Ed. Note: This is the final installment in a year-long series the WLF Legal Pulse has hosted of “frequently asked questions” on two California laws meant to protect the privacy of digital personal data. The author of the posts, David Zetoony of Greenberg Traurig LLP, authored a book on the laws for the American Bar Association from which this and future FAQs are excerpted. We thank the American Bar Association for granting us permission to share them with our readers.
Data privacy has become one of the greatest areas of risk and concern for business. It is also quickly becoming a heavily regulated field with the adoption in Europe of the General Data Protection Regulation (GDPR) in 2016 and the adoption in California of the California Consumer Privacy Act (CCPA) in 2018 and the California Privacy Rights Act (CPRA) in 2020. Some states, such as Colorado and Virginia, have already followed California in enacting data privacy regulation; many others are considering it. The American Bar Association (ABA) recently published a Desk Reference Companion to the CCPA and the CPRA, a book authored by David Zetoony, the Co-Chair of the United States data privacy and security practice at Greenberg Traurig LLP. The book is designed to help in-house counsel understand the intricacies of California’s complex privacy regulations by providing answers to 516 of the most frequently asked questions from business. The following excerpt was reproduced with the permission of the ABA.
What qualifies as deidentified information?
“Deidentified information” is defined within the CCPA to mean “information that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer,” provided that a business that uses deidentified information:
(1) Has implemented technical safeguards that prohibit reidentification of the consumer to whom the information may pertain.
(2) Has implemented business processes that specifically prohibit reidentification of the information.
(3) Has implemented business processes to prevent inadvertent release of deidentified information.
(4) Makes no attempt to reidentify the information.”1
The CPRA modified the definition by, among other things, removing the four conditions above and replacing them with the requirements that a business:
(1) Take reasonable means to avoid the association of the information with a consumer or household.
(3) Contractually obligate recipients of the information to abide by the same restrictions.2
The new definition of deidentified information will become operative in 2023.