Your customers are on social media. You want to market
to them where they'll see it. So, what do you do? You hand your
customer list over to *insert social media platform* and it serves
your customers a wonderfully tailored and targeted ad. Problem? We
Broadly speaking, the Privacy Act prevents the disclosure of
personal information to third parties for a reason other than the
primary reason of collection. An exception is where a secondary
reason is related to the primary reason and the individual would
expect the disclosure. That's a hard test to get around and,
unless you've given that individual the heads up that you plan
to share their information in that way, it more likely than not
prevents you handing over customer data to a social media
This is where hashing comes in. Companies can provide social
media platforms with a 'hashed' list of customer data. By
hashing the data, it is transformed (think encrypted, although a hash
is one-way and not designed to be reversed) into a string
of characters and, so to speak, 'deidentified'. That
hashed information is useless unless matched back to a similarly
hashed list. The social media company then hashes its own user list
and, subsequently, the two lists of indecipherable data are run
past each other. If there's a match, bingo, your customer is on
the platform and they see your ad. If no match, it means the
customer isn't a user, and the data is a useless scrambled mess
Under the Privacy Act, personal information is information or an
opinion about an identified individual or one who is reasonably
identifiable. By hashing the information, companies are only
handing over a list of jumbled up numbers. On its face, that's
not personal information.
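
The matching described above, as an added example (not code from the article or from any platform). SHA-256, the trim-and-lowercase normalisation, and every address and account ID are assumptions constructed for illustration.

```python
import hashlib


def normalise(email: str) -> str:
    # Assumed convention: both parties trim and lowercase before hashing,
    # otherwise identical addresses produce different digests.
    return email.strip().lower()


def hash_identifier(email: str) -> str:
    # SHA-256 is an assumption; the article does not name an algorithm.
    return hashlib.sha256(normalise(email).encode("utf-8")).hexdigest()


def advertiser_upload(customer_emails):
    """What the company hands over: digests only, no plaintext."""
    return {hash_identifier(e) for e in customer_emails}


def platform_match(uploaded_hashes, platform_users):
    """The platform hashes its own user list and intersects the two sets.

    platform_users maps email -> account id. Returns the matched account
    ids and the number of uploaded digests that matched nothing.
    """
    index = {hash_identifier(email): acct for email, acct in platform_users.items()}
    matched = sorted(index[h] for h in uploaded_hashes if h in index)
    unmatched = sum(1 for h in uploaded_hashes if h not in index)
    return matched, unmatched


# Constructed sample data (not real customers or accounts).
CUSTOMERS = [" Alice@Example.com ", "bob@example.com", "carol@example.org"]
PLATFORM_USERS = {
    "alice@example.com": "acct-1001",
    "bob@example.com": "acct-1002",
    "dave@example.net": "acct-1003",
}

if __name__ == "__main__":
    upload = advertiser_upload(CUSTOMERS)
    matched, unmatched = platform_match(upload, PLATFORM_USERS)
    print("digests uploaded:", len(upload))
    print("accounts the platform can now target:", matched)
    print("digests that stay opaque to the platform:", unmatched)
```

The upload contains no plaintext, yet each matched digest resolves to a specific account on the platform's side, while the unmatched digest stays opaque.
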
But given the social media company can ultimately use those
jumbled characters to discern the individual to whom you want the
ad served, doesn't that individual then become reasonably
It's not all doom and gloom and stop the presses: those
types of disclosure can still be permitted under the Privacy Act as
long as your house is in order. That means having a clear privacy
policy, collection statement, terms and conditions around
collection and disclosure, as well as letting your customers know
what you plan to do with their information.
We do not disclaim anything about this article. We're
quite proud of it really.