IP Addresses and the GDPR
The term "IP address" (or "Internet Protocol address") has entered recent conversations surrounding online privacy, as the European Union’s General Data Protection Regulation (GDPR) has taken effect. Within GDPR, the EU includes IP addresses as “Personal Identifiable Information” potentially subject to privacy laws.
We thought we’d clear up some confusion stemming from a few common questions about IP addresses:
- What is an IP address?
- What can you learn from an IP address?
- How are companies using your IP address?
What is an IP address?
First: What is an IP address? It’s a unique numeric identifier that every device connected to the Internet must have. It works much like a phone number in that you have a two-way connection, with both ends having unique “numbers”.
On the Internet, IP addresses identify networks of computers (or specific computers in a network) connected to the Internet. Businesses and homes both have these public addresses that work, in a sense, just like phone numbers. Here at DBS, our IP address is 216.253.111.162.
Most businesses would have “static” public IP addresses assigned by their service providers. These do not change (unless you change providers). Most home users would have “sticky” public IP addresses. These could theoretically change at any time, but typically don’t unless you upgrade your home router or change your own ISP.
What can you learn from an IP address?
With an understanding of what IP addresses are, now you may wonder: What information is being exposed by an IP address? By itself, an IP address does not expose very much. Its location is typically available, down to the city level. And in the case of a business IP address, you can typically match it with a business name and street address. Still, it's important to note this is not the case for home IP addresses, nor is it the case for individuals at businesses.
Why do companies capture IP addresses?
Most websites capture IP addresses from visitors, and that’s not necessarily a bad thing. Back-end web developers often use IP addresses to identify malicious site visits and hacking attempts so they can blacklist threatening sites. That protects the website's data and traffic and makes it safer for anyone visiting and using those websites, including you.
Fraud protection efforts typically rely on IP addresses in this way. Consider banks, for example: day in and day out, a bank may generally ignore the IP addresses of site visitors or mobile app users until an unusual IP address appears in the server logs, one that's located in an unusual, dangerous, or distant place. If it seems out of the ordinary, this might signal a hacking attempt. Let's say the bank's IT team regularly sees a user visit their online banking account from Louisville, Kentucky, then suddenly sees a visit originating from an IP address in Russia; this unusual activity might raise red flags that prompt a deeper investigation to help them identify potential fraud.
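The check described in the bank scenario above can be sketched as follows. This is an added example, not code from the original article; the log format, the geolocation table (built on documentation-only address ranges), the user names and the `min_history` threshold are all assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed geolocation table (RFC 5737 documentation prefixes, assumed
# locations). A real deployment would query a GeoIP database instead.
GEO_TABLE = {
    ipaddress.ip_network("192.0.2.0/24"): "US/Louisville",
    ipaddress.ip_network("198.51.100.0/24"): "US/Lexington",
    ipaddress.ip_network("203.0.113.0/24"): "RU/Moscow",
}

# Constructed login log, one "timestamp user source_ip" record per line.
SAMPLE_LOG = """\
2018-06-01T08:02:11Z alice 192.0.2.14
2018-06-03T19:30:02Z alice 198.51.100.7
2018-06-04T08:01:55Z alice 192.0.2.14
2018-06-05T03:12:09Z alice 203.0.113.50
2018-06-05T03:13:30Z alice 203.0.113.51
2018-06-05T09:00:00Z bob 203.0.113.9
"""

def locate(ip_text):
    """Return 'CC/City' for an address, or '??/unknown' if no prefix matches."""
    ip = ipaddress.ip_address(ip_text)
    for network, place in GEO_TABLE.items():
        if ip in network:
            return place
    return "??/unknown"

def flag_unusual_logins(log_text, min_history=3):
    """Flag logins from a country not present in the user's login baseline."""
    baseline = defaultdict(list)  # user -> countries of accepted logins
    alerts = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed records
        timestamp, user, ip_text = parts
        try:
            place = locate(ip_text)
        except ValueError:
            continue  # source field is not a valid IP address
        country = place.split("/")[0]
        # Only judge users with enough history; a new user has no baseline yet.
        if len(baseline[user]) >= min_history and country not in baseline[user]:
            alerts.append((timestamp, user, ip_text, place))
            continue  # do not learn from a flagged login until it is reviewed
        baseline[user].append(country)
    return alerts
```

Comparing at country level keeps a move from Louisville to Lexington quiet while still flagging the jump to Russia, and leaving flagged logins out of the baseline means a repeat visit from the same unusual place is flagged again.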
Of course, advertisers also often use anonymous IP address data to serve you ads. IP-targeting, as it is called in digital marketing, is far less frequent than traditional cookie-based targeting for advertisements. But it is growing in popularity, as more users opt to block ads and cookies when they browse the internet.
One common IP-targeting advertising tactic involves targeting a large event. For example, if you attend a music festival and use the free public WiFi, advertisers may show you ads relevant to you (maybe for an artist’s album release or a music streaming service subscription). Then, even after you’ve left the festival, you would still get ads relevant to that event.
In this scenario, your IP address remains completely anonymous. Advertisers can’t download a list of all the people they showed an ad to. They can know how many people saw and clicked on an ad, but not who saw the ad or clicked on the ad.
Conflicts are inevitable.
Under the GDPR, a user has the right to request all information about them tied to IP addresses and other personally identifiable information. A company, however, does not have to divulge proprietary derivative information if it would reveal corporate or trade secrets. The exercise of intellectual property rights is not a shield that can be used to deny a request for the raw personally identifiable information.
As GDPR discussions continue (and as inevitable future litigation arises), we’ll get more details about how IP addresses fit within the context of personally identifiable information protections. Until then, rest assured knowing that while many companies may be collecting your IP address, it’s almost always anonymized.