The CCPA states that a service provider must be contractually prohibited from “retaining, using, or disclosing the personal information [provided to it by a business] for any purpose other than for the business purposes specified in the contract for the business . . . .”[1] That prohibition, however, may not apply to information once it has been deidentified or aggregated.
Two provisions of the CCPA relate to the deidentification and aggregation of personal information.
The first provision states that nothing within the CCPA restricts the ability of a business to “collect, use, retain, sell, or disclose consumers’ personal information that is deidentified or aggregate consumer information.”[2] It is important to note, however, that the statutory exemption only applies to a “business,”[3] and during the 2020 rulemaking process the Office of the Attorney General did not expressly extend the exemption to service providers.[4] As a result, under the CCPA there was ambiguity as to whether a service provider was permitted to utilize this exception. That ambiguity was resolved during the 2023 rulemaking conducted by the California Privacy Protection Agency. The CPPA revised the regulations implementing the CCPA to expressly state that service providers were not prohibited from retaining, using, or disclosing personal information if such information was deidentified or aggregated.[5]
The second provision is found within the definition of personal information itself. The CCPA expressly defines “personal information” as not including “consumer information that is deidentified or aggregate[d].”[6] As a result, information that is converted into a deidentified or aggregated form presumably is outside the scope of personal information regulated by the CCPA.
The net result is that if a service provider has an interest in retaining, using, or disclosing the personal information it receives from a client, the service provider may be permitted to deidentify or aggregate the personal information in order to convert it from “personal information” (for which there are retention, use, and disclosure restrictions) to non-personal information (for which the CCPA imposes no such restrictions). From a practical standpoint, if a service provider intends to retain, use, or share deidentified or aggregated information, the parties should consider including within the service provider agreement a recognition of that intention as well as a definition of “deidentification” and “aggregation” that matches the definitions of those terms used within the CCPA.[7]
[1] Cal. Civ. Code § 1798.140(ag)(1)(B) (West 2023).
[2] Cal. Civ. Code § 1798.145(a)(6) (West 2023) (emphasis added).
[3] Cal. Civ. Code § 1798.145(a)(6) (West 2021) (emphasis added).
[4] Cal. Code Regs. tit. 11, § 999.314(c)(5) (2021) (providing an exemption wherein service providers could retain, use, or disclose personal information for the purposes identified in Cal. Civ. Code 1798.145(a)(1) through (a)(4), and omitting from the scope of that exemption Cal. Civ. Code 1798.145(a)(6) which referred to deidentified and/or aggregated information)
[5] Cal. Code Regs. tit. 11, § 7050(a)(5) (pending adoption 2023) (list of exceptions applicable to service provider prohibition on retention, use, and disclosure revised to incorporate Cal. Civ. Code 1798.145(a)(6) (deidentification and aggregation)).
[6] Cal. Civ. Code § 1798.140(v)(3) (West 2021).
[7] It should be noted that under the European GDPR the act of de-identification may, itself, be considered a form of processing for which a lawful basis is required. As a result, some European supervisory authorities may take the position that a processor that engages in de-identification in order to create anonymous data that it intends to use for its own purposes has converted itself into a controller.