The iovation Site

U.S. Federal Judge Upholds IP Addresses are Not PII, Part 2 – What Online Businesses Can Learn From This

July 15th, 2009 by Greg Pierson

In a class action lawsuit involving Microsoft, a U.S. District Court judge ruled that IP addresses are not personally identifiable information (PII). If you read my first post on this issue, you know that I support this decision and believe that IP addresses should be treated as very weakly associated with identity.

While the never-ending ‘discussion’ about the balance of online security and privacy rages on, what can online businesses learn from this?

Microsoft dodged a bullet here. While the case was dismissed before trial, defending yourself is expensive. There are also other ‘costs’, harder to quantify than attorney’s fees but often more significant, including the distraction to the business and all the ripple effects of negative publicity for customers, business partners, employees and shareholders. Dodging bullets is good, but it’s even better to avoid getting shot at in the first place.

In this particular case, a group of consumers claimed that Microsoft violated its user agreement by collecting IP addresses. Consumers claimed that Microsoft’s user agreement didn’t give the company permission to gather personally identifiable information. Consumers argued that IP addresses were personal information and pointed to a security glossary on Microsoft’s own website that defined “personally identifiable information” as:

[image: pii]

Oops.

If you’re wondering how Microsoft got out of this sticky situation, they argued that IP address is in fact NOT personally identifiable information and that their own security glossary was not referenced in their user agreement and is therefore not relevant. Attorneys reading this are thinking “Makes perfect sense,” and normal individuals (sorry, couldn’t help myself) are thinking, “That makes no sense.”

In Microsoft’s defense, you can see how this could easily happen. User agreements could be written by one part of the organization, in isolation from another part of the organization responsible for writing an online security glossary. The bigger the organization, the more likely these kinds of disconnects, and the harder it is to keep everyone on the same page. This may explain it, but it doesn’t excuse it.

BTW, as of the date of this post, this definition of PII on Microsoft’s website remains unchanged.

While big companies with deep pockets have bigger targets on their back, small companies are not immune to these types of problems.

A little common sense goes a long way. Consumers don’t care about technical legal arguments. If you say one thing and do something else, you shouldn’t be surprised when some of your customers are confused or irritated. Try to be consistent and encourage your customers and employees to point out real and apparent inconsistencies.

Treat all information gathered from your customers with the appropriate level of care. I certainly understand this is a loaded statement. Ask three experts for their opinion on what you should do with various data types and you’re likely to get at least three. But a little common sense goes a long way here too. The greater the likelihood that information could allow access by unauthorized users, reveal individual users or enable identity theft, the more careful you should be.

Review your privacy policies periodically and compare them to those of other businesses that consumers respect. When in doubt, disclose it. Let’s face it, the vast majority of your users don’t care and are never going to read it. The extremely vocal minority that does care will appreciate transparency. The individual who actually cares that you “maintain IP addresses associated with site traffic for up to X years” will either appreciate the disclosure (which they knew anyway) or was never doing business with you in the first place.

As Microsoft, Google and many other businesses continue to learn the hard way, even the appearance of improper conduct can be terribly damaging. When in doubt, disclose.
