De-Identified Data under CCPA Bill AB-873
One of the CCPA amendments under consideration by the California legislature changes the definition of “deidentified” in the California Consumer Privacy Act. The change would address business concerns about operational uncertainty in the CCPA over the steps a business should take to de-identify data.
The current version of AB 873:
(h) “Deidentified” means information that does not identify and is not reasonably linkable, directly or indirectly, to a particular consumer, provided that the business makes no attempt to reidentify the information, and takes reasonable technical and administrative measures designed to:
(1) Ensure that the data is deidentified.
(2) Publicly commit to maintain and use the data in a deidentified form.
(3) Contractually prohibit recipients of the data from trying to reidentify the data.
The current definition of “deidentified” in the CCPA (as amended by SB-1121):
(h) “Deidentified” means information that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer, provided that a business that uses deidentified information:
(1) Has implemented technical safeguards that prohibit reidentification of the consumer to whom the information may pertain.
(2) Has implemented business processes that specifically prohibit reidentification of the information.
(3) Has implemented business processes to prevent inadvertent release of deidentified information.
(4) Makes no attempt to reidentify the information.
A redline of the changes:
AB 873 is currently awaiting a floor vote in the California Assembly. If it passes, it will be considered by the State Senate.