Comparing U.S. Comprehensive State Privacy Laws: Treatment of Pseudonymous Data
As of August 2023, 13 states have passed comprehensive data privacy laws (including Florida, which enacted a law with a broad set of consumer rights and requirements for companies, but that law primarily applies to a narrower set of the largest internet companies). This number is expected to rise in the continued absence of a federal framework. Each state data privacy law regulates the use of identifiable consumer information, creating varying restrictions and obligations that covered businesses must comply with. While most of these laws include “pseudonymous data” within the definitions of “personal information” or “personal data”, the term is defined and treated somewhat differently across the various laws. Most state laws exempt pseudonymous data from certain provisions related to the feasibility of complying with a consumer’s data request. These exemptions are particularly important for members of the digital advertising industry, as much of the information used to facilitate tailored advertising can be considered pseudonymous. The key differences between each state’s exemption for pseudonymous data, what member companies should be aware of, and steps to help ensure information is properly pseudonymized are highlighted below.
How is pseudonymous data defined across the states?
Generally speaking, while the definition of pseudonymous data varies slightly across the state laws, pseudonymous data is defined in most of these laws as personal data that cannot be attributed to a specific individual without the use of additional information, provided that such additional information is: (1) kept separate from the consumer’s personal data; and (2) subject to appropriate technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable individual.
What consumer rights are exempted from pseudonymous data?
Current state privacy laws approach pseudonymous data in various ways. Some broadly exempt all consumer rights, while others still require covered businesses to honor opt-outs associated with the data. Additionally, a handful of states offer no exemptions for pseudonymous data. To compare the key differences between each state’s exemptions, the states are grouped below by which consumer rights their pseudonymous data exemption covers. As noted above, however, it is important to remember that in order for a member company to qualify for a state’s pseudonymous data exemption, both standards described in the paragraph above must be met.
States that exempt all consumer rights with respect to pseudonymous data
Out of the thirteen U.S. states that have passed a comprehensive data privacy law, only Florida, Iowa and Tennessee exempt all consumer rights with respect to pseudonymous data. The consumer rights included in the exemption under the Florida Digital Bill of Rights are: the right to access, correct, delete, obtain a copy and opt-out. The consumer rights included in the exemption under the Iowa Data Privacy Law are: the right to access, delete, obtain a copy and opt-out. Lastly, the consumer rights included in the exemption under the Tennessee Information Protection Act are: the right to access, correct, delete, obtain a copy, access categories and opt-out.
States that exempt most consumer rights with respect to pseudonymous data
A majority of states that have passed a comprehensive data privacy law exempt most consumer rights with respect to pseudonymous data. These states include: Colorado, Connecticut, Delaware, Indiana, Montana, Texas, Utah and Virginia. All eight states include the right to access, correct, delete and obtain a copy in their exemptions for pseudonymous data. The Colorado Privacy Act also includes the right to data portability. None of these eight states exempt pseudonymous data from the consumer right to opt-out. Additionally, Delaware does not include the right to obtain a list of the categories of third parties to which the controller has disclosed the consumer’s personal data.
States that do not exempt any consumer rights with respect to pseudonymous data
California and Oregon do not include any exemptions for pseudonymous data. While the California Consumer Privacy Act (CCPA) includes a definition of “pseudonymous data,” the Oregon Consumer Privacy Act does not recognize the concept at all. Aside from formally defining the term, the CCPA only briefly makes reference to the concept in the definition of “research.” Importantly, the final implementing regulations required by the CPRA introduced a new concept and responsibility associated with pseudonymous data that is not found in the statute. That is, in Sec. 7025, pertaining to opt-out preference signals, the regulations require businesses to treat an opt-out preference signal as a valid request to opt-out of the sale or sharing for not only that browser or device through which the signal is transmitted but also for “any consumer profile associated with that browser or device, including pseudonymous profiles.” This is a novel requirement that contrasts with the consensus approach across the industry that due to the probabilistic nature of such “pseudonymous profiles,” preference signals cannot practically be extended to other platforms.
The pseudonymous data exemptions are highly significant for members of the digital advertising industry. It is important for companies to understand the requirements they must meet for the consumer data in question to be considered truly pseudonymous. If a company intends its processing of pseudonymous data to qualify for an exemption under a state’s comprehensive data privacy law, the company needs to take the necessary steps to ensure that the information cannot be attributed to a specific individual without the use of additional information, and that the additional information used to attribute personal data to a specific person is: (1) kept separate from the personal data; and (2) subject to appropriate technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable individual.
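As an added illustration of the two-part standard above (example code, not part of the original article or of any statute), the following Python sketch keeps the re-identification key in a separate store gated by a hypothetical role check, shows that the pseudonymous dataset alone cannot be attributed to a person, and shows that an opt-out can still be honored using the pseudonym by itself. Record contents and role names are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample records; the addresses are invented for this example.
RAW_RECORDS = [
    {"email": "alice@example.com", "segment": "outdoor-gear", "opted_out": False},
    {"email": "bob@example.com", "segment": "travel", "opted_out": False},
]


class SeparatedKeyStore:
    """Holds the 'additional information' (an HMAC key) apart from the data.

    The key never leaves this object; callers receive pseudonyms, not the key.
    The role check stands in for the organizational measures the laws require
    (hypothetical role names, not taken from any statute).
    """
    ALLOWED_ROLES = {"ingest", "reidentification-officer"}

    def __init__(self):
        self._key = secrets.token_bytes(32)

    def pseudonym(self, identifier: str, role: str) -> str:
        if role not in self.ALLOWED_ROLES:
            raise PermissionError(f"role {role!r} may not derive pseudonyms")
        msg = identifier.strip().lower().encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()


def build_pseudonymous_dataset(records, store):
    # The dataset handed to the advertising pipeline carries no direct identifier.
    return [{"pseudonym": store.pseudonym(r["email"], "ingest"),
             "segment": r["segment"], "opted_out": r["opted_out"]} for r in records]


def attributable_without_key(dataset, candidate_email) -> bool:
    # An unkeyed hash would let anyone holding the dataset confirm a guess; the keyed
    # pseudonym never matches such a guess, so the dataset alone cannot be attributed.
    guess = hashlib.sha256(candidate_email.strip().lower().encode()).hexdigest()
    return any(row["pseudonym"] == guess for row in dataset)


def reidentify(dataset, candidate_email, store, role):
    # Attribution succeeds only with the separated key and an authorized role.
    p = store.pseudonym(candidate_email, role)
    return [row for row in dataset if row["pseudonym"] == p]


def honor_opt_out(dataset, pseudonym) -> int:
    # Most states still require honoring opt-outs on pseudonymous data; the pseudonym
    # itself is enough to act on, so no re-identification is needed.
    hits = [row for row in dataset if row["pseudonym"] == pseudonym]
    for row in hits:
        row["opted_out"] = True
    return len(hits)
```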