Ideas, debates, analysis et al.

IP addresses: Personal Data?

Tomás F. Serna

February 26, 2008

There has been some debate lately at this side of the Atlantic on whether IP addresses should be considered as personal data.

The EU Civil Liberties Committee recently held a hearing on various issues surrounding privacy on the Internet, where this one apparently surfaced as key amongst the different issues that were reviewed.

For some interesting background on what IP addresses are, as well as the privacy issues surrounding them, I’ll refer you to this post, published on Feb. 22nd on Google’s Public Policy blog. While the post is slightly biased -which is only natural and was to be expected-, it still contains useful information, as well as some nice discussion in the comments section that certainly makes for a very interesting read.

This debate is taking place at EU institutions while in some member states, such as Spain, the national regulator established its own criteria on the subject matter long ago. In short, and as far as Spain is concerned, IP addresses are to be regarded as personal data. (1)

Without getting into too much detail, what this means is that files/databases containing such data would need to be dealt with in strict observance and accordance with European ‘data protection’ laws. If such data were combined with other data that could point to any kind of health record, political ideology or sexual preference… well, you just got yourself into some really tricky and very risky business.

It was many years ago (at least many in Internet years) that it was made clear that in order for services on the net to become mainstream and successful, they would have to invest heavily in personalization. Building a technological framework to provide an ever-growing array of services, and then tailoring those to each and every individual within your user base, sure sounded (and still sounds today) like the recipe for ultimate success.

I could be wrong, but if memory serves, Yahoo! was the one who first showed the way with ‘my Yahoo!’. Many tried to build upon that early concept. Recent somewhat successful iterations of this are, to name just two, Netvibes and iGoogle.

The business model has undeniably evolved. Now it is no longer just about getting people to visit -traffic- and spend time -page views- within your website, but about collecting as much information about them (within reason) as possible.

It is a win-win proposition. You will come to my all-for-free service/s, which would be of value to you because, while providing you with a service you demand (e.g. an on-line news feed reader), they would be completely tailored to your tastes and interests. On the other hand, this gives me, the service provider, a lot of valuable information about my users, so that I would be able to make a case before advertisers to invest in my targeted advertising business. That is fair enough.

So why not recognize the obvious and then move on? Why not recognize that IP addresses (amongst every other possible bit of information) are recorded precisely because, be it directly or be it potentially, they ultimately lead to real people, their habits, tastes and interests?

I can only think of one reason. Business, but of course. Perhaps because higher operating costs are foreseen in order to comply with these regulations… Maybe because some current and/or future projected areas of business would face some extra hurdles, if not be wiped right off the realm of what can be done without breaking the law in certain jurisdictions… Perhaps also because these businesses’ main source of revenue could potentially be threatened to some degree, as the whole selling argument to advertisers relies on how well they are able to target ads to their user base.

It may very well be a combination of the three above that scares them beyond belief, being Internet businesses that, while operating on a global scale, were built from the ground up in a much more lax legal environment with regard to the understanding of the right to privacy… and that is most probably embedded in their corporate DNA.

Should that be the case… well, let’s just say that these foreign ‘data protection laws’ are probably something that you would rather see avoided altogether… or at least their influence and effects limited whenever possible, and to any possible extent.

(1) Regardless of them being dynamically or statically assigned, and without initial regard to the fact of whether they identify a single computer or a potential group of ‘n’ computers behind a router or similar device using network address translation capabilities.

Article submitted for publication to, a publication of Madrid’s Data Protection Agency.



  1. If IP addresses are to be regarded as personal data, I would like to know your opinion about cookies: are they to be regarded as personal data too, or do they have a different consideration?

    Comment by IGC — February 26, 2008 @ 2:05 pm

  2. Thanks for reading, as well as for your question.

    As you know, ‘cookies’ are tiny text files that store various tracking information regarding any given website visitor-user. In that regard, under the EU data protection law in force, they should be regarded as containing personal data.

    The following is the definition of ‘personal data’, as provided by the 95/46/EC Directive:

    (…) “‘personal data’ shall mean any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;(…) “

    While behind a single IP address you could have a bunch of different computers, in all situations cookies store information about users, (i.e. persons). Either identified or identifiable.

    There are different ‘kinds’, if you will, of cookies. In some situations they’re used for security purposes (session cookies), like when you log in to your bank’s website; other times cookies are used towards providing a ‘better’ user experience… so that this or that website is able to remember the general preferences you have defined towards, for instance, a defined look and feel, and so on…

    And now for those amongst you fans of conspiracy theories… Yes, there could be other uses of cookies that could potentially put users’ privacy at risk.

    Say that you run an advertising serving system that places banners in a couple of hundred thousand websites. This advertising network would most probably place cookies in your browser of choice to build certain metrics such as the number of clicks that a certain ad or ad format gets, what ads have already been shown to you, etc.

    But let’s say that I start tracking you across the different websites that you visit, some of which are serving ads through this third party advertising network. Let’s say that you click on a banner from a political campaign… Let’s say that either knowingly or by accident, you end up in one of those websites that would better be (at least at your home…), blocked under some sort of parental lock…

    Would you say I would be in a position that would enable me to start building a thorough profile on your web surfing habits… tastes… ideology…

    Let’s go a step further… What if I own both your webmail app. of choice as well as this ad network?

    This isn’t out of the realm of what is already possible… Cookies are very effective tracking devices. The combination of IP addresses + cookies is a step further in the same direction.

    Comment by tfserna — February 27, 2008 @ 11:40 am

  3. […] There is no doubt that this is a setback for search engines. Some of the reasons in which I base this judgement on were outlined here. […]

    Pingback by » EU to Internet search engines: six months seem more than enough. — April 7, 2008 @ 3:18 am

Privacy notice:

Please be informed that by using the comments form, your personal data (name/nickname, e-mail address, website and IP address), will be included in a file owned by the website proprietor and published along your comment (except for your e-mail and IP addresses), in order for the reader to publicly comment, as well as -should that be the case-, to respond to any comment or query that readers may have made. You will be able to exercise your rights to access, rectify, cancel and oppose such personal data by sending an e-mail to the following address: