April 1, 2023

Volume XIII, Number 91


March 31, 2023

Subscribe to Latest Legal News and Analysis

March 30, 2023

Subscribe to Latest Legal News and Analysis

March 29, 2023

Subscribe to Latest Legal News and Analysis

What is De-Identified Data?

The terms “de-identified” and “deidentification” are commonly used in modern privacy statutes and are functionally exempt from most privacy- and security-related requirements. As indicated in the chart below, differences exist between how the term was defined in the California Consumer Privacy Act (CCPA) and how it was defined in later state privacy statutes set to go into force in 2023:






Technical safeguards.  An organization must implement technical safeguards that prohibit reidentification.

✔ [1]

Policy against reidentification.  An organization must implement business processes that specifically prohibit reidentification.

✔ [2]

Inadvertent release.  An organization must implement processes to prevent inadvertent release of the deidentified information.

✔ [3]

No reidentification.  An organization must make no attempt to reidentify the information.

✔ [4]

Data not reasonably associated to an individual.  An organization must make a reasonable attempt to ensure that the data cannot be associated with specific individuals.

✔ [5]

✔ [6]

✔ [7]

Public commitment.  An organization must publicly commit (e.g., in its privacy policy) to maintain and use the information in deidentified form and not attempt to reidentify it.

✔ [8]

✔ [9]

✔ [10]

Downstream recipient contracts.  An organization must contractually obligate recipients of the information to abide by the same restrictions.

✔ [11]

✔ [12]

✔ [13]


  1.  Cal. Civ. Code § 1798.140(h) (West 2020).

  2.  Cal. Civ. Code § 1798.140(h) (West 2020).

  3. Cal. Civ. Code § 1798.140(h) (West 2020).

  4.  Cal. Civ. Code § 1798.140(h) (West 2020).

  5.  Cal. Civ. Code § 1798.140(m)(1) (West 2021).

  6. Va. Code § 59.1-577(A)(1) (2021).

  7.  C.R.S. § 6-1-1303(11)(a) (2021).

  8.  Cal. Civ. Code § 1798.140(m)(2) (West 2021).

  9.  Va. Code § 59.1-577(A)(2) (2021).

  10. C.R.S. § 6-1-1303(11)(b) (2021).

  11.  Cal. Civ. Code § 1798.140(m)(3) (West 2021).

  12. Va. Code § 59.1-577(A)(3) (2021).

  13.  C.R.S. § 6-1-1303(11)(c) (2021).

©2023 Greenberg Traurig, LLP. All rights reserved. National Law Review, Volume XI, Number 326

About this Author

David A. Zetoony Privacy Attorney Greenberg Traurig

David Zetoony, Co-Chair of the firm's U.S. Data, Privacy and Cybersecurity Practice, focuses on helping businesses navigate data privacy and cyber security laws from a practical standpoint. David has helped hundreds of companies establish and maintain ongoing privacy and security programs, and he has defended corporate privacy and security practices in investigations initiated by the Federal Trade Commission, and other data privacy and security regulatory agencies around the world, as well as in class action litigation. 

David receives regular recognitions from clients and peers for...