The California Consumer Privacy Act ("CCPA") was enacted in early 2018 as a political compromise to stave off a poorly drafted and plaintiff-friendly ballot initiative. Although the CCPA is scheduled to go into force in early 2020, there is a great deal of confusion regarding its requirements, including the degree to which it aligns with other privacy regulations such as the European General Data Protection Regulation (“GDPR”).
To help address that confusion, BCLP published the California Consumer Privacy Act Practical Guide, and is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the CCPA.
Q. Can a service provider use and transfer personal information if they anonymize or aggregate it?
Section 1798.140(v) of the CCPA states that a service provider must be contractually prohibited from “retaining, using, or disclosing the personal information [provided to it by a business] for any purpose other than for the specific purpose of performing the services specified in the contract for the business.”1 The CCPA also states, however, that nothing within it restricts the ability of a business to “collect, use, retain, sell, or disclose consumer information that is deidentified or in the aggregate consumer information.”2 The net result is that if a service provider has an interest in retaining, using, or disclosing the information that it receives from a client, the service provider can anonymize or aggregate the information in order to convert it from “personal information” (for which there are retention, use, and disclosure restrictions) into non-personal information (for which the CCPA imposes no such restrictions).
Anonymized data, sometimes referred to as “de-identified” data, refers to data that “cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer.”3 While there are a number of strategies for converting a file that contains personal information into one that does not, the CCPA requires that a business that uses de-identified information take the following four steps to help ensure that the data will not be re-identified:4
- Implement technical safeguards that prohibit reidentification. Technical safeguards may include the process, or techniques, by which data has been de-identified. For example, this might include some combination of hashing, salting, or tokenization.
- Implement business processes that specifically prohibit reidentification. This might include an internal policy or procedure that prevents employees or vendors from attempting to reidentify data.
- Implement business processes to prevent inadvertent release of deidentified information. Among other things, this might include safeguards to help prevent de-identified information from being accessed or acquired by unauthorized parties.
- Make no attempt to reidentify the information. As a functional matter, this entails that a business follow the policies that it enacts that prohibit reidentification.
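To make the first step concrete, the following is an added illustration (not code from the original guide or from BCLP) of why the choice of hashing technique matters: an unkeyed hash of an identifier is deterministic but can be recomputed by anyone holding a list of candidate identifiers, whereas a keyed hash (HMAC) whose key is held only by the business cannot be recomputed by the service provider. The records, the key, and the function names are constructed for this example.

```python
import hashlib
import hmac

# Constructed sample records of the kind a service provider might receive; not real consumers.
RECORDS = [
    {"email": "mary@example.com", "miles_from_store": 5},
    {"email": "peter@example.com", "miles_from_store": 10},
]


def plain_hash_token(email: str) -> str:
    """Weak safeguard: an unkeyed SHA-256 of the identifier. Deterministic, but the
    token can be recomputed from any candidate email, so the record remains linkable."""
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()


def keyed_token(email: str, key: bytes) -> str:
    """Stronger safeguard: HMAC-SHA256 under a secret key kept by the business and
    never shared with the service provider, so the provider cannot recompute tokens."""
    return hmac.new(key, email.strip().lower().encode(), hashlib.sha256).hexdigest()


def is_linkable(token: str, candidate_emails, tokenize) -> bool:
    """Compliance check: can a token be matched to a consumer using only a candidate
    list and the tokenizer the holder has access to? True means it is still
    'reasonably linkable' and the data is not de-identified under this scheme."""
    return any(tokenize(email) == token for email in candidate_emails)


def deidentify(records, key: bytes):
    """Replace the direct identifier with a keyed token and keep the non-identifying
    field. The business keeps `key`; only the tokenised records go to the provider."""
    return [
        {"token": keyed_token(r["email"], key), "miles_from_store": r["miles_from_store"]}
        for r in records
    ]


def aggregate_distance(records) -> float:
    """Aggregate value (average distance). No individual distance can be recovered
    from the average alone, which is the point of the Mary/Peter illustration."""
    return sum(r["miles_from_store"] for r in records) / len(records)
```

The unkeyed token fails the linkability check against a candidate list, while the keyed token passes it unless the checker also holds the business's key.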
It should be noted that the standard for “anonymization” or “de-identification” under the CCPA arguably differs from the standard for anonymization under the European GDPR. While the CCPA treats information that cannot “reasonably” identify an individual as anonymous, the Article 29 Working Party interpreted European privacy laws as requiring that data has been “irreversibly prevent[ed]” from being used to identify an individual.5
Aggregation is defined within the CCPA as information that “relates to a group or category of consumers, from which individual consumer identities have been removed, that is not linked or reasonably linkable to any consumer or household, including via a device.”6 In common parlance, it refers to the situation where multiple consumer data points are combined so as to prevent the extrapolation of data as it relates to any particular consumer. For example, if Mary lives 5 miles from Company A, and Peter lives 10 miles from Company A, an aggregate value (e.g., consumers live, on average, 7.5 miles from Company A) cannot be used to extrapolate the distance of Mary or Peter.
From a practical standpoint, if a service provider intends to retain, use, or share anonymized or aggregated information, the parties should consider including within the service provider agreement a definition of “anonymization” and “aggregation” that matches the definitions of those terms used within the CCPA.