The California Consumer Privacy Act (“CCPA”) was enacted in early 2018 as a political compromise to stave off a poorly drafted and plaintiff-friendly ballot initiative. Although the CCPA is scheduled to go into force in early 2020, there is a great deal of confusion regarding the requirements of the CCPA, including the degree to which it aligns with other privacy regulations such as the European General Data Protection Regulation (“GDPR”).
To help address that confusion, BCLP published the California Consumer Privacy Act Practical Guide, and is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the CCPA.
Q. Is an IP address considered “personal information” under the CCPA?
Personal information is defined by the CCPA as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”1 While the Act provides a list of examples of personal information – which explicitly includes “Internet Protocol Address” – it qualifies the examples by stating that they only fall within the definition of personal information if they identify, relate to, describe, are “capable of being associated with,” or “could be reasonably linked” with a particular person.2
In order to determine whether an IP address is linked to a person, it is important to understand what an IP address represents. Computers that access the internet are assigned either a static or a dynamic Internet Protocol (“IP”) address. A static IP address does not change over time (i.e., it is dedicated to a particular computer or user on the network). A dynamic IP address is assigned by a network when a computer connects and, thus, changes over time (e.g., each time that the user reconnects to the network).
When examining whether a static or a dynamic IP address constitutes personal information, California courts may look to how European regulators viewed IP addresses in the context of the European GDPR’s definition of “personal data,” which is substantially similar to the CCPA’s definition of “personal information.”3 The Article 29 Working Party took the position that because static IP addresses do not change, and IP addresses can be used to identify the computer (or user), “[t]he possibility exists in many cases . . . of linking the user’s IP address to other personal data . . . that identify him/her, especially if use is made of invisible processing means to collect additional data on the user (for instance, using cookies containing a unique identifier)….”4 The Working Party further recognized that, because of the nature of dynamic IP addresses, in some cases “a third party can get to know the dynamic IP address of a user but not be able to link it to other data concerning this person that would make his/her identification possible.”5