New guidance from the Federal Trade Commission clarifies that hashes aren’t “anonymous,” that they can still be used to identify users, and that their misuse can lead to harm.

Some key points:

  • For background, hashing involves taking a piece of data (like an email address, a phone number, or a user ID) and using math to turn it into a number (called a hash) in a consistent way. The same input data will always create the same hash.
  • Data is only anonymous when it can never be associated back to a person.
  • While hashing might obscure how a user identifier appears, it still creates a unique signature (persistent identifier) that can track a person or device over time.
  • Companies should not act as if hashing personal information renders it anonymized, and they definitely should not claim it does.
  • Pay specific attention to cases where the recipient can undo the hashing and reveal the email addresses of visitors and users (like in the BetterHelp case).
  • FTC staff will remain vigilant to ensure companies are following the law and take action when the privacy claims they make are deceptive.
  • Regardless of what they look like, all user identifiers have the powerful capability to identify and track people over time. Therefore, the opacity of an identifier cannot be an excuse for improper use or disclosure. This includes email addresses, phone numbers, MAC addresses, hashed email addresses, device identifiers and advertising identifiers (like in BetterHelp and InMarket).
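
The points above about consistency, persistence and reversal, as an added Python example that is not part of the FTC guidance or of this summary: two constructed datasets share only hashes of email addresses, yet the hashes join the records into one profile, and a recipient that already holds an address list maps them back to named addresses. The hashing scheme (trim, lowercase, unsalted SHA-256), the function names, and all addresses and events are assumptions made for illustration.

```python
import hashlib
from collections import defaultdict


def hash_email(email: str) -> str:
    # Assumed scheme: trim, lowercase, unsalted SHA-256.
    return hashlib.sha256(email.strip().lower().encode("utf-8")).hexdigest()


def link_by_hash(datasets):
    """Join events from independent datasets on the hashed identifier alone."""
    profiles = defaultdict(list)
    for source, rows in datasets.items():
        for hashed_id, event in rows:
            profiles[hashed_id].append((source, event))
    return dict(profiles)


def reidentify(profiles, known_emails):
    """What a recipient holding its own address list can do: hash and match."""
    lookup = {hash_email(e): e for e in known_emails}
    return {lookup[h]: ev for h, ev in profiles.items() if h in lookup}


# Constructed sample data: each source shares only hashes, never raw emails.
DATASETS = {
    "health-site": [
        (hash_email("Alice@Example.com "), "completed intake questionnaire"),
        (hash_email("bob@example.org"), "viewed pricing page"),
    ],
    "shopping-app": [
        (hash_email("alice@example.com"), "bought a sleep aid"),
    ],
}
RECIPIENT_ADDRESS_LIST = ["alice@example.com", "carol@example.net"]  # constructed

if __name__ == "__main__":
    profiles = link_by_hash(DATASETS)
    for h, events in profiles.items():
        print(h[:12], "->", events)  # same input, same hash, across both sources
    for email, events in reidentify(profiles, RECIPIENT_ADDRESS_LIST).items():
        print(email, "->", events)   # hash mapped back to a named address
```

A privacy review can run the same join against a sample of its own outbound data: if hashed fields from separate feeds collide like this, they are functioning as a persistent identifier.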