To many, “personally identifiable information” (also “PII” or “personal information”) means information that can be used to identify an individual, such as a person’s name, address, email address, social security number/drivers’ license number, etc. However, in the US, there is no uniform definition of personal information. This is because the US takes a “sectoral” approach to data privacy. In the US, data privacy is governed by laws, rules and regulations specific to market sectors such as banking, healthcare, payment processing, and the like, as well as state laws such as breach notification statutes). Companies, such as Google, often include their own definition of personal information in their privacy policy. Even though there is no uniform definition, however, it’s clear that that more and more information is falling under the PII/personal information umbrella.
One category of data with potentially significant implications to US businesses if classified as PII are Internet Protocol (IP) and Media Access Control (MAC) addresses.
- An IP address is a unique numerical or hexadecimal identifier used by computing devices such as computers, smartphones and tablets to identify themselves on a local network or the Internet, and to communicate with other devices. IP addresses can be dynamic (a temporary IP address is assigned each time a device connects to a network), or static (a permanent IP address is assigned to a network device which does not change if it disconnects and reconnects). There are two types of IP addresses – the original IPv4 (e.g., “210.43.92.4”), and the newer IPv6 (e.g., “2001:0db8:85a3:0000:0000:8a2e:0370:7334”).
- A MAC address is a unique identifier used to identify a networkable device, such as a computer/phone/tablet/smartwatch, as well as other connected devices such as smart home technologies, printers, TVs, game consoles, etc. A MAC address is a 12-character hexadecimal (base 16) identifier, e.g., “30:0C:AA:2D:FB:22”. The first half of the address identifies the device manufacturer, and the second half is a unique identifier for a specific device. If a device needs to talk to other devices, it likely has a MAC address.
- Why do devices need both? There are incredibly technical reasons for this, but at a very high level, MAC addresses are used to identify devices on a local wired or wireless network (e.g., your home network) to transmit data packets between devices on that local network, and IP addresses are used to identify devices on the worldwide Internet to transmit data packets between devices connected directly to the Internet. Your router has an IP address assigned by your ISP, as well as a MAC address which identifies it to other devices on the local network. Your router assigns a local IP address (e.g., 192.168.1.2-192.168.1.50) to connected devices by MAC address. Network traffic comes to your router via IP address, and the router determines what MAC device on the network to which to route the traffic.
- Think of a letter mailed to your attention at your corporate office address of 1234 Anyplace Street, Suite 1500, Anytown, US 12345. The mailing address will tell the mail carrier what address to deliver it to, but the carrier won’t deliver it right to you personally. Suppose you are in Cube 324. Your mail room will look up your cube number, and deliver the letter to you. The letter is like an online data packet, the mailing address is like an IP address, the cube number is like a MAC address, and the mail room is like a router — the router takes the inbound packet delivered by IP address and uses the local device’s MAC address to route the packet to the right device on the network.
Canada’s approach. In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) defines “personal information” as “information about an identifiable individual.” The Office of the Privacy Commissioner of Canada (OPCC) has released an interpretation making clear that this definition must be given a “broad and expansive interpretation,” and that it includes information that “relates to or concerns” a data subject. With respect to IP addresses, according to the OPCC an Internet Protocol (IP) address is personal information if it can be associated with an identifiable individual. (Note that in Canada, business contact information is not considered personal information, which implies that an IP or MAC address of a work computing device associated with an employee’s work contact information is not personal information.)
The European approach.ÂIn Europe, the current Data Protection Directive and the proposed Data Protection Regulation both define personal dataÂas “any information relating to an identified or identifiable natural person.” Individual EU member states differ on whether an IP address should be considered personal data. The European Court of Justice (ECJ) has held that IP addresses are protected personal information “because they allow … users to be precisely identified,” and is considering whether to adopt an even stronger position that dynamic IP addresses collected by a website operator are personal information even if though the Internet service provider, and not the website operator, has the data needed to identify the data subject. The same rules should apply to MAC addresses. The new Data Protection Regulation, which will override member state implementations of the Directive, states in its findings that “[n]atural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.”
In the US, the sectoral and state-by-state approach to data privacy does not paint a clear picture as to whether an IP address or MAC address should be considered personal information.
- Specific laws. The one US statute that clearly states that IP and MAC addresses are personal information is the Children’s Online Privacy Protection Act (COPPA). In 2013, the FTC revised the COPPA Rule, which defines “personal information” as “individually identifiable information about an individual collected online,” as specifically including IP addresses, MAC addresses, and other unique device identifiers. The Health Insurance Portability and Accessibility Act (HIPAA) includes device identifiers (such as MAC addresses) and IP addresses as “identifiers” that must be removed in order to de-identify protected health information. State security breach notification laws define personal information, but those laws do not include IP address, MAC address, or other device identifier as PII.
- The FTC’s view. In April, Jessica Rich, the Director of the FTC’s Bureau of Consumer Protection, wrote on the FTC’s business blog about cross-device tracking. In her remarks, she restated the FTC’s long-held position that data is personally identifiable, “and thus warranting privacy protections, when it can be reasonably linked to a particular person, computer, or device. In many cases, persistent identifiers such as device identifiers, MAC addresses, static IP addresses, or cookies meet this test.” She then specifically cited the FTC’s 2013 amendments to the COPPA Rule as an example of this in practice. Director Rich’s comments signal that the FTC views IP and MAC addresses, and other unique device identifiers, in a similar manner as the Office of the Privacy Commissioner of Canada — if it can be associated with an identifiable individual, it should be considered personal information.
- Google’s View. It is also worth looking at Google’s definition from its privacy policy, given Google’s prominence as a collector and user of consumer personal information. Google defines personal information to include both information that personally identifies a person, as well “other data which can be reasonably linked to such information by Google, such as information we associate with your Google account.” This is essentially the FTC’s view, with a reasonableness standard.
Given all this, what should US businesses do?
- Consider using a term to define IP addresses, MAC addresses, and other user device identifiers which identify a thing, not a person, but can be linked to an individual depending on what information is collected or obtained about that individual. I call this information linkable information.
If linkable information is, or reasonably can be, associated or linked with an identifiable individual in your records, it becomes personal information. - Think of your driver’s license and your license plate as things. Your drivers’ license has your name, photo, and other information, so it identifies you. Therefore, a copy of your license would be personal information. On the other hand, your license plate by itself identifies a thing (your vehicle), and therefore by itself is linkable information, but not personal information. However, if your license plate is contained in a list of names and associated license plates maintained by a company, the license plate is associated with you, and therefore the company should handle it as personal information. Similarly, your phone number identifies a thing (your phone, not you, as you can let anyone use your phone) and therefore is linkable information; if your number is linked with an identifiable individual (e.g., the number is associated with a recording an individual’s voice on a phone call), the phone number becomes personal information.
- An IP address in a server log, by itself, is linkable information not linked or associated with an individual, and therefore not personal information. However, an IP address as part of an electronic signature record, where the IP address is collected and stored with a person’s name, time/date stamp of acceptance, and IP address are collected, would be personal information.
- If your company’s privacy policy defines personal information to include device identifiers such as IP addresses and MAC addresses, or defines when device identifiers would be considered personal information, ensure you are doing what your privacy policy says you will do. Failing to comply with a stated privacy policy can give rise to an FTC investigation and/or complaint under §5 of the FTC Act, as well as state AG investigations/actions and private litigation.
- If you collect information from European consumers, given the extra-territorial reach of the upcoming Regulation US companies should carefully watch how IP and MAC addresses fall into the EU’s definition of personal data, and determine whether it needs to comply with Europe’s approach.
- If you collect IP address information from a child under 13Â through a website or app governed by COPPA, by law it’s personal information.
- Talk to your IT group about whether you collect any device information, such as IP or MAC addresses, that could be linkable information, and analyze whether that data is linked or associated with personal information in your systems.