Regulating Deidentified and Reidentified Data: California Amends the CCPA Again

by John DiGiacomo

Partner

Internet Law

Governor Gavin Newsom recently signed Assembly Bill (“AB”) 713, which amends the California Consumer Privacy Act (“CCPA”). See text of AB 713 here. The CCPA has now been amended at least eight times, and businesses should expect continued changes in the coming years.

AB 713 makes several amendments to the CCPA, the most important of which focus on deidentified and reidentified information. This is the first time that any privacy statute has specifically regulated this type of data. In some circumstances, deidentified data can now be transferred, sold or shared without being subject to the CCPA. Further, AB 713 bans the common practice of reidentifying data after the data has been acquired. For example, AB 713 now exempts health care data from the application of the CCPA if

(i) that data is protected by various federal statutes and policies like the Health Insurance Portability and Accountability Act and the federal Health Information Technology for Economic and Clinical Health Act and

(ii) that data has been deidentified.

Deidentifying data and information is a process of removing or segregating data sets to de-link personally identifiable data (like a person’s name or social security number) from generic data (like a person’s age and their most recent medical test results). As noted, AB 713 now specifically exempts medical data that has been deidentified from having to comply with the CCPA. In general, businesses are deidentifying data as a method of complying with and avoiding privacy laws and as one method of protecting data from cyberattacks. Indeed, for the most part, there are no statutory or regulatory restrictions on storing, sharing, transferring and/or selling deidentified data. Further, deidentified data is less dangerous in the event of a cyber-attack or hack because, even if the data is stolen, there is minimal financial and legal risk, since the data does not identify specific consumers. As a result, deidentified data can be stored with weaker cybersecurity systems and protocols.

From a privacy perspective, the problem is that the data is very easily reidentified. All that is needed is a simple “linking code” in the various data sets. Imagine, for example, two data sets in a spreadsheet format. One spreadsheet contains the personally identifiable information and the other contains all of the generic data from the person’s doctor’s visits, test results, etc. Now imagine that both data sets have a column with a unique “linking code” — let’s say “123YZ.” That unique linking code allows the data sets to be recombined. This is a particular concern for medical and health information.
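The linking-code problem described above can be checked for before a data set leaves the business. The following is an added example, not part of the original article: a pre-release audit that flags any column in a "deidentified" release whose values are near-unique per row and also appear in the identified table. All rows, column names (`record_key`, `ref`) and thresholds are constructed assumptions.

```python
# Added example: pre-release audit for "linking code" columns.
# All rows, column names and thresholds below are constructed for illustration.

IDENTIFIED = [
    {"name": "Pat Example", "ssn": "000-00-0001", "record_key": "123YZ"},
    {"name": "Lee Sample", "ssn": "000-00-0002", "record_key": "456AB"},
    {"name": "Kim Placeholder", "ssn": "000-00-0003", "record_key": "789CD"},
    {"name": "Sam Demo", "ssn": "000-00-0004", "record_key": "012EF"},
]
RELEASE = [
    {"age": 54, "test_result": "A1C 6.1", "ref": "123YZ"},
    {"age": 37, "test_result": "LDL 130", "ref": "456AB"},
    {"age": 54, "test_result": "A1C 5.4", "ref": "789CD"},
    {"age": 61, "test_result": "TSH 2.0", "ref": "012EF"},
]

def linking_columns(release, identified, min_unique=0.9, min_overlap=0.5):
    """Return (release_col, identified_col, overlap) for columns that could re-join the tables."""
    findings = []
    for rcol in release[0]:
        rvals = {str(row[rcol]) for row in release}
        # Low-cardinality columns (here: age) cannot single out one row on their own.
        if len(rvals) / len(release) < min_unique:
            continue
        # Compare by value, not by column name: the key may be renamed in the release.
        for icol in identified[0]:
            ivals = {str(row[icol]) for row in identified}
            overlap = len(rvals & ivals) / len(rvals)
            if overlap >= min_overlap:
                findings.append((rcol, icol, round(overlap, 2)))
    return findings

def strip_columns(rows, columns):
    """Return a copy of the rows with the flagged columns removed."""
    return [{k: v for k, v in row.items() if k not in columns} for row in rows]

if __name__ == "__main__":
    found = linking_columns(RELEASE, IDENTIFIED)
    print("linking columns:", found)
    cleaned = strip_columns(RELEASE, {rcol for rcol, _, _ in found})
    print("after stripping:", linking_columns(cleaned, IDENTIFIED))
```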

AB 713 attempts to rectify this problem. As noted, AB 713 prohibits businesses and others from reidentifying data that they have acquired (unless the reidentification is done pursuant to specific exceptions). Further, beginning in 2021, businesses that sell, share or transfer deidentified data must enter into contracts that prohibit the data recipient from reidentifying the data. AB 713 takes effect immediately.

In the coming months and years, deidentification and reidentification are going to be subject to much debate and litigation. A new legal battleground has been opened up.

If you have legal questions about consumer privacy, data security or other legal issues related to internet law, contact the trusted internet lawyers at Revision Legal at 231-714-0100.
