The CCPA states that a service provider must be contractually prohibited from “retaining, using, or disclosing the personal information [provided to it by a business] for any purpose other than for the business purposes specified in the contract for the business . . . .”[1] That prohibition, however, may not apply to information once
deidentified information
Finding the Delta: Understanding the Differences in the State Deidentification Standards
The terms “deidentified” and “deidentification” are commonly used in modern privacy statutes and are functionally exempt from most privacy and security-related requirements. As indicated in the chart below, differences exist between how the term was defined in the California Consumer Privacy Act (CCPA) and how it was defined in later state privacy statutes that are…
What is de-identified data?
The terms “deidentified” and “deidentification” are commonly used in modern privacy statutes and are functionally exempt from most privacy- and security-related requirements. As indicated in the chart below, differences exist between how the term was defined in the California Consumer Privacy Act (CCPA) and how it was defined in later state privacy statutes set to…
What exactly does ‘pseudonymized’ mean??
The terms “pseudonymize” and “pseudonymization” are commonly referenced in the data privacy community, but their origins and meaning are not widely understood among American attorneys. Most American dictionaries do not recognize either term.1 While they derive from the root word “pseudonym” – which is defined as a “name that someone uses instead of his…
Tomato, to-ma-toe: Is CCPA deidentification the same thing as GDPR anonymization?
Deidentified information is defined within the CCPA to refer to information that “cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer” provided that a business that uses deidentified information takes four operational and organizational steps to ensure that such information is not…
What is ‘hashing,’ and does it help avoid the obligations imposed by the new privacy regulations?
Maybe.
“Hashing” refers to the process of using an algorithm to transform data of any size into a unique fixed-sized output (e.g., combination of numbers and letters). To put it in layman’s terms, some piece of information (e.g., a name) is run through an equation that creates a unique string of characters. Anytime the exact…
Does the CCPA adopt a specific standard for deidentifying information?
No.
The CCPA defines “deidentified” data as information that “cannot reasonable identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer.”1 A number of individuals and entities requested that the Office of the California Attorney General provide guidance as to what steps should be…
What qualifies as deidentified information?
Deidentified information is defined within the CCPA to mean “information that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer, provided that a business that uses deidentified information:
- Has implemented technical safeguards that prohibit reidentification of the consumer to whom the information
…