Bavarian Data Protection Authority: €3m fine for targeted advertising using hashed email addresses without consent

It recently became public that, back in 2023, the Bavarian data protection authority imposed a fine of €3.2 million on a German online marketing business.
 
The unnamed company was found to have processed hashed email addresses without the consent of the affected data subjects for the purpose of carrying out targeted advertising campaigns between 2019 and 2021. In its decision, the authority held – unsurprisingly – that hashed email addresses (i.e. email addresses converted into pseudonymous character strings) still constituted personal data within the meaning of the GDPR, for the processing of which a legal basis, in this case consent, would have been necessary.
 
Specifically, the company displayed targeted online advertising campaigns to specific groups of individuals. For this purpose, it forwarded the hashed email addresses in question to a US business, which matched them with users within its own database. Because its partner had information about the interest groups these identified users belonged to, the German business was able to display targeted advertising campaigns to them. This principle is well known, for example, from the ‘Facebook Custom Audiences’ service.
 
This case shows that in the field of online advertising, data protection compliance requirements also apply to hashed user data. In these cases, prior and purpose-specific consent of the data subjects is usually required. It can be obtained through a consent management platform (‘cookie banner’), which typically follows the TCF industry standard.

(Dr. Lukas Mezger, Unverzagt Law)