Governor Gavin Newsom recently signed Assembly Bill (“AB”) 713, which amends the California Consumer Privacy Act (“CCPA”). See text of AB 713 here. The CCPA has now been amended at least eight times, and businesses should expect continued changes in the coming years.
AB 713 makes several amendments to the CCPA, the most important of which focus on deidentified and reidentified information. This is the first time that any privacy statute has specifically regulated this type of data. In some circumstances, deidentified data can now be transferred, sold or shared without being subject to the CCPA. Further, AB 713 bans the common practice of reidentifying data after the data has been acquired. For example, AB 713 now exempts health care data from the application of the CCPA if
(i) that data is protected by various federal statutes and policies like the Health Insurance Portability and Accountability Act and the federal Health Information Technology for Economic and Clinical Health Act and
(ii) that data has been deidentified.
Deidentifying data and information is a process of removing or segregating data sets to de-link personally identifiable data (like a person’s name or social security number) from generic data (like a person’s age and their most recent medical test results). As noted, AB 713 now specifically exempts medical data that has been deidentified from having to comply with the CCPA. In general, businesses are deidentifying data as a method of complying with and avoiding privacy laws and as one method of protecting data from cyberattacks. Indeed, for the most part, there are no statutory or regulatory restrictions on storing, sharing, transferring and/or selling deidentified data. Further, deidentified data is less dangerous in the event of a cyber-attack or hack, because, even if the data is stolen, there is minimal financial and legal risk because the data does not identify specific consumers. As a result, deidentified data can be stored with weaker cybersecurity systems and protocols.
From a privacy perspective, the problem is that the data is very easily reidentified. All that is needed is a simple “linking code” in the various data sets. Imagine, for example, two data sets in a spreadsheet format. One spreadsheet contains the personally identifiable information and the other contains all of the generic data from the person’s doctor’s visits, test results, etc. Now imagine that both data sets have a column with a unique “linking code” — let’s say “123YZ.” That unique linking code allows the data sets to be recombined. This is a particular concern for medical and health information.
AB 713 attempts to rectify this problem. As noted, AB 713 prohibits businesses and others from reidentifying data that they have acquired (unless the reidentification is done pursuant to specific exceptions). Further, beginning in 2021, businesses that sell, share or transfer deidentified data must enter into contracts that prohibit the data-recipient from reidentifying the data. AB 713 takes effect immediately.
In the coming months and years, deidentification and reidentification are going to be subject to much debate and litigation. A new legal battleground has been opened up.
If you have legal questions about consumer privacy, data security or other legal issues related to internet law, contact the trusted internet lawyers at Revision Legal at 231-714-0100.
What Deidentification Means and Why It Matters
“Deidentification” is not a single, fixed technical process—it is a spectrum of data transformation techniques ranging from simple field removal (deleting name and Social Security number) to sophisticated statistical methods designed to prevent re-identification even when the dataset is combined with external data sources. The gold standard for deidentification in the healthcare context is HIPAA’s Safe Harbor method, which requires removal of 18 specific identifiers. However, computer science research has repeatedly demonstrated that even properly deidentified datasets can often be re-identified when linked to publicly available information. AB 713 acknowledged this reality by imposing specific contractual obligations designed to prevent re-identification: businesses that disclose deidentified health data must require the recipient to prohibit re-identification, implement safeguards against re-identification, and notify the disclosing business of any known or suspected re-identification attempt.
HIPAA and the CCPA: Navigating the Intersection
AB 713’s healthcare data exemption applies specifically to personal information that is both (1) protected by HIPAA or the HITECH Act and (2) has been deidentified under HIPAA’s standards. This creates a clear bright line for covered entities and business associates operating under HIPAA: HIPAA-compliant deidentification produces data that is exempt from CCPA. However, businesses that are not covered entities under HIPAA—such as consumer wellness apps that collect health data outside the clinical care context—do not qualify for this exemption and remain fully subject to the CCPA for their health data. The CPRA, effective January 1, 2023, created a new category of “sensitive personal information” that includes health data and biometric data for identification purposes; even partially deidentified data retaining personal information triggers the CPRA’s additional obligations.
The Re-Identification Prohibition: Practical Compliance
AB 713’s prohibition on re-identifying data that a business has acquired requires active compliance monitoring. Common re-identification risk scenarios include: running a deidentified dataset against an internal database of known customers using a common attribute like zip code and age; purchasing a third-party dataset that, when combined with an existing deidentified dataset, enables re-identification; and using machine learning models trained on deidentified data in ways that allow inference of individual identity. Businesses must implement technical safeguards—monitoring for unusual query patterns, implementing differential privacy techniques, and conducting periodic k-anonymity and l-diversity analyses—alongside organizational safeguards including training data science teams on the re-identification prohibition.
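As an added illustration that is not part of the original article, the following Python sketch shows what a periodic k-anonymity and l-diversity analysis can look like before a dataset is released, and it also flags a leftover per-row “linking code” column of the kind described earlier. The rows, column names, thresholds and generalization rules are constructed assumptions chosen for the example.

```python
from collections import defaultdict

# Constructed sample of a "deidentified" extract; every value is invented.
ROWS = [
    {"link_code": "123YZ", "zip": "49684", "age": 34, "result": "A1C high"},
    {"link_code": "456AB", "zip": "49684", "age": 36, "result": "A1C normal"},
    {"link_code": "789CD", "zip": "49686", "age": 31, "result": "lipid high"},
    {"link_code": "012EF", "zip": "49401", "age": 52, "result": "A1C high"},
    {"link_code": "345GH", "zip": "49401", "age": 58, "result": "lipid normal"},
    {"link_code": "678IJ", "zip": "49423", "age": 55, "result": "A1C normal"},
]
QUASI_IDS = ("zip", "age")   # attributes an outside dataset could also hold
SENSITIVE = "result"         # the value that must not be tied to a person

def groups(rows):
    """Group rows into equivalence classes sharing the same quasi-identifiers."""
    classes = defaultdict(list)
    for row in rows:
        classes[tuple(row[q] for q in QUASI_IDS)].append(row[SENSITIVE])
    return list(classes.values())

def audit(rows, k_min=2, l_min=2):
    """Return k, l, and any undeclared column that is unique in every row."""
    classes = groups(rows)
    k = min(len(c) for c in classes)        # smallest equivalence class
    l = min(len(set(c)) for c in classes)   # fewest distinct sensitive values
    declared = set(QUASI_IDS) | {SENSITIVE}
    link_columns = sorted(
        col for col in rows[0]
        if col not in declared and len({r[col] for r in rows}) == len(rows)
    )
    ok = k >= k_min and l >= l_min and not link_columns
    return {"k": k, "l": l, "link_columns": link_columns, "pass": ok}

def generalize(rows):
    """Drop the linking code; coarsen ZIP to a 3-digit prefix, age to a decade."""
    out = []
    for r in rows:
        decade = r["age"] // 10 * 10
        out.append({"zip": r["zip"][:3] + "**",
                    "age": f"{decade}-{decade + 9}",
                    "result": r["result"]})
    return out

if __name__ == "__main__":
    print("raw        :", audit(ROWS))
    print("generalized:", audit(generalize(ROWS)))
```

The raw extract fails the audit because every zip-and-age combination is unique and the linking code survives; the generalized version passes the illustrative thresholds, which are not a statement of what any statute requires.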
Impact on Data Brokers and the Secondary Data Market
AB 713’s contractual requirements create compliance obligations for the entire chain of data recipients. A data broker that acquires deidentified health data must enter into the required contracts with its own customers and downstream recipients. This “flow-down” effect is designed to prevent re-identification from occurring at the end of a long data supply chain even when the original data collector acted properly. Data brokers operating in California should review their terms of service and data licensing agreements to ensure that re-identification prohibitions are incorporated throughout the data supply chain.
Consult a Privacy Attorney
Deidentification compliance under AB 713 and the broader CCPA/CPRA framework requires coordination between legal, technical, and data governance teams. The privacy attorneys at Revision Legal help businesses develop and implement legally compliant deidentification practices. Contact us at 231-714-0100.