FTC Warns Against Misleading Anonymization Claims Through Hashing

 

In a blog post on 24 July 2024, the FTC underscores that hashed data is not anonymous. Hashing converts data, such as email addresses, into fixed numerical values. While this process can obscure the original data, it does not anonymize it, as hashed values can still uniquely identify individuals. The FTC has highlighted several cases demonstrating the misuse of hashed data and other pseudonymous identifiers, emphasizing the need for companies to accurately represent their data privacy practices.

 

The Mechanism of Hashing

• • Hashing transforms data like email addresses into a numerical hash.

• • Example: The phone number “123-456-7890” becomes “2813448ce6316cb70b38fa29c8c64130”.

• • Despite appearing meaningless, hashes can still uniquely identify users.

 

Notable FTC Cases

• • Nomi (2015): The FTC alleged that Nomi used hashed MAC addresses to track users in stores, which still allowed user identification.

• • BetterHelp (2022): The FTC charged BetterHelp for sharing hashed email addresses with Facebook, which could then identify users seeking mental health counseling.

• • Premom (2023): Premom allegedly shared unique advertising and device identifiers, enabling third-party tracking contrary to its privacy claims.

• • InMarket (2024): The FTC alleged InMarket used unique mobile device identifiers for user tracking without informed consent.

 

What to keep in mind

• • Hashes and other unique identifiers can be used for persistent tracking.

• • Companies must not claim that hashing anonymizes data – pseudonymization is not anonymization.

• • This issue applies also in the EU – the concept of personal data under the GDPR is broad and as long as there is any possibility to single out an individual, even if the data does not seem to make sense in itself, then the data is personal and GDPR applies. See recital 26 GDPR which says “To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly.”

A couple of recommended readings on this topic:

• Singling out people without knowing their names – Behavioural targeting, pseudonymous data, and the new Data Protection Regulation, by Frederik Borgesius (available at SSRN)
• FPF’s Visual Guide to Practical Data De-Identification (here).