As companies grapple with complying with the California Consumer Privacy Act, they will need to decide whether the internet protocol addresses they collect from consumers are considered “personal information” and thus within the scope of this new law. It will not be easy.
The CCPA defines “personal information” to include online identifies such as an IP address, but only if the identifier “identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” For many businesses, the collection of IP addresses provides multiple benefits from monitoring website traffic to advertising, tracking and deterring malicious activity. But are IP addresses “reasonably capable” of being associated with or “linked” to an individual or household? If not, do they still “relate[] to” or “describe” a consumer or household? These questions are critical to address, because if IP addresses are considered to be “personal information,” then businesses may find themselves subject to additional obligations under the CCPA or forced to rethink how they handle IP addresses as part of their online business.
The CCPA’s proposed regulations
The CCPA’s definition of personal information expressly contemplates including IP addresses. An IP address alone may not allow a business to identify a particular consumer or household; however, in many — if not most — cases, an ISP can link an IP address with a name, home address, phone number, email address and even payment information. To be successful, certain statutes require requests for an ISP to link an IP address to an individual to be accompanied by a court order, subpoena or a law enforcement warrant. Unfortunately, it is unclear whether such efforts would be considered “reasonably capable” of linking an IP address to an individual or household such that all IP addresses are personal information under the CCPA.
On Feb. 10, the California attorney general issued its first set of modifications to its proposed CCPA regulations. These modifications included the following guidance:
“[I]f a business collects the IP addresses of visitors to its websites but does not link the IP address to any particular consumer or household, and could not reasonably link the IP address with a particular consumer or household, then the IP address would not be ‘personal information.”
This guidance was critical in clarifying that the CCPA’s “reasonableness” inquiry was focused on the receiving entity itself — not on the ability of third parties, such as ISPs, to link information to individuals or consumers. In other words, if the business did not link the IP address to a consumer or household, and the business could not reasonably link the IP address with a particular consumer or household, the IP address would not be personal information. This interpretation aligns with the reality that even if businesses wished to link IP addresses to individuals or households, many would lack the information needed to do so themselves and would be unlikely to succeed in compelling an ISP to do so for them. However, when the attorney general revised its draft regulations for a second time March 11, the guidance was struck without explanation.
Europe’s treatment of IP addresses
So how has the IP address question played out in Europe, where the EU General Data Protection Regulation — which undoubtedly inspired the CCPA — is in effect?
The GDPR defines “personal data” as “any information relating to an identified or identifiable natural person.” Recital 26 of the GDPR provides that “[t]o determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly.” And in determining whether the means are “reasonably likely to be used,” one must consider “all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments.”
In Breyer v. Bundesrepublik Deutschland, the European Court of Justice addressed whether dynamic IP addresses — i.e., IP addresses that are newly issued to a device upon its reconnection to the internet — collected by publicly accessible websites constituted “personal data” if a third party ISP could link the dynamic IP addresses to data subjects. The court recognized two potential approaches: an objective or relative one.
Under the objective approach, whether information is personal data would require considering whether any entity could link the information to an individual. In other words, under this approach, if any ISP could tie an IP address to an individual, the IP address would be personal data irrespective of the possessor’s technological savvy or resources. In contrast, the relative approach would focus on whether the possessor of the IP address could link it to an individual. Without expressly rejecting the objective approach, the court appeared to adopt the relative approach. Applying the language contained in Recital 26, the court recognized it needed to first “determine[] whether the possibility to combine a dynamic IP address with the additional data held by the [ISP] constitutes a means likely reasonably to be used to identify the data subject.” Ultimately, the court held the website provider had the means likely reasonably to tie dynamic IP addresses back to individuals because it had legal means for compelling ISPs to do so. Therefore, it held that dynamic IP addresses collected by a publicly accessible website constituted personal data “in relation to that provider.”
If a court or regulator interpreting the CCPA were to adopt the Breyer court’s reasoning, it would focus on whether the business that possesses the IP address data — and not an unrelated third party, such as an ISP provider — could link an IP address to a particular individual or household. The attorney general appeared to adopt such an approach in Section 999.302 of the First Modifications, which has now been retracted. However, even assuming the attorney general or California courts were to adopt this approach, one important question would remain: Does the availability of legal means to compel ISPs to link an IP address to an individual or household constitute a “reasonable” means of doing so under the CCPA? The Breyer court seemed to think so, at least under Europe’s Directive 95/46. Notably, however, in so holding, the court did not engage in an analysis of objective factors set out in Recital 26, such as the costs, time and effort that would be required to compel an ISP to cooperate. And one could plausibly argue that, upon consideration of these objective factors, exhaustion of such legal remedies in the U.S. would be unreasonable.
The attorney general’s removal of its guidance on how to interpret whether “personal information” includes IP addresses that the business could not reasonably link to a particular consumer or household now leaves the business community with tremendous uncertainty. It remains unclear whether IP addresses collected by a business would constitute personal information under the CCPA and what considerations are relevant, if any, in making that determination. Indeed, the deletion may be an early signal that the attorney general intends to take an expansive view of personal information, one that looks closer to the objective approach set out in Breyer. Considering that a website receiving a mere 137 unique visits per day from California residents would subject the website host to the CCPA’s requirements, additional guidance from the attorney general on this question would be very welcome. But if such guidance does not come soon, businesses would be wise to carefully consider how they handle IP addresses, whether they possess the tools internally to link such addresses to individual consumers or households, and how they would be impacted if IP addresses were to be considered personal information under the CCPA.
Photo by Enrique Ortega Miranda on Unsplash