Last updated on May 12, 2022.
Is an IP address PII?
For network administrators who deal in thousands of IP addresses daily, the question has real implications. Does an internet protocol (IP) address constitute personal data that can be used to identify a specific individual? And, as such, do organizations have to protect it?
The legal boundaries and technical requirements involved in safeguarding personally identifiable information (PII) are relatively clear. As part of general data protection activities, many lump IP address information into this category by default.
The question is whether it truly belongs there.
This post will first examine what, exactly, an IP address contains. Then it will delve into past court rulings in both the U.S. and Europe that have attempted to answer this question. Finally, it will offer some guidance for companies and explain how BlueCat protects IP address data.
What’s in an IP address?
Each device connected to a network needs an IP address that is unique within that network. The Domain Name System (DNS) translates human-readable domain names (like bluecatnetworks.com) into the numeric IP addresses computers use, like 192.0.2.146.
By itself, an IP address in a DNS query log only indicates which device sent the query. That is not very useful unless you also know where that device is and who is using it. The picture only becomes clearer when the address is correlated with user logs, query patterns, location data, DHCP lease records, and other contextual information.
Even then, proxy servers and VPNs can throw trackers off the scent. DHCP also frequently reassigns addresses (dynamic IP addresses), so the same address can belong to different devices at different times. That makes it difficult to track a single computer or user over time.
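The correlation step described above, as an added example (this is not code from the original post or from BlueCat): a Python script that joins a constructed DNS query log to a constructed DHCP lease history and attributes each query to the device that held the lease at that instant. The log formats, addresses, hardware addresses, and hostnames are all assumptions for illustration, not any product's real format. It also shows the wrong way, attributing by address alone, which misattributes queries once an address has been reassigned.

```python
from datetime import datetime, timedelta
from typing import List, NamedTuple, Optional, Tuple

# Constructed DHCP lease history (not a real product's format): lease start,
# address, client hardware address, hostname, lease length. Note that
# 10.0.0.25 is leased to two different devices on the same day.
DHCP_LEASES = """\
2022-05-12T08:55:00 10.0.0.25 aa:bb:cc:00:00:01 laptop-alice 4h
2022-05-12T09:00:00 10.0.0.31 aa:bb:cc:00:00:02 desktop-carol 4h
2022-05-12T14:30:00 10.0.0.25 aa:bb:cc:00:00:03 phone-bob 4h
"""

# Constructed DNS query log: timestamp, client address, queried name.
DNS_QUERIES = """\
2022-05-12T09:02:11 10.0.0.25 bluecatnetworks.com
2022-05-12T09:03:40 10.0.0.31 example.org
2022-05-12T15:01:05 10.0.0.25 example.net
2022-05-12T19:30:00 10.0.0.25 example.com
"""


class Lease(NamedTuple):
    start: datetime
    end: datetime
    ip: str
    mac: str
    hostname: str


def parse_leases(text: str) -> List[Lease]:
    """Parse the constructed lease format into time-bounded Lease records."""
    leases = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, mac, hostname, length = line.split()
        start = datetime.fromisoformat(ts)
        end = start + timedelta(hours=int(length.rstrip("h")))
        leases.append(Lease(start, end, ip, mac, hostname))
    return leases


def device_for(ip: str, when: datetime, leases: List[Lease]) -> Optional[Lease]:
    """The lease that covered `ip` at `when`, or None if no lease was active
    (the address was free, statically assigned, or the lease log has a gap)."""
    for lease in leases:
        if lease.ip == ip and lease.start <= when < lease.end:
            return lease
    return None


def naive_owner(ip: str, leases: List[Lease]) -> Optional[str]:
    """The wrong way: ignore time and take whichever device held the address
    most recently. With dynamic addresses this misattributes older queries."""
    matching = [lease for lease in leases if lease.ip == ip]
    return max(matching, key=lambda lease: lease.start).hostname if matching else None


def attribute_queries(query_text: str, lease_text: str) -> List[Tuple[str, str, str]]:
    """Join each query to the device that held its source address at that
    instant. Returns (timestamp, queried name, hostname or 'unknown')."""
    leases = parse_leases(lease_text)
    rows = []
    for line in query_text.splitlines():
        if not line.strip():
            continue
        ts, ip, qname = line.split()
        lease = device_for(ip, datetime.fromisoformat(ts), leases)
        rows.append((ts, qname, lease.hostname if lease else "unknown"))
    return rows


if __name__ == "__main__":
    for ts, qname, host in attribute_queries(DNS_QUERIES, DHCP_LEASES):
        print(ts, qname, "->", host)
    print("naive owner of 10.0.0.25:", naive_owner("10.0.0.25", parse_leases(DHCP_LEASES)))
```

The first query from 10.0.0.25 resolves to laptop-alice and the 15:01 query to phone-bob, while the 19:30 query falls after every lease on that address and stays unknown; the naive lookup would pin all three on phone-bob. Real lease logs also record renewals and releases, which extend or cut short the window, both logs must use the same clock and time zone, and the joined result is itself a device-to-person record that needs at least the protection given to the raw addresses.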
So, does an IP address act as an online identifier or contain your personal information?
Court cases weigh in: Is an IP address PII?
U.S. court rulings
That reasoning was the logic behind a 2009 court ruling in Johnson v. Microsoft Corp. The judge declined to extend PII-level protection to IP addresses by themselves. The ruling states that “[in] order for ‘personally identifiable information’ to be personally identifiable, it must identify a person. But an IP address identifies a computer.”
However, not everyone agrees that this is the end of the story.
Guidance from the U.S. Federal Trade Commission is more nuanced. It says, “We regard data as ‘personally identifiable,’ and thus warranting privacy protections when it can be reasonably linked to a particular person, computer, or device. In many cases, persistent identifiers such as device identifiers, MAC addresses, static IP addresses, or cookies meet this test.”
In 2008, the New Jersey Supreme Court likewise found that the bar for correlating addresses with other data sources was low. In State v. Reid, it held that IP address information forms part of a user’s “reasonable expectation of privacy,” and that users are entitled to that expectation when using a commercial ISP.
The California Consumer Privacy Act (CCPA) of 2018 also defines personal information to include IP addresses, but only where the address “identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
What that means as a practical matter for businesses is rather unclear, according to the International Association of Privacy Professionals.
And then there’s Europe. The European Union’s General Data Protection Regulation (GDPR), widely considered the paragon of personal privacy protections, likely inspired the CCPA.
EU data protection law has a broader scope. Both the GDPR and the Data Protection Directive that preceded it define personal data (the EU term for PII) as information relating to a person who can be identified “directly or indirectly.” This raises the question of how “indirectly” should be applied.
In 2016, the Court of Justice of the European Union provided an answer. In Breyer v. Germany, the court ruled that IP addresses can be personal data, in certain circumstances. A dynamic IP address logged by a website operator counts as personal data when the operator has legal means to obtain, from the ISP, the additional customer data needed to identify the subscriber behind it.
However, the court limited its ruling: the Directive’s protections would not apply to an IP address that cannot be linked to such additional data. This essentially splits the difference over whether an IP address is a unique identifier, much as the U.S. courts have done.
If an IP address is PII, what should companies do?
All of this nuance isn’t very helpful for compliance officers and network administrators. Both typically deal with more concrete standards.
Many of them default to stricter PII privacy standards for IP address information. It’s easier and the guidance is clearer.
BlueCat strives to protect this information while using it in the service of network security and DNS management, and has kept pace with requirements as they change. BlueCat’s enterprise DNS platforms protect IP address information through anonymization, encryption, and restricted access. Customers can also apply a wide variety of their own controls and restrictions to IP address data.
These methods ensure robust data protection regardless of your organization’s view.
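What anonymization of IP address data looks like in practice, as an added example rather than BlueCat’s implementation or a description of its platform: a Python script that applies the two techniques most commonly used on DNS query logs, prefix truncation and keyed pseudonymization (HMAC-SHA256), to constructed log lines. The log format, the key, and the prefix lengths are assumptions for illustration.

```python
import hashlib
import hmac
import ipaddress
from collections import Counter
from typing import Callable, List

# Constructed DNS query log: timestamp, client address, queried name. Two
# lines come from the same IPv4 client, one from a neighbour in the same
# /24, and one from an IPv6 client.
SAMPLE_LOG = """\
2022-05-12T09:02:11 192.0.2.146 bluecatnetworks.com
2022-05-12T09:02:15 192.0.2.146 example.org
2022-05-12T09:03:40 192.0.2.201 example.net
2022-05-12T09:04:02 2001:db8:abcd:1234::1 example.com
"""

# Constructed key for the example. In production it comes from a secret
# store, not the log pipeline's source; rotating it deliberately breaks
# linkability across the rotation boundary.
PSEUDONYM_KEY = bytes.fromhex("a1b2c3d4e5f60718293a4b5c6d7e8f90" * 2)


def truncate_ip(ip_str: str, v4_prefix: int = 24, v6_prefix: int = 48) -> str:
    """Zero the host bits. Irreversible, but every client in the same prefix
    collapses to one value, so per-client analytics are lost."""
    ip = ipaddress.ip_address(ip_str)
    prefix = v4_prefix if ip.version == 4 else v6_prefix
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)


def pseudonymise_ip(ip_str: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed pseudonym: the same client always maps to the same token, so
    queries can still be counted per client, but without the key the token
    cannot be reversed. An unkeyed hash would not do: all 2**32 IPv4
    addresses can be hashed in minutes to build a reverse lookup table."""
    ip = ipaddress.ip_address(ip_str)  # normalises the text form, rejects garbage
    tag = hmac.new(key, ip.packed, hashlib.sha256).hexdigest()
    return "ip-" + tag[:16]  # 64 bits is ample to avoid collisions within a log


def anonymise_log(text: str, transform: Callable[[str], str]) -> List[str]:
    """Rewrite the client-address field of each log line with `transform`."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, qname = line.split()
        out.append(f"{ts} {transform(ip)} {qname}")
    return out


def queries_per_client(lines: List[str]) -> Counter:
    """Count queries by the (transformed) client field."""
    return Counter(line.split()[1] for line in lines)


if __name__ == "__main__":
    for name, fn in (("truncated", truncate_ip), ("pseudonymised", pseudonymise_ip)):
        lines = anonymise_log(SAMPLE_LOG, fn)
        print(name, dict(queries_per_client(lines)))
```

Truncation merges the two IPv4 clients into one 192.0.2.0 bucket, which is the point if the goal is to stop identifying individuals; pseudonymization keeps three distinct clients and the two-query count for the repeat client, which is the point if the goal is per-client analytics under a key that is held separately from the logs. Encrypting the stored log and restricting who can read the key are what make the second option defensible.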