Snip…..”Jules Polonetsky, co-chair and director of the think tank Future of Privacy Forum, adds that many sites with older privacy policies maintain they don’t collect personally identifiable information, but log IP addresses. “For many years, people just threw around the term personal information,” he says. “They didn’t pay attention to account IDs in the hands of third parties, IP addresses, other types of information that, with some effort, could become identifiable.”
Polonetsky says that companies today are rewriting privacy policies to more carefully define their terms, adding that many in the industry now view IP addresses as more sensitive than completely random data.”…….
— Let’s quit debating whether IP addresses are PII. Lets’s just agree that they are more significant than some less personal information and arrange to not log them when we dont need to or let’s obscure or delete IP addresses at an earlier date. For example, consider Yahoo’s example – they anonimyze search and adserving logfiles, deleting IP addresses, after 6 months. (and it doesnt appear to have shut down their business). Others retain for 9 months or a year, but many don’t yet have public policies around such data retention. Time for everyone else to follow.