Skip to content

The terms “deidentified” and “deidentification” are commonly used in modern privacy statutes and are functionally exempt from most privacy and security-related requirements. As indicated in the chart below, differences exist between how the term was defined in the California Consumer Privacy Act (CCPA) and how it was defined in later state privacy statutes that are set to go into force in 2023:

Requirement California CCPA California CPRA Virginia VCDPA Colorado CPA Utah UCPA
1.  Technical safeguards. An organization must implement technical safeguards that prohibit reidentification. [1]
2.  Policy against reidentification. An organization must implement business processes that specifically prohibit reidentification. [2]
3.  Inadvertent release. An organization must implement processes to prevent inadvertent release of the deidentified information. [3]
4.  No reidentification. An organization must make no attempt to reidentify the information. [4]
5.  Data not reasonably associated to an individual. An organization must make a reasonable attempt to ensure that the data cannot be associated with specific individuals. [5] [6] [7] [8]
6.  Public commitment. An organization must publicly commit (e.g., in its privacy policy) to maintain and use the information in deidentified form and not attempt to reidentify it. [9] [10] [11] [12]
7.  Downstream recipient contracts. An organization must contractually obligate recipients of the information to abide by the same restrictions. [13] [14] [15] [16]

[1] Cal. Civ. Code § 1798.140(h) (West 2020).

[2] Cal. Civ. Code § 1798.140(h) (West 2020).

[3] Cal. Civ. Code § 1798.140(h) (West 2020).

[4] Cal. Civ. Code § 1798.140(h) (West 2020).

[5] Cal. Civ. Code § 1798.140(m)(1) (West 2021).

[6] Va. Code § 59.1-577(A)(1) (2021).

[7] C.R.S. § 6-1-1303(11)(a) (2021).

[8] Utah Code Ann. 13-61-101(14)(a), (b)(i) (2022).

[9] Cal. Civ. Code § 1798.140(m)(2) (West 2021).

[10] Va. Code § 59.1-577(A)(2) (2021).

[11] C.R.S. § 6-1-1303(11)(b) (2021).

[12] Utah Code Ann. 13-61-101(14)(b)(ii) (2022).

[13] Cal. Civ. Code § 1798.140(m)(3) (West 2021).

[14] Va. Code § 59.1-577(A)(3) (2021).

[15] C.R.S. § 6-1-1303(11)(c) (2021).

[16] Utah Code Ann. 13-61-101(14)(b)(iii) (2022).

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of David A. Zetoony David A. Zetoony

David Zetoony, Co-Chair of the firm’s U.S. Data, Privacy and Cybersecurity Practice, focuses on helping businesses navigate data privacy and cyber security laws from a practical standpoint. David has helped hundreds of companies establish and maintain ongoing privacy and security programs, and he

David Zetoony, Co-Chair of the firm’s U.S. Data, Privacy and Cybersecurity Practice, focuses on helping businesses navigate data privacy and cyber security laws from a practical standpoint. David has helped hundreds of companies establish and maintain ongoing privacy and security programs, and he has defended corporate privacy and security practices in investigations initiated by the Federal Trade Commission, and other data privacy and security regulatory agencies around the world, as well as in class action litigation.

David receives regular recognitions from clients and peers for his knowledge and experience in the fields of data privacy and security. The National Law Journal named him a “Cybersecurity and Data Privacy Trailblazer,” JD Supra recognized him four times as one of the most widely read names when it comes to data privacy, cyber security, or the collection and use of data, and Lexology identified him six times as the top “legal influencer” in the area of technology, media, and telecommunications in the United States, the European Union, and in the context of cross-border transfers of information. He is the author of the American Bar Associations primary publication on the European General Data Protection Regulation (GDPR) and is writing the American Bar Associations primary publication on the California Consumer Privacy Act (CCPA).