
FTC Reaffirms Strict Standards for Data Anonymization

23 AUGUST 2024 | ZAC SOTO

On July 24th, through its Office of Technology Blog, the Federal Trade Commission (FTC) reiterated its hardline stance that hashing—a method of converting data like names or passwords into a string of characters to obscure the original information—does not meet its criteria for anonymization. This position, although not new, underscores the FTC’s focus on compliance with what many consider an almost unattainable standard, posing significant challenges for businesses that rely on personal data for research, marketing, and innovation.

Hashing, a cryptographic process that converts data into a fixed-size string of characters, is used in a wide variety of technologies that process personal information (such as phone numbers, email addresses, or device identifiers), including biometric systems and website tracking. The underlying information is converted into an output of numbers or letters that acts as a mathematical representation of it. Because the same input always produces the same output, this hashed alphanumeric output can be linked back to the underlying information by running candidate values through the same hashing algorithm used to create it and comparing the results.

The FTC has reaffirmed its position that hashing does not prevent re-identification, particularly when combined with other identifying information, as there remains the possibility, however remote, of re-identification of personal information. As a result, in reaffirming guidance from 2012, the FTC has made it clear that hashing does not constitute anonymization because, according to its standard, data is only truly anonymous if it can never be linked back to an individual—a near-impossible feat. This position was notably highlighted in a 2022 case against BetterHelp, an online therapy provider accused of sharing hashed email addresses with Facebook, which the FTC alleged could be used to identify and target individuals seeking mental health services.

Anonymization is distinct from “de-identification”, a broader term that involves removing personal identifiers from data to protect individuals’ privacy. While pseudonymization, a form of de-identification, involves removing personal identifiers so that data cannot be attributed to an individual without additional information, it does not meet the FTC’s stringent anonymization criteria. The FTC’s standard is notably strict even when measured against other aggressive data privacy regulatory regimes. Enforcement under the European Union’s General Data Protection Regulation (GDPR), for example, pursuant to relevant case law from the Court of Justice of the European Union, suggests that “pseudonymization” will suffice to meet the de-identification requirements of the GDPR, meaning that hashing could very well suffice as a compliant means of de-identification under the GDPR so long as the recipient of hashed information lacked the means to re-identify it. The complexities of truly anonymizing data are further amplified by advancements in technology, particularly artificial intelligence, which can re-identify individuals by rapidly analyzing patterns in large datasets.

The FTC’s aggressive stance suggests that companies should not disclose data to third parties, even in pseudonymized form, without considering the risk of re-identification. The FTC has particularly emphasized the importance of recognizing that online identifiers, such as email addresses, phone numbers, and device IDs, remain personal data, even when hashed. The FTC warns that it is deceptive for companies to claim that hashed or pseudonymized data is anonymous if it can still be used to track or target individuals over time.
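
The linkage risk described above, as an added example that is not part of the original article: a pre-disclosure check a data team could run, assuming SHA-256 over normalized email addresses, that counts how many hashed records a recipient holding its own address list could match. Function names, sample addresses and the key are constructed for illustration.

```python
import hashlib
import hmac


def normalize(email: str) -> str:
    """Trim and lowercase, the usual normalization before hashing an email."""
    return email.strip().lower()


def plain_hash(email: str) -> str:
    """Unkeyed SHA-256: anyone holding the same email computes the same digest."""
    return hashlib.sha256(normalize(email).encode("utf-8")).hexdigest()


def keyed_hash(email: str, key: bytes) -> str:
    """HMAC-SHA-256 under a key the discloser keeps; still a stable pseudonym."""
    return hmac.new(key, normalize(email).encode("utf-8"), hashlib.sha256).hexdigest()


def linkable_records(disclosed: list[str], recipient_emails: list[str]) -> dict[str, str]:
    """Return {digest: email} for each disclosed digest that the recipient can
    reproduce from addresses it already holds."""
    known = {plain_hash(e): normalize(e) for e in recipient_emails}
    return {d: known[d] for d in disclosed if d in known}


# Constructed sample data (example.com addresses, not real users).
CUSTOMERS = ["Alice@example.com", "bob@example.com ", "carol@example.com"]
RECIPIENT_LIST = ["alice@example.com", "bob@example.com", "dave@example.com"]
SECRET_KEY = b"constructed-demo-key-kept-by-discloser"


def audit() -> dict[str, int]:
    """Compare how many records are linkable under each hashing scheme."""
    plain = [plain_hash(e) for e in CUSTOMERS]
    keyed = [keyed_hash(e, SECRET_KEY) for e in CUSTOMERS]
    return {
        "plain_linked": len(linkable_records(plain, RECIPIENT_LIST)),
        "keyed_linked": len(linkable_records(keyed, RECIPIENT_LIST)),
        # The same person always maps to the same keyed digest, so it
        # remains a persistent identifier even though it cannot be matched.
        "keyed_stable": int(keyed_hash("alice@example.com", SECRET_KEY) == keyed[0]),
    }


if __name__ == "__main__":
    print(audit())
```

A keyed digest blocks this particular match, but it is still a stable pseudonym for the same person, which the article notes does not meet the FTC’s anonymization standard.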

Given the FTC’s renewed focus on this issue, companies should review their data practices, particularly regarding online tracking, targeted advertising, and the use of persistent identifiers. The consequences of mishandling or misrepresenting data practices are severe, potentially leading to regulatory investigations, enforcement actions, and damage to a company’s reputation. In this complex and evolving privacy landscape, companies must remain vigilant and make informed decisions to ensure compliance.

This article is not meant to provide legal or tax advice. It should be understood as a provocative, simplified overview to allow readers to better consult their legal and tax advisors. Every individual, every company, and every situation is different. There is no “one size fits all” solution. Also, we are not tax advisors or tax experts and do not offer tax advice. Readers are advised to seek professional advice before acting on any information contained in this article. The author and publisher are not liable for any damages or negative consequences arising from any use of the information presented in this article.
