Does Deidentification Allow Service Providers to use PI?

David A. Zetoony

Email

303.685.7425

Bio and Articles

Is deidentification the silver bullet to allowing service providers to use personal information for their own purposes?

by: David A. Zetoony of Greenberg Traurig, LLP - Data Privacy Dish

Friday, March 19, 2021

Print Mail Download

i

The CCPA states that a service provider must be contractually prohibited from “retaining, using, or disclosing the personal information [provided to it by a business] for any purpose other than for the business purposes specified in the contract for the business . . . .”¹ That prohibition, however, may not apply to information once it has been deidentified or aggregated.

Two provisions of the CCPA relate to the deidentification and aggregation of personal information. The first provision states that nothing within the CCPA restricts the ability of a business to “collect, use, retain, sell, or disclose consumer information that is “deidentified or aggregate consumer information.”² It is important to note, however, that the exemption only applies to a “business”³ and was not extended by the Office of the Attorney General to service providers.⁴ As a result, to the extent that a service provider is not acting as a “business,” the exemption may not apply.

However, the second provision, which is found within the definition of personal information itself, serves as a basis to permit service providers to treat deidentified or aggregated consumer information as exempt from the CCPA’s restrictions. The CCPA expressly defines “personal information” as not including “consumer information that is deidentified or aggregate[d].”⁵ As a result, any personal information that is converted into a deidentified or aggregated form presumably is outside the scope of personal information regulated by the CCPA.

The net result is that if a service provider has an interest in retaining, using, or disclosing the personal information it receives from a client, the service provider may be permitted to deidentify or aggregate the personal information in order to convert it from “personal information” (for which there are retention, use, and disclosure restrictions) to non-personal information (for which the CCPA imposes no such restrictions). From a practical standpoint, if a service provider intends to retain, use, or share deidentified or aggregated information, the parties should consider including within the service provider agreement a recognition of that intention as well as a definition of “deidentification” and “aggregation” that matches the definitions of those terms used within the CCPA.

¹ Cal. Civ. Code 1798.140(ag)(1)(B).
² Cal. Civ. Code 1798.145(a)(6) (emphasis added).
³ Cal. Civ. Code 1798.145(a)(6) (emphasis added).
⁴ CCPA Reg. 999.314(c)(5).
⁵ Cal. Civ. Code 1798.140(v)(3).