Do you capture device information (e.g., IP address, MAC address)?
Explanation
Device-level data collection is what's being asked about, namely whether you capture identifiers like IP and MAC addresses from connecting devices. Device information primarily includes IP addresses (which identify a device on a network) and MAC addresses (a hardware identifier unique to a network interface).
This is being asked in a security assessment for several important reasons:
1. Privacy implications: Device information can be considered personally identifiable information (PII) in many jurisdictions, as it can be used to identify or track individuals.
2. Regulatory compliance: Many privacy regulations (like GDPR in Europe) require disclosure and proper handling of any collected device information.
3. Data retention policies: Organizations need to have clear policies about how long they store this information and how it's protected.
4. Purpose limitation: The assessor wants to understand why you're collecting this data and ensure it's being used only for legitimate purposes.
When answering this question, you should:
- Be transparent about what device information you collect
- Explain why you collect it (security monitoring, fraud prevention, etc.)
- Mention how long you retain this information
- Describe any anonymization or pseudonymization techniques you use
- Reference your privacy policy or terms of service that disclose this collection
Even if the collection seems routine or necessary for operations, it's important to be explicit about your practices.
Guidance
Device information can be captured for a variety of reasons, from analytics to marketing to network management and security. It is important to know the details in order to be clear on the privacy implications.
Example Responses
Example Response 1
Yes, our application captures and logs IP addresses as part of our standard security practices We collect this information for several purposes: (1) to detect and prevent fraudulent access attempts, (2) to troubleshoot connectivity issues, and (3) to comply with legal requirements for audit trails We do not collect MAC addresses IP addresses are stored in encrypted log files for 90 days, after which they are automatically purged This collection is disclosed in our privacy policy, and we have implemented access controls to ensure only authorized security personnel can view this information We do not use IP addresses for marketing purposes or share them with third parties except when legally required.
Example Response 2
Yes, we capture both IP addresses and MAC addresses for devices connecting to our service IP addresses are collected for all users and stored for 12 months for security monitoring and fraud prevention MAC addresses are only collected for corporate-owned devices as part of our mobile device management (MDM) solution to ensure only authorized devices can access sensitive corporate resources All device information is stored in our encrypted database with strict access controls Users are informed about this collection in our privacy notice, and they can request information about their stored data through our privacy portal We implement data minimization principles and only use this information for the stated security purposes.
Example Response 3
No, our application does not currently capture or store device information such as IP addresses or MAC addresses While this might limit some security capabilities like detecting suspicious login patterns or enforcing location-based access controls, we've made this design choice to enhance user privacy Instead, we rely on other security mechanisms such as strong authentication requirements, behavior analytics that don't depend on device identifiers, and encrypted session tokens We recognize this creates some security trade-offs, but we've implemented compensating controls to address the risks If we need to investigate specific security incidents, we may temporarily enable IP logging with appropriate approvals and notifications to users.
Context
- Tab
- Privacy
- Category
- Privacy of Sensitive Data
Related questions
- Do you collect, process, or store demographic information?
- Do you capture or create genetic, biometric, or behaviometric information (e.g., facial recognition or fingerprints)?
- Do you combine institutional data (including "de-identified," "anonymized," or otherwise masked data) with personal data from any other sources?
- Is institutional data coming into or going out of the United States at any point during collection, processing, storage, or archiving?
- Does any part of this service/project involve a web/app tracking component (e.g., use of web-tracking pixels, cookies)?
- Does your staff (or a third party) have access to institutional data (e.g., financial, PHI, or other sensitive information) through any means?

