Deidentified information is defined within the CCPA to refer to information that “cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer” provided that a business that uses deidentified information takes four operational and organizational steps to ensure that such information is not reidentified or disseminated.[1]
The standard for “deidentification” under the CCPA differs from the standard for “anonymization” under the European GDPR. While the CCPA considers information that cannot “reasonably” identify an individual as deidentified, the Article 29 Working Party interpreted European privacy laws as requiring that data has been “irreversibly prevent[ed]” from being used to identify an individual.[2]
[1] Cal. Civ. Code § 1798.140(h) (West 2020).
[2] Opinion of the Data Protection Working Party on Anonymisation Techniques, 0829/14/EN WP 216, at 7 (adopted April 10, 2014).