“A Rose by any Other Unique Identifier”: Regulating Consumer Data Tracking and Anonymisation Claims

Representations in online privacy policies that certain data is anonymous or “not information that personally identifies you” can have significant consequences. They may indicate that the firm considers the data to be outside the scope of data protection regulation, and/or give consumers the impression that this is data which cannot have an impact on the individual; for example, that it will not add to the individual consumer’s profile. However, there are a growing range of data practices and services offered by adtech and data analytics providers that do affect individuals’ privacy while claiming not to use personal information, including persistent unique identifiers, data matching using hashed emails and other “identity resolution” services – practices which are not within most consumers’ knowledge or understanding. Obfuscation about such activities may not only mislead consumers, but hinder competition on privacy quality by firms that seek to compete on the basis of genuinely privacy-enhancing features. This article argues that claims of anonymization and pseudonymization require tighter regulation under data protection law and should also be rigorously scrutinized under consumer protection law for potential misleading conduct.

By Dr Katharine Kemp^[1]

I. INTRODUCTION

Representations in online privacy policies that certain data is anonymous or “not information that personally identifies you” can have significant consequences. The