Finding the Delta: Understanding the Differences in the State Deidentification Standards
Tuesday, May 17, 2022

The terms “deidentified” and “deidentification” are commonly used in modern privacy statutes and are functionally exempt from most privacy and security-related requirements. As indicated in the chart below, differences exist between how the term was defined in the California Consumer Privacy Act (CCPA) and how it was defined in later state privacy statutes that are set to go into force in 2023:

Requirement California CCPA California CPRA Virginia VCDPA Colorado CPA Utah UCPA
1.  Technical safeguards. An organization must implement technical safeguards that prohibit reidentification. [1]
2.  Policy against reidentification. An organization must implement business processes that specifically prohibit reidentification. [2]
3.  Inadvertent release. An organization must implement processes to prevent inadvertent release of the deidentified information. [3]
4.  No reidentification. An organization must make no attempt to reidentify the information. [4]
5.  Data not reasonably associated to an individual. An organization must make a reasonable attempt to ensure that the data cannot be associated with specific individuals. [5] [6] [7] [8]
6.  Public commitment. An organization must publicly commit (e.g., in its privacy policy) to maintain and use the information in deidentified form and not attempt to reidentify it. [9] [10] [11] [12]
7.  Downstream recipient contracts. An organization must contractually obligate recipients of the information to abide by the same restrictions. [13] [14] [15] [16]

 FOOTNOTES

[1] Cal. Civ. Code § 1798.140(h) (West 2020).

[2] Cal. Civ. Code § 1798.140(h) (West 2020).

[3] Cal. Civ. Code § 1798.140(h) (West 2020).

[4] Cal. Civ. Code § 1798.140(h) (West 2020).

[5] Cal. Civ. Code § 1798.140(m)(1) (West 2021).

[6] Va. Code § 59.1-577(A)(1) (2021).

[7] C.R.S. § 6-1-1303(11)(a) (2021).

[8] Utah Code Ann. 13-61-101(14)(a), (b)(i) (2022).

[9] Cal. Civ. Code § 1798.140(m)(2) (West 2021).

[10] Va. Code § 59.1-577(A)(2) (2021).

[11] C.R.S. § 6-1-1303(11)(b) (2021).

[12] Utah Code Ann. 13-61-101(14)(b)(ii) (2022).

[13] Cal. Civ. Code § 1798.140(m)(3) (West 2021).

[14] Va. Code § 59.1-577(A)(3) (2021).

[15] C.R.S. § 6-1-1303(11)(c) (2021).

[16] Utah Code Ann. 13-61-101(14)(b)(iii) (2022).

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins