Maybe.

“Tokenization” refers to the process by which you replace one value (e.g., a credit card number) with another value that would have “reduced usefulness” for an unauthorized party (e.g., a random value used to replace the credit card number).[1] In some instances, tokens are created through the use of algorithms, such as hashing techniques.

Information is not considered “personal information” under the CCPA if it has been “deidentified.”[2] Deidentification means that the data “cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer.”[3] An argument could be made that data once tokenized cannot reasonably be associated with an individual. That argument is strengthened under the CCPA if a business has implemented those technical and business processes to help prevent reidentification.

In comparison, in the context of the European GDPR, the Article 29 Working Party[4] has stated that even when a token is created by choosing a random number (i.e., it is not derived using an algorithm), the resulting token typically does not make it impossible to re-identify the data and, as a result, the token is best described as “pseudonymized” data, which would still be “personal data” subject to the GDPR.[5]


[1] Article 29 Working Party, WP 216: Opinion 05/2014 on Anonymisation Techniques at 21 (adopted 10 April 2014).

[2] Cal. Civ. Code 1798.145(v)(3).

[3] Cal. Civ. Code 1798.140(h) (Oct. 2020).

[4] The Article 29 Working Party was the predecessor to the European Data Protection Board.

[5] Article 29 Working Party, WP 216: Opinion 05/2014 on Anonymisation Techniques at 21 (adopted 10 April 2014).