Back to Blog

The Trouble with Hashed Emails (HEMs)

  • LiveRamp
  • 3 min read

For years, marketers and publishers have relied on the third-party cookie for retargeting and monetization, overlooking the myriad problems they posed. However, cookies have always raised concerns with lack of consumer consent, device addressability, and poor durability, and have invited serious scrutiny and condemnation as a result.

Today there are several solutions being touted as cookie improvements, but marketers and publishers should beware that many don’t solve the initial problem raised by cookies, since these replacement identifiers also lack durability, provide limited addressability, and do nothing to improve transparency and choice. Fortunately, some solutions already work better today than cookies do. Authenticated people-based addressability should remain at the very top of the marketing tactic list

Another solution that is often talked about is the use of hashed emails (HEMs). Let’s take a closer look at why this solution may not be an improvement from cookies.

Hashed emails (HEMs) aren’t secure 

Proponents of hashed emails hail the solution’s cryptographic, one-way encryption process that creates a code unique to the email. However, HEMs are a universal identifier—the same HEM is sent by brands to all activation endpoints. While an email in hashed form may not be human readable, they are standardized algorithms, and many firms are now offering services that can reverse email hashing to correctly guess consumers’ email addresses, identifying users on a personally identifiable level. Of equal or greater concern is that these email lists can be, and are, easily repurposed and rehashed to violate user privacy.

An email address is not a comprehensive online identity 

Identity resolution providers such as LiveRamp provide value by tying multiple identifiers (including email) to a real, person-based identifier. Using email address data that a user declares as the base of identity will create a brittle conception of the consumer that may not extend comprehensively across devices, households, and environments that require a log-in using a different identifier. Since HEMs don’t protect personally identifiable information (PII), they’re an inappropriate solution for data collaboration with other parties, and because they’re not a durable people-based identifier, matching identity for the purposes of data activation is weak.

An email address is not persistent 

Email addresses change with each new job, with new software, and with maturity. Email addresses are elective identifiers, and consumers can elect to change them at any point, often without any fee. Inconsistencies also create fragile matching. HEMs require both parties to not only have the same individual email address, but that address must be stored in the same syntax for HEMs to join. HEMs also can’t match against other common PII, such as NAP data (name and postal information), or against digital device identifiers used to recognize visitors and prospects. This match weakness is exacerbated in programmatic bidstreams, where each call from brand to DSP to SSP to publisher will go through this same probabilistic match test and cause drop-off in audience reach.

HEMs weaken measurement 

Analytic accuracy is strengthened by using durable omnichannel person-based identifiers that are stable even when the consumer updates their PII. As noted above, HEMs change when a customer’s email changes, and HEMs don’t resolve to single individuals across channels, harming long-term incrementality measurement for attribution or building training data for machine learning.

For marketers who want to maximize reach and return, and for publishers who want to maximize yields, RampID offers more. In this video, Tom Affinito, Global Portfolio Marketing Lead, Partnerships, answers common questions we get around HEMs and how RampID compares when the two are stacked against each other.

To watch fullscreen, click here.