“In order for ‘personally identifiable information’ to be personally identifiable, it must identify a person. But an IP address identifies a computer,” U.S. District Court Judge Richard Jones said in a written decision.
Jones issued the ruling in the context of a class-action lawsuit brought by consumers against Microsoft stemming from an update that automatically installed new anti-piracy software. In that case, which dates back to 2006, consumers alleged that Microsoft violated its user agreement by collecting IP addresses in the course of the updates. The consumers argued that Microsoft’s user agreement only allowed the company to collect information that does not personally identify users. Microsoft argued that IP addresses do not identify users because the addresses don’t include people’s names or addresses. The company also said that it did not combine IP addresses with other information that could link them to individuals.
Interesting decision. Of course it is fairly true. Since most IP addresses are doled out to consumers on a random rotating basis using DHCP, it would be easy to argue that a particular IP address does not “belong” to a particular person, so it is not a way of identifying them. In reality, IP addresses do stick around and often can be attached to a particular person. SOunds like a need for balance here.