For deidentification under the traditional laws like HIPAA, removal of identifiers qualifies.

That was a key facet of what I discussed last week on an anonymization panel during the IAPP Europe Data Protection Congress 2022 in Brussels. Katharina Koerner, Frank Pallas and Christian Zimmermann joined me on the panel.

Here are some of the key points:

  • Under the new US laws (CPRA, CPA, VCDPA, CTDPA, UCPA and ADPPA), deidentification is GDPR anonymization+.
  • You need to get the information to be such that it “cannot reasonably be used to infer information about, or otherwise be linked to, a particular consumer.”
  • But also, you must:
    1. Take reasonable measures to ensure that the information cannot be associated with a consumer or household.
    2. Publicly commit to maintain and use the information in deidentified form and not attempt to reidentify the information.
    3. Contractually obligate any recipients of the information to comply with all provisions of this subdivision.
  • Like under GDPR, if information is deidentified, it is no longer personal information and out of scope for the laws.
  • Like under GDPR, you are not required to collect more data than you need just in order to be able to respond to consumer requests. Indeed, if you can’t identify the person, you don’t need to respond (similar to Art 11 GDPR).
  • Per European Data Protection Board guidance and the UK ICO’s new guide on anonymization, anonymization is itself a form of data processing and is thus subject to all the requirements, such as legal basis, fair and lawful processing, transparency and accountability.
  • Transparency should be real. You must explain:
    1. Why you anonymize individuals’ personal data.
    2. The techniques that you use to do this (in general terms).
    3. What safeguards are in place to minimize the risk that may be associated with the production of anonymous information. In particular, you must explain whether you intend to make the anonymous information publicly available or only disclose it to a limited number of recipients.
    4. Any risks of the anonymization you are carrying out, and the possible consequences.
    5. Your reasoning for publishing anonymous information. You must explain how you did the “weighing-up,” what factors you took or did not take into account and why, and how you looked at identification “in the round.”
  • But make sure your disclosure is accurate. The FTC has said it will enforce against vague or incorrect disclosures regarding anonymization.