Some organizations are confused as to the impact that pseudonymization has (or does not have) on a privacy compliance program. That confusion largely stems from ambiguity concerning how the term fits into the larger scheme of modern data privacy statutes. For example, aside from the definition, the CCPA only refers to “pseudonymized” on one occasion – within the definition of “research” the CCPA implies that personal information collected by a business should be “pseudonymized and deidentified” or “deidentified and in the aggregate.”[1] The conjunctive reference to research being both pseudonymized “and” deidentified raises the question whether the CCPA lends any independent meaning to the term “pseudonymized.” Specifically, the CCPA assigns a higher threshold of anonymization to the term “deidentified.” As a result, if data is already deidentified it is not clear what additional processing or set of operations is expected to pseudonymize the data. The net result is that while the CCPA introduced the term “pseudonymization” into the American legal lexicon, it did not give it any significant legal effect or status.

Unlike under the CCPA, the pseudonymization of data does impact compliance obligations under the data privacy statutes of Virginia, Colorado, and Utah. As the chart below indicates, those statutes do not require that organizations apply access or deletion rights to pseudonymized data, but they do imply that other rights (e.g., the right to opt out of sale) apply to such data. Ambiguity remains as to what impact pseudonymization has on rights that are not exempted, such as the right to opt out of the sale of personal information. For example, while Virginia does not require an organization to re-identify pseudonymized data, it is unclear how an organization could opt a consumer out of having their pseudonymized data sold without re-identification.

Exemptions from compliance obligations with respect to pseudonymized data

Europe (GDPR) | California 2022 (CCPA) | California 2023 (CPRA) | Virginia 2023 (VCDPA) | Colorado 2023 (CPA) | Utah 2023 (UCPA)

Reidentification. Organization is not required to re-identify pseudonymous data. N/A [2] [3] [4]
Access request. Organization is not required to provide access to pseudonymized data. [5] [6] [7]
Rectification request. Organization is not required to correct pseudonymized data. [8] [9] N/A
Deletion request. Organization is not required to delete pseudonymized data. [10] [11] [12]
Targeted advertising. Organization is not required to provide an opt-out right to targeted advertising. N/A
Sale. Organization is not required to provide an opt-out right to targeted advertising.
Profiling. Organization is not required to provide an opt-out right to profiling with legal effect. N/A N/A N/A
Data minimization. Organization is not required to limit collection/storage. N/A [13] N/A
Consent for sensitive information. Organization is not required to get consent for sensitive information. N/A N/A [14] N/A