Pixels and Privacy: Are IP Addresses Personal Information?

Data Privacy
Written By Hosch & Morris

 

July 18, 2024

Privacy Plus+

Privacy, Technology and Perspective

This week, amidst a growing flurry of class action lawsuits against companies for alleged wiretap and privacy violations related to the use of website tracking technologies, particularly "pixels” and session replay software, it's important to revisit the ongoing debate about whether IP addresses constitute personal information.

What is an IP Address?

An IP address (Internet Protocol address) is a unique numerical identifier assigned to each device on the  Internet. When information is sent across the Internet, IP addresses are used so that the Internet knows where the information is being sent to and from.

Defining Personal Information 

Central to many of the privacy claims in these lawsuits is the definition of "personal information" (or “personal data”). Traditionally, personal information is data that can identify an individual directly or indirectly, a core concept to data protection laws including the General Data Protection Regulation (GDPR) in the EU and the California Consumer Privacy Act (CCPA) and other state privacy laws in the U.S.

Both the GDPR and the CCPA take a broad view of personal information.   Under the GDPR, IP addresses are generally considered personal data because they can be used to identify individuals when combined with other data.  Similarly, in California, “personal information” includes online identifiers such as an IP address, but only if the identifier “identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Hence, the CCPA is more nuanced, often requiring a case-by-case analysis to determine whether an IP address is personal information based on how it is used and whether it can be reasonably linked to an individual.

Are IP Addresses Personal Information?

Identifying individuals based on their IP addresses presents challenges. While IP addresses can sometimes identify individuals, several factors argue against always considering them personal information.  For example:

  • Dynamic assignment: Many IP addresses are dynamically assigned by internet service providers and change frequently, making it difficult to consistently link an IP address to a specific individual.

  • Shared networks and devices: These days, there are more networks and devices than there are IP addresses. Hence, IP addresses are often shared by multiple users on the same network or device. This sharing makes it difficult to associate an IP address with a single person.

  • Use of proxies and VPNs: Use of proxy servers or virtual private networks (VPNs) masks IP addresses, further complicating the ability to link an IP address to a specific individual.

  • Technical limitations: Many websites and online services that collect IP addresses cannot trace them back to individual users without assistance from internet service providers. Thus, services that use pixels and other tracking technologies may not have the ability to independently identify the individuals associated with the IP addresses they collect.

Our Thoughts

 An IP address alone is unlikely to be considered personal information. However, when combined with other data or used to build a profile of an individual, it can become personal information, even if the individual's name remains unknown. The GDPR, CCPA, and other privacy laws provide frameworks that allow IP addresses to be treated as personal information under certain conditions. These conditions depend on the context in which the IP address is used and whether it can be linked to an individual.

Despite these frameworks, practical challenges exist in consistently linking IP addresses to specific individuals, complicating their legal status. Dynamic assignment by ISPs, shared networks and devices, and the use of proxies and VPNs all contribute to the difficulty of pinpointing an individual based solely on their IP address.

This complexity highlights the need for careful, case-by-case analysis to determine if an IP address is personal information in a particular context. Each situation presents unique circumstances that affect whether an IP address can be considered personal information under the law.

In pixel and session replay litigation, this issue intersects with another potentially more challenging question: Can individual class members be identified based on IP addresses and other collected data? The ability to identify class members is crucial for the success of class action lawsuits. However, given the challenges, this identification process can be difficult, and potentially impact the viability of the case.

Do note that plaintiffs still may take advantage of various wiretapping and anti-hacking statutes to bring claims – tracking tools may record other user-specific data that can implicate a wide variety of legal theories, including other statutory and even common law claims like breach of contract and invasion of privacy.

--- 

Hosch & Morris, PLLC is a boutique law firm dedicated to data privacy and protection, cybersecurity, the Internet, and technology. Open the Future℠.

 

Hosch & Morris https://hoschmorris.com
Previous

CrowdStrike Limits Liability?: "Fees Paid" vs. "Fees Paid or Payable"

Next

Navigating the Texas Data Privacy and Security Act: Insights from the Attorney General’s New Resource