July 2, 2022

Volume XII, Number 183


July 01, 2022

Subscribe to Latest Legal News and Analysis

June 30, 2022

Subscribe to Latest Legal News and Analysis

June 29, 2022

Subscribe to Latest Legal News and Analysis

Finding the Delta: Understanding the Differences in the State Deidentification Standards

The terms “deidentified” and “deidentification” are commonly used in modern privacy statutes and are functionally exempt from most privacy and security-related requirements. As indicated in the chart below, differences exist between how the term was defined in the California Consumer Privacy Act (CCPA) and how it was defined in later state privacy statutes that are set to go into force in 2023:

Requirement California CCPA California CPRA Virginia VCDPA Colorado CPA Utah UCPA
1.  Technical safeguards. An organization must implement technical safeguards that prohibit reidentification. [1]
2.  Policy against reidentification. An organization must implement business processes that specifically prohibit reidentification. [2]
3.  Inadvertent release. An organization must implement processes to prevent inadvertent release of the deidentified information. [3]
4.  No reidentification. An organization must make no attempt to reidentify the information. [4]
5.  Data not reasonably associated to an individual. An organization must make a reasonable attempt to ensure that the data cannot be associated with specific individuals. [5] [6] [7] [8]
6.  Public commitment. An organization must publicly commit (e.g., in its privacy policy) to maintain and use the information in deidentified form and not attempt to reidentify it. [9] [10] [11] [12]
7.  Downstream recipient contracts. An organization must contractually obligate recipients of the information to abide by the same restrictions. [13] [14] [15] [16]


[1] Cal. Civ. Code § 1798.140(h) (West 2020).

[2] Cal. Civ. Code § 1798.140(h) (West 2020).

[3] Cal. Civ. Code § 1798.140(h) (West 2020).

[4] Cal. Civ. Code § 1798.140(h) (West 2020).

[5] Cal. Civ. Code § 1798.140(m)(1) (West 2021).

[6] Va. Code § 59.1-577(A)(1) (2021).

[7] C.R.S. § 6-1-1303(11)(a) (2021).

[8] Utah Code Ann. 13-61-101(14)(a), (b)(i) (2022).

[9] Cal. Civ. Code § 1798.140(m)(2) (West 2021).

[10] Va. Code § 59.1-577(A)(2) (2021).

[11] C.R.S. § 6-1-1303(11)(b) (2021).

[12] Utah Code Ann. 13-61-101(14)(b)(ii) (2022).

[13] Cal. Civ. Code § 1798.140(m)(3) (West 2021).

[14] Va. Code § 59.1-577(A)(3) (2021).

[15] C.R.S. § 6-1-1303(11)(c) (2021).

[16] Utah Code Ann. 13-61-101(14)(b)(iii) (2022).

©2022 Greenberg Traurig, LLP. All rights reserved. National Law Review, Volume XII, Number 137

About this Author

David A. Zetoony Privacy Attorney Greenberg Traurig

David Zetoony, Co-Chair of the firm's U.S. Data, Privacy and Cybersecurity Practice, focuses on helping businesses navigate data privacy and cyber security laws from a practical standpoint. David has helped hundreds of companies establish and maintain ongoing privacy and security programs, and he has defended corporate privacy and security practices in investigations initiated by the Federal Trade Commission, and other data privacy and security regulatory agencies around the world, as well as in class action litigation. 

David receives regular recognitions from clients and peers for...