-1

Just wondering, in the US, if a retailer or restaurant wants to collect a user's data by obtaining their MAC address, is it illegal?

schroeder

1 Answer

1

Specific laws

The one US statute that clearly states that IP and MAC addresses are personal information is the Children's Online Privacy Protection Act (COPPA). In 2013, the FTC revised the COPPA Rule, which defines "personal information" as "individually identifiable information about an individual collected online," as specifically including IP addresses, MAC addresses, and other unique device identifiers. The Health Insurance Portability and Accessibility Act (HIPAA) includes device identifiers (such as MAC addresses) and IP addresses as "identifiers" that must be removed in order to de-identify protected health information. State security breach notification laws define personal information, but those laws do not include IP address, MAC address, or other device identifier as PII.

The FTC's view

In April, Jessica Rich, the Director of the FTC's Bureau of Consumer Protection, wrote on the FTC's business blog about cross-device tracking. In her remarks, she restated the FTC's long-held position that data is personally identifiable, "and thus warranting privacy protections, when it can be reasonably linked to a particular person, computer, or device. In many cases, persistent identifiers such as device identifiers, MAC addresses, static IP addresses, or cookies meet this test." She then specifically cited the FTC's 2013 amendments to the COPPA Rule as an example of this in practice. Director Rich's comments signal that the FTC views IP and MAC addresses, and other unique device identifiers, in a similar manner as the Office of the Privacy Commissioner of Canada -- if it can be associated with an identifiable individual, it should be considered personal information.

Reference

Daniel Netto