What qualifies as aggregate or de-identified information under the CCPA?

The CCPA defines both “aggregate consumer information” and “deidentified information.”  Aggregate consumer information is defined to mean “information that relates to a group or category of consumers, from which individual consumer identities have been removed, that is not linked or reasonably linkable to any consumer or household, including via a device.  “Aggregate consumer information’ does not mean one or more individual consumer records that have been deidentified.”1

Deidentified information is defined under the CCPA to mean “information that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer, provided that a business that uses deidentified information:

(1) Has implemented technical safeguards that prohibit reidentification of the consumer to whom the information may pertain.

(2) Has implemented business processes that specifically prohibit reidentification of the information.

(3) Has implemented business processes to prevent inadvertent release of deidentified information.

(4) Makes no attempt to reidentify the information.”2

Notably, the definition of “aggregate consumer information” explicitly excludes deidentified information from its scope, even though it is possible that both definitions could apply to the same data set.  The functional difference between the two definitions is primarily that the definition of aggregate consumer information applies solely to the data itself, whereas the definition of deidentified information also incorporates and considers the conditions under which such data is held.  In any event, the effect is the same: whether aggregated or deidentified, the data is no longer “personal information.”