iProbably not.
Most modern state privacy laws attempt to carve out organizations that process de minimis amounts of personal information, or whose business activities do not monetize data. While the specific thresholds differ between states, many of the new statutes only apply to organizations that control or process personal information relating to at least 100,000 state residents.[1] Many organizations struggle to quantify the number of state residents about whom they have personal information, and often consider whether analytics reports that show the number of “visits” to their website from certain regions (e.g., a specific state) suggest they have met, or exceeded, the thresholds.
As an initial matter, ambiguity exists as to whether IP addresses are considered personal information. For example, under the California Consumer Privacy Act (as amended by the California Privacy Rights Act), personal information is defined as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”[2] While the Act provides a list of examples of personal information that explicitly includes “Internet Protocol Address,” it qualifies the examples by stating that they fall within the definition of personal information only if they identify, relate to, describe, are “capable of being associated with,” or “could be reasonably linked” with a particular person.[3] In order to determine whether an IP address is linked to a person, it is important to understand what an IP address represents. Computers that access the internet are assigned either a static or a dynamic Internet Protocol (IP) address. A static IP address does not change often over time (i.e., it is dedicated for an indefinite time to a particular computer, network, or user). A dynamic IP address is assigned by a network when a computer connects and, thus, changes over time (e.g., each time the user reconnects to the network). The California Attorney General was asked to clarify that IP addresses could not, by themselves, constitute personal information under the CCPA, but he refused to do so, stating only that such determination is a “fact-specific and contextual” determination.[4] In other words, whether a specific IP address relates to a person and, as a result, constitutes personal information, is itself a fact-specific question.
Many websites receive aggregated reports from third party analytics companies that display how many IP addresses accessed a website from a specific region (e.g., Colorado). In providing a total volume of IP addresses that accessed a website from a region, such reports are functionally aggregating thousands (sometimes millions) of fact-specific situations. In other words, it is difficult, if not impossible, for an organization that receives a report of a website being accessed from one million IP addresses associated with Colorado to know what percentage of those addresses fall within the following situations or buckets:
| Situation | Likelihood IP address represents a unique state resident | Explanation |
|---|---|---|
| Visits initiated by bots. | Unlikely | The IP address would not be personal information, nor would it relate to a state resident and, as a result, would not be relevant when determining whether a particular state volume threshold had been reached |
| Visits initiated by individuals physically within the state, but who are not state residents (e.g., tourists). | Unlikely | The IP address might be personal information depending on whether the IP address resolves to a specific person (i.e., was a static IP address). Even if it were personal information, however, it would not count against the volume threshold in states where the volume threshold relates to state residents. |
| Multiple visits initiated by the same person who accesses a website from different devices (e.g., home computer and a smartphone). | Unlikely | The IP addresses might be personal information depending on whether they resolve to a specific person (i.e., were static IP addresses). Assuming they are static IP addresses, while the first visit might count against the volume threshold, subsequent visits should not as the thresholds refer to the number of state residents, not the number of times state residents access a website. |
| Visits initiated by the same person accessing a website from the same device (but with a different IP address assigned each time). | Unlikely | If a different IP address is assigned each time (i.e., dynamic IP address) the IP address may not constitute personal information. Furthermore, even if it did constitute personal information, multiple visits from a single person should not count against the volume threshold, as the threshold refers to the number of state residents, not the number of times state residents access a website. |
| Visits initiated by an out-of-state resident utilizing a Colorado-associated IP address (i.e., via a VPN) | Unlikely | The IP address is unlikely to be personal information as VPN systems typically assign a dynamic IP address each time an individual logs on. Even if it were considered personal information, the volume threshold relates only to residents of a state, not simply individuals that utilize IP addresses associated with a state. |
| Visits initiated by businesses, or individuals acting in an employment context | Unlikely in states that do not apply their privacy statutes to individuals acting in an employment context (e.g., Colorado, Connecticut, Virginia, etc.). | The IP address might be personal information depending on whether the IP address resolved to a specific person (i.e., was a static IP address). Even if it were personal information, however, it may not count against the volume threshold in states that exclude residents acting in a commercial capacity.[5] |
| Visits initiated by an in-state resident utilizing a dynamic IP address | Unlikely | If a different IP address is assigned each time (i.e., dynamic IP address) the IP address may not, in fact, constitute personal information. |
| Visits initiated by an in-state resident utilizing a static IP address | Likely | Assuming the IP address is associated with a particular person, and that person is an in-state resident, it is possible the IP address would count toward the state’s volume threshold. |
If a state attorney general were to bring an enforcement action under one of the modern state privacy laws, the attorney general would bear the burden of establishing that the state statute applies to the company. Given the difficulty for either party – an organization or the attorney general – to determine the percentage of website visitors that fall into each of the categories above with any certainty, it may be unlikely that an attorney general would base the applicability of the statute on the number of website visits associated with in-state IP addresses.
[1] See, e.g., C.R.S. 6-1-1304(1)(b)(I), (II). For a comparison of the jurisdictional triggers of the modern state privacy statutes see our previous blog post, “Understanding the Delta Among State Privacy Statutes: Jurisdictional Triggers.” Note that most modern state statutes include a volume-threshold step-down wherein a smaller quantity of in-state residents is required if an organization sells personal information.
[2] Cal. Civ. Code § 1798.140 (v)(1) (West 2023).
[3] Cal. Civ. Code § 1798.140 (v)(1) (West 2023).
[4] FSOR Appendix A at 4 (Response 15), 124 (Response 401), 236 (Response 689); FSOR Appendix E at 7 (Response 11).
[5] See, e.g., C.R.S. 6-1-1303(6)(b) (2023).
