Listen to this post

In a recent blog post, the FTC again cautioned entities that hashing data does not make that data anonymous. Hashing is a process that takes a particular input, such as a phone number or email address, and uses a mathematical formula to create a different output. However, hashing does not make the output “anonymized” from the FTC’s perspective. This is because the hashing can be undone and reveal information that was initially obscured.

The Agency first highlighted its views on “hashing” in 2012. Since then, the FTC has brought enforcement actions against companies that have made statements about data use and collection practices that relate to hashing. For instance, if a company that sells hashed information states in their privacy policy that they do not share or sell personal information with third parties because they believe hashed information is no longer identifiable, that company could face allegations of unfair or deceptive trade practices under the FTC’s Section 5 authority as the FTC takes the perspective that the hashed information is, in fact, still identifiable.

According to the FTC, although hashing may facially appear to conceal personal information, it still creates a unique identifier that corresponds to the initial input. This means that hashed information still has the ability to be tied to a particular individual. Sharing hashed information does not provide users with meaningful anonymity. Companies that utilize hashing believing it “anonymizes” or reduces the data’s sensitivity may face scrutiny if they make certain claims to the contrary about their data sharing practices.

Putting it into practice. The FTC’s position on “hashing” is not new. That said, the renewed statements in this blog signals the Agency’s likely upcoming focus on enforcing against businesses that use persistent unique identifiers in serving targeted advertising but nevertheless make statements that only “non-identifiable data” is shared. Companies that share hashed information or use other unique ID’s should do their diligence to ensure public-facing statements are consistent with practices.