IP addresses (Internet Protocol addresses) have entered into recent conversations about privacy as the European Union’s General Data Protection Regulation (GDPR) takes effect. In the law, the EU includes IP addresses as potentially referencing “Personal Identifiable Information.”

We thought we’d clear up some confusion on a few questions:

  • What is an IP address?
  • What can you learn from someone’s IP address?
  • How are companies using your IP address?

What is an IP Address?

First, what is an “IP address”? It’s a unique number-like identifier that everyone connected to the Internet must have. It works much like a phone number in that you have a two-way connection, with both ends having unique “numbers”.  

On the Internet, IP addresses identify networks of computers (or specific computers in a network) connected to the Internet. Businesses and homes both have these public addresses that work, in a sense, like phone numbers. At DBS, ours is 216.253.111.162.

Most businesses would have “static” public IP addresses assigned by their service providers. These do not change (unless you change providers). Most home users would have “sticky” public IP addresses. These could theoretically change at any time, but typically don’t unless you upgrade your home router or change ISPs.

What can you learn from someone’s IP address?

So what information is being exposed? By itself, not much. Location is typically available down to the city level. In the case of business IP addresses, you can typically match an IP address with a business name and street address. That is not the case for home IP addresses, nor is it the case for individuals at businesses.

Why do companies capture IP addresses?

Most websites capture IP addresses from visitors, and that’s not necessarily a bad thing. IP addresses are used by back-end web developers to identify malicious site visits, which they can then blacklist, making websites safer.

Fraud protection efforts rely on IP addresses. Day in and day out, a bank may ignore IP addresses, until an unusual IP address appears in the server logs. An IP address from a far-off location might indicate a hacking attempt. Take for example a user routinely visiting an online banking account from Louisville, Kentucky. When an IP address from Russia suddenly appears, that may trigger further investigation to identify potential fraud.
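As an added illustration of the fraud check described above (this is not code from this article or from any bank), the Python example below builds a per-user baseline of login countries and flags a login from a country that user has never used before. The geolocation table, the login records, and the names `locate`, `flag_unusual_logins` and `MIN_HISTORY` are all constructed for the example; the IP prefixes are reserved documentation ranges, not real allocations.

```python
import ipaddress
from collections import defaultdict

# Constructed geolocation table (documentation prefixes, not real allocations).
GEO_TABLE = [
    (ipaddress.ip_network("198.51.100.0/24"), ("US", "Louisville")),
    (ipaddress.ip_network("192.0.2.0/24"), ("US", "Lexington")),
    (ipaddress.ip_network("203.0.113.0/24"), ("RU", "Moscow")),
]

# Constructed login log: (timestamp, user, source IP).
LOGINS = [
    ("2018-05-01T08:02:11", "alice", "198.51.100.23"),
    ("2018-05-02T08:05:40", "alice", "198.51.100.23"),
    ("2018-05-04T08:01:09", "alice", "192.0.2.14"),
    ("2018-05-05T03:17:55", "alice", "203.0.113.9"),
    ("2018-05-05T09:00:00", "bob", "203.0.113.40"),
    ("2018-05-06T09:00:00", "bob", "10.1.2.3"),
]

MIN_HISTORY = 3  # located logins needed before a user's baseline is trusted


def locate(ip_text):
    """Return (country, city) for an IP, or None if the table has no match."""
    ip = ipaddress.ip_address(ip_text)
    for network, place in GEO_TABLE:
        if ip in network:
            return place
    return None


def flag_unusual_logins(logins, min_history=MIN_HISTORY):
    """Flag logins from a country never seen before for that user."""
    seen = defaultdict(set)   # user -> countries seen so far
    count = defaultdict(int)  # user -> number of located logins so far
    alerts = []
    for ts, user, ip in logins:
        place = locate(ip)
        if place is None:
            # Private or unmapped address: cannot be compared to the baseline.
            alerts.append((ts, user, ip, "unlocatable"))
            continue
        country = place[0]
        if count[user] >= min_history and country not in seen[user]:
            alerts.append((ts, user, ip, "new country " + country))
        seen[user].add(country)
        count[user] += 1
    return alerts
```

An alert here is only a trigger for further investigation, as in the paragraph above: a first-time user has no baseline yet, and a traveller will produce the same signal as an intruder.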

Of course, advertisers often use anonymous IP address data to serve you ads. IP-targeting, as it is called, is far less common than traditional cookie-based targeting for advertisements, but it is growing in popularity.

One common IP-targeting advertising tactic involves targeting a large event. For example, if you attend a music festival and use the free public WiFi, advertisers may show you ads relevant to you (maybe for an artist’s album release or a music streaming service subscription). Then, even after you’ve left the festival, you would still get ads relevant to that event.

In this scenario, your IP address remains completely anonymous. Advertisers can’t download a list of all the people they showed an ad to. They can know how many people saw and clicked on an ad, but not who saw the ad or clicked on the ad.

Conflicts are inevitable.

Under the GDPR, a user has the right to request all information about them tied to IP addresses and other personally identifiable information. A company, however, does not have to divulge proprietary derivative information if it would reveal corporate or trade secrets. The exercise of intellectual property rights is not a shield that can be used to deny a request for the raw personally identifiable information.

As GDPR discussions continue (and as inevitable future litigation arises), we’ll get more details about how IP addresses fit within the context of personally identifiable information protections. Until then, rest assured knowing that while many companies may be collecting your IP address, it’s almost always anonymized.