Blog

FTC Says Hashed Email Addresses Are Not Anonymous

Julie Rubash, General Counsel and Chief Privacy Officer
July 29, 2024
July 29: FTC Says Hashed Email Addresses Are Not Anonymous

USA

FTC Says Hashed Email Addresses Are Not Anonymous

The FTC posted on its Technology Blog a warning that data can only be considered anonymous “when it can never be associated back to a person” and that “the opacity of an identifier cannot be an excuse for improper use or disclosure.” Specifically, the blog post highlights hashed email addresses as an example of personal data that is not anonymous, because they can still be used to identify users. “While hashing might obscure how a user identifier appears,” the post explains, “it still creates a unique signature that can track a person or device over time,” which the FTC finds to be insufficient to constitute anonymous data.

TAKEAWAY

In its blog post, the FTC references several fines and settlements that have already been issued against companies sharing with third parties hashed email addresses or similar identifiers that fall short of “anonymous” data, including cases against Betterhelp (where Betterhelp sent hashes to Facebook, rather than email addresses), Premom (where persistent user tracking using a unique advertising ID was found to be contrary to Premom’s claims that it would only share “non-identifiable” data with third parties), and InMarket (where the FTC alleged InMarket was using unique mobile device identifiers to track users over time and across apps). For all three cases, the FTC blog points out the potential outcome of the identifiers–the capability to identify and track people over time–as an indicator of the non-anonymous nature of the information, regardless of any attempt to obfuscate the data.

Navigating the maze of sensitive data & U.S. states’ privacy laws can be a burden. Check out this guide that delves into the landscape of regulations that impact the processing of sensitive data.

EUROPE

The European Commission announced its coordination of action by the Consumer Protection Cooperation (CPC) Network based on allegations that Meta’s “Pay or Consent” model may violate EU consumer law, specifically that they may be contrary to the EU’s Unfair Commercial Practices Directive and the Unfair Contract Terms Directive. Meta will have until September 1, 2024 to respond to a letter sent to it by the CPC Network. If Meta does not take necessary steps to solve concerns raised in the letter, the CPC authorities can decide to take enforcement measures, including sanctions.

TAKEAWAY

The specific concerns identified by the CPC Network do not relate to the concept of a ‘pay or consent’ model generally, but rather identify specific concerns with the way the model is presented to users, including the use of certain wording, like “free” and “your info” (instead of “personal data”), requiring users to navigate through multiple screens and hyperlinks to find information on how their personal data will be used, and not giving users sufficient time and a real opportunity to assess how their choice might impact their relationship with Meta.

Explore the intricate landscape of consent or pay models and the learnings that could be applied for consent in the US, in this on-demand consent or pay webinar.

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.

Latest Blog Posts

FTC and Sensitive Location Data; New Pen Register Class Actions

December 9, 2024

FTC takes action against the sale of sensitive data...

California CPPA Issues Notice of Proposed Rulemaking

November 25, 2024

News out of California this week. The CPPA moved...

Mitigating risk under the Video Privacy Protection Act (VPPA)

November 23, 2024

Because VPPA is just one of many tools being...

Latest White Papers

E-book: Enterprise Guide To Cookie management & Tracker List Curation

July 1, 2024

How to review the tracking tech on your websites...

Benchmark Report: US Privacy Compliance

August 19, 2022

The current state of publisher compliance with CCPA, and...

Keep in touch

Sign up for our newsletter to keep up with privacy news for adtech and martech,
plus occasional company news.

Let's explore what we can do together.

We'll be in touch within 48 hours

[contact-form-7 id="593" title="Schedule a Demo"]