- 1798.100 – Consumers right to receive information on privacy practices and access information
- 1798.105 – Consumers right to deletion
- 1798.110 – Information required to be provided as part of an access request
- 1798.115 – Consumers right to receive information about onward disclosures
- 1798.120 – Consumer right to prohibit the sale of their information
- 1798.125 – Price discrimination based upon the exercise of the opt-out right
What is ‘pseudonymized’ data?
The terms “pseudonymize” and “pseudonymization” are commonly referred to in the world of data privacy, but their origins and precise meaning are not widely understood among American attorneys. Indeed, most American dictionaries do not recognize either terms as part of the English language.1 While the terms derive from the root word “pseudonym” – which is defined as a “name that someone uses instead of his or her real name” – their meanings are slightly more complex.2
The CCPA was the first United States statute (federal or state) to use either term.3 The CCPA’s definitions for the terms borrow from the European GDPR enacted two years prior to the CCPA. Indeed, the with the exception of minor adjustments to conform the definition to CCPA-specific terminology (e.g., “consumer” instead of “data subject”), the definitions are virtually identical:
|Source||GDPR||CCPA||Modification from GDPR to CCPA|
|Term||pseudonymisation||Pseudonymize / Pseudonymization|
|Definition||[T]he processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.4||“[T]he processing of personal information in a manner that renders the personal information no longer attributable to a specific consumer without the use of additional information, provided that the additional information is kept separately and is subject to technical and organizational measures to ensure that the personal information is not attributed to an identified or identifiable consumer.”5||[T]he processing of personal information data in such a manner that renders the personal information data can no longer be attributedable to a specific data subject consumer without the use of additional information, provided that such the additional information is kept separately and is subject to technical and organiszational measures to ensure that the personal data information are is not attributed to an identified or identifiable natural person consumer.|
Confusion surrounding the term “pseudonymize” largely stems from ambiguity concerning how the term is intended to fit into the larger scheme of the CCPA. Besides defining the term, the CCPA only refers to “pseudonymized” on one occasion. Within the definition of “research,” the CCPA implies that personal information collected by a business should be “pseudonymized and deidentified” or “deidentified and in the aggregate.”6 The conjunctive reference to “research” being both pseudonymized “and” deidentified raises the question about whether the CCPA gives any effect to the term “pseudonymized.” Specifically, the CCPA appears to assign a higher threshold of anonymization to the term “deidentified.” As a result, if data is already to be deidentified it is not clear what additional processing or set of operations is expected by also pseudonymizing the data.
The net result is that while the CCPA borrows the term “pseudonymization” from European data privacy law, and introduces it to the American legal lexicon, it does not appear to apply the term or give it any independent legal effect or status.