
IP addresses and the Data Protection Act

This guide is based on UK law. It was written in March 2007.

An IP address in isolation is not personal data under the Data Protection Act, according to the Information Commissioner. But an IP address can become personal data when combined with other information or when used to build a profile of an individual, even if that individual's name is unknown.

What is an IP address?

Computers and other devices that are connected to the internet are assigned unique identifiers known as Internet Protocol (IP) addresses to identify and communicate with each other.

The internet's authority for names and numbers is ICANN, based in California. It delegates authority for the management and creation of IP addresses to a body called the Internet Assigned Numbers Authority (IANA). IANA allocates blocks of addresses to one of five Regional Internet Registries, including RIPE in Europe. In turn, these regional bodies allocate smaller blocks of addresses to ISPs and organisations.

The most common type of IP address is displayed as four numbers between zero and 255, e.g. 83.29.144.255. This format – known as IP version 4 – will accommodate a maximum of 4.3 billion addresses. The growing number of devices connected to the internet is driving the adoption of IP version 6 – a format that will accommodate more devices (it displays an IP address as eight groups of four hexadecimal digits, e.g. 2001:0db8:0000:0000:0000:0000:1428:57ab), though it is not yet widely supported.

When an individual connects his computer to the internet it is either with the same IP address each time, known as a static IP address; or with a different number each time, known as a dynamic IP address. Some ISPs allocate dynamic IP addresses, others allocate static IP addresses. Visiting an IP lookup site will tell you what IP address you are currently using. You can determine whether it is dynamic or static if you disconnect your internet connection, reconnect and then check your IP address again.

What can be determined from an IP address?

As soon as you visit a website your IP address will be available to that site. It is common for websites to keep a record of all IP addresses that visited with the date and time of the visit, even if this record is never used. Your ISP also has a record of your internet activity. Even if your IP address is a dynamic address – i.e. it changes every time you connect to the internet – your ISP will be able to identify your browsing activity because it knows what number was allocated to which customer and when.

Limited information is freely available about any IP address. Because IP addresses are allocated in batches, your IP address, be it static or dynamic, will be in a particular range that typically reveals your choice of ISP and your geographic location – though at best this will identify a city, not a street, and it won't always identify the right city or even the right country, depending on your ISP and its system for allocating IP addresses.

When accessing a website from an office computer, you might share one IP address with numerous colleagues. It is likely that your office can identify which computer on its network accessed a particular site, though, even if that site's access records show a shared IP address.

Data protection and IP addresses

The Data Protection Act regulates the collection and use of personal data. If data is not personal data it is not caught by the Act – but it is not always obvious whether data is personal data or not. An IP address in isolation is not personal data because it is focused on a computer and not an individual. This reasoning was applied by the Hong Kong Privacy Commissioner in a complaint about Yahoo!'s disclosure of information about a journalist to Chinese authorities (Hong Kong clears Yahoo! of privacy breach over jailed journalist, OUT-LAW News, 15/03/2007). The Commissioner wrote in his report: "an IP address per se does not meet the definition of 'personal data'".  

In the hands of an ISP an IP address becomes personal data when combined with other information that is held – which will include a customer's name and address. In the hands of a website operator, it can become personal data through user profiling.

Most sites do not profile their users using IP addresses. They typically use IP addresses for demographic purposes such as counting visitors, their countries of origin and their choice of ISP. A visitor's organisation might also be identifiable.

Sites typically gather statistical data about the path that users take through a website and the page from which they left the site. Banking websites might also use IP addresses as a security measure – for example, if a customer regularly accesses his account from an IP address in London, access to that customer's account from an IP address in Moscow might indicate fraud.

The most common privacy concern surrounding IP addresses is their use in marketing. A visitor's path through a website could be followed and any adverts that are clicked can be identified. On the next visit, that user could be shown ads that are similar to those he clicked on the previous visit. But this fails when the user has a dynamic IP address: the user will be unknown.

Accordingly, most websites prefer cookies to IP addresses for tracking users for personalised marketing purposes. A cookie is a small text file that is sent from a website to a visitor's computer. The cookie file can be used to identify an individual and a website operator can build a detailed profile of that person's activity at its site. Users can set their web browsers to refuse cookies but most users accept them, often unwittingly.

The Commissioner on IP addresses

In 2001, the then Information Commissioner, Elizabeth France, acknowledged the difficulty of using IP addresses to build up personalised profiles. "It is hard to see how the collection of dynamic IP addresses without other identifying information would bring a website operator within the scope of the Data Protection Act 1998," she wrote.

She continued: "Static IP addresses are different. As with cookies they can be linked to a particular computer which may actually or by assumption be linked to an individual user. If static IP addresses were to form the basis for profiles that are used to deliver targeted marketing messages to particular individuals they, and the profiles, would be personal data subject to the Data Protection Act 1998. However, it is not easy for a website operator to distinguish between dynamic and static IP addresses. Thus the scope for using IP addresses for personalised profiling is limited."

France concluded: "If dynamic or static IP addresses are collected simply to analyse aggregate patterns of website use they are not necessarily personal data. They will only become personal data if the website operator has some means of linking IP addresses to a particular individual, perhaps through other information held or from information that is publicly available on the internet. ISPs will of course be able to make this link but the information they keep will not normally be available to a website operator."

Similar guidance came from an independent EU advisory body called the Article 29 Data Protection Working Party. It wrote in November 2000: "The possibility exists in many cases, however, of linking the user’s IP address to other personal data (which is publicly available or not) that identify him/her, especially if use is made of invisible processing means to collect additional data on the user (for instance, using cookies containing a unique identifier) or modern data mining systems linked to large databases containing personally-identifiable data on internet users."

How this affects your web operations

If you collect IP addresses and analyse them collectively – e.g. identifying the number of visitors from Japan or the most popular ISP – you should disclose this in your privacy policy, e.g. "When you visit our site we may automatically log your IP address, a unique identifier for your computer or other access device." To reassure visitors, you could add: "We will not use your IP address to identify you in any way."

If you wish to use IP addresses to identify or build a profile on each of your visitors as an individual, even if they are never identified by name, you should assume that the Data Protection Act applies. Only a court can decide for certain whether or not this is a processing of personal data to which the Act applies and there have been no court rulings on this point to date. The safest course is to assume that the Act does apply in these circumstances. A court will be influenced by the Information Commissioner's guidance on this point. Therefore you should make visitors aware of your intentions to use IP addresses and, where possible, gain consent before processing an IP address for these purposes, for example, via a data protection notice.

Links:

EU Data Protection Working Party Guidance (99-page / 510KB PDF)

Please note: The UK Commissioner's guidance appeared in a set of Website FAQ published in 2001 and no longer available at the Commissioner's site.

Contacts: Louise Townsend or Rosemary Jay (Manchester, 0161 250 0100)

Disclaimer: This was printed from OUT-LAW.COM, a service of international law firm Pinsent Masons. We hope you find this content useful. However, please note that nothing in this document constitutes specific legal advice. You should consult a suitably qualified lawyer on any specific legal problem or matter. Any questions, please email info@out-law.com.