Ed. Note: This is the third installment in a year-long series the WLF Legal Pulse is hosting of “frequently asked questions” on two California laws aimed at protecting the privacy of digital personal data. The author of the posts, David Zetoony of Greenberg Traurig LLP, authored a book on the laws for the American Bar Association from which this and future FAQs are excerpted. We thank the American Bar Association for granting us permission to share them with our readers.

Data privacy has become one of the greatest areas of risk and concern for business.  It is also quickly becoming a heavily regulated field with the adoption in Europe of the General Data Protection Regulation (GDPR) in 2016 and the adoption in California of the California Consumer Privacy Act (CCPA) in 2018 and the California Privacy Rights Act (CPRA) in 2020.  Some states, such as Colorado and Virginia, have already followed California in enacting data privacy regulation; many others are considering it.

The American Bar Association (ABA) recently published a Desk Reference Companion to the CCPA and the CPRA, a book authored by David Zetoony the Co-Chair of the United States data privacy and security practice at Greenberg Traurig LLP.  The book is designed to help in-house counsel understand the intricacies of California’s complex privacy regulations by providing answers to 516 of the most frequently asked questions from business.  The following excerpt was reproduced with the permission of the ABA.1

***

The terms “pseudonymize” and “pseudonymization” are commonly referenced in the data privacy community, but their origins and meanings are not widely understood among American attorneys.  Most American dictionaries do not recognize either term.2  While they derive from the root word “pseudonym” which is defined as a “name that someone uses instead of his or her real name” their meanings are slightly more complex.3 

The CCPA was the first U.S. statute (federal or state) to use either term.4  The CCPA’s definition borrows from the European GDPR enacted two years prior.  Indeed, except for minor adjustments to conform the definition to CCPA-specific terminology (e.g., “consumer” instead of “data subject”), the definitions are virtually identical:

Confusion surrounding the term “pseudonymize” largely stems from ambiguity concerning how the term fits into the larger scheme of the CCPA.  Aside from the definition, the CCPA refers to “pseudonymized” on only one occasion.  Within the definition of “research,” the CCPA implies that personal information collected by a business should be “pseudonymized and deidentified” or “deidentified and in the aggregate.”7  The conjunctive reference to research being both pseudonymized “and” deidentified raises the question of whether the CCPA lends any independent meaning to the term “pseudonymized.”  Specifically, the CCPA assigns a higher threshold of anonymization to the term “deidentified.”  As a result, if data is already deidentified it is not clear what additional processing or set of operations is expected to pseudonymize the data.

The net result is that while the CCPA borrows the term “pseudonymization” from European data privacy law and introduces it to the American legal lexicon, it does not appear to give it any independent legal effect or status.

Notes:

  1. The full book may be purchased on the ABA’s website at shopABA.org.
  2. Neither term was in the Miriam Webster or Cambridge dictionaries as of March 8, 2021.
  3. Cambridge dictionary definition of “pseudonym” as of November 28, 2019.
  4. A Westlaw search of all federal and state statutes conducted on March 8, 2021, did not identify any other federal or state law that utilizes either term.
  5. GDPR, Article 4(5).
  6. Cal. Civ. Code § 1798.140(aa) (West 2021).
  7. Cal. Civ. Code § 1798.140(ab)(2) (West 2021).  It should be noted that the reference to pseudonymizing and deidentifying personal information is found within the definition of the word “Research,” as such it is unclear whether the CCPA was attempting to indicate that personal information will not be considered research unless it has been pseudonymized and deidentified, or whether the CCPA is mandating that companies that conduct research must pseudonymize and deidentify.  Given that the reference is found within the definition section of the CCPA, the former interpretation seems the most likely intent of the legislature.