FTC Warns That Hashing Data is Not Anonymization


14Aug


The Federal Trade Commission (FTC) recently sent a reminder that “hashing” personal data is not as protective as companies may think.

As explained in a blog post from the FTC’s Office of Technology staff, “Hashing involves taking a piece of data—like an email address, a phone number, or a user ID—and using math to turn it into a number (called a hash) in a consistent way: the same input data will always create the same hash. For example, hashing the fictional phone number “123-456-7890” transforms it into the hash “2813448ce6316cb70b38fa29c8c64130”, a hexadecimal number that might appear random, but is always what someone gets when they hash that phone number.”

Since hashed data "appears meaningless and seemingly can’t be used to find the original phone number, companies often claim that hashing allows them to preserve user privacy."

Unfortunately, the FTC staff warn, this does not make the data anonymous. Hashed data “can still be used to identify users, and their misuse can lead to harm. Companies should not act or claim as if hashing personal information renders it anonymized. FTC staff will remain vigilant to ensure companies are following the law and take action when the privacy claims they make are deceptive.”

Hashing can “obscure how a user identifier appears,” but “it still creates a unique signature that can track a person or device over time.” Hence, the FTC warned companies against relying “on hashing to reduce data sensitivity.”
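The following added example (not code from the FTC or from this article) shows the "unique signature" point: two separately collected datasets that store only hashed email addresses can still be joined on the hash. The sample records, the choice of SHA-256, and the per-dataset HMAC keys used for contrast are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed sample records: two datasets collected by different parties.
APP_EVENTS = {"alice@example.com": "used feature A", "bob@example.com": "opened app"}
AD_PROFILES = {"Alice@Example.com ": "segment 17", "carol@example.com": "segment 4"}


def normalize(email: str) -> str:
    # Typical pre-hash cleanup; it makes matching across sources more reliable.
    return email.strip().lower()


def plain_hash(email: str) -> str:
    # Unkeyed hash: the same input yields the same value for everyone, everywhere.
    return hashlib.sha256(normalize(email).encode()).hexdigest()


def keyed_pseudonym(email: str, key: bytes) -> str:
    # Keyed hash (HMAC): the value depends on a secret held by one dataset owner.
    return hmac.new(key, normalize(email).encode(), hashlib.sha256).hexdigest()


def replace_ids(dataset: dict, fn) -> dict:
    # Swap each email for its hashed form, keeping the attached record.
    return {fn(email): record for email, record in dataset.items()}


def link(a: dict, b: dict) -> dict:
    # Join two datasets on whatever identifier they share.
    return {k: (a[k], b[k]) for k in a.keys() & b.keys()}


def demo():
    # Unkeyed hashes: the email is gone, but the join still finds the same person.
    linked_plain = link(replace_ids(APP_EVENTS, plain_hash),
                        replace_ids(AD_PROFILES, plain_hash))
    # Separate constructed keys per dataset: the values no longer line up.
    app_keyed = replace_ids(APP_EVENTS, lambda e: keyed_pseudonym(e, b"constructed-key-app"))
    ads_keyed = replace_ids(AD_PROFILES, lambda e: keyed_pseudonym(e, b"constructed-key-ads"))
    return linked_plain, link(app_keyed, ads_keyed)


if __name__ == "__main__":
    plain, keyed = demo()
    print("linked via unkeyed hash:", list(plain.values()))
    print("linked via per-dataset keyed hash:", list(keyed.values()))
```

The keyed value is still a persistent identifier inside its own dataset and for anyone holding the key, so it is pseudonymization rather than anonymization.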

As examples, the FTC blog cited the 2015 Nomi case, the 2022 BetterHelp case, the 2023 Premom case, and the 2024 InMarket case.

This is all a helpful reminder that what insights professionals might think is personally identifiable often differs from what regulators and enforcers think.

Insights Association members should review IA compliance info and guidance on a range of privacy and data security issues, consider their professional and cyber liability insurance, look into ISO 27001 certification for data security, revisit/review their privacy policies, and review and update contracts and policy clauses.

This information is not intended and should not be construed as or substituted for legal advice. It is provided for informational purposes only. It is advisable to consult with private counsel on the precise scope and interpretation of any laws/regulation/legislation and their impact on your particular business.

About the Author

Howard Fienberg


Based in Washington, DC, Howard is the Insights Association's lobbyist for the marketing research and data analytics industry, focusing primarily on consumer privacy and data security, the Telephone Consumer Protection Act (TCPA), tort reform, and the funding and integrity of the decennial Census and the American Community Survey (ACS). Howard has more than two decades of public policy experience. Before the Insights Association, he worked in Congress as senior legislative staffer for then-Representatives Christopher Cox (CA-48) and Cliff Stearns (FL-06). He also served more than four years with a science policy think tank, working to improve the understanding of scientific and social research and methodology among journalists and policymakers. Howard is also co-director of The Census Project, a 900+ member coalition in support of a fair and accurate Census and ACS. He has also served previously on the Board of Directors for the National Institute for Lobbying and Ethics and the Association of Government Relations Professionals. Howard has an MA International Relations from the University of Essex in England and a BA Honors Political Studies from Trent University in Canada, and has obtained the Certified Association Executive (CAE), Professional Lobbying Certificate (PLC) and the Public Policy Certificate (PPC). When not running advocacy for the Insights Association, Howard enjoys hockey, NFL football, sci-fi and horror movies, playing with his dog, and spending time with family and friends.
