FTC Says Hashed Email Addresses Are Not Anonymous
July 29, 2024
USA
FTC Says Hashed Email Addresses Are Not Anonymous
The FTC posted on its Technology Blog a warning that data can only be considered anonymous “when it can never be associated back to a person” and that “the opacity of an identifier cannot be an excuse for improper use or disclosure.” Specifically, the blog post highlights hashed email addresses as an example of personal data that is not anonymous, because they can still be used to identify users. “While hashing might obscure how a user identifier appears,” the post explains, “it still creates a unique signature that can track a person or device over time,” which the FTC finds to be insufficient to constitute anonymous data.
TAKEAWAY
In its blog post, the FTC references several fines and settlements that have already been issued against companies sharing with third parties hashed email addresses or similar identifiers that fall short of “anonymous” data, including cases against BetterHelp (where BetterHelp sent hashes to Facebook, rather than email addresses), Premom (where persistent user tracking using a unique advertising ID was found to be contrary to Premom’s claims that it would only share “non-identifiable” data with third parties), and InMarket (where the FTC alleged InMarket was using unique mobile device identifiers to track users over time and across apps). For all three cases, the FTC blog points to the potential outcome of the identifiers (the capability to identify and track people over time) as an indicator of the non-anonymous nature of the information, regardless of any attempt to obfuscate the data.
EUROPE
CPC Network Takes Action Against Meta ‘Pay or Consent’ Model
The European Commission announced its coordination of action by the Consumer Protection Cooperation (CPC) Network based on allegations that Meta’s “Pay or Consent” model may violate EU consumer law, specifically that it may be contrary to the EU’s Unfair Commercial Practices Directive and the Unfair Contract Terms Directive. Meta will have until September 1, 2024 to respond to a letter sent to it by the CPC Network. If Meta does not take the necessary steps to resolve the concerns raised in the letter, the CPC authorities can decide to take enforcement measures, including sanctions.
TAKEAWAY
The specific concerns identified by the CPC Network do not relate to the concept of a ‘pay or consent’ model generally, but rather identify specific concerns with the way the model is presented to users, including the use of certain wording, like “free” and “your info” (instead of “personal data”), requiring users to navigate through multiple screens and hyperlinks to find information on how their personal data will be used, and not giving users sufficient time and a real opportunity to assess how their choice might impact their relationship with Meta.
A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.