the FTC defined "personal information" to include "persistent identifiers," such as IP addresses, but only when such persistent identifiers are used to track users over time and across websites or online services.
There are many instances where an IP address cannot be used to identify an individual. An IP address is an address for a computer or a device on the Internet, which exists to allow data to be delivered to that computer or device. An individual’s IP address can change frequently and one IP address can have several unique users. For example, an internet service provider may have a block of 10,000 IP addresses and 20,000 customers. Not all customers are connected at the same time, enabling the internet service provider to assign an IP address to a computer or device when it connects, and reassign that same IP address to a different computer or device when the initial computer or device disconnects. These are commonly referred to as dynamic IP addresses. Consequently, one IP address may be assigned to multiple computers or devices owned by different users over any amount of time. Under the current definition of “personal information”, when an IP address cannot be used to link to a specific user, it does not constitute personally identifiable information, but if the test Ms. Rich articulated were to apply, all IP addresses, even those that cannot be linked to a specific individual, would be considered personally identifiable information.
On the other hand, IP addresses can, when coupled with other information, be used to identify an individual. For example, if you are an internet service provider and you assign an IP address to a computer that connects under a particular subscriber's account, and you know the name and address of that subscriber, then that IP address is now linked to a specific name and address and can be used to recognize that subscriber over time. In addition, social media companies like Facebook or Twitter may be able to recognize people with whom they have an established relationship via IP addresses. Further, some service providers use only static IP addresses, which are unique to a user and can provide additional information, such as a user’s location. In any situation where the IP address can be combined with other information to recognize a specific user, the IP address would likely be treated as personally identifiable information under both the current definition and the test Ms. Rich articulated.
Ms. Rich followed up her talk with a blog post on the FTC’s website. Her post sought to clarify her comments at the NAI Summit, and focused not just on IP addresses, but on the use of all persistent identifiers, particularly in the area of cross device tracking. Specifically, she stated “if you’re collecting persistent identifiers, be careful about making blanket statements to people assuring them that you don’t collect any personal information or the data you collect is anonymous. And as you assess the risks to the data you collect, consider all of your data, not just the data associated with a person’s name or email address.” See “Keeping Up with the Online Advertising Industry,” April 21, 2016.
Online tracking and cross device tracking has been, and will continue to be a fast evolving area. Ms. Rich’s comments and recent blog post don’t warrant any immediate changes but serve as a friendly reminder that website publishers and ad servers should constantly assess what information they are collecting and how they are using it, and should provide notice and choice to consumers regarding interestbased advertising and tracking over time and across websites.