A number of companies Seguro work with handle MAC addresses in their solutions. These are the (theoretically) unique numbers that identify a network interface on an electronic device: laptops, servers, PCs, mobile devices, home voice assistants, Internet-connected fridges – most things that talk over a network have them.
A question we see posed and debated all the time is whether these addresses should be considered personal data, because they are unique to a device and so could be specific to the owner of a device.
The answer is – as you would expect – it depends on circumstance.
One of our consultants reached out to the ICO (Information Commissioner's Office) in the UK, asking for a definitive answer, and received the following back:
Article 4(1) of the UK GDPR provides the definitions, and states that personal data is any information that directly or indirectly relates to an identified or identifiable individual. For example, their name, location data or an online identifier. Recital 30 of the UK GDPR expands on this and gives examples of online identifiers such as cookie identifiers, IP addresses and also MAC addresses.
MAC addresses may be personal data but are not necessarily always personal data. It depends on the circumstances.
It will become personal data if the MAC address can be linked to other information that your organisation holds which results in the individual being distinguished from other individuals and identifiable. For example, there may be a sign-in process for the passenger and your organisation keeps a record of the sign-in information. In this instance, it is likely that the MAC address linked with the additional sign-in information will become personal data.
If you are unsure whether particular information constitutes personal data then as good practice, you should always treat the information as personal data. As our guidance explains, this includes being transparent with individuals as to how you are collecting the information, keeping it secure and also protecting it from inappropriate disclosure.
Many discussions online about the status of MAC addresses assume that, because it could be possible to identify an individual from a MAC address alone, it must be private data. For example, law-enforcement authorities could follow the procurement chain by contacting manufacturers, distributors and retail units, and then ultimately the individual.
Do organisations store MAC addresses?
Almost certainly, for a short period of time. MAC addresses are necessary for network components to function, and most modern networks temporarily store (cache) them, together with their IP address counterparts on the network, in a table called an ARP cache. Most discussions seem to disregard this fact completely, so even when the proposal is to cache a MAC address in order to block a malicious user, organisations push back for fear of storing private data (despite the fact that their network switches and routers are doing this anyway and that, on its own, a MAC address isn't personal data).
What’s the big flaw in all this?
As is so often the case, laws and regulations pertaining to technology do not easily keep up with the pace of change and evolution. Law enforcement agencies in some countries are spending large sums of money (or forcing others to do so) to store huge volumes of data logs of MAC addresses and their activity. This is a huge waste of resources and money: while MAC addresses are preset on devices, they are easily changed, and many modern devices randomly change their MAC address every time they connect to a new network to protect the privacy of their users.
As an example, all of Apple's iOS 14 operating systems (released in 2020 and available to iPhones from version 6 upwards) use a random MAC address by default. Similarly, the Android 10 operating system (released in 2019) also uses a random MAC address by default. Finally, Windows 10 devices can also use a random MAC address simply by turning it on in the options for their device.
Clearly, this means not only that the vast majority of users won't be using a MAC address that could identify them, but also that criminals could easily be using the MAC address of a completely different device and person.
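To gauge how much of a stored MAC log consists of such changeable addresses, the following added example (not code from Seguro or the ICO) checks the two flag bits in the first octet that IEEE 802 defines: the group bit and the locally administered bit, which randomised addresses set. The log entries and function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample log: (source, MAC) pairs in notations commonly seen in logs.
SAMPLE_LOG = [
    ("dhcp", "3C:22:FB:10:20:30"),    # both flag bits clear
    ("wifi", "da:a1:19:4b:7c:02"),    # locally administered bit set
    ("wifi", "F2-5C-89-00-11-22"),    # locally administered, hyphen notation
    ("switch", "0011.2233.4455"),     # both flag bits clear, dotted notation
    ("wifi", "01:00:5e:00:00:fb"),    # group bit set: multicast, not one device
    ("wifi", "not-a-mac"),            # malformed entry
]

def parse_mac(text):
    """Return the 6 address bytes, or None if text is not a 48-bit MAC."""
    digits = re.sub(r"[:.\-]", "", text.strip())   # tolerate common separators
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        return None
    return bytes.fromhex(digits)

def classify(text):
    """Classify a MAC by the two low-order flag bits of its first octet."""
    mac = parse_mac(text)
    if mac is None:
        return "invalid"
    if mac[0] & 0x01:        # I/G bit: multicast or broadcast address
        return "group"
    if mac[0] & 0x02:        # U/L bit: set by software, e.g. OS randomisation
        return "locally-administered"
    # Looks vendor-assigned, but this is no proof: the value may be spoofed.
    return "universally-administered"

def summarise(log):
    """Count log entries per class."""
    return Counter(classify(mac) for _source, mac in log)

if __name__ == "__main__":
    for kind, count in sorted(summarise(SAMPLE_LOG).items()):
        print(f"{kind:26} {count}")
```

A locally administered address can also come from a virtual machine or manual configuration, so the count is an upper bound on randomised devices rather than an exact figure.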