The terms “deidentified” and “deidentification” are commonly used in modern privacy statutes, and information that meets the definition is functionally exempt from most privacy- and security-related requirements. As indicated in the chart below, the California Consumer Privacy Act (CCPA) defined the term differently from the later state privacy statutes set to go into force in 2023:

Technical safeguards.  An organization must implement technical safeguards that prohibit reidentification. [1]
Policy against reidentification.  An organization must implement business processes that specifically prohibit reidentification. [2]
Inadvertent release.  An organization must implement processes to prevent inadvertent release of the deidentified information. [3]
No reidentification.  An organization must make no attempt to reidentify the information. [4]
Data not reasonably associated to an individual.  An organization must make a reasonable attempt to ensure that the data cannot be associated with specific individuals. [5] [6] [7]
Public commitment.  An organization must publicly commit (e.g., in its privacy policy) to maintain and use the information in deidentified form and not attempt to reidentify it. [8] [9] [10]
Downstream recipient contracts.  An organization must contractually obligate recipients of the information to abide by the same restrictions. [11] [12] [13]


[1] Cal. Civ. Code § 1798.140(h) (West 2020).

[2] Cal. Civ. Code § 1798.140(h) (West 2020).

[3] Cal. Civ. Code § 1798.140(h) (West 2020).

[4] Cal. Civ. Code § 1798.140(h) (West 2020).

[5] Cal. Civ. Code § 1798.140(m)(1) (West 2021).

[6] Va. Code § 59.1-577(A)(1) (2021).

[7] C.R.S. § 6-1-1303(11)(a) (2021).

[8] Cal. Civ. Code § 1798.140(m)(2) (West 2021).

[9] Va. Code § 59.1-577(A)(2) (2021).

[10] C.R.S. § 6-1-1303(11)(b) (2021).

[11] Cal. Civ. Code § 1798.140(m)(3) (West 2021).

[12] Va. Code § 59.1-577(A)(3) (2021).

[13] C.R.S. § 6-1-1303(11)(c) (2021).