Skip to content

Maybe.

Personal information is defined by the CCPA as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”[1] While the Act provides a list of examples of personal information – which explicitly includes “Internet Protocol Address” – it qualifies the examples by stating that they only fall within the definition of personal information if they identify, relate to, describe, are “capable of being associated with,” or “could be reasonably linked” with a particular person.[2] The CPRA does not impact the extent to which IP addresses are, or are not, considered personal information.

In order to determine whether an IP address is linked to a person, it is important to understand what an IP address represents.  Computers that access the internet are assigned either a static or a dynamic Internet Protocol (IP) address.  A static IP address does not change over time (i.e., it is dedicated to a particular computer, network, or user).  A dynamic IP address is assigned by a network when a computer connects and, thus, changes over time (e.g., each time that the user reconnects to the network).

The California Attorney General was asked to clarify that IP addresses, could not, by themselves, constitute personal information under the CCPA, but refused to do so, stating only that such determination is a “fact-specific and contextual” determination.[3] When examining whether a static or a dynamic IP address constitutes personal information, California courts may look to how European regulators viewed IP addresses in the context of the European GDPR’s definition of “personal data” which is similar to (but not identical with) the CCPA’s definition of “personal information.”[4] The Article 29 Working Party took the position that because static IP addresses do not change, and IP addresses can be used to identify the computer (or user), “[t]he possibility exists in many cases . . . of linking the user’s IP address to other personal data . . . that identify him/her, especially if use is made of invisible processing means to collect additional data on the user (for instance, using cookies containing a unique identifier)….”[5] The Working Party further recognized that, because of the nature of dynamic IP addresses, in some cases “a third party can get to know the dynamic IP address of a user but not be able to link it to other data concerning this person that would make his/her identification possible.”[6]

[1] CCPA, Article 1798.140 (v)(1).

[2] CCPA, Article 1798.140 (v)(1).

[3] FSOR Appendix A at 4 (Response 15), 124 (Response 401), 236 (Response 689); FSOR Appendix E at 7 (Response 11).

[4] GDPR, Article 4(1).

[5] Article 29 Working Party, WP 37: Privacy on the Internet – An Integrated EU Approach to On-line Data Protection, at 21, adopted on Nov. 21, 2000.

[6] Article 29 Working Party, WP 37: Privacy on the Internet – An Integrated EU Approach to On-line Data Protection, at 21, adopted on Nov. 21, 2000.