As the ad tech industry grapples with privacy compliance, the FTC’s latest warning reveals that hashed IDs are not the anonymity shield many believe them to be, urging a rethink of data privacy strategies.
No pun intended, but the ad tech industry is still hashing out its privacy concerns. With Google essentially pulling the plug on third-party cookie deprecation and instead heading in the direction of an opt-out mechanism, ad tech’s privacy terrain is still in a state of limbo.
But as publishers and advertisers search for the privacy-compliant tech that works best for them, the FTC reissued a warning about hashed IDs.
In a recent blog post, the FTC reiterated a critical privacy principle: hashed IDs are not anonymous. Despite some companies’ claims, hashing—a process that transforms data like email addresses or phone numbers into seemingly random strings—does not render data anonymous.
Data is only anonymous when you cannot trace it back to an individual, according to the FTC. This misinterpretation can lead to significant privacy violations, as bad actors can still use hashed data to identify and track users, potentially causing harm.
Hashing provides a layer of obfuscation but does not eliminate the potential for re-identification. The FTC has highlighted several cases where companies misused hashing, believing it ensured anonymity. Notable instances include the 2015 case against Nomi, which tracked consumers in stores using hashed MAC addresses, and the 2022 case against BetterHelp, where hashed email addresses were shared with Facebook, compromising user privacy.
A Quick Refresh on Hashed IDs
Companies often use hashing to obscure personal data. Hashing transforms information such as email addresses or phone numbers into a consistent numerical value, known as a hash.
This process ensures that the same input data will always generate the same hash, making the original data difficult to guess.
The advantage of hashing is that it allows companies to store data without directly revealing identifiable information. A hash appears meaningless and preserves user privacy, as companies cannot easily trace it back to the original data. This is why companies often use hashing when they are reluctant to record or share direct identifiers but still need the data for future matching.
However, according to the FTC, the belief that hashing fully anonymizes data is flawed. Companies and bad actors can still use hashed IDs to identify users, and their misuse can lead to harm. They warn that companies should not claim that hashing personal information makes it completely anonymous. The FTC will continue monitoring and addressing deceptive privacy claims to ensure that companies comply with the law.
Hashing Out Industry Sentiments
The ad tech industry is all in on alternative IDs as a go-to solution for privacy complaints. But, the FTC just threw a wrench in the works by declaring that hashed IDs aren’t truly anonymous. A shift might be on the horizon. This revelation puts universal ID formats like TTD’s UI2 and LiveRamp’s Ramp ID—those that hash and encrypt personal data—under the microscope, suggesting they might not be the ultimate fix we once believed.
Where will the industry pivot after this?
Third-party cookies and hashed IDs will not stand the test of time, according to Adam Schenkel, EVP of GumGum. Schenkel instead upholds that contextual targeting will be the next wave for privacy-compliant solutions.
“This news and the FTC’s commitment to safeguarding data privacy for Americans indicates that privacy-invasive targeting tactics like third-party cookies and hashed IDs will not stand the test of time,” said Schenkel. “Instead, advanced contextual advertising emerges as a superior solution once again because not only is contextual respectful of a user’s privacy, but it’s also able to match ad content with a user’s real-time interests and mindset.”
Publishers Hash Out the Sit-and-Wait Approach
Sam Cheng, Director of Advertising Operations, TeamSnap, noted the uncertainty and potential difficulties ahead when asked about his initial reactions to the ruling. “It’s too soon to know until major publishers start taking an approach,” he said, emphasizing a cautious outlook.
Cheng highlighted the complexities in finding the next ID solution to comply with the FTC’s rules, noting that HashID will likely stick around until a new one surfaces. For now, he’s taking a wait-and-see approach.
He also emphasized the tough challenges publishers face in meeting the FTC’s data anonymity and user tracking guidelines. He acknowledged that implementing a new solution would be a pain, especially for companies lacking the technical bandwidth to adapt quickly.
“Assuming most companies don’t have the technical bandwidth, it will be challenging to implement a new solution when it does come out,” he explained.