The terms “pseudonymize” and “pseudonymization” are commonly referenced in the data privacy community, but their origins and meaning are not widely understood among American attorneys. Most American dictionaries do not recognize either term.[1] While they derive from the root word “pseudonym” – which is defined as a “name that someone uses instead of his or her real name” – their meanings are slightly more complex.[2]

In order to understand its meaning, it is important to understand how the term has evolved over time within different data privacy contexts. “Pseudonymization” was defined within the ISO 29100 privacy framework published in 2011 simply as a “process applied to personally identifiable information (PII) which replaces identifying information with an alias.”[3] Although the term was defined, it did not form an integral part of the privacy framework. Indeed, it was only referenced in the context of a technique that might contribute to privacy enhancing technology, and to explain that not all substitutions of personal identifiers create anonymized data.[4]

The European GDPR, which went into force in 2018, included the term albeit with a slightly broader definition then that which was used within the ISO framework. Two years later the CCPA became the first U.S. statute (federal or state) to use the term adopting a definition near identical to the GDPR.[5] Indeed, except for minor adjustments to conform the definition to CCPA-specific terminology (e.g., “consumer” instead of “data subject”), the definitions are virtually identical. Virginia, Colorado, and Utah adopted similar definitions to the ones used within the CCPA and the GDPR a few years later.

Source Term Definition
ISO Pseudonymization

[P]rocess applied to personally identifiable information (PII) which replaces identifying information with an alias.[6]

 

Europe

GDPR

Pseudonymisation [T]he processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.[7]

California

CCPA / CPRA

Pseudonymize / Pseudonymization [T]he processing of personal information in a manner that renders the personal information no longer attributable to a specific consumer without the use of additional information, provided that the additional information is kept separately and is subject to technical and organizational measures to ensure that the personal information is not attributed to an identified or identifiable consumer.[8]

Virginia

VCDPA

Pseudonymous Data [P]ersonal data that cannot be attributed to a specific natural person without the use of additional information, provided that such additional information is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.[9]

Colorado

CPA

Pseudonymous Data [P]ersonal data that can no longer be attributed to a specific individual without the use of additional information if the additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to a specific individual.[10]
Utah Pseudonymous Data [P]ersonal data that cannot be attributed to a specific individual without the use of additional information, if the additional information is: (a) kept separate from the consumer’s personal data; and(b) subject to appropriate technical and organizational measure to ensure that the personal data are not attributable to an identified individual or an identifiable individual.[11]