Your customers are on social media. You want to market to them where they'll see it. So, what do you do? You hand your customer list over to *insert social media platform* and it serves your customers a wonderfully tailored and targeted ad. Problem? We think so.
Broadly speaking, the Privacy Act prevents the disclosure of personal information to third parties for a reason other than the primary reason of collection. An exception is where a secondary reason is related to the primary reason and the individual would expect the disclosure. That's a hard test to get around and, unless you've given that individual the heads up that you plan to share their information in that way, it more likely than not prevents you handing over customer data to a social media company.
This is where hashing comes in. Companies can provide social media platforms with a 'hashed' list of customer data. Hashing transforms the data (think encrypted, although strictly a hash is a one-way function with no key to reverse it) into a string of characters, so that it is, so to speak, 'deidentified'. That hashed information is useless unless matched back to a similarly hashed list. The social media company then hashes its own user list and, subsequently, the two lists of indecipherable data are run past each other. If there's a match, bingo, your customer is on the platform and they see your ad. If there's no match, the customer isn't a user, and the data is a useless scrambled mess of characters.
Under the Privacy Act, personal information is information or an opinion about an identified individual or one who is reasonably identifiable. By hashing the information, companies are only handing over a list of jumbled up numbers. On its face, that's not personal information.
But given the social media company can ultimately use those jumbled characters to discern the individual to whom you want the ad served, doesn't that individual then become reasonably identifiable?
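The matching process described above can be sketched in a few lines, as an added example that is not from the original article. It assumes SHA-256 over a trimmed, lower-cased email address (the article names neither the hash function nor the identifier), and all addresses and account IDs are constructed sample data. It shows why a match re-identifies the customer: the platform keeps the link from each hash back to its own account record.

```python
import hashlib

def normalise(email: str) -> str:
    # Assumed normalisation; both parties must apply the same rule or nothing matches.
    return email.strip().lower()

def hash_identifier(email: str) -> str:
    # SHA-256 is an assumption; the article does not name the hash function.
    return hashlib.sha256(normalise(email).encode("utf-8")).hexdigest()

# Constructed sample data: the advertiser's customer list.
ADVERTISER_CUSTOMERS = ["Alice@Example.com ", "bob@example.org", "carol@example.net"]

# Constructed sample data: the platform's own users (email -> account ID).
PLATFORM_USERS = {
    "alice@example.com": "user-1001",
    "dave@example.com": "user-1002",
    "carol@example.net": "user-1003",
}

def advertiser_upload(customers):
    """What leaves the advertiser: hashes only, no plain addresses."""
    return {hash_identifier(e) for e in customers}

def platform_match(uploaded_hashes, users):
    """The platform hashes its own list and keeps hash -> (email, account)."""
    index = {hash_identifier(email): (email, account)
             for email, account in users.items()}
    # Every uploaded hash found in the index resolves to a known individual.
    return {h: index[h] for h in uploaded_hashes if h in index}

def run_example():
    uploaded = advertiser_upload(ADVERTISER_CUSTOMERS)
    matched = platform_match(uploaded, PLATFORM_USERS)
    unmatched = uploaded - set(matched)
    return matched, unmatched

if __name__ == "__main__":
    matched, unmatched = run_example()
    for digest, (email, account) in sorted(matched.items()):
        print(f"{digest[:12]}...  ->  {email} ({account})")
    print(f"{len(unmatched)} uploaded hash(es) stayed opaque to the platform")
```

For matched customers the platform learns exactly who is on the advertiser's list; only the unmatched hashes remain a "scrambled mess" from its point of view.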