The terms “pseudonymize” and “pseudonymization” are commonly referenced in the data privacy community, but their origins and meaning are not widely understood among American attorneys. Most American dictionaries do not recognize either term.1 While they derive from the root word “pseudonym” – which is defined as a “name that someone uses instead of his or her real name” – their meanings are slightly more complex.2
The CCPA was the first United States statute (federal or state) to use either term.3 The CCPA’s definition borrows from the European GDPR enacted two years prior. Indeed, except for minor adjustments to conform the definition to CCPA-specific terminology (e.g., “consumer” instead of “data subject”), the definitions are virtually identical:
The net result is that while the CCPA borrows the term “pseudonymization” from European data privacy law and introduces it to the American legal lexicon, it does not appear to give it any independent legal effect or status.Confusion surrounding the term “pseudonymize” largely stems from ambiguity concerning how the term fits into the larger scheme of the CCPA. Aside from the definition, the CCPA only refers to “pseudonymized” on one occasion. Within the definition of “research,” the CCPA implies that personal information collected by a business should be “pseudonymized and deidentified” or “deidentified and in the aggregate.”6 The conjunctive reference to research being both pseudonymized “and” deidentified raises the question whether the CCPA lends any independent meaning to the term “pseudonymized.” Specifically, the CCPA assigns a higher threshold of anonymization to the term “deidentified.” As a result, if data is already deidentified it is not clear what additional processing or set of operations is expected to pseudonymize the data.