May 26, 2022

Volume XII, Number 146

Advertisement
Advertisement

May 25, 2022

Subscribe to Latest Legal News and Analysis

May 24, 2022

Subscribe to Latest Legal News and Analysis

May 23, 2022

Subscribe to Latest Legal News and Analysis
Advertisement

Comparing and Contrasting the State Laws: What is Pseudonymized Data?

The terms “pseudonymize” and “pseudonymization” are commonly referenced in the data privacy community, but their origins and meaning are not widely understood among American attorneys.  Most American dictionaries do not recognize either term.[1] While they derive from the root word “pseudonym” – which is defined as a “name that someone uses instead of his or her real name” – their meanings are slightly more complex.[2]

In order to understand its meaning, it is important to understand how the term has evolved over time within different data privacy contexts. “Pseudonymization” was defined within the ISO 29100 privacy framework published in 2011 simply as a “process applied to personally identifiable information (PII) which replaces identifying information with an alias.”[3] Although the term was defined, it did not form an integral part of the privacy framework. Indeed, it was only referenced in the context of a technique that might contribute to privacy enhancing technology, and to explain that not all substitutions of personal identifiers create anonymized data.[4]

The European GDPR, which went into force in 2018, included the term albeit with a slightly broader definition then that which was used within the ISO framework. Two years later the CCPA became the first U.S. statute (federal or state) to use the term adopting a definition near identical to the GDPR.[5]  Indeed, except for minor adjustments to conform the definition to CCPA-specific terminology (e.g., “consumer” instead of “data subject”), the definitions are virtually identical. Virginia, Colorado, and Utah adopted similar definitions to the ones used within the CCPA and the GDPR a few years later.

Source Term Definition
ISO Pseudonymization [P]rocess applied to personally identifiable information (PII) which replaces identifying information with an alias.[6]
Europe GDPR Pseudonymisation [T]he processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.[7]
California CCPA/CPRA Pseudonymize / Pseudonymization [T]he processing of personal information in a manner that renders the personal information no longer attributable to a specific consumer without the use of additional information, provided that the additional information is kept separately and is subject to technical and organizational measures to ensure that the personal information is not attributed to an identified or identifiable consumer.[8]
Virginia VCDPA Pseudonymous Data
[P]ersonal data that cannot be attributed to a specific natural person without the use of additional information, provided that such additional information is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.[9]
Colorado CPA Pseudonymous Data
[P]ersonal data that can no longer be attributed to a specific individual without the use of additional information if the additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to a specific individual.[10]
Utah Pseudonymous Data [P]ersonal data that cannot be attributed to a specific individual without the use of additional information, if the additional information is:
(a) kept separate from the consumer’s personal data; and(b) subject to appropriate technical and organizational measure to ensure that the personal data are not attributable to an identified individual or an identifiable individual.[11]

 

FOOTNOTES


[1] Neither term was in the Miriam Webster or Cambridge dictionaries as of March 8, 2021.

[2] Cambridge dictionary definition of “pseudonym” as of November 28, 2019.

[3] ISO 29100:2011 at § 2.24.

[4] ISO 29100:2011 at §§ 2.15, 4.4.4.

[5] A Westlaw search of all federal and state statutes conducted on March 8, 2021, did not identify any other federal or state law that utilizes either term.

[6] ISO 29100:2011 at § 2.24.

[7] GDPR, Article 4(5).

[8] Cal. Civ. Code § 1798.140(aa) (West 2021).

[9] Code of Va. § 59.1-571 (2021).

[10] C.R.S. 6-1-1303(22) (2022).

[11] Utah Code Ann. 13-61-101(28) (2022).

©2022 Greenberg Traurig, LLP. All rights reserved. National Law Review, Volume XII, Number 130
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement

About this Author

David A. Zetoony Privacy Attorney Greenberg Traurig
Shareholder

David Zetoony, Co-Chair of the firm's U.S. Data, Privacy and Cybersecurity Practice, focuses on helping businesses navigate data privacy and cyber security laws from a practical standpoint. David has helped hundreds of companies establish and maintain ongoing privacy and security programs, and he has defended corporate privacy and security practices in investigations initiated by the Federal Trade Commission, and other data privacy and security regulatory agencies around the world, as well as in class action litigation. 

David receives regular recognitions from clients and peers for...

303.685.7425
Advertisement
Advertisement
Advertisement