Are IP addresses, OpenID-URLs/XRIs PII?
There is an interesting debate emerging in the EU whether IP addresses should be treated as personally identifiable information (PII). A consequence, if this was to be the case, would be extending all the privacy and data protection requirements to IP addresses.
Extending this debate, should an OpenID identifier be treated as PII and protected similarly?
IP addresses are meant to be locators for devices on a network and often do not map to being a unique identifier (for example, where the IP address is dynamically assigned or NAT is being used for an external connection).
Yet, ISPs and online services routinely log IP addresses and use it for tracking users. Search engines use IP addresses to provide location-aware results, advertising, and detecting click fraud.
The answer is far from clear cut.
As a privacy counsel for Google told the EU meeting, “There is no black and white answer: sometimes an IP address can be considered as personal data and sometimes not, it depends on the context, and which personal information it reveals.”
On the other hand, Germany’s data protection commissioner believes that when someone is identified by an IP address “then it has to be regarded as personal data.”
This is going to be an interesting debate. To spice things up, lets thrown in things like persistent cookies and ISP/OP logs into the mix.