Regulating Deidentified and Reidentified Data: California Amends the CCPA Again featured image

Regulating Deidentified and Reidentified Data: California Amends the CCPA Again

by John DiGiacomo

Partner

Internet Law

Governor Gavin Newsom recently signed Assembly Bill (“AB”) 713 which amends the California Consumer Privacy Act (“CCPA”). See text of AB 713 here. The CCPA has now been amended at least eight times and businesses should expect continued changes in the coming years.

AB 713 makes several amendments to the CCPA the most important of which focus on deidentified and reidentified information. This is the first time that any privacy statute has specifically regulated this type of date. In same circumstances, deidentified data can now be transferred, sold or shared without being subject to the CCPA. Further, AB 713 bans the common practice of reidentifying data after the data has been acquired. For example, AB 713 now exempts health care data from the application of the CCPA if

(i) that data is protected by various federal statutes and policies like the Health Insurance Portability and Accountability Act and the federal Health Information Technology for Economic and Clinical Health Act and

(ii) if that data has been deidentified

Deidentifying data and information is a process of removing or segregating data sets to de-link personally identifiable data (like a person’s name or social security number) from generic data (like a person’s age and their most recent medical test results). As noted, AB 713 now specifically exempts medical data that has been deidentified from having to comply with the CCPA. In general, businesses are deidentifying data as a method of complying with and avoiding privacy laws and as one method of protecting data from cyberattacks. Indeed, mostly, there are no statutory or regulatory restrictrictions on storing, sharing, transferring and/or selling deidentified data. Further, deidentified data is less dangerous in the event of a cyber-attack or hack, because, even if the data is stolen, there is minimal financial and legal risk because the data does not identify specific consumers. As a result, deidentified data can be stored with weaker cybersecurity systems and protocols.

From a privacy perspective, the problem is that the data is very easily reidentified. All that is needed is a simple “linking code” in the various data sets. Imagine, for example, two data sets in a spreadsheet format. One spreadsheet contains the personally identifiable information and the other contains all of the generic data from the person’s doctor’s visits, test results, etc. Now imagine that both data sets have a column with a unique “linking code” — let’s say “123YZ.” That unique linking code allows the data sets to be recombined. This is a particular concern for medical and health information.

AB 713 attempts to rectify this problem. As noted, AB 173 prohibits businesses and others from reidentifying data that they have acquired (unless the reidentification is done pursuant to specific exceptions). Further, beginning in 2021, businesses who sell, share or transfer deidentified data must enter into contracts that prohibit the data-recipient from reidentifying the data. AB 713 takes effect immediately.

In the coming months and years, deidentification and reidentification are going to be subject to much debate and litigation. A new legal battleground has been opened up.

If you have legal questions about consumer privacy, data security or other legal issues related to internet law, contact the trusted internet lawyers at Revision Legal at 231-714-0100.

Extra, Extra!
Recent Posts

FTC Adopts Final “Click to Cancel Rule”

FTC Adopts Final “Click to Cancel Rule”

Internet Law

The Federal Trade Commission (FTC) has issued final amendments to its trade regulation rule concerning negative option plans, also known as the “click to cancel rule.” This rule aims to address widespread deceptive practices that prohibit customers from cancelling services in the same manner in which they signed up. Here’s a detailed summary of the […]

Read more about FTC Adopts Final “Click to Cancel Rule”

Understanding Product Liability Law for Ecommerce Merchants

Understanding Product Liability Law for Ecommerce Merchants

Internet Law

Introduction Being an ecommerce merchant is hard; you have to keep an eye on your advertising spend, control your inventory, and make sure your customers are happy. Additionally, you also have to navigate a complex landscape of legal responsibilities. One of these areas, which is often overlooked, is product liability. Product liability law holds manufacturers, […]

Read more about Understanding Product Liability Law for Ecommerce Merchants

Understanding the Role of Internet Privacy Attorneys: Key Issues They Handle

Understanding the Role of Internet Privacy Attorneys: Key Issues They Handle

Internet Law

Introduction In our increasingly digital world, the significance of internet privacy is paramount. Internet privacy attorneys are essential in safeguarding the rights of individuals and organizations against various privacy-related challenges. This blog post delves into the key issues these attorneys address. Data Breaches and Cybersecurity Data breaches occur when sensitive information is accessed or disclosed […]

Read more about Understanding the Role of Internet Privacy Attorneys: Key Issues They Handle

Put Revision Legal on your side