Yell it from the rooftops: “Hashed data is NOT anonymous data!”
For compliance professionals familiar with global regulations, this should not be a surprise. But enough organizations have been misrepresenting the nature of their data collection and processing that in July, the Federal Trade Commission (FTC) of the United States published a blog clarifying this fact. From the blog, “… hashes aren’t ‘anonymous’ and can still be used to identify users, and their misuse can lead to harm. Companies should not act or claim as if hashing personal information renders it anonymized.”
To understand why this is the case, it is helpful to think about what hash data means first. It is also helpful to look at the definitions of personal data and personal information as it relates to privacy compliance.
What does it mean to “hash” data?
Again from the FTC blog, “Hashing involves taking a piece of data—like an email address, a phone number, or a user ID—and using math to turn it into a number (called a hash) in a consistent way: the same input data will always create the same hash.”
To put it simply, hashing is the process of obfuscating one value (such as a clear-text email address) by turning it into a different value in a consistent manner. Consistency here is key; the same input when using the same hashing method will always output the same new hashed value. While a hashed value cannot be “unhashed” or decrypted back to the original value, it still represents a unique value associable with the original. It is this consistency and uniqueness that leads to the implications for privacy and anonymity.
What is “personal data” or “personal information”?
Personal Data, as defined in Europe’s General Data Protection Regulation (GDPR) is, “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.” (GDPR, Article 4(1))
Personal Information, as defined in the California Consumer Privacy Act (CCPA) is, “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” CCPA Section 1798.140(o)(1)
Additional global regulations generally follow the same logic and definition as the two above. The important point, and consistent across all global regulations, is the inclusion of any data which can be associated with or linked directly or indirectly with an individual. This means that any datapoint, even if not a direct identifier such as a clear-text email, which uniquely represents an individual, falls within scope.
Thinking back to a hashed value, which is a unique representation of a user identifier, this clearly fits the definitions for personal information and personal data across privacy regulations. Taken all together, it is clear that a hashed identifier is not anonymous.
So, what does this mean?
It means that any data collection of personal information, be it in clear-text or hashed form, should be considered for privacy compliance obligations. Processing of that data must be assessed for risk, disclosed to consumers, have consent preferences provided, be subject to data subject request requirements, and have technical and operational protections provided.
Hashed data is not anonymous; if personal data is hashed it must be treated with the same compliance consciousness as if it were in an unhashed format. Now that enforcement bodies are underscoring this point, consider your organization warned.
