FTC’s Jessica Rich Argues IP Addresses and Other Persistent Identifiers Are “Personally Identifiable”
In a blog post published on the Federal Trade Commission (FTC) website, Jessica Rich, Director of the FTC’s Bureau of Consumer Protection, recently stated that:
“we regard data as ‘personally identifiable,’ and thus warranting privacy protections, when it can be reasonably linked to a particular person, computer, or device. In many cases, persistent identifiers such as device identifiers, MAC addresses, static IP addresses, or cookies meet this test.”
The post (which reiterates Ms. Rich’s remarks at the Network Advertising Initiative’s April meeting) suggests a shift in the FTC’s treatment of IP addresses and other numbers that identify a browser or device. The FTC previously has taken the position that browser and device identifiers are deserving of privacy protections, but the FTC generally has avoided classifying these identifiers as equivalent to personally identifiable information (such as name, email, and address) except in the narrow context of children’s privacy. (The FTC’s rule implementing the Children’s Online Privacy Protection Act defines “personal information” to include a “persistent identifier that can be used to recognize a user over time and across different Web sites or online services.”)
For example, the FTC staff’s 2009 Self-Regulatory Principles for Online Behavioral Advertising state:
In many cases, the information collected is not personally identifiable in the traditional sense – that is, the information does not include the consumer’s name, physical address, or similar identifier that could be used to identify the consumer in the offline world. Instead, businesses generally use “cookies” to track consumers’ activities and associate those activities with a particular computer or device. . . . [H]owever, it may be possible to link or merge the collected information with personally identifiable information – for example, name, address, and other information provided by a consumer when the consumer registers at a website.
The FTC’s 2012 Report on Protecting Consumer Privacy in an Era of Rapid Changeavoided classifying browser and device identifiers as “personally identifiable” information. Instead, the Commission concluded that privacy protections apply “even if the individual pieces of data do not constitute PII,” as long as the consumer data “can be reasonably linked to a specific consumer, computer, or other device.”
Notably, a blanket characterization of browser and device identifiers as “personally identifiable” information for purposes of Section 5 of the FTC Act is in tension with certain privacy statutes as interpreted by the federal courts. For instance:
Section 631 of the Cable Communications Policy Act of 1984 defines the term “personally identifiable information” in the negative to “not include any record of aggregate data which does not identify particular persons.” 47 U.S.C. 551(a)(2)(A). Courts interpreting this statute have concluded that device identifiers, on their own, are not “personally identifiable information.” See Klimas v. Comcast Cable Communications, Inc., Case No. 02-CV-72054-DT, 2003 WL 23472182, *5 (E.D. Mich. July 1, 2003) (“[U]nless an IP address is correlated to some other information, such as Comcast’s log of IP addresses assigned to its subscribers (or a hotel registry in the analogy of hotel room numbers), it does not identify any single subscriber by itself. In other words, an IP address, by itself, is not ‘specific information about the subscriber.’ Therefore, Comcast’s collection of IP-URL linkages cannot constitute PII unless it is linked to the IP address/subscriber log.”); Pruitt v. Comcast Cable Holdings, LLC, 100 Fed. Appx. 713, 716 (10th Cir. 2004) (“Without [additional information] one cannot connect the [information contained in the converter box] with a specific consumer”).
Courts interpreting the definition of “personally identifiable information” in the Video Privacy Protection Act (VPPA) have found that browser and device identifiers do not constitute “personally identifiable” information. See, e.g.,Robinson v. Disney Online (ruling that information is personally identifiable only if it is “information which itself identifies a particular person”); In Re Hulu Privacy Litigation (“That being said, considering the ordinary meaning of the plain language of the statute, the language supports the conclusion that the disclosure must be pegged to an identifiable person (as opposed to an anonymous person).”).
Notably, the post reiterates the Commission’s long-held view that “all forms of personal information don’t need the same level of protection” and that the protections should be “appropriate to the risks.” Consequently, companies should be able to continue to treat IP addresses and other persistent identifiers different than other types of personal information (such as names and addresses).