Is it possible for data that has undergone salted-hashing to still be considered “personal information?”

January 31, 2020

Maybe.

“Salting” refers to the insertion of a random value (e.g., a number or a letter) into personal data before that data is hashed. 

Whether personal information that has undergone salting and hashing is still considered “personal information” depends upon the particular law or regulation at issue.

In the context of the CCPA, information is not “personal information” if it has been “deidentified.”1  Deidentification means that the data “cannot reasonable identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer.”2 A strong argument could be made that data that is salted and then hashed cannot reasonably be associated with an individual.  That argument is strengthened under the CCPA if a business takes the following four steps to help ensure that the salted and hashed data will not be re-identified:3

  1. Implement technical safeguard that prohibit reidentification.  Technical safeguards may include the process or techniques by which data has been deidentified.  For example, this might include the hashing algorithm being used or the number of characters inserted as part of the salting process.4
  2. Implement business processes that specifically prohibit reidentification.  This might include an internal policy or procedure that prevents employees or vendors from attempting to reidentify data or reverse the salted and hashed values.
  3. Implement business processes to prevent inadvertent release of deidentified information.  This might include a policy against disclosing hashed values to the public.
  4. Make no attempt to reidentify the information. As a functional matter, this entails taking steps to prohibit reidentification by the business’s employees.

In comparison, in the context of the European GDPR the Article 29 Working Party5 has stated that while the technique of salting and then hashing data “reduce[s] the likelihood of deriving the input value,” because “calculating the original attribute value hidden behind the result of a salted hash function may still be feasible within reasonable means,” the salted-hashed output should be considered pseudonymized data that remains subject to the GDPR.6

For more information and resources about the CCPA visit http://www.CCPA-info.com. 


This article is part of a multi-part series published by BCLP to help companies understand and implement the General Data Protection Regulation, the California Consumer Privacy Act and other privacy statutes.  You can find more information on the CCPA in BCLP’s California Consumer Privacy Act Practical Guide, and more information about the GDPR in the American Bar Association’s The EU GDPR: Answers to the Most Frequently Asked Questions.

1. CCPA, Section 1798.145(a)(5).

2. CCPA, Section 1798.140(h).

3. CCPA, Section 1798.140(v).

4. Salting refers to the insertion of characters into data before it is hashed to make brute force reidentification more difficult.

5. The Article 29 Working Party was the predecessor to the European Data Protection Board.

6. Article 29 Working Party, WP 216: Opinion 05/2014 on Anonymisation Techniques at 20 (adopted 10 April 2014).

This document provides a general summary and is for information/educational purposes only. It is not intended to be comprehensive, nor does it constitute legal advice. Specific legal advice should always be sought before taking or refraining from taking any action.