Commentary

Just An Online Minute... European Regulators Propose Stricter Rules For Search Companies

There's been a lot of debate about whether IP addresses should be considered personally identifiable information, but that issue now appears to be settled in Europe -- and the answer is yes.

In a new report, Europe's privacy regulators state that IP addresses are personal data and propose that search engines should destroy or irreversibly anonymize them after six months.

While there's not a perfect correspondence between specific users and IP addresses -- the same person can connect from more than one location, and more than one person can use the same computer to sign on -- it's possible to figure out many people's identities based on clicks from an IP. In fact, the European report mentioned AOL's "Data Valdez" -- the privacy breach that occurred when the company posted the search histories of 650,000 users. The IP addresses were "anonymized," but that wasn't enough to protect AOL users because queries alone were enough to reveal some users' identities.

In the U.S., whether IP addresses are considered personally identifiable is still an open question, but legislators appear increasingly aware of the various potential ways that marketers can compromise people's online privacy.

Bills are pending in New York and Connecticut that would regulate behavioral targeting. These bills, still in early stages, would require companies to allow consumers to opt out of having their Web surfing activity tracked online. While those laws don't currently address targeting via IP address, surely it's only a matter of time until IP-tracking becomes prevalent enough to draw the attention of lawmakers. Already two companies, Phorm and NebuAd, have garnered much press about their new behavioral targeting programs that serve ads to people based on Web activity originating from particular IP addresses.

Meantime, Google, Microsoft and Yahoo will likely need to decide whether to change their practices of storing IP addresses in the U.S. Certainly, deleting European users' data after six months, while holding onto U.S. users' data for two to three times as long, would pose a giant public relations problem for the companies. Giving European users more privacy protections than U.S. users isn't likely to go over well with lawmakers or advocates.
