A hash is essentially rubbish.

To be more specific, hashing data does not make it anonymous, and regulators, like the Federal Trade Commission, consider hashed identifiers to be personal information.

In late July, the FTC issued a blog post reminding corporations that hashes are not anonymous. They can still be used to identify users, and misuse can be dangerous.

Data hashing is the process of cryptographically scrambling data into an unreadable string of text. Take this brief explanation with a grain of salt – pun intended – because I am not a technologist.

I am aware that hashing is a frequent and effective approach for data authentication and safe data storage. However, it is ineffective as an anonymization approach since anyone applying the same hashing algorithm to the same data – an email address, for example – will produce the same string of hashed text, which may then be used as an identity.
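The linkage described above, as an added example that is not part of the original article: two unrelated datasets hashed with plain SHA-256 join on the shared email, while identifiers derived with a secret key held by each party separately do not join, yet remain a persistent identifier for whoever holds the key. The keyed variant, the function names, keys and sample addresses are assumptions constructed for illustration.

```python
import hashlib
import hmac


def normalize(email: str) -> str:
    # Common pre-hash normalization: trim whitespace and lowercase.
    return email.strip().lower()


def sha256_id(email: str) -> str:
    # Unkeyed hash: anyone with the same email computes the same value.
    return hashlib.sha256(normalize(email).encode("utf-8")).hexdigest()


def keyed_id(email: str, key: bytes) -> str:
    # HMAC-SHA256: the value can only be recomputed by a holder of `key`.
    return hmac.new(key, normalize(email).encode("utf-8"), hashlib.sha256).hexdigest()


def link(a: dict, b: dict) -> dict:
    # Join two record sets on their identifier column.
    return {i: (a[i], b[i]) for i in a.keys() & b.keys()}


# Constructed sample data for two separate organizations.
SITE_SIGNUPS = ["Alice@example.com ", "bob@example.com"]
AD_PROFILES = {"alice@example.com": "profile-1001", "carol@example.com": "profile-1002"}
SITE_KEY = b"constructed-site-key"          # hypothetical secret, site only
PLATFORM_KEY = b"constructed-platform-key"  # hypothetical secret, platform only


def plain_hash_linkage() -> dict:
    site = {sha256_id(e): "sought counseling" for e in SITE_SIGNUPS}
    platform = {sha256_id(e): p for e, p in AD_PROFILES.items()}
    return link(site, platform)


def keyed_hash_linkage() -> dict:
    site = {keyed_id(e, SITE_KEY): "sought counseling" for e in SITE_SIGNUPS}
    platform = {keyed_id(e, PLATFORM_KEY): p for e, p in AD_PROFILES.items()}
    return link(site, platform)


def stable_for_key_holder() -> bool:
    # Within one key, the same person still maps to one identifier over time.
    return keyed_id("alice@example.com", SITE_KEY) == keyed_id(" ALICE@example.com", SITE_KEY)


if __name__ == "__main__":
    print("plain SHA-256 matches:", plain_hash_linkage())
    print("keyed matches:", keyed_hash_linkage())
    print("stable for key holder:", stable_for_key_holder())
```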

In 2012, the FTC’s then-chief technologist Ed Felten authored a blog post titled “Does Hashing Make Data ‘Anonymous’?” The answer to that inquiry was and remains a resounding no.

Felten made the point at the time that “hashing is vastly overrated as an ‘anonymization’ technique,” as well as “the casual assumption that hashing is sufficient to anonymize data is risky at best and usually wrong.”

But why did the FTC feel the need to issue another warning about hashing more than a decade after the first? Because companies ignored it.

In 2015, the FTC reached a settlement with Nomi, a retail technology company, for failing to properly anonymize MAC addresses. It hashed the data, but that wasn’t sufficient.

In 2022, the FTC filed a case against BetterHelp, an online therapy business that was accused of transmitting hashed email addresses to Facebook. The FTC claimed that Facebook may still use this information to identify and target ads to persons seeking mental health counseling.

In other words, it’s safe to presume that the FTC is monitoring the hashing situation, because regulators do not issue advisories on bad behavior merely for fun. A warning is a polite reminder to be careful.

But is this latest blog post the forerunner to a slew of enforcement actions? I sought advice from a few reliable individuals, including lawyers who are well-versed in the complexities of advertising technology.

Jessica Lee, Chief Privacy and Security Partner at Loeb & Loeb

“The FTC’s recent warning concerning hashing is a helpful (and hopefully not shocking) reminder that hashing does not imply anonymity.

“A few years ago, Ashkan Soltani, executive director of the California Privacy Protection Agency, stated that hashed emails and other first-party identifiers used as replacements for third-party cookies retain personal information and may pose higher privacy issues due to their longevity.

“For the advertising industry, hashed IDs are a solution to third-party cookie restrictions; they are not a means to circumvent privacy legislation. Companies that believe that simply hashing data makes it anonymous should think again.

“Making public statements that you only use anonymous data when that data is not truly anonymous may be considered a deceptive statement, and the FTC is signaling that they are watching this issue and are prepared to enforce.”

Julie Rubash, General Counsel and Chief Privacy Officer, Sourcepoint

“Evaluating a single data point is insufficient. According to the FTC’s warning, organizations should also consider the data element’s whole life cycle, whether it can be reidentified by anybody involved in the process, and the end conclusion, or possible outcome, of using the data.

“If a data element has the capability to track the same user over time, then it’s likely not anonymous in the eyes of the FTC.

“Companies do not have to stop using hashed data since there are valid reasons to do so; nevertheless, treating hashing as a way of anonymizing personal data is not one of them.

“The FTC’s warning could be a forerunner to more stringent enforcement actions. Companies can avoid costly penalties and potential regulatory scrutiny by proactively protecting hashed personal data with the same care as other personal data.

“The message is clear: Hashing is not a loophole for data privacy compliance.”
