In some cases yes, and in other cases no.
The CCPA defines “personal information” as information that, among other things, “is capable of being associated with” a particular consumer.[1] Conversely, the CCPA refers to information as “deidentified” if it “cannot reasonably” be “associated with” a particular consumer.[2]
In situations in which a company encrypts personal information but maintains the means to decrypt the information (e.g., a password or an encryption key), an argument exists that, while the encrypted information remains in the possession of the business, it is “capable” of being associated with a consumer. In such a situation, most of the requirements of the CCPA would apply, with one important exception. The private right of action conferred by the CCPA to bring suit following a data breach applies only in the context of “nonencrypted” information that has been disclosed.[3] As a result, if the business accidentally disclosed the encrypted information (or if the encrypted information were accessed by a malicious third party), the business should not be liable for the statutory liquidated damages identified in the Act.
In situations in which a company receives, stores, or transmits encrypted information, but does not have the means to decrypt it (e.g., acts simply as a transmission conduit), a strong argument exists that the information “cannot reasonably” be associated with a particular consumer and, as a result, is not personal information subject to the CCPA.
In comparison to the CCPA, the European GDPR recognizes encryption as a security technique that may help keep personal data safe, but the GDPR does not state that encrypted data is no longer personal data; nor does the GDPR state that encrypted data is not governed by the Regulation.[4] To the contrary, the Article 29 Working Party[5] held the opinion that encryption does not “per se lend[ ] itself to the goal of making a data subject unidentifiable” and “it does not necessarily result in anonymisation.”[6]