As companies grapple with complying with the California Consumer Privacy Act, they will need to decide whether the internet protocol addresses they collect from consumers are considered “personal information” and thus within the scope of this new law. It will not be easy.
The CCPA defines “personal information” to include online identifiers such as an IP address, but only if the identifier “identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” For many businesses, the collection of IP addresses provides multiple benefits, from monitoring website traffic to advertising, tracking and deterring malicious activity. But are IP addresses “reasonably capable” of being associated with or “linked” to an individual or household? If not, do they still “relate[] to” or “describe” a consumer or household? These questions are critical to address, because if IP addresses are considered to be “personal information,” then businesses may find themselves subject to additional obligations under the CCPA or forced to rethink how they handle IP addresses as part of their online business.
The CCPA’s proposed regulations
The CCPA’s definition of personal information expressly contemplates including IP addresses. An IP address alone may not allow a business to identify a particular consumer or household; however, in many, if not most, cases, an ISP can link an IP address with a name, home address, phone number, email address and even payment information. Under certain statutes, a request that an ISP link an IP address to an individual succeeds only if it is accompanied by a court order, subpoena or law enforcement warrant. Unfortunately, it is unclear whether such efforts would be considered “reasonably capable” of linking an IP address to an individual or household such that all IP addresses are personal information under the CCPA.
On Feb. 10, the California attorney general issued its first set of modifications to its proposed CCPA regulations. These modifications included the following guidance:
“[I]f a business collects the IP addresses of visitors to its websites but does not link the IP address to any particular consumer or household, and could not reasonably link the IP address with a particular consumer or household, then the IP address would not be ‘personal information.’”
This guidance was critical in clarifying that the CCPA’s “reasonableness” inquiry was focused on the receiving entity itself, not on the ability of third parties, such as ISPs, to link information to individuals or consumers. In other words, if the business did not link the IP address to a consumer or household, and the business could not reasonably link the IP address with a particular consumer or household, the IP address would not be personal information. This interpretation aligns with the reality that even if businesses wished to link IP addresses to individuals or households, many would lack the information needed to do so themselves and would be unlikely to succeed in compelling an ISP to do so for them. However, when the attorney general revised its draft regulations for a second time on March 11, the guidance was struck without explanation.
Europe’s treatment of IP addresses
So how has the IP address question played out in Europe…