One of the questions we’re frequently asked is:
“Is it possible to acquire physical street addresses of website visitors?”
This question can have a “yes” or “no” answer. It depends on the situation and on the purpose for which the street address information of the person or commercial entity would be used.
Within the scope of website visitor statistics and tracking services, obtaining a residential or commercial street address would be prohibited by the GDPR and state privacy laws. Therefore, the service specifically provides general location information. This data is provided by the governing authorities of the source of geolocation data, such as the ISPs that host users with the IP addresses in question.
There are, however, methods of getting a precise physical street address and other personal or commercial entity information based on an IP address. Using statistics services that provide full visitor IP addresses (where permitted by law) gives people the legal right to obtain this information if they acquire appropriate legal permission.
An example of such a procedure would be finding the true holder of an IP address behind illegal activity, such as online fraud or stalking. This would entail collecting evidence to prove an illegal act under a specific IP address or a range of IP addresses and working with local police authorities to receive a police warrant. The police warrant would allow its holder to communicate further with the ISP, which would assist in resolving the case. The provider could then release the street address and other personal information for an IP address that was assigned to a specific individual or organization at the time the fraud or act of stalking occurred.
The essential list of USA laws governing IP address personal or commercial information
Several laws and regulations address the privacy of internet users and prevent the unauthorized disclosure of personal information, including physical addresses linked to IP addresses.
Electronic Communications Privacy Act (ECPA)
The ECPA, enacted in 1986, includes provisions that protect the privacy of electronic communications. It restricts the government’s ability to intercept and access electronic communications without proper authorization, such as a warrant.
Stored Communications Act (SCA)
Part of the ECPA, the SCA specifically addresses the privacy of stored electronic communications and transactional records. It sets forth the conditions under which internet service providers (ISPs) can disclose information about their users, including IP addresses and associated physical addresses. Generally, ISPs cannot disclose this information without a court order, subpoena, or user consent.
Communications Assistance for Law Enforcement Act (CALEA)
CALEA requires telecommunications carriers to assist law enforcement in intercepting communications and accessing call-identifying information under specific legal procedures. However, it also includes provisions to protect user privacy, ensuring that any access to such information is conducted lawfully and with proper oversight.
General Data Protection Regulation (GDPR)
The GDPR has significant implications for US companies that handle the data of EU citizens. Companies must comply with GDPR requirements, which include strict controls on the processing and sharing of personal data. While not directly applicable to US citizens, many US companies adopt similar privacy practices to comply with international standards.
State Privacy Laws
Several states have enacted their own privacy laws that provide additional protections for residents.
Children’s Online Privacy Protection Act (COPPA)
COPPA imposes certain requirements on operators of websites or online services directed to children under 13 years of age, and on operators of other websites or online services that have actual knowledge that they are collecting personal information online from a child under 13. This includes the protection of the physical address information of children.
The laws listed above collectively work to prevent the unauthorized disclosure of internet users’ physical addresses by regulating how ISPs and other entities handle and share personal data associated with IP addresses.