The terms “pseudonymize” and “pseudonymization” are commonly referenced in the data privacy community, but their origins and meaning are not widely understood among American attorneys. Most American dictionaries do not recognize either term.[1] While they derive from the root word “pseudonym” – which is defined as a “name that someone uses instead of his or her real name” – their meanings are slightly more complex.[2]
In order to understand its meaning, it is important to understand how the term has evolved over time within different data privacy contexts. “Pseudonymization” was defined within the ISO 29100 privacy framework published in 2011 simply as a “process applied to personally identifiable information (PII) which replaces identifying information with an alias.”[3] Although the term was defined, it did not form an integral part of the privacy framework. Indeed, it was only referenced in the context of a technique that might contribute to privacy enhancing technology, and to explain that not all substitutions of personal identifiers create anonymized data.[4]
The European GDPR, which went into force in 2018, included the term albeit with a slightly broader definition then that which was used within the ISO framework. Two years later the CCPA became the first U.S. statute (federal or state) to use the term adopting a definition near identical to the GDPR.[5] Indeed, except for minor adjustments to conform the definition to CCPA-specific terminology (e.g., “consumer” instead of “data subject”), the definitions are virtually identical. Virginia, Colorado, and Utah adopted similar definitions to the ones used within the CCPA and the GDPR a few years later.
Source | Term | Definition | |
---|---|---|---|
ISO | Pseudonymization | [P]rocess applied to personally identifiable information (PII) which replaces identifying information with an alias.[6] | |
Europe GDPR | Pseudonymisation | [T]he processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.[7] | |
California CCPA/CPRA | Pseudonymize / Pseudonymization | [T]he processing of personal information in a manner that renders the personal information no longer attributable to a specific consumer without the use of additional information, provided that the additional information is kept separately and is subject to technical and organizational measures to ensure that the personal information is not attributed to an identified or identifiable consumer.[8] | |
Virginia VCDPA | Pseudonymous Data |
|
|
Colorado CPA | Pseudonymous Data |
|
|
Utah | Pseudonymous Data | [P]ersonal data that cannot be attributed to a specific individual without the use of additional information, if the additional information is: (a) kept separate from the consumer’s personal data; and(b) subject to appropriate technical and organizational measure to ensure that the personal data are not attributable to an identified individual or an identifiable individual.[11] |
FOOTNOTES
[1] Neither term was in the Miriam Webster or Cambridge dictionaries as of March 8, 2021.
[2] Cambridge dictionary definition of “pseudonym” as of November 28, 2019.
[3] ISO 29100:2011 at § 2.24.
[4] ISO 29100:2011 at §§ 2.15, 4.4.4.
[5] A Westlaw search of all federal and state statutes conducted on March 8, 2021, did not identify any other federal or state law that utilizes either term.
[6] ISO 29100:2011 at § 2.24.
[7] GDPR, Article 4(5).
[8] Cal. Civ. Code § 1798.140(aa) (West 2021).
[9] Code of Va. § 59.1-571 (2021).
[10] C.R.S. 6-1-1303(22) (2022).
[11] Utah Code Ann. 13-61-101(28) (2022).