The CCPA states that a service provider must be contractually prohibited from “retaining, using, or disclosing the personal information [provided to it by a business] for any purpose other than for the business purposes specified in the contract for the business . . . .” That prohibition, however, may not apply to information once it has been deidentified or aggregated.
Two provisions of the CCPA relate to the deidentification and aggregation of personal information.
The first provision states that nothing within the CCPA restricts the ability of a business to “collect, use, retain, sell, or disclose consumers’ personal information that is deidentified or aggregate consumer information.” It is important to note, however, that the statutory exemption only applies to a “business,” and during the 2020 rulemaking process the Office of the Attorney General did not expressly extend the exemption to service providers. As a result, under the CCPA there was ambiguity as to whether a service provider was permitted to utilize this exception. That ambiguity was resolved during the 2023 rulemaking conducted by the California Privacy Protection Agency. The CPPA revised the regulations implementing the CCPA to expressly state that service providers were not prohibited from retaining, using, or disclosing personal information if such information was deidentified or aggregated.
The second provision is found within the definition of personal information itself. The CCPA expressly defines “personal information” as not including “consumer information that is deidentified or aggregate[d].” As a result, information that is converted into a deidentified or aggregated form presumably is outside the scope of personal information regulated by the CCPA.
The net result is that if a service provider has an interest in retaining, using, or disclosing the personal information it receives from a client, the service provider may be permitted to deidentify or aggregate the personal information in order to convert it from “personal information” (for which there are retention, use, and disclosure restrictions) to non-personal information (for which the CCPA imposes no such restrictions). From a practical standpoint, if a service provider intends to retain, use, or share deidentified or aggregated information, the parties should consider including within the service provider agreement a recognition of that intention as well as a definition of “deidentification” and “aggregation” that matches the definitions of those terms used within the CCPA.