CCPA Deidentified and Aggregate Consumer Information
The California Consumer Privacy Act (CCPA) protects the personal information of California residents. However, many businesses do not maintain the collected personal information in its original form. Instead, they take that information and transform it into aggregate information. So how does the CCPA handle cases like this where the information has been deidentified or aggregated?
The new California privacy law allows businesses to collect, use, retain, sell and disclose deidentified or aggregate consumer information. It does not consider it as personal information as long as it meets the requirements for classification as one of these terms.
What is Aggregate Consumer Information?
The law defines aggregate consumer information as information that relates to a group or category of consumers from which individual consumer identities have been removed. For information to be considered aggregate, it must not be linked or reasonably linked to any consumer or household. If information can be linked to a device, it is not considered aggregate consumer information.
If a company take individual consumer records and deidentifies them, without combining them into a group or category of consumers, that is also not considered aggregate consumer information.
What is deidentified information?
For a business to have deidentified personal information, the information cannot reasonably identify or be directly or indirectly linked to a particular consumer. The business must also implement technical safeguards and business processes that prohibit reidentification, implement business processes to prevent inadvertent release of deidentified information, and make no attempt to reidentify the information.
How does deidentified information differ from aggregate information?
Aggregate information involves information about groups of consumers that can no longer be linked back to any individual’s personal information. Deidentified information involves individual records that can no longer be associated or relinked with any particular individual. For businesses, the difference is that aggregate information under the law does not require the development of technical and business process safeguards to prevent reidentification.
What are the implications for businesses?
Businesses only need to disclose or delete personal information, defined as information that can be linked to a particular individual, device or household. If information is deidentified or aggregated, then it can be kept or sold.
However, when businesses decide to deidentify personal information, they need to make sure that it is not possible to subsequently re-associate it with a particular person. This has been the subject of much study over the past few years and there have been cases where people have been able to associate deidentified data with a particular person through a small number of data points when combined with external information about a particular person. Businesses that engage in this process need to be careful that they are not falling into a trap and thinking there personal information is covered when it is not.
GET OUR FREE WHITE PAPER ON THE NEW CALIFORNIA LAW:
Learn more about California’s new law:
Overview of the California Consumer Privacy Act
Right to Opt Out
Right to Access
Right to Delete
Opt In Consent for Kids
Effective Date for Compliance
Application to non-CA Businesses
Do Not Sell My Personal Information Link
Financial Incentives for Information Sharing
Deidentified and Aggregate Consumer Information
Government Fines and Consumer Damages
Text of AB-375
Clarip CA Consumer Privacy Act Services:
California Consumer Privacy Act Webinar
California Privacy Law Consulting Services
California Privacy Software
Blog Posts on the Privacy Law:
Will California’s Privacy Law Extend to the Rest of the Country?
Big Day for California Privacy Law
California to Pass New Privacy Law
California Consumer Privacy Act Expected on November Ballot