De-identification
Definition
The process of removing or modifying personal identifiers so that data can no longer be reasonably linked to a specific individual. De-identified data is generally exempt from privacy law requirements, but the business must take reasonable measures to ensure the data cannot be re-identified and must contractually prohibit recipients from re-identifying it.
Legal Definition
Under the CCPA (Cal. Civ. Code 1798.140(m)), de-identified information is "information that cannot reasonably be used to infer information about, or otherwise be linked to, a particular consumer," provided the business has implemented technical safeguards, business processes to prevent re-identification, and contractual prohibitions on re-identification.
Practical Example
A hospital removes names, dates of birth, and other direct identifiers from patient records before sharing the dataset with researchers. The hospital also applies statistical techniques to prevent re-identification.
Frequently Asked Questions
What is the difference between de-identification and anonymization?
De-identification means removing direct identifiers so data cannot reasonably be linked to a person, but re-identification may theoretically be possible. Anonymization goes further, irreversibly removing all identifiers so data can never be linked back to a person. Both are generally exempt from privacy laws.