FTC Reiterates that Hashed and Pseudonymized Data is Still Identifiable Data

DLA Piper

The Federal Trade Commission (FTC) reiterated its long-held view that hashing or pseudonymizing identifiers does not render data anonymous, in a post to its Technology Blog on July 24, 2024.

In the rather strongly worded post, the FTC acknowledges that hashing and pseudonymizing data have the benefit of obscuring the underlying personal data, but adamantly disagrees that doing so renders personal data anonymous, stating that:

[C]ompanies often claim that hashing allows them to preserve user privacy. This logic is as old as it is flawed – hashes aren’t “anonymous” and can still be used to identify users, and their misuse can lead to harm. Companies should not act or claim as if hashing personal information renders it anonymized.

The FTC emphasized that this has long been the agency’s position, highlighting several prior enforcement actions on this point and also citing a 2012 FTC Technology Blog post, “Does Hashing Make Data ‘Anonymous’?” (Rather than linking to the 2012 blog post, the FTC cheekily wrote: “To save a click, the answer is no, it does not.”)

Unsurprisingly, the FTC seems focused on the use and disclosure of persistent online identifiers that are commonly used to recognize individuals and devices online, such as email addresses, phone numbers, MAC addresses, hashed email addresses, device identifiers and advertising identifiers. In the post, the FTC stresses that hashing these identifiers does not relieve a company of its privacy obligations:

Regardless of what they look like, all user identifiers have the powerful capability to identify and track people over time, therefore the opacity of an identifier cannot be an excuse for improper use or disclosure.

The FTC also made clear its position that it is deceptive for a company to claim or treat as anonymous hashed or pseudonymized identifiers that enable the tracking or targeting of an individual or device over time and indicated that this is an area of focus for enforcement:

FTC staff will remain vigilant to ensure companies are following the law and take action when the privacy claims they make are deceptive.

Takeaways?

While this is not a new position or development, the FTC is indicating that it is an area of focus now. It may be a good time to remind digital, advertising, and other teams that online and other persistent identifiers—hashed or otherwise—are still personal data and subject to privacy requirements. It may also make sense to review relevant practices and areas, such as online and in-app identifiers and tracking (analytics, advertising or otherwise) and targeted advertising, including retargeting and custom audience building and list matching.

In addition, businesses may want to review privacy policies and other public-facing privacy statements to make sure they do not claim or imply that hashed or pseudonymized data is anonymous or overstate the privacy benefits of these practices.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© DLA Piper
