Commentary

GDPR Got It Wrong: IP Address Is NOT Personal Data

There is a lot of gray area within the General Data Protection Regulation (GDPR). But there's something that's black and white and, frankly, WRONG: An IP address should not be considered personal data.

Preparing for GDPR caused major headaches for basically every company that does business on the internet. Most breathed a sigh of relief on May 25, but we shouldn’t get too comfortable. Now we have to see how things unfold. Personal data, in the context of GDPR, includes a wide range of information, such as social media posts, photographs, lifestyle preferences, transaction history and, incorrectly, IP addresses. This is going to cause difficulties for all types of companies, including anti-fraud solutions.

Let’s use a small company’s office to illustrate why an IP address should not be considered personal property. There could be 20 to 25 people online, all with the same IP address. If Jenny in accounting searches for something, does that mean Johnny over in sales searched for the same thing? Of course not. An IP address is not personal to an individual. It is a shared piece of data. Some might argue that you can use IP addresses for tracking and targeting, but the truth is, they really are only useful in tandem with other data points.

Or consider mobile, which accounts for more than 50% of traffic for top websites, according to a SimilarWeb report. Your mobile IP address changes as you sign into different WiFi networks and travel within the range of new cell towers. Mobile IP addresses alone aren’t used to identify people.

Article 17 of GDPR, the Right to Erasure (“right to be forgotten”), states that anyone in the EU can request that a website delete all of their personal data, including records that correspond to their IP address.

It will take time to see how GDPR shakes out, but long-term — even short-term — considering IP addresses as personal property will cause problems for companies and could affect their analytics, targeting, tracking, advertising and engagement strategies. The user benefits don’t outweigh the difficulties.

Why would someone need an IP address “forgotten”? If they are concerned with preserving their privacy, deleting truly personally identifying information, such as their name, login information, transaction history and demographic data, should be sufficient.

Including IP addresses in the definition of personal data could even cripple anti-fraud solution tools and, in turn, negatively affect the organizations that use them.

When we think of ad fraud, we often think about nonhuman traffic, but there are people behind those bots. Fraudsters are experts at finding and poking holes in businesses’ and people’s security measures. What is to stop fraudsters from asking anti-fraud solution providers to “forget” their nefarious IP addresses? One of the things that anti-fraud tools do is recognize and remember the IP addresses of bad actors. If GDPR requires them to delete those addresses at a user’s request, it seriously weakens the tool.

By now, you have updated your privacy policy. You have seen how much, or how little, your competitors and industry leaders are doing to comply. And you have, hopefully, rolled out ways to seek consent from visitors in the EU. But what happens if and when people exercise the right to have their IP addresses forgotten remains to be seen.
