The European Union’s data privacy regulator group said this week that an IP address “has to be regarded as personal data” when it’s used to identify a person. Although this has no bearing on how IP addresses are used in the United States, it might trigger a change in data collection policies for companies like Google that use IP addresses in order to serve relevant search results and ads.
Google and Microsoft track users differently—Google is the bigger culprit when it comes to storing IP addresses that could potentially identify a person, while Microsoft relies on its Passport network to track users.
Google has taken steps over the past year to reduce the length of time it stores data—the Washington Post says search info is now deleted after 18 months, and Google’s tracking cookies now expire after two years instead of 30. It’s still facing criticism, though, from privacy types:
A privacy advocate at the nonprofit Electronic Privacy Information Center said it was “absurd” for Google to claim that stripping out the last two figures from the stored IP address made the address impossible to identify by making it one of 256 possible configurations.
“It’s one of the things that make computer people giggle,” the center’s executive director, Marc Rotenberg, said. “The more the companies know about you, the more commercial value is obtained.”
Regardless of how the search engine companies collect or store data, the EU wants them to make their privacy policies clearer and easier for the layperson to understand:
Neither of the search engines received a pat on the back from Spain’s data protection regulator, Artemi Rallo Lombarte, who criticized them for not trying to make their privacy policies accessible to normal people.
Their privacy policies “could very well be considered virtual or fictional . . . because search engines do not sufficiently emphasize their own privacy policies on their home pages, nor are they accessible to users,” he said, describing the policies as “complex and unintelligible to users.”
“IP Addresses Are Personal Data, E.U. Regulator Says” [Washington Post]