14 Aug

FTC Warns That Hashing Data is Not Anonymization

The Federal Trade Commission (FTC) recently sent a reminder that “hashing” personal data is not as protective as companies may think.

As explained in a blog post from the FTC’s Office of Technology staff, “Hashing involves taking a piece of data—like an email address, a phone number, or a user ID—and using math to turn it into a number (called a hash) in a consistent way: the same input data will always create the same hash. For example, hashing the fictional phone number ‘123-456-7890’ transforms it into the hash ‘2813448ce6316cb70b38fa29c8c64130’, a hexadecimal number that might appear random, but is always what someone gets when they hash that phone number.”

Since hashed data "appears meaningless and seemingly can’t be used to find the original phone number, companies often claim that hashing allows them to preserve user privacy."

Unfortunately, the FTC staff warn, this does not make the data anonymous. Hashed data “can still be used to identify users, and their misuse can lead to harm. Companies should not act or claim as if hashing personal information renders it anonymized. FTC staff will remain vigilant to ensure companies are following the law and take action when the privacy claims they make are deceptive.”

Hashing can “obscure how a user identifier appears,” but “it still creates a unique signature that can track a person or device over time.” Hence, the FTC warned companies against relying “on hashing to reduce data sensitivity.”
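The "unique signature" point can be seen by joining two separately collected datasets on their hashed identifiers. The sketch below is an added example, not code from the FTC post or from this article; the choice of SHA-256, the sample records, the keys and all function names are assumptions constructed for illustration. It also shows that giving each dataset its own secret key (HMAC) stops the cross-dataset join, while the keyed value still identifies the same person consistently inside a single dataset.

```python
import hashlib
import hmac

def normalise(identifier: str) -> bytes:
    # Typical pre-hash normalisation: trim whitespace, lower-case.
    return identifier.strip().lower().encode("utf-8")

def plain_hash(identifier: str) -> str:
    # Unkeyed hash: anyone who hashes the same email gets the same value.
    return hashlib.sha256(normalise(identifier)).hexdigest()

def keyed_hash(identifier: str, key: bytes) -> str:
    # Keyed hash: the value depends on a secret held by one data holder.
    return hmac.new(key, normalise(identifier), hashlib.sha256).hexdigest()

# Constructed sample records: (identifier, event) from two unrelated sources.
APP_EVENTS = [
    ("alice@example.com", "app: created account"),
    ("bob@example.com", "app: viewed pricing"),
    ("Alice@Example.com ", "app: completed survey"),
]
AD_LOG = [
    ("alice@example.com", "ads: store visit"),
    ("carol@example.com", "ads: store visit"),
]

def pseudonymise(records, id_func):
    # Replace the raw identifier with its hashed form.
    return [(id_func(ident), event) for ident, event in records]

def link(*datasets):
    # Group events by hashed ID and keep IDs that occur in more than one dataset.
    seen = {}
    for source, dataset in enumerate(datasets):
        for hashed_id, event in dataset:
            seen.setdefault(hashed_id, []).append((source, event))
    return {
        hashed_id: [event for _, event in entries]
        for hashed_id, entries in seen.items()
        if len({source for source, _ in entries}) > 1
    }

def linked_with_plain_hash():
    return link(pseudonymise(APP_EVENTS, plain_hash),
                pseudonymise(AD_LOG, plain_hash))

def linked_with_separate_keys():
    # Constructed keys; each dataset is pseudonymised under a different secret.
    app = pseudonymise(APP_EVENTS, lambda s: keyed_hash(s, b"constructed-key-A"))
    ads = pseudonymise(AD_LOG, lambda s: keyed_hash(s, b"constructed-key-B"))
    return link(app, ads)
```
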

As examples, the FTC blog cited the 2015 Nomi case, the 2022 BetterHelp case, the 2023 Premom case, and the 2024 InMarket case.

This is all a helpful reminder that what insights professionals might think is personally identifiable often differs from what regulators and enforcers think.

Insights Association members should review IA compliance info and guidance on a range of privacy and data security issues, consider their professional and cyber liability insurance, look into ISO 27001 certification for data security, revisit/review their privacy policies, and review and update contracts and policy clauses.

This information is not intended and should not be construed as or substituted for legal advice. It is provided for informational purposes only. It is advisable to consult with private counsel on the precise scope and interpretation of any laws/regulation/legislation and their impact on your particular business.

About the Author

Howard Fienberg

Based in Washington, DC, Howard is the Insights Association's lobbyist for the marketing research and data analytics industry, focusing primarily on consumer privacy and data security, the Telephone Consumer Protection Act (TCPA), tort reform, and the funding and integrity of the decennial Census and the American Community Survey (ACS). Howard has more than two decades of public policy experience. Before the Insights Association, he worked in Congress as senior legislative staffer for then-Representatives Christopher Cox (CA-48) and Cliff Stearns (FL-06). He also served more than four years with a science policy think tank, working to improve the understanding of scientific and social research and methodology among journalists and policymakers. Howard is also co-director of The Census Project, a 900+ member coalition in support of a fair and accurate Census and ACS. He has also served previously on the Board of Directors for the National Institute for Lobbying and Ethics and the Association of Government Relations Professionals. Howard has an MA International Relations from the University of Essex in England and a BA Honors Political Studies from Trent University in Canada, and has obtained the Certified Association Executive (CAE), Professional Lobbying Certificate (PLC) and the Public Policy Certificate (PPC). When not running advocacy for the Insights Association, Howard enjoys hockey, NFL football, sci-fi and horror movies, playing with his dog, and spending time with family and friends.
