In a July 24, 2024 technology blog post, the Federal Trade Commission (FTC) reiterated its long-standing position that hashing or pseudonymizing identifiers does not make data anonymous.
In a fairly strongly worded post, the FTC acknowledged that data hashing and pseudonymization have the benefit of obscuring the underlying personal data, but firmly disagreed that they anonymize personal data, stating:
[C]ompanies often claim that hashing protects user privacy. This logic is time-honored, but it is also flawed. Hashes are not “anonymous” and can be used to identify users and can cause harm if misused. Companies should not act or claim as if hashing personal information makes it anonymous.
The FTC emphasized that this has been the agency’s position for many years, highlighted several past enforcement actions on the point, and even cited a 2012 FTC technology blog post, “Does Hashing Make Data ‘Anonymous’?” (Instead of linking to the 2012 blog post, the FTC brazenly wrote, “To save some clicks, the answer is no, it does not make data anonymous.”)
Not surprisingly, the FTC appears to be focused on the use and disclosure of persistent online identifiers commonly used to recognize individuals and devices online, such as email addresses, phone numbers, MAC addresses, hashed email addresses, device identifiers, advertising identifiers, etc. In its post, the FTC emphasizes that hashing these identifiers does not exempt companies from their privacy obligations.
Regardless of appearance, all user identifiers have powerful capabilities to identify and track people over time, so identifier opacity is no excuse for inappropriate use or disclosure.
The FTC also clarified its position that it is deceptive for companies to claim or treat hashed or pseudonymized identifiers as anonymous in order to track or target individuals or devices over time, and indicated that this is a focus area for enforcement.
FTC staff will continue to monitor companies to ensure they are complying with the law and will take action if privacy claims are false.
What are the takeaways?
While this is not a new position or development, the FTC has indicated that this is now an area of focus. It may be a good time to remind digital, advertising, and other teams that online and other persistent identifiers (hashed or not) are still personal data and subject to privacy requirements. It may also make sense to review related practices and areas such as online and in-app identifiers and tracking (analytics, advertising, and more), retargeting, custom audience building, and targeted advertising such as list matching.
Additionally, companies should review their privacy policies and other public privacy statements to ensure they are not claiming or implying that hashed or pseudonymized data is anonymous or overstating the privacy benefits of such practices.