Deidentified information is defined within the CCPA to mean “information that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer, provided that a business that uses deidentified information:
- Has implemented technical safeguards that prohibit reidentification of the consumer to whom the information may pertain.
- Has implemented business processes that specifically prohibit reidentification of the information.
- Has implemented business processes to prevent inadvertent release of deidentified information.
- Makes no attempt to reidentify the information.”[1]
The CPRA modified the definition of deidentified information by, among other things, removing the four conditions above and requiring that a business:
- Take reasonable means to avoid the association of the information with a consumer or household.
- Publicly commit (e.g., in a privacy policy) to maintain and use the information in deidentified form and not attempt to reidentify it.
- Contractually obligate recipients of the information to abide by the same restrictions.[2]
The new definition of deidentified information will become operative in 2023.
[1] Cal. Civil Code 1798.140(h) (Oct. 2020).
[2] Cal. Civil Code 1798.140(m).