Creating a new standard for privacy that goes above and beyond hashed emails

Advertisers, agencies, publishers and more must ensure they are not staking their digital marketing futures to services that rely on hashed emails, says LiveRamp’s Sam White.

In recent years, new data privacy laws and browser changes have created many challenges for the digital advertising and media industries. With the main tools for targeting and measuring digital ad campaigns, such as the third-party cookie, IP addresses, and mobile ad identifiers gradually disappearing from the media planner playbook, advertisers, agencies and publishers have been on the hunt for a durable set of replacement solutions to help avoid substantial revenue loss. 

Hashed emails have been mentioned by some as a replacement solution, providing an alternative to cookies and device IDs, for matching data sets across publishers and marketers. And a growing subset of companies are treating hashed emails as the full extent of their pseudonymisation and privacy practices – the hashed emails are then used as-is and matched across partners. There is, however, evidence to suggest that the process of using hashed emails for media transactions – in isolation – will fail the test of time for a wide breadth of consumer privacy, technical and regulatory reasons. 

The process of ‘hashing’ involves taking regular email addresses and transforming them to create a fixed-length string of characters, or hash, to now represent the email. Historically, this process helped to protect an individual’s identity and Personally Identifiable Information (PII) in a way that stays within the boundaries of privacy rules, while still giving marketers the capability to leverage identity for digital marketing.

But the use of hashed emails as a standalone tool generally fails to achieve whatever marketing outcome the publisher and marketer intended.

The security risk

First, hashed emails pose security risks, as they lack built-in rigorous technical protection. Well-reported breaches and widely-used tools for bad actors have exposed glaring weaknesses in email hashing, which seriously undermine its viability as a standalone privacy practice.

Although hashed emails are supposed to be impossible to reverse engineer email addresses from, bad actors have everything they need to do just that. They can take advantage of the many datasets from wide-reaching data breaches that are readily available on the web to unlock all the unsecured data that companies tie to hashed emails, including consumers’ known identities.

Reduced match rates

Marketers and publishers must also coordinate in a scalable way that produces measurable high performance in marketing use cases such as conversion-driving campaigns; using hashed emails as an identifier can hurt match rates if consumers are not using their emails. In today’s ecosystem, marketers must engage consumers across devices, within households, and across environments, and a consumer may use a different identifier in many of these channels. With most transactions linked to name and postal address, emails would underperform for omnichannel targeting and measurement.

When a marketer and publisher seek to scale a campaign with hashed emails alone, and then prove that their efforts drove sales lift, they’re likely to find that this method generates inefficient match rates and an extremely limited ability to prove that more online and in-store transactions occurred as a result of the marketing effort.

The spirit of regulation

Using hashed emails as a standalone identity marketing practice creates issues with consent and privacy. While those using hashed emails directly as identifiers have yet to come under the spotlight as regulators chase universal identifiers, at minimum, they continue to contradict the spirit of privacy regulations. And as regulations become more sophisticated about protecting consumer privacy, any companies that rely on these services will be left scrambling to find compliant alternatives, and rebuilding their marketing stack as they go.

Superior alternatives are available

In the quest to show the right message at the right time, hashed emails are too blunt an instrument for publishers and marketers to be using them as they do, preventing them from achieving their goals. The open internet will thrive with more effective means to make data meaningful while protecting the consumer’s known identity.

The ambition of regulators and privacy advocates to avoid passing universal identifiers globally, both in the programmatic bidstream and in private data partnerships, is worthy of support. Cryptographic methods widely available today can be used to create stronger identifiers, and pseudonymise user identities without the risk of re-identification.

By addressing key security issues in the process of hashing emails, companies can simultaneously solve potential regulatory crunches as well. In deciding what alternatives to choose, companies should pay attention to two key factors.

First, companies should pick solutions that use specific partner-encoded identifiers and that are also interoperable. Partner encoding means encoding identifiers specific to each separate partner, to ensure the security and privacy of partner data. Ideally, these identifiers should never be aggregated, passed along to other parties, or stored. While standalone hashed emails can easily be resolved by bad actors to consumers’ known information, partner-encrypted identifiers cannot.

Second, companies should pick solutions that preserve the consumer’s privacy – that they have agreed to provide their identity only to the publisher whose privacy policy they were shown. Solutions must never leak identity signals to other publishers for aggregation and unpermissioned, possibly unconsented, sharing.

By selecting robust solutions that respect both the letter and the spirit of the law, companies can set themselves up well for future regulatory changes, as well as to help steward the new trusted, transparent ecosystem being ushered in. Building digital marketing stacks with the proper diligence will benefit companies’ bottom lines as well, as they will be able to build with continuity and stability, and focus on other challenges facing them as they move forward.

It’s time for marketers, publishers and platforms to focus their attention on more advanced people-based and decentralised cryptographic approaches, instead of relying exclusively on decades-old standards to secure sensitive data.