Are tracking cookies personally identifiable information (PII)? What about IP addresses, MAC addresses, or mobile advertising identifiers — are they personal data, or can they be described as anonymous?
EU laws, as well as HIPAA and COPPA in the U.S., have labeled these identifiers personal in many cases. Yet, in most privacy policies, it remains widespread practice to describe these kinds of data points as “non-personal” or “anonymous.” The New York Times website, for example, labels in its privacy policy “non-personal” various categories of information, including device IDs, cookies, log files, reading history, and even location information.
While speaking recently to Network Advertising Initiative members, Jessica Rich, the FTC’s Consumer Protection Bureau chief, focused attention to these practices while describing the FTC’s position on persistent identifiers and privacy. In a follow-up blog post, Rich noted, “We regard data as ‘personally identifiable,’ and thus warranting privacy protections, when it can be reasonably linked to a particular person, computer, or device. In many cases, persistent identifiers such as device identifiers, MAC addresses, static IP addresses, or cookies meet this test.”
This is, of course, what the FTC has said for years. Rich pointed to both the agency’s 2009 staff report on online behavioral advertising and the 2012 Privacy Report. It’s also what Rich and other senior staff have conveyed to privacy professionals at IAPP conferences and events like the a strict view of de-identification, referring to any information that could possibly be linked to an identity as personal. In Europe, regulators avoid the term de-identification altogether, employing instead a view of anonymization that leaves little room for nuance. European regulation seems to imply that any risk of re-identification, however remote and by whichever third party, brings data under the full remit of data protection law.
[quote]Despite a broad consensus around the need for and value of de-identification, the debate as to whether and when data can be said to be truly de-identified appears interminable.[/quote]
Despite a broad consensus around the need for and value of de-identification, the debate as to whether and when data can be said to be truly de-identified appears interminable. Although academics, regulators, and other stakeholders have sought for years to establish common standards for de-identification, they have so far failed to adopt even a common terminology.
It’s this very gap between common terms and shared understandings that the Future of Privacy Forum has taken on in a new paper,Shades of Gray: Seeing the Full Spectrum of Practical Data De-Identification (forthcoming in the Santa Clara Law Review) with an accompanying