FTC Warns That Hashing Data is Not Anonymization - Articles


The Federal Trade Commission (FTC) recently sent a reminder that “hashing” personal data is not as protective as companies may think.

As explained in a blog post from the FTC’s Office of Technology staff, “Hashing involves taking a piece of data—like an email address, a phone number, or a user ID—and using math to turn it into a number (called a hash) in a consistent way: the same input data will always create the same hash. For example, hashing the fictional phone number ‘123-456-7890’ transforms it into the hash ‘2813448ce6316cb70b38fa29c8c64130’, a hexadecimal number that might appear random, but is always what someone gets when they hash that phone number.”

Since hashed data "appears meaningless and seemingly can’t be used to find the original phone number, companies often claim that hashing allows them to preserve user privacy."

Unfortunately, the FTC staff warn, this does not make the data anonymous. Hashed data “can still be used to identify users, and their misuse can lead to harm. Companies should not act or claim as if hashing personal information renders it anonymized. FTC staff will remain vigilant to ensure companies are following the law and take action when the privacy claims they make are deceptive.”

Hashing can “obscure how a user identifier appears,” but “it still creates a unique signature that can track a person or device over time.” Hence, the FTC warned companies against relying “on hashing to reduce data sensitivity.”
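An added example (not from the FTC post or this article) of why a hashed identifier still works as a persistent identifier: two datasets that share only hashed phone numbers can be joined into one profile, and anyone who holds a phone number can recompute its hash and find that profile. The use of SHA-256, the digit-only normalization, the function names, and all records below are assumptions constructed for illustration.

```python
import hashlib
from collections import defaultdict

def hash_identifier(value: str) -> str:
    """Unkeyed, deterministic hash of a phone number (SHA-256 is an assumption)."""
    normalized = "".join(ch for ch in value if ch.isdigit())
    return hashlib.sha256(normalized.encode()).hexdigest()

# Constructed sample data: two unrelated datasets that hold no raw phone numbers,
# only hashes. The second dataset received the number in different formats.
APP_EVENTS = [
    {"phone_hash": hash_identifier("123-456-7890"), "event": "opened health app", "day": "2024-01-03"},
    {"phone_hash": hash_identifier("555-010-0199"), "event": "opened health app", "day": "2024-01-04"},
]
LOCATION_PINGS = [
    {"phone_hash": hash_identifier("(123) 456-7890"), "place": "clinic", "day": "2024-02-11"},
    {"phone_hash": hash_identifier("123.456.7890"), "place": "pharmacy", "day": "2024-03-02"},
]

def link_by_hash(*datasets):
    """Group records from every dataset under the hash they share."""
    profiles = defaultdict(list)
    for dataset in datasets:
        for record in dataset:
            rest = {k: v for k, v in record.items() if k != "phone_hash"}
            profiles[record["phone_hash"]].append(rest)
    return dict(profiles)

def records_for(known_phone: str, profiles: dict) -> list:
    """Recompute the hash of a known number and return the records linked to it."""
    return profiles.get(hash_identifier(known_phone), [])

if __name__ == "__main__":
    profiles = link_by_hash(APP_EVENTS, LOCATION_PINGS)
    for digest, records in profiles.items():
        print(digest[:12], "->", len(records), "linked records")
    # The same person's activity across months and across datasets is recovered
    # from the hash alone, which is why the hash is still personal data.
    for record in records_for("123-456-7890", profiles):
        print(record)
```

For a privacy review, the practical takeaway is that a column of hashed phone numbers or email addresses belongs in the data inventory as an identifier, with the same access, retention, and sharing controls as the raw value.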

As examples, the FTC blog cited the 2015 Nomi case, the 2022 BetterHelp case, the 2023 Premom case, and the 2024 InMarket case.

This is all a helpful reminder that what insights professionals might think is personally identifiable often differs from what regulators and enforcers think.

Insights Association members should review IA compliance info and guidance on a range of privacy and data security issues, consider their professional and cyber liability insurance, look into ISO 27001 certification for data security, revisit/review their privacy policies, and review and update contracts and policy clauses.

This information is not intended and should not be construed as or substituted for legal advice. It is provided for informational purposes only. It is advisable to consult with private counsel on the precise scope and interpretation of any laws/regulation/legislation and their impact on your particular business.
