Hashing is a process that converts personal data, such as an email address or phone number, into a fixed-length string of characters using a mathematical algorithm. The resulting string is called a hash. A hashed email address looks like a random sequence of letters and numbers rather than a readable address. Hashing is used in digital advertising to share audience data with ad platforms in a way that protects individual privacy, since the hash cannot be reversed back to the original data.
Why is hashing used in advertising?
Ad platforms such as Meta and Google allow advertisers to upload customer lists to create Custom Audiences. Rather than sending raw email addresses or phone numbers to the platform, the data is hashed first. Meta and Google then hash their own user data in the same way and compare the two sets of hashes to find matches, without either party ever seeing the other's original data in plain text. This allows audience matching to take place while reducing the risk of exposing personal information during the upload.
Is hashed data truly anonymous?
Hashing is a one-way process, meaning the hash cannot be converted back to the original email address or phone number by the platform receiving it. However, hashed data is not considered fully anonymous under most privacy frameworks, including the PDPA in Thailand and GDPR in Europe. Because the hash consistently represents the same piece of data, it can still be used to identify individuals indirectly, particularly if someone has access to both the hash and a reference dataset. Hashing is therefore treated as a form of pseudonymisation rather than full anonymisation.
What hashing algorithm is used?
Meta and Google both require customer list data to be hashed using SHA-256, which is a widely used cryptographic algorithm that produces a 64-character hash. When uploading a customer list manually, both platforms provide guidance on formatting and hashing requirements. Most customer data platforms and CRM tools have built-in SHA-256 hashing for export, so the process is typically automated rather than requiring manual technical implementation.
Where does hashed data come up in practice?
You are most likely to encounter hashed data in the following contexts:
- Uploading a customer list to Meta or Google to create a Custom Audience for retargeting or lookalike campaigns
- Sending first-party data to ad platforms via Conversions API (Meta) or Google Ads Enhanced Conversions, where customer identifiers are sent as hashes alongside conversion events
- Sharing data between platforms or partners as part of a data clean room arrangement, where neither party shares raw personal data directly