May 11, 2021

Volume XI, Number 131

Advertisement

May 11, 2021

Subscribe to Latest Legal News and Analysis

May 10, 2021

Subscribe to Latest Legal News and Analysis

What exactly Does ‘Pseudonymized’ Mean??

The terms “pseudonymize” and “pseudonymization” are commonly referenced in the data privacy community, but their origins and meaning are not widely understood among American attorneys. Most American dictionaries do not recognize either term.While they derive from the root word “pseudonym” – which is defined as a “name that someone uses instead of his or her real name” – their meanings are slightly more complex.2

The CCPA was the first United States statute (federal or state) to use either term.3 The CCPA’s definition borrows from the European GDPR enacted two years prior. Indeed, except for minor adjustments to conform the definition to CCPA-specific terminology (e.g., “consumer” instead of “data subject”), the definitions are virtually identical:

Source GDPR CCPA Modification from GDPR to CCPA
Term pseudonymisation Pseudonymize / Pseudonymization
Definition [T]he processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.4 “[T]he processing of personal information in a manner that renders the personal information no longer attributable to a specific consumer without the use of additional information, provided that the additional information is kept separately and is subject to technical and organizational measures to ensure that the personal information is not attributed to an identified or identifiable consumer.”5 [T]he processing of personal information data in such a manner that renders the personal information data can no longer be attributedable to a specific data subject consumer without the use of additional information, provided that such the additional information is kept separately and is subject to technical and organiszational measures to ensure that the personal data information are is not attributed to an identified or identifiable natural person consumer.

Confusion surrounding the term “pseudonymize” largely stems from ambiguity concerning how the term fits into the larger scheme of the CCPA. Aside from the definition, the CCPA only refers to “pseudonymized” on one occasion. Within the definition of “research,” the CCPA implies that personal information collected by a business should be “pseudonymized and deidentified” or “deidentified and in the aggregate.”6 The conjunctive reference to research being both pseudonymized “and” deidentified raises the question whether the CCPA lends any independent meaning to the term “pseudonymized.” Specifically, the CCPA assigns a higher threshold of anonymization to the term “deidentified.” As a result, if data is already deidentified it is not clear what additional processing or set of operations is expected to pseudonymize the data.

The net result is that while the CCPA borrows the term “pseudonymization” from European data privacy law and introduces it to the American legal lexicon, it does not appear to give it any independent legal effect or status.


Neither term was in the Miriam Webster or Cambridge dictionaries as of March 8, 2021.

2 Cambridge dictionary definition of “pseudonym” as of November 28, 2019.

3 A Westlaw search of all federal and state statutes conducted on March 8, 2021, did not identify any other federal or state law that utilizes either term.

4 GDPR, Article 4(5).

5 Cal. Civ. Code § 1798.140(aa) (West 2021).

Cal. Civ. Code § 1798.140(ab)(2) (West 2021). It should be noted that the reference to pseudonymizing and deidentifying personal information is found within the definition of the word “Research”; as such, it is unclear whether the CCPA was attempting to indicate that personal information will not be considered research unless it has been pseudonymized and deidentified, or whether the CCPA is mandating that companies that conduct research must pseudonymize and deidentify. Given that the reference is found within the definition section of the CCPA, the former interpretation seems the most likely intent of the legislature.

Advertisement
©2021 Greenberg Traurig, LLP. All rights reserved. National Law Review, Volume XI, Number 99
Advertisement
Advertisement

TRENDING LEGAL ANALYSIS

Advertisement
Advertisement

About this Author

David A. Zetoony Privacy Attorney Greenberg Traurig
Shareholder

David Zetoony, Co-Chair of the firm's U.S. Data, Privacy and Cybersecurity Practice, focuses on helping businesses navigate data privacy and cyber security laws from a practical standpoint. David has helped hundreds of companies establish and maintain ongoing privacy and security programs, and he has defended corporate privacy and security practices in investigations initiated by the Federal Trade Commission, and other data privacy and security regulatory agencies around the world, as well as in class action litigation. 

David receives regular recognitions from clients and peers for...

303.685.7425
Advertisement
Advertisement