Deidentified Information

Information that cannot reasonably be used to infer information about, or otherwise be linked to, a particular individual, provided certain requirements are met. Under CCPA, deidentified information is excluded from the definition of personal information if businesses implement technical safeguards prohibiting reidentification, implement business processes specifically prohibiting reidentification, and make no attempt to reidentify the information. Unlike fully anonymized data, deidentified information recognizes that theoretical reidentification risks may exist but are managed through technical and organizational controls. Organizations using deidentified information must publicly commit not to reidentify it, contractually obligate recipients not to reidentify it, and maintain the deidentified status throughout data lifecycle. The distinction between deidentified and anonymized data matters—deidentified data retains some risk of reidentification but remains useful for analytics, research, and other purposes when properly safeguarded.