The California Consumer Privacy Act and the California Privacy Rights Act specifically state that they do not restrict a business’s ability to collect, use, retain, sell, share, or disclose “aggregated consumer information.”[1] Aggregate consumer information is defined as “information that relates to a group or category of consumers, from which individual consumer identities have been removed, that is not linked or reasonably linkable to any consumer or household, including via a device. ‘Aggregate consumer information’ does not mean one or more individual consumer records that have been deidentified.”[2]
Other modern state data privacy laws do not expressly exempt aggregated personal data from their scope, but some (Utah) expressly exempt aggregated data from their definition of personal information. For the remainder of state statutes (i.e., Colorado, Connecticut, and Virginia) while there is no express exemption for aggregated data, most aggregated data is implicitly exempted insofar as once data has been aggregated it arguably no longer satisfies the definition of personal information. For example, if information about multiple consumers has been combined to create an average, or aggregate, statistic, that information arguably no longer is “linked or reasonably linkable to an identified or identifiable natural person,”[3] and, therefore, would no longer be “personal data” under the VCDPA. The following chart compares and contrasts how the modern state data privacy laws treat aggregated data:
FOOTNOTES
[1] Cal. Civ. Code § 1798.145(a)(6) (West 2021) (emphasis added).
[2] Cal. Civ. Code § 1798.140(a) (West 2020).
[3] Va. Code § 59.1-571 (2022)