In a putative class action suit against Microsoft relating to anti-piracy tools built into its Windows operating system (Johnson v. Microsoft Corp., W.D. Wash., No. 06-0900), a Washington federal district court held that IP addresses are not "personally identifiable information." The issue arose in a summary judgment motion on the plaintiff's claim that Microsoft violated the contract between the consumer plaintiffs and Microsoft – that contract was the End User License Agreement ("EULA") that consumers must agree to when first using Microsoft Windows XP.
Windows XP includes the Windows Genuine Advantage tool, which sends certain information from the user's computer to Microsoft to enable Microsoft to identify pirated versions of Windows. The EULA states that Microsoft will not transmit "personally identifiable information" without the user's consent (but did not define the term). Among the information transmitted is the user's IP address, leading to the parties dispute regarding whether an IP address constitutes personally identifiable information.
The court relied on case law from the 6th Circuit Court of Appeals and a California district court in finding that an IP address does not qualify as "personally identifiable information" because (1) an IP address identifies only a computer (but not a specific person) and (2) IP addresses generally change over time as ISPs periodically assign new IP addresses to users' computers.
Companies should exercise caution when relying on this and similar holdings, however. European data protection authorities have taken the opposite view.