On July 24, 2024, the Federal Trade Commission (FTC) released a statement that hit home for many in the digital advertising and marketing industry. The FTC categorically stated that hashing — commonly used by companies to obscure personal data — is not a foolproof method to ensure anonymity or privacy compliance.
This isn’t new information; the limitations and potential pitfalls of hashing as a privacy measure have been highlighted before. However, the FTC’s explicit stance on this matter sends a strong signal to the industry. It could have far-reaching implications, especially for the growing reliance on data clean rooms, identity solutions, identity resolution, identity bridging technologies and retail media networks.
The FTC’s statement can be found here.
Understanding the FTC’s position
The FTC’s message is clear. Just because data has been hashed does not mean it is anonymous. Hashing, a process that converts personal data like email addresses, phone numbers, or user IDs into seemingly random strings of characters, has often been touted as a way to protect user privacy. The idea is that these hashed strings are not easily reversible, making it difficult for anyone to trace the hash back to the original data.
However, the FTC warns that this is a flawed assumption. Hashes still serve as unique identifiers that track individuals across platforms and over time. Their misuse leads to significant privacy risks and harm. FTC specifically stressed that the:
“FTC staff will remain vigilant to ensure companies are following the law and take action when the privacy claims they make are deceptive.”
Many adtech companies may claim that re-identifying a user from hashed data is nearly impossible. However, this assumption is false: Users can be reidentified or their data reversed without significant cost or effort. And, if the government doesn’t see hashing as sufficient, the industry must take notice. The FTC’s perspective holds significant weight, and companies must align practices accordingly.
Some organizations rely on hashing, believing it reduces data sensitivity while still allowing them to target users with ads. However, this underscores a critical point: The FTC asserts hashing doesn’t eliminate the risk of identification; it only conceals it. As IAB continues engaging with regulators and supporting efforts to protect user data, this stance is no surprise. It reinforces the need for the industry to adopt more robust and transparent privacy practices.
The FTC’s stance raises essential questions about the current and future states of privacy-preserving technologies, including data clean rooms, identity solutions, identity resolution, identity bridging and retail media networks. These technologies are increasingly used to manage, reconcile and connect user identities across different platforms and datasets without directly sharing the raw identifiable information.
Data clean rooms, in particular, are designed to allow multiple parties to collaborate on data insights without exposing underlying raw data. Retail media networks, on the other hand, leverage vast amounts of first-party data both within and outside of their own properties to create highly targeted advertising opportunities across various platforms.
However, even with efforts to go beyond hashing, such as implementing comprehensive strategies that combine encryption, differential privacy and robust access controls, they might not be enough to convince regulators that these methods alone can fully ensure privacy compliance.
Although these technologies are designed to reduce the risk of re-identification and protect data throughout its lifecycle, overstating their privacy benefits and expecting them to serve as a silver bullet for all privacy compliance will be subject to strict regulatory scrutiny.
The challenge is even greater for data clean rooms, identity solutions, identity resolution and bridging processes and retail media networks. These technologies often combine multiple data points, sometimes from disparate sources, to establish or verify user identity and target consumers with precision.
While these processes are powerful for targeting and personalization, they also carry a heightened risk of privacy harm if not managed carefully. If your company uses these technologies, continue to evaluate privacy risks and comply with privacy obligations.
10 recommendations for advertisers and marketers
Given the FTC’s stance, advertisers and marketers must pivot toward more sustainable and privacy-compliant practices.
1. Educate teams on the limits of hashing
Ensure all relevant teams understand that the security benefits of hashing do not render the data de-identified and, therefore, exempt from all privacy obligations. Hashed identifiers should still be treated as personal data, requiring full privacy compliance. This awareness will help prevent over-reliance on hashing and encourage the adoption of more comprehensive privacy measures.
2. Prepare for regulatory compliance
Given the FTC’s announcement that it will continue to closely monitor violations in this area, anticipate increased scrutiny on claims about data de-identification and stricter compliance requirements. Adopting a comprehensive privacy strategy at this point will aid in enhancing preparedness for any upcoming laws or guidelines.
3. Enhance transparency and prioritize user consent
Transparency is key to building and maintaining user trust and obtaining informed consent. It’s essential to clearly communicate to users how their data is collected, used and shared. This transparency should be an ongoing effort, not just a one-time disclosure.
It’s more important than ever to obtain informed consent from users before using their data for advertising and measurement purposes. Affirmative consent is necessary for handling certain highly sensitive personal data. This goes beyond ticking a box; it’s about educating users on how their data will be used and ensuring they have control over it.
4. Perform third-party due diligence
When considering a technology that claims to be capable of de-identifying personal data, thoroughly investigate the vendor. You should understand the specific technology and methods being used and determine whether the output identifier is a unique value that can potentially identify and track an individual over time.
5. Conduct regular privacy audits
Conduct regular privacy compliance reviews to evaluate whether any data set you currently treat as unidentified (if any) can be used to trace an individual over time or be re-identified. Identify any vulnerabilities that could lead to re-identification and take corrective actions as needed.
6. Support IAB Tech Lab’s Seller Defined Audiences
Strong support is necessary for the adoption of IAB Tech Lab’s Seller Defined Audiences, which empowers publishers to leverage their first-party data within their own properties to target audiences — provided user consent is obtained. This approach respects user privacy while allowing publishers to unlock the value of their data.
7. Move beyond first-party data and rethink consumer experience
As reliance on first-party data and hashed identifiers faces increasing scrutiny, the industry should avoid direct response tactics that heavily depend on these methods. Instead, focus on enhancing consumer experiences through investments in rich media, innovative ad formats, branded entertainment, advertorials and sponsorships.
8. Optimize audience reach on O&O platforms using data clean rooms for insights
As privacy regulations evolve and the effectiveness of hashing and other encryption methods are questioned, focusing on reaching audiences more effectively at scale on owned and operated (O&O) properties is crucial. Consider leveraging data clean rooms for valuable insights while exercising caution when contemplating audience activation through these platforms.
9. Honor consumer privacy rights
Although hashing obscures personal data, it doesn’t make it truly de-identified. Over time, hashed data can potentially be reversed or used to re-identify users. Therefore, the industry should treat such data as personal and ensure compliance with consumer privacy rights requests under applicable laws.
10. Advocate for privacy-first data handling
Engage in industry discussions and advocate for a privacy-first approach to data handling that goes beyond hashing. Support efforts to create standards and best practices that recognize the limitations of hashing and promote stronger data protection methods.
What this means for the industry
The FTC’s announcement amplifies its clear warning in recent years for the entire digital advertising and data ecosystem. Reassess your data practices and privacy claims critically. Claiming that hashing is a privacy-compliant solution is no longer tenable. It’s time to evolve strategies and adopt more holistic approaches that genuinely protect consumer privacy.
Responsible data handling practices aligning with regulatory expectations and consumer trust are crucial. The FTC’s latest statement reinforces the need for continuous innovation in how data is managed and protected. Moving forward, methods must be technically sound and legally and ethically robust.
While hashing has its place in data security and privacy, it should not be mistaken for a silver bullet in privacy protection. The FTC has made it clear:
“The opacity of an identifier cannot be an excuse for improper use or disclosure.”
As long as an identifier can be used to identify and track people over time, one must recognize and comply with all privacy obligations, including transparency, consent, user choice, accountability, etc. As an industry, we must take this to heart and strive for transparency, compliance and, above all, trustworthiness in all data practices.
By embracing these principles, the industry can continue to innovate while respecting the privacy rights of the individuals it serves.
Contributing authors are invited to create content for MarTech and are chosen for their expertise and contribution to the martech community. Our contributors work under the oversight of the editorial staff and contributions are checked for quality and relevance to our readers. The opinions they express are their own.
