Cookieless FAQs: Overview of Marketing without Third-party Cookies

Is using hashed emails for targeting a privacy-centric approach that will pass regulatory scrutiny?

Yes. Hashed email as an ID is acquired by our clients and partners through a permission-based approach. In addition, Sojern uses a privacy-enhancing technique (permitted by GDPR) on hashed emails called pseudonymization to ensure a traveler cannot be personally identified. We also implement security safeguards to protect hashed emails in our systems and defend against unauthorized access and disclosure.

To uphold consumers’ privacy choices, we provide tools that tie the consumer’s preferences (opt-in / opt-out) to hashed emails and record these preferences for ad targeting. In the cookieless world, all players will need to demonstrate to regulators that their solutions align with consumers’ privacy rights. We can demonstrate our approach to consumer privacy and will work with clients to assist them with information about our solutions.


Are hashed emails treated the same as third-party cookies under GDPR and other privacy regulations?

Yes. Under the GDPR and other data privacy laws, hashed emails, like third-party cookies, are “online identifiers”, meaning they are considered personal data. Because online identifiers like hashed emails can be used to directly or indirectly identify a consumer, organizations that collect and use these types of personal data are responsible for implementing appropriate technical and organizational safeguards to ensure compliance with privacy regulations.

One technical safeguard that Sojern implements is the pseudonymization of emails. The GDPR defines pseudonymization as “the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information.” By using a hash function to pseudonymize emails, Sojern ensures the hashed email cannot be attributed to an identifiable consumer.


What is the difference between pseudonymized and anonymized data?

RAW EMAIL          PSEUDONYMIZED    ANONYMIZED
peter@gmail.com    4We8kd           *****
mary@gmail.com     L8Fg447bA        *****

Are there any industry standards that can be referenced to validate Sojern’s approach to hashed email and first-party cookies?

IAB Europe's updated Guide to the Post Third-Party Cookie Era provides a comprehensive discussion on the changes in the privacy-conscious environment and use of pseudonymous identifiers (like a hashed email address) as one of the solutions to solve the loss of third-party cookies in the digital advertising ecosystem.


How is Sojern staying compliant with privacy regulations both internally and when using your customer's first-party data for targeting?

Sojern's data governance and privacy program is overseen by an internal data protection officer and privacy counsel. The legal department keeps abreast of current and new privacy regulations, advises business units and operations on privacy program-building, counsels product and engineering on privacy-by-design principles, and maintains independent third-party certifications for data collection, privacy management, and compliance with industry standards such as the EDAA and DAA. Sojern's information security department maintains information security policies and implements technical safeguards to protect client data in our systems, following industry best practices to treat client data with the utmost care and secrecy.

Sojern re-certifies with the U.S. Department of Commerce for its commitments to comply with the EU-US Privacy Shield framework regardless of its validity as an adequacy mechanism for onward data transfers. Sojern cooperates with clients for their internal assessments, ranging from information security questionnaires to data processing impact assessments, to ensure Sojern provides adequate information to clients for its compliance with internal policies, controls, and processes related to privacy and data protection.


Does Sojern have a list of any additional privacy measures or industry collaborations relating to privacy and security compliance (e.g. Internal Guidelines, NAI, IAB, Privacy Sandbox, PRAM, ANA, etc.)?

We have our Privacy Policy as well as an internal InfoSec Policy. Sojern also subscribes to the DAA, EDAA and DAAC opt-out platform which offers consumers choices to opt-out from behavioral advertising. In addition, users wishing to opt out, export, or delete any personal data that Sojern may have collected about them can use this tool.
