{"id":389,"date":"2016-12-13T12:13:09","date_gmt":"2016-12-13T18:13:09","guid":{"rendered":"http:\/\/ericlambert.net\/blog\/?p=389"},"modified":"2016-12-13T12:13:09","modified_gmt":"2016-12-13T18:13:09","slug":"ip-mac-addresses-personal-information","status":"publish","type":"post","link":"https:\/\/ericlambert.net\/blog\/2016\/12\/13\/ip-mac-addresses-personal-information\/","title":{"rendered":"Are IP and MAC Addresses Personal Information?"},"content":{"rendered":"<p>To many, &#8220;personally identifiable information&#8221; (also &#8220;PII&#8221; or &#8220;personal information&#8221;) means information that can be used to identify an individual, such as\u00a0a person&#8217;s name, address, email address, social security number\/drivers&#8217; license number, etc.\u00a0However, in the US, there is no uniform definition of personal information. This is because the US takes a &#8220;sectoral&#8221; approach to data privacy.\u00a0In the US, data privacy is governed by\u00a0laws, rules and regulations specific to market sectors such as banking, healthcare, payment processing, and the like, as well as state laws such as breach notification statutes.\u00a0Companies,\u00a0such as Google, often include their own definition of personal information\u00a0in their\u00a0privacy policy. Even though there is no uniform definition, it&#8217;s clear that more and more information is falling under the PII\/personal information umbrella.<\/p>\n<p>One category of data with potentially significant implications for US businesses if classified as PII is Internet Protocol (IP) and Media Access Control (MAC) addresses.<\/p>\n<ul>\n<li>An <strong>IP address<\/strong> is a unique numerical or hexadecimal identifier used by computing devices such as computers, smartphones and tablets\u00a0to identify themselves on a local network or the Internet, and to communicate with other devices. 
IP addresses can be dynamic (a temporary\u00a0IP\u00a0address\u00a0is assigned each time a device connects to a network), or static (a permanent\u00a0IP\u00a0address is assigned to a network device which\u00a0does not change if it disconnects and reconnects).\u00a0There are two types of IP addresses &#8211; the original IPv4 (e.g., &#8220;210.43.92.4&#8221;), and the newer IPv6 (e.g., &#8220;2001:0db8:85a3:0000:0000:8a2e:0370:7334&#8221;).<\/li>\n<li>A\u00a0<strong>MAC address<\/strong> is a unique identifier\u00a0used to identify a networkable device, such as a computer\/phone\/tablet\/smartwatch, as well as other connected devices such as smart home technologies, printers, TVs, game consoles, etc.\u00a0A MAC address is a 12-character hexadecimal (base 16) identifier, e.g.,\u00a0&#8220;30:0C:AA:2D:FB:22&#8221;.\u00a0The first half of the address identifies the device manufacturer, and the second half is a unique identifier for a specific device.\u00a0If a device needs to talk to other devices, it likely has a MAC address.<\/li>\n<li><em>Why do devices need both?<\/em>\u00a0There are incredibly\u00a0technical reasons for this, but at a very high level,\u00a0MAC addresses are used to identify devices on a local wired or wireless network (e.g., your home network) to transmit\u00a0data packets between devices on that\u00a0local network, and IP addresses are used to identify devices on the worldwide\u00a0Internet to transmit data packets between devices connected directly to the Internet.\u00a0Your router has an IP address assigned by your ISP, as well as a MAC address which identifies it to other devices on the local network.\u00a0Your router assigns a local IP address (e.g., 192.168.1.2-192.168.1.50) to connected devices by MAC address. 
Network traffic comes to your router via IP address, and the router determines, by MAC address, which device on the network to route\u00a0the traffic to.<\/li>\n<li>Think of\u00a0a letter mailed to your attention at your corporate office address of 1234 Anyplace Street, Suite 1500, Anytown, US 12345.\u00a0The mailing address will tell the mail carrier\u00a0what address\u00a0to deliver it to, but the carrier\u00a0won&#8217;t deliver it right to you personally.\u00a0Suppose\u00a0you are in Cube 324.\u00a0Your mail room will look up your\u00a0cube number, and deliver the letter\u00a0to you.\u00a0The letter is like an online data packet, the mailing address is like an IP address, the cube number is like a MAC address, and the mail room is like a router &#8212; the router\u00a0takes the inbound packet delivered by IP address and uses the local device&#8217;s MAC address to route the packet to the right device on the network.<\/li>\n<\/ul>\n<p><em>Canada&#8217;s approach<\/em>. In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) defines &#8220;personal information&#8221; as &#8220;information about an identifiable individual.&#8221;\u00a0The Office of the Privacy Commissioner of Canada (OPCC) has released an <a href=\"http:\/\/www.priv.gc.ca\/leg_c\/interpretations_02_e.asp\" target=\"_blank\" rel=\"noopener nofollow\">interpretation<\/a>\u00a0making clear that this definition must be given a &#8220;broad and expansive interpretation,&#8221; and that it includes information that &#8220;relates to or concerns&#8221; a data subject.\u00a0With respect to IP addresses, according to the OPCC,\u00a0an Internet Protocol (IP) address is\u00a0personal information\u00a0if it can be associated with an identifiable individual.\u00a0(Note that in Canada, business contact information is not considered personal information, which implies that an IP or MAC address of a work computing device associated with an employee&#8217;s work contact information is not 
personal information.)<\/p>\n<p><em>The European approach.\u00a0<\/em>In Europe, the current Data Protection Directive and the proposed Data Protection Regulation both define\u00a0<a href=\"http:\/\/www.dataprotection.ie\/docs\/EU-Directive-95-46-EC-Chapter-1\/92.htm\" target=\"_blank\" rel=\"noopener nofollow\">personal data\u00a0<\/a>as &#8220;any information relating to an identified or identifiable natural person.&#8221; Individual EU member states differ on whether an IP address should be considered personal data. The <a href=\"http:\/\/eur-lex.europa.eu\/LexUriServ\/LexUriServ.do?uri=CELEX:62010CJ0070:EN:HTML\" target=\"_blank\" rel=\"noopener nofollow\">European Court of Justice (ECJ) has held<\/a> that IP addresses are protected personal information &#8220;because they allow &#8230; users to be precisely identified,&#8221; and is considering whether to adopt an even stronger position that dynamic IP addresses collected by a website operator are personal information even though the Internet service provider, and not the website operator, has the data needed to\u00a0identify the data subject.\u00a0The same rules should apply to MAC addresses.\u00a0The new Data Protection Regulation, which will override member state implementations of the Directive, states in its findings that &#8220;[n]atural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. 
This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.&#8221;<\/p>\n<p>In the US, the sectoral and state-by-state approach to data privacy does not paint a clear picture\u00a0as\u00a0to whether\u00a0an IP address or MAC address should be considered\u00a0personal information.<\/p>\n<ul>\n<li><em>Specific laws<\/em>.\u00a0The one US statute that clearly states that IP and MAC addresses are personal information is the Children&#8217;s Online Privacy Protection Act (COPPA).\u00a0In 2013, the FTC revised the COPPA Rule, which defines &#8220;personal information&#8221; as &#8220;individually identifiable information about an individual collected online,&#8221; as specifically including IP addresses, MAC addresses, and other unique device identifiers.\u00a0The Health Insurance Portability and Accessibility Act (HIPAA) includes device identifiers (such as MAC addresses) and IP addresses as &#8220;identifiers&#8221; that must be removed in order to de-identify protected health information.\u00a0State\u00a0security breach notification laws\u00a0define personal information, but\u00a0those\u00a0laws\u00a0do not include\u00a0IP address, MAC address, or other device identifier as PII.<\/li>\n<li><em>The FTC&#8217;s view<\/em>.\u00a0In April, Jessica Rich, the Director of the FTC&#8217;s Bureau of Consumer Protection, <a href=\"http:\/\/www.ftc.gov\/news-events\/blogs\/business-blog\/2016\/04\/keeping-online-advertising-industry\" target=\"_blank\" rel=\"noopener nofollow\">wrote on the FTC&#8217;s business blog<\/a> about cross-device tracking. In her remarks, she restated the FTC&#8217;s long-held position that data is personally identifiable, &#8220;and thus warranting privacy protections, when it can be\u00a0<em>reasonably linked<\/em> to a particular person, computer, or device. 
In many cases, persistent identifiers such as device identifiers, MAC addresses, static IP addresses, or cookies meet this test.&#8221;\u00a0She then specifically cited the FTC&#8217;s 2013 amendments to the COPPA Rule as an example of this in practice.\u00a0Director Rich&#8217;s comments signal that the FTC views IP and MAC addresses, and other unique device identifiers, in a similar manner as the Office of the Privacy Commissioner of Canada\u00a0&#8212;\u00a0if it can be associated with an identifiable individual, it should be considered personal information.<\/li>\n<li><em>Google&#8217;s View<\/em>.\u00a0It is also worth looking at <a href=\"http:\/\/www.google.com\/policies\/privacy\/key-terms\/#toc-terms-personal-info\" target=\"_blank\" rel=\"noopener nofollow\">Google&#8217;s definition from its privacy policy<\/a>, given Google&#8217;s prominence as a collector and user of consumer personal information.\u00a0Google defines personal information to include both information that personally identifies a person, as well &#8220;other data which can be reasonably linked to such information by Google, such as information we associate with your Google account.&#8221;\u00a0This is essentially the FTC&#8217;s view, with a reasonableness standard.<\/li>\n<\/ul>\n<p>Given all this, what should US businesses do?<\/p>\n<ul>\n<li>Consider using a term to define IP addresses, MAC addresses, and other user device identifiers which identify a <strong>thing<\/strong>, not a <strong>person<\/strong>, but can be linked to an individual depending on what information is collected or obtained\u00a0about that\u00a0individual.\u00a0I call this information\u00a0<em>linkable\u00a0information.<br \/>\n<\/em><strong>If linkable information is, or reasonably\u00a0can be, associated\u00a0or linked with an identifiable individual in your records, it becomes personal information.<br \/>\n<\/strong><\/li>\n<li>Think of your driver&#8217;s license and your license plate as things.\u00a0Your 
drivers&#8217; license has your name, photo, and other information, so <strong>it identifies you<\/strong>.\u00a0Therefore, a copy of your license would be personal information.\u00a0On the other hand, your license plate by itself <strong>identifies a thing<\/strong> (your vehicle), and therefore by itself is linkable information, but not personal information.\u00a0However, if your license plate is contained in\u00a0a list of names and associated\u00a0license plates maintained by a company, the license plate is\u00a0associated with you, and therefore the company should handle\u00a0it as\u00a0personal information. Similarly, your phone number <strong>identifies a\u00a0thing<\/strong> (your phone, not you, as you can let anyone use your phone) and therefore is linkable information; if your number is linked with an identifiable individual (e.g., the number is associated with\u00a0a recording of\u00a0an individual&#8217;s voice on a phone call),\u00a0the phone number becomes personal information.<\/li>\n<li>An IP address in a server log, by itself, is linkable information not linked or associated with an individual, and therefore not\u00a0personal information.\u00a0However, an IP address that is part of an electronic signature record, where it is collected and stored with a person&#8217;s name and the time\/date stamp of acceptance, would be\u00a0personal information.<\/li>\n<li>If your company&#8217;s privacy policy defines personal information to include device identifiers such as IP addresses and MAC addresses, or defines when device identifiers would be considered personal information, ensure you are doing what your privacy policy says you will do.\u00a0Failing to comply with a stated privacy policy can give rise to an FTC investigation and\/or complaint\u00a0under \u00a75 of the FTC Act, as well as state AG investigations\/actions and private litigation.<\/li>\n<li>If you collect information from European consumers, given the 
extra-territorial reach of the upcoming\u00a0Regulation, US companies should carefully watch how IP and MAC addresses fall into the EU&#8217;s definition of personal data, and determine whether they need to comply with Europe&#8217;s approach.<\/li>\n<li>If you collect IP address information from a child under 13\u00a0through a website or app governed by COPPA, by law it&#8217;s personal information.<\/li>\n<li>Talk to your IT group about whether you collect any device information, such as IP or MAC addresses, that could be linkable information, and analyze whether that data is linked or associated with personal information in your systems.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>To many, &#8220;personally identifiable information&#8221; (also &#8220;PII&#8221; or &#8220;personal information&#8221;) means information that can be used to identify an individual, such as\u00a0a person&#8217;s name, address, email address, social security number\/drivers&#8217; license number, etc.\u00a0However, in the US, there is no uniform &hellip; <a href=\"https:\/\/ericlambert.net\/blog\/2016\/12\/13\/ip-mac-addresses-personal-information\/\">Continue reading <span 
class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2,4,8],"tags":[112,123,140],"class_list":["post-389","post","type-post","status-publish","format-standard","hentry","category-compliance","category-legal","category-nonlegal","tag-ip-address","tag-mac-address","tag-pii"],"_links":{"self":[{"href":"https:\/\/ericlambert.net\/blog\/wp-json\/wp\/v2\/posts\/389","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ericlambert.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ericlambert.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ericlambert.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/ericlambert.net\/blog\/wp-json\/wp\/v2\/comments?post=389"}],"version-history":[{"count":0,"href":"https:\/\/ericlambert.net\/blog\/wp-json\/wp\/v2\/posts\/389\/revisions"}],"wp:attachment":[{"href":"https:\/\/ericlambert.net\/blog\/wp-json\/wp\/v2\/media?parent=389"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ericlambert.net\/blog\/wp-json\/wp\/v2\/categories?post=389"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ericlambert.net\/blog\/wp-json\/wp\/v2\/tags?post=389"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}