The FTC’s Position on Hashing Should Wake Up Internet Advertisers

People who work in digital ads and marketing really felt what the U.S. Federal Trade Commission (FTC) said on July 24, 2024. The FTC made it clear that hashing, which is often used by businesses to hide personal information, is not a foolproof way to protect privacy or identity.

This is not new knowledge; it is well known that hashing as a privacy measure has its limits and can go wrong. But the FTC’s clear position sends a strong message to the business. One that could have big effects, especially since data clean rooms, identity solutions, identity resolution, identity bridging tools, and retail media networks are becoming more and more important.

Figuring out what the FTC thinks

Personal information like email addresses, phone numbers, and user IDs are hashed into strings of letters that look like they are made up at random. People think that hashed strings are hard to reverse, which makes it hard for anyone to find their way back to the original data. This is done to protect user privacy.

The FTC says this is not a good point of view. Hashes are still used to keep track of people across platforms and over time as unique IDs. But users can be found again or their info can be changed back without a lot of work or cost. This is a big risk to privacy that could lead to major harm. The agency said, “Our staff will remain alert to make sure businesses are following the law and will take action when they lie about their privacy claims.”

If the government doesn’t think hashing is enough, then businesses must do the same.

What this means for privacy tools

This brings up important questions about how privacy-protecting systems like data clean rooms, identity solutions, identity resolution, and identity linking are used now and in the future.

These usually combine a lot of different kinds of data, sometimes from different sources, to prove or establish a user’s name and precisely target customers. The purpose of these tools is to protect data and lower the chance of re-identification, but expecting them to be the only way to make sure privacy is followed may not be realistic.

It’s possible that regulators will not be satisfied with full plans that include encryption, differential privacy, and strong access controls.

9 things marketers and advertising can do

Advertisers and marketers need to change their ways to be more environmentally friendly and respectful of people’s privacy.

1. Teach teams what hashing can’t do.

Make sure that your teams know that hashing is not enough to meet your privacy responsibilities. Hashed identifiers should be kept safe like personal information. This should help keep people from relying too much on hashing and other basic protection measures.

2. Get ready to follow the regulatory compliance

Expect claims about de-identification of data to be looked at more closely and compliance standards to get stricter. In order to deal with this, you need a complete protection plan. It will also make it easier for your group to follow new or stricter rules or laws.

3. Make things clearer and put consent from users first

To get informed consent and build and keep user trust, you need to be open and honest. You have to let people know how you gather, use, and share their information. This cannot be a one-time disclosure; it needs to be an ongoing process.

Now more than ever, you need to get users’ permission before using their data for measurement and advertising purposes. A person’s affirmative consent is needed to handle certain very private personal info. It’s not enough to just check a box; users need to be told how their data will be used and given the tools to manage it.

4. Do third-party due diligence

Do a lot of research on any company that sells technology that says it can remove personal information from records. Learn the steps that are taken to see if the output identifier is a unique value that could be used to find and follow a person.

5. Do regular privacy audits

If you do regular privacy compliance checks, you’ll find out if any sets of data that are thought to be anonymous can be used to find or re-identify a person.

6. Back the Seller Defined Audiences from the IAB Tech Lab

With Seller Defined Audiences from the IAB Tech Lab, publishers can use first-party data on their own sites as long as they get permission from users first. This protects users’ privacy and lets publishers get the most out of their data.

7. Don’t just focus on first-party info; rethink the customer experience

You should stay away from direct reaction strategies that rely too much on first-party data and hashed identifiers. Instead, you should focus on making the experiences of your customers better through rich media, new ad formats, branded entertainment, advertorials, and partnerships.

8. Use data clean rooms to get ideas on how to best reach audiences on O&O platforms

Owned and operated (O&O) sites are more important to reach audiences because the government is keeping a closer eye on them. You might want to use data clean rooms to get insights, but be careful about how you use these tools to engage your audience.

9. Advocate for privacy-first data handling

Engage in industry talks and advocate for a privacy-first approach to data handling that goes beyond hashing. Support efforts to build standards and best practices that recognize the limitations of hashing and support stronger data protection methods.

What this means for the industry

The FTC’s statement is the latest of many warnings about this. Reassess your data methods and privacy claims. It’s time to evolve strategies and adopt more holistic methods that truly protect consumer privacy.

Responsible data handling practices aligning with regulatory expectations and customer trust are important. The FTC’s latest comment reinforces the need for continuous innovation in how data is managed and protected. From now on, ways need to be sound technically, legally, and morally.

Companies must make sure they are following all privacy rules, such as those about being open, getting permission, giving users a choice, being responsible, and so on, as long as a marker can be used to find and follow people over time. We as a field need to really think about this and work to make sure that all of our data methods are open, legal, and most importantly, trustworthy.