Interpreting new privacy laws - NPR online privacy policy

June 30th, 2018 there will be a new privacy law regarding privacy and datamining collection notification.

Please be aware of new privacy agreements you sign with your online vendor relationships.

NPR gave a very simple explanation that point by point of the datamining practices they have- so kind of like someone telling us about the hidden cost of a free lunch…

I’m new to this awareness so my question is… after reading this statement about IP address “The Internet Protocol address (IP address) of the computer or device you used to access an NPR Service and information about your Internet Service Provider.”.
What can NPR do with this information?

Here is the link:

NPR probably has a changed privacy policy because of the GDPR privacy regulations that come into effect on 25th of May.

I have to admit that when checking the URL for you I clicked away the consent message too quickly, but it might have mentioned something about trackers (I could clear my cookies to see the message again, but do not want to do this now).

If that is the case the Privacy Policy (PP) states it uses under Disclosure of Information, which includes:

With other parties if we have disclosed such sharing to you at the time of collection of the information or if we otherwise have your consent.

Now this includes advertisers, and in the first message I gave consent to transfer my data to them. Privacy Badger says that at least Facebook and Google are trackers on the PP page, among others. What will they receive? Well, that is the information described under Information Collected Automatically Through Technology and includes your IP.

The IP is the unique address that you use when browsing the internet. If you have wifi, then all the devices using it probably use the same external IP address. If you are on a mobile network with your phone you will have another external IP address. Depending on your provider these IP addresses will be mostly fixed.

Besides the IP any device connected to the internet also has a unique Device ID (and sometimes other ID’s as well). Together they can be used to identify you personally. The GDPR therefore considers this Personally Identifyable Information (PII).

“These are just ID’s and numbers” you may say, “So, how can they personally identify me?”… This can occur in many different ways, and is where tracking, aggregating and enriching of data comes into play. You may have provided your full name and other details to another website in the past, and this data was collected sold. You may have had the same IP and Device ID when you did that. Or you had cookies in your browser that you still have on your NPR visit, which can be corresponded together.

Besides that there are also issues with location regarding IP addresses. Internet providers usually have fixed IP address ranges they provide to their customers, and they may be bound to a geographic region. Also there are companies - like Google, when they are mapping roads for Google Maps - that register the wifi networks they encounter along the way, so they can assign a more accurate geographic location to your IP.

If you are shopping, or just walking around in your town, then many shops have beacons installed. If you have the wifi on your phone switched on while walking past, then this is detected and registered as well.

1 Like