PII or NOT PII? - Part 1- IP Address

Blog post created by KevinNg on Mar 21, 2018

This is going to be a multi-part series on the various types of data that I come across out in the field and whether they're considered PII under various international regulations.

Note: The following information should not in any way be treated as formal legal advice, only as suggestions, and should always be verified with your data security, compliance or legal department.

Part 1 will start with an interesting one that I've recently come across: are IP addresses considered PII?

European Union

GDPR - Yes

Recital 30 of the General Data Protection Regulation (GDPR) states that "Natural persons may be associated with online identifiers provided by their devices... such as internet protocol addresses".

USA

The US has hundreds of data security laws, which makes summarizing a bit difficult, but below are some of the acts that explicitly mention IP addresses in their text.

HIPAA - Yes

According to the United States Code of Federal Regulations (CFR) Title 45 Section 164.514:

"The following identifiers of the individual or of relatives, employers, or household members of the individual, are removed:...(O) Internet Protocol (IP) address numbers". So IP addresses are considered PHI for healthcare providers.

COPPA - Yes

In CFR Title 16 Section 312.2:

"Personal information means individually identifiable information about an individual collected online, including:... (7) A persistent identifier that can be used to recognize a user over time and across different Web sites or online services. Such persistent identifier includes...an Internet Protocol (IP) address...". Therefore, if the business collects IP information of children under 13, then IP addresses are considered PII.

Other interpretations - Highly Likely

In a blog post by former FTC director Jessica Rich, she reasons that the FTC regards "data as 'personally identifiable,' and thus warranting privacy protections, when it can be reasonably linked to a particular person, computer, or device. In many cases, persistent identifiers such as device identifiers, MAC addresses, static IP addresses, or cookies meet this test."

Canada

PIPEDA - Possible

This is a slightly more complex one. According to the Office of the Privacy Commissioner of Canada's October 2013 interpretation bulletin, "An Internet Protocol (IP) address can be considered personal information if it can be associated with an identifiable individual." So if the IP address is stored along with other identifiers that can be traced back to the individual, then it's considered PII. However, in Canada, PIPEDA does not apply to the business contact information of an individual, which leaves the classification of IP addresses as PII open to broad interpretation (e.g., is the IP address of an individual using their work laptop at home PII?).

Outcomes