Why the FTC’s stand on hashing is a wake-up call for digital advertisers

On July 24, 2024, the U.S. Federal Trade Commission (FTC) released a statement that hit home for many in the digital advertising and marketing industry. The FTC categorically stated that hashing — commonly used by companies to obscure personal data — is not a foolproof method to ensure anonymity or privacy compliance. 

This isn’t new information; the limitations and potential pitfalls of hashing as a privacy measure are well known. However, the FTC’s explicit stance is a strong signal to the industry. One that could have far-reaching implications, especially with the growing reliance on data clean rooms, identity solutions, identity resolution, identity bridging technologies and retail media networks.

The FTC’s statement can be found here.

Understanding the FTC’s position

Hashing converts personal data like email addresses, phone numbers or user IDs into seemingly random strings of characters. It is used to protect user privacy because people believe hashed strings are not easily reversible, making it difficult for anyone to trace the hash back to the original data. 

The FTC says this is a flawed assumption. Hashes still serve as unique identifiers that track individuals across platforms and over time. However, users can be re-identified or their data reversed without significant cost or effort. This is a significant privacy risk with the potential for serious harm. The agency stressed that its “staff will remain vigilant to ensure companies are following the law and take action when the privacy claims they make are deceptive.”

If the government doesn’t see hashing as sufficient, companies must follow suit.

Implications for privacy technologies

This raises essential questions about the current and future use of privacy-preserving systems like data clean rooms, identity solutions, identity resolution and identity bridging.

These often combine multiple data points, sometimes from disparate sources, to establish or verify user identity and target consumers with precision. Although they are designed to reduce the risk of re-identification and protect data, overstating their privacy benefits and expecting them to serve as a silver bullet for all privacy compliance may not be enough.

Even adding comprehensive strategies combining encryption, differential privacy and robust access controls, might not be enough for regulators.

9 actions for advertisers and marketers

Advertisers and marketers must pivot toward more sustainable and privacy-compliant practices, here’s how:

1. Educate teams on the limits of hashing

Ensure teams understand hashing is not enough to comply with privacy obligations. Hashed identifiers should be treated as personal data and protected as such. Hopefully, this will help prevent over-reliance on hashing and using more comprehensive privacy measures.

2. Prepare for regulatory compliance

Expect increased scrutiny on claims about data de-identification and stricter compliance requirements. A comprehensive privacy strategy is essential to deal with this. It will also put your organization in a better position to handle stricter laws or guidelines.

3. Enhance transparency and prioritize user consent

Transparency is key to building and maintaining user trust and obtaining informed consent. You must tell users how their data is collected, used and shared. This has to be an ongoing effort, not a one-time disclosure. 

It’s more important than ever to obtain informed consent from users before using their data for advertising and measurement purposes. Affirmative consent is necessary for handling certain highly sensitive personal data. This goes beyond ticking a box; it’s about educating users on how their data will be used and ensuring they can control it.

4. Perform third-party due diligence

Thoroughly investigate any vendor of a technology claiming it can de-identify personal data. Understand the methods used to determine if the output identifier is a unique value that can potentially identify and track an individual.

5. Conduct regular privacy audits

Regular privacy compliance reviews will tell you whether any data set considered unidentified can be used to trace or re-identify someone.

6. Support IAB Tech Lab’s Seller Defined Audiences

The IAB Tech Lab’s Seller Defined Audiences lets publishers use their first-party data within their own properties — provided user consent is obtained. This respects user privacy while allowing publishers to unlock the value of their data.

7. Move beyond first-party data and rethink consumer experience

Avoid direct response tactics that heavily depend on first-party data and hashed identifier. Instead, focus on enhancing consumer experiences with rich media, innovative ad formats, branded entertainment, advertorials and sponsorships.

8. Optimize audience reach on O&O platforms using data clean rooms for insights

Stricter government oversight increases the importance of using owned and operated (O&O) properties to reach audiences. Consider leveraging data clean rooms for insights, but think carefully about audience activation through these platforms. 

9. Advocate for privacy-first data handling

Engage in industry discussions and advocate for a privacy-first approach to data handling that goes beyond hashing. Support efforts to create standards and best practices that recognize the limitations of hashing and promote stronger data protection methods.

What this means for the industry

The FTC’s announcement is the latest of many warnings about this. Reassess your data practices and privacy claims. It’s time to evolve strategies and adopt more holistic approaches that genuinely protect consumer privacy.

Responsible data handling practices aligning with regulatory expectations and consumer trust are crucial. The FTC’s latest statement reinforces the need for continuous innovation in how data is managed and protected. Moving forward, methods must be technically sound and legally and ethically robust.

As long as an identifier can be used to identify and track people over time, companies must be sure they are complying with all privacy obligations, including transparency, consent, user choice, accountability, etc. As an industry, we must take this to heart and strive for transparency, compliance and, above all, trustworthiness in all data practices.