Keys for Compliance: Hashed Data Is Not Anonymous Data

August 21, 2024

Yell it from the rooftops: “Hashed data is NOT anonymous data!”

For compliance professionals familiar with global regulations, this should not be a surprise. But enough organizations have been misrepresenting the nature of their data collection and processing that in July, the Federal Trade Commission (FTC) of the United States published a blog clarifying this fact. From the blog, “… hashes aren’t ‘anonymous’ and can still be used to identify users, and their misuse can lead to harm. Companies should not act or claim as if hashing personal information renders it anonymized.”

To understand why this is the case, it is helpful to first think about what it means to hash data. It is also helpful to look at the definitions of personal data and personal information as they relate to privacy compliance.

What does it mean to “hash” data?

Again from the FTC blog, “Hashing involves taking a piece of data—like an email address, a phone number, or a user ID—and using math to turn it into a number (called a hash) in a consistent way: the same input data will always create the same hash.” 

To put it simply, hashing is the process of obfuscating one value (such as a clear-text email address) by turning it into a different value in a consistent manner. Consistency here is key; the same input when using the same hashing method will always output the same new hashed value. While a hashed value cannot be “unhashed” or decrypted back to the original value, it still represents a unique value associable with the original. It is this consistency and uniqueness that leads to the implications for privacy and anonymity. 
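The consistency and uniqueness described above can be seen in a short added example (not from the original post or the FTC blog). It assumes SHA-256 over a trimmed, lower-cased email address; the datasets are constructed sample records and the function names are hypothetical.

```python
import hashlib


def hash_email(email: str) -> str:
    """SHA-256 of the normalised address (assumed hashing scheme)."""
    return hashlib.sha256(email.strip().lower().encode("utf-8")).hexdigest()


# Constructed sample data: two unrelated datasets that store only hashed emails.
NEWSLETTER = {
    hash_email("Alice@example.com"): {"segment": "running shoes"},
    hash_email("bob@example.com"): {"segment": "cookware"},
}
PHARMACY = {
    hash_email("alice@example.com "): {"purchase": "allergy medication"},
    hash_email("carol@example.com"): {"purchase": "vitamins"},
}


def link_records(a: dict, b: dict) -> dict:
    """Join two datasets on the hash alone; no clear-text email is involved.

    The same input always yields the same hash, so the hash works as a
    stable cross-dataset identifier for one individual.
    """
    return {h: {**a[h], **b[h]} for h in a.keys() & b.keys()}


def reidentify(hashed: dict, known_emails: list) -> dict:
    """Match hashed records against a list of addresses the holder already has.

    Nothing is "unhashed": the known addresses are hashed the same way and
    compared, which is enough to attach a record to a named person.
    """
    lookup = {hash_email(e): e for e in known_emails}
    return {lookup[h]: rec for h, rec in hashed.items() if h in lookup}


if __name__ == "__main__":
    for h, profile in link_records(NEWSLETTER, PHARMACY).items():
        print("linked profile", h[:12], profile)
    print(reidentify(PHARMACY, ["alice@example.com", "dave@example.com"]))
```

Running the same two checks against a real schema during a privacy review shows quickly whether a "hashed" column still behaves as a personal identifier.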

What is “personal data” or “personal information”?

Personal Data, as defined in Europe’s General Data Protection Regulation (GDPR) is, “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.” (GDPR, Article 4(1))

Personal Information, as defined in the California Consumer Privacy Act (CCPA) is, “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” (CCPA, Section 1798.140(o)(1))

Additional global regulations generally follow the same logic and definition as the two above. The important point, and consistent across all global regulations, is the inclusion of any data which can be associated with or linked directly or indirectly with an individual. This means that any datapoint, even if not a direct identifier such as a clear-text email, which uniquely represents an individual, falls within scope. 

Thinking back to a hashed value, which is a unique representation of a user identifier, this clearly fits the definitions for personal information and personal data across privacy regulations. Taken all together, it is clear that a hashed identifier is not anonymous.

So, what does this mean?

It means that any data collection of personal information, be it in clear-text or hashed form, should be considered for privacy compliance obligations. Processing of that data must be assessed for risk, disclosed to consumers, have consent preferences provided, be subject to data subject request requirements, and have technical and operational protections provided. 

Hashed data is not anonymous; if personal data is hashed it must be treated with the same compliance consciousness as if it were in an unhashed format. Now that enforcement bodies are underscoring this point, consider your organization warned. 


Author

  • Lucas Long is co-author of the Amazon best-selling book, Crawl, Walk, Run: Becoming a Privacy-Centric Marketing Organization. He is also the Director of Privacy Strategy at InfoTrust, working with global organizations at the intersection of digital strategy, privacy regulations, and technical data collection architecture. Through these efforts, Lucas helps companies understand their limitations for data enablement due to privacy challenges and design optimal ways to accomplish core use cases in a compliant manner.

    When not discussing the intricacies of GDPR and cookie laws with clients, Lucas enjoys traveling and exploring new cultures, one bite at a time. Based in Barcelona, he is also a presenter, featured at industry events organized by Google, the Digital Analytics Association, the American Marketing Association, and the Journal of Applied Marketing Analytics.

Last Updated: August 21, 2024