We often hear the following phrase from clients: “We are not collecting PII, we only collect IP addresses.” Companies may be surprised to hear that the law does not always support that view, and businesses must be cautious in their assessment in this area, as multiple laws govern the use of personally identifiable information (PII), which are not always consistent with regard to the classification of Internet Protocol (IP) addresses.
In In re Nickelodeon Consumer Privacy Litigation, the U.S. Court of Appeals for the Third Circuit found that IP addresses do not constitute PII under the Video Privacy Protection Act (VPPA).1 Congress passed the VPPA “[t]o preserve personal privacy with respect to the rental, purchase or delivery of videotapes or similar audiovisual materials.”2 In light of this legislative history, the court held that PII under the VPPA should be limited to “the kind of information that would readily permit an ordinary person to identify a specific individual’s video-watching behavior.”3 IP addresses and other static digital identifiers, the court noted, were likely of little help in identifying an actual person and what videos he or she may have rented, purchased or obtained.4
The U.S. Court of Appeals for the First Circuit takes a more expansive view of PII under the VPPA. In Yershov v. Gannett Satellite Info. Network, Inc., the court held that unique identifiers, such as a cellphone identification number and GPS coordinates, that could theoretically identify a user are considered PII under the VPPA.5 Yet it is unclear whether the First Circuit would find IP addresses alone to be PII, as Yershov also involved geo-location data, which makes it easier to identify an actual individual.
The majority of federal courts that have addressed the issue of whether IP addresses are PII, however, side with the Third Circuit, finding that static identifiers do not “identify” anyone because they are strings of anonymous numbers, and the possibility of matching these identifiers with other data is too hypothetical.6 Application is therefore far from uniform.
Federal statutes also vary in their approach to IP addresses. The Children’s Online Privacy Protection Act (COPPA), which regulates use of online information about children under the age of 13, classifies IP addresses as "personal information," although it does not use the term "PII."7 The Federal Trade Commission, which is responsible for defining personal information under COPPA, has expressly included persistent identifiers, such as IP addresses, in its definition of personal information under the statute.8 The Health Insurance Portability and Accountability Act (HIPAA), which regulates health information sharing, treats IP addresses slightly differently.9 HIPAA does not expressly define IP addresses as personal information, but instead states that only after IP addresses are stripped from health information can a “covered entity [under HIPAA]…determine that health information is not individually identifiable.”10 Other statutes are even less clear. The Gramm-Leach-Bliley Act (GLBA), covering information held by financial institutions, defines PII as “nonpublic personal information.”11 It is therefore uncertain whether nonpublic IP addresses may fall under this definition if they are tied to the information consumers provide to their financial institutions.
Position in the EU
Businesses should also note that EU laws generally consider IP addresses to be PII, or “personal data,” as defined under applicable EU law. There have been opinions from the Advocate General and the Article 29 Working Party (a group of privacy regulators) seemingly supporting this position, and on October 19, 2016 the Court of Justice of the European Union ruled that dynamic IP addresses can constitute "personal data," just like static IP addresses, affording them some protection under EU law against being collected and stored by websites. In addition, under the General Data Protection Regulation (GDPR), which is set to replace the current law in May 2018, the definition of personal data includes “online identifiers,” which, according to Recital 30, include IP addresses. It appears, therefore, that the EU is moving toward a more uniform approach in this area.
In the United States, guidance concerning whether IP addresses are PII is piecemeal. Decisions such as In re Nickelodeon only determine whether IP addresses are protected as PII for specific statutes in specific federal circuits. Accordingly, businesses should be cautious in making sweeping conclusions about their collection and use of IP addresses, as it varies by business type, data type and legal jurisdiction.
*Clay Venetis is a summer associate in Fenwick's litigation group.