EU Says IP Addresses Are Personal Data

The European Union’s data privacy regulator group said this week that an IP address “has to be regarded as personal data” when it’s used to identify a person. Although this has no bearing on how IP addresses are used in the United States, it might trigger a change in data collection policies for companies like Google that use IP addresses in order to serve relevant search results and ads.

Google and Microsoft track users differently—Google is the bigger culprit when it comes to storing IP addresses that could potentially identify a person, while Microsoft relies on its Passport network to track users.

Google has taken steps over the past year to reduce the length of time it stores data—the Washington Post says search info is now deleted after 18 months, and Google’s tracking cookies now expire after two years instead of 30. It’s still facing criticism, though, from privacy types:

A privacy advocate at the nonprofit Electronic Privacy Information Center said it was “absurd” for Google to claim that stripping out the last two figures from the stored IP address made the address impossible to identify by making it one of 256 possible configurations.

“It’s one of the things that make computer people giggle,” the center’s executive director, Marc Rotenberg, said. “The more the companies know about you, the more commercial value is obtained.”

Regardless of how the search engine companies collect or store data, the EU wants them to make their privacy policies clearer and easy for the layperson to understand:

Neither of the search engines received a pat on the back from Spain’s data protection regulator, Artemi Rallo Lombarte, who criticized them for not trying to make their privacy policies accessible to normal people.

Their privacy policies “could very well be considered virtual or fictional . . . because search engines do not sufficiently emphasize their own privacy policies on their home pages, nor are they accessible to users,” he said, describing the policies as “complex and unintelligible to users.”

“IP Addresses Are Personal Data, E.U. Regulator Says” [Washington Post]
(Photo: Getty)


Edit Your Comment

  1. Imaginary_Friend says:

    There’s no good reason on earth for a company to store 30 year tracking cookies! Even two years is bad unless the user fully gives consent … and gets a cut of the action.

  2. insomniac8400 says:

    “absurd for Google to claim that stripping out the last two figures from the stored IP address made the address impossible to identify by making it one of 256 possible configurations”
    Of course it’s absurd the last number can only be out of 254 “configurations”.
    And that only is true if by “last two figures” they mean the last number. If they mean the last two numbers that bumps the possible “configuration” count up to 64,770.

  3. loueloui says:


    Actually, I think it’s even slightly less then 256. In a class C IP block, all addresses share the first 3 octets, mike only the last octet unique. I am assuming that they are stripping away the last 2 DIGITS for example

    Some of these addresses however are invlaid such as .0 and multicast making the total combination 254. A piddling distinction I know but if this is correct it is very likely that eventually you will be able to be identified. That is if you had a static IP address for a long period of time.

  4. mac-phisto says:

    god, this makes me wish that in the u.s., 1) we had intellectuals working in gov’t & 2) we actually listened to their recommendations.

  5. darkened says:

    @mac-phisto: We do, they’re trying to figure out how to start a war with iran when iran has done pretty much nothing wrong and for a long time was our biggest supporter in that region of the world sans isreal.

  6. Curiosity says:

    Obviously though the utility of using an IP address an identifier has to do with the strength it can be associated with one person and their personal habits.

    Somehow I just think it may be better to make it anonymous or random and remove the correlation between specific IP addresses and people.

  7. aikoto says:

    Google’s privacy “efforts” are crap. They have no need to tie IP to personal data after 5 seconds let alone 18 months.

  8. Adam Rock says:

    If the EU wants to consider IP addresses information that people shouldn’t store and analyze, then they should provide a free proxy for anyone who wants to “opt out” of IP address information storing.

  9. mac-phisto says:

    @Adam Rock: or they could just fine the hell out of anyone that doesn’t comply with their rules. i like that idea better.

  10. Skiffer says:

    Down with the Google-opoly!!!!!!!!