Last month, the director of the FTC’s Bureau of Consumer Protection, Jessica Rich, made a statement which indicated that advertisers should treat all third-party IP addresses as personally identifiable information.
This statement proposes a shift in the FTC’s treatment of IP addresses and other numbers that identify a browser or device, similar to the way that such data is treated in the EU. Although the FTC previously took the position that browser and device identifiers are suitable for privacy protections, the FTC usually refrains from classifying these identifiers as being equivalent to personally identifiable information (such as name, email, and address) except in the restricted context of children’s privacy .
It should be noted that this statement reiterates the FTC's long-held conception that all forms of personal information do not need the same level of protection and that the protection should be appropriate to the risks. Accordingly, companies should be able to continue to treat IP addresses and other persistent identifiers as being different from other types of personal information (such as names and addresses).
Online tracking and cross-device tracking has been, and will continue to be fast evolving surface webs. The recent blog post does not warrant any instantaneous changes but serves as a “friendly” reminder that website publishers and ad servers should continually evaluate what information they are gathering and how they are using it, and should provide notice and choice to consumers concerning interest-based advertising and tracking over time and across websites.