In a closely-watched case, the U.S. District Court for the Western District of Washington recently held that Internet Protocol (“IP”) addresses do not constitute personally identifiable information (“PII”). The plaintiffs in Johnson v. Microsoft Corp. brought a class action suit against Microsoft claiming that the collection of consumer IP addresses during the Windows XP installation process violated the XP End User License Agreement. The Agreement stated that Microsoft would not collect PII without the user’s consent. The plaintiffs referenced Microsoft’s own online glossary to support their claim that IP addresses should be considered PII. The glossary defined “personally identifiable information” as “[a]ny information relating to an identified or identifiable individual. Such information may include…IP address.” In granting summary judgment in favor of Microsoft, U.S. District Court Judge Richard Jones found that “[i]n order for ‘personally identifiable information’ to be personally identifiable, it must identify a person. But an IP address identifies a computer.”
The Washington court’s ruling diverges from other recent rulings in the United States and Europe. In 2008, New Jersey’s Supreme Court held that Internet Service Providers (“ISPs”) are forbidden from disclosing subscriber IP addresses without a subpoena. The court held that New Jersey citizens have a “reasonable expectation of privacy” in the “subscriber information they provide to Internet service providers – just as New Jersey citizens have a privacy interest in their bank records stored by banks and telephone billing records kept by phone companies.” State v. Reid, 954 A.2d 503 (N.J. 2008).
Similarly, the European Union’s Article 29 Data Protection Working Party has noted that ISPs should “treat all IP information as personal data” unless the ISPs can “distinguish with absolute certainty that the data correspond to users that cannot be identified.” The Working Party has recommended that search engines delete or anonymize IP addresses once they are no longer needed, and should not retain the data longer than six months.
The issue of whether IP addresses are considered PII as a matter of law has significant implications for companies that collect and use consumer online information. To the extent IP addresses are considered PII, companies that use IP addresses for business purposes would be required to comply with numerous legal requirements with respect to that data.