Deidentified information is defined within the CCPA to mean “information that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer, provided that a business that uses deidentified information:

  1. Has implemented technical safeguards that prohibit reidentification of the consumer to whom the information may pertain.
  2. Has implemented business processes that specifically prohibit reidentification of the information.
  3. Has implemented business processes to prevent inadvertent release of deidentified information.
  4. Makes no attempt to reidentify the information.”[1]

The CPRA modified the definition of deidentified information by, among other things, removing the four conditions above and requiring that a business:

  1. Take reasonable means to avoid the association of the information with a consumer or household.
  2. Publicly commit (e.g., in a privacy policy) to maintain and use the information in deidentified form and not attempt to reidentify it.
  3. Contractually obligate recipients of the information to abide by the same restrictions.[2]

The new definition of deidentified information will become operative in 2023.


[1] Cal. Civil Code 1798.140(h) (Oct. 2020).

[2] Cal. Civil Code 1798.140(m).