A MoFo Privacy Minute Q&A (14 December 2021)

This is A MoFo Privacy Minute, where we will answer the questions our clients are asking us in sixty seconds or less.

This year, MoFo offered five different topical webinars about the three new state privacy laws: California’s CCPA, Colorado’s CPA, and Virginia’s VCDPA. In 2022, we will offer four more webinars. Sign Up for MoFo’s Privacy + Data Security News, Events, & Publications.

During our webinars, our attendees ask us great questions. In this final issue of A MoFo Privacy Minute for the year 2021, we chose three of your questions to answer.  Stay tuned for more in 2022!

Q: Please explain the difference between pseudonymous and de-identified information under the three laws. Can I consolidate the definitions together and apply one protocol for my business?  

Like the California Consumer Privacy Act (CCPA), the CPRA, VCPDA, and CPA do not apply to de-identified data. All three state laws similarly define “de-identified data” as information that cannot be reasonably linked to an individual. The VCDPA and CPA further narrow the definition of “de-identified data” to exclude data that can reasonably be linked to a device linked to an individual. Furthermore, to be considered “de-identified data,” all three laws require that the controller (1) take reasonable measures to ensure that the information cannot be associated with a consumer (or household, under the CPRA); (2) publicly commit to maintain and use the data in a de-identified form and not attempt to re-identify the data; and (3) contractually require recipients to do the same.

“Pseudonymous data,” on the other hand, is defined, under all three states, as personal data that cannot be attributed to an individual without the use of additional information, which must be kept separate and protected by appropriate technical and organization measures. In other words, the standard is lower for pseudonymous data than it is for de-identified data. For data to be de-identified, a business cannot be able to reasonably re-identify the data. For data to be pseudonymous, a business can have the ability within its four walls to do so, but the information necessary to re-identify the data must be kept separate with controls in place to prevent the information from being used to do so. The VCDPA and CPA exempt “pseudonymous data” from the rights of access, deletion, correction, and data portability granted to consumers under the respective laws, but do not otherwise broadly exempt “pseudonymous data” from the laws’ requirements.  Despite defining “pseudonymous data,” the CPRA, on the other hand, does not exclude such data from consumer rights, and only uses this definition in the context of its exception for research activities. 

Q: What is the difference in scope between the HIPAA and GLBA exceptions under the CPRA, VCDPA, and CPA?

The CPRA and VCDPA both exempt covered entities, business associates and protected health information (PHI) subject to the Health Insurance Portability and Accountability Act (HIPAA). The CPA, however, excludes only PHI, not covered entities as a whole, which may process other personal information that is not PHI. 

The VCDPA and CPA exempt financial institutions and nonpublic personal information (NPI) subject to the Gramm-Leach Bliley Act (GLBA). The CPRA, however, only excludes NPI itself, not financial institutions as a whole, which may process other personal information that is not NPI. 

Where the state privacy law only exempts the PHI or NPI subject to HIPAA or GLBA, respectively, any other data that the covered entity or financial institution collects and processes will be subject to the requirements under the respective state privacy laws, unless another exception applies, such as an exception for human resources information or business representative information.

Q: What must contracts with services providers/processors say about audit rights?

The CPA and VCDPA impose certain obligations on data processors to provide the controller with audit rights, which must be outlined in the contract between the two parties. The processor must either (1) allow for and contribute to reasonable audits and inspections by the controller (or the controller’s designated auditor); or (2) arrange for a qualified and independent auditor, at the processor’s expense, to conduct an audit of the processor’s policies and technical and organizational measures. The above must be outlined in the contract between the controller and the processor. Additionally, the contract must require the processor to provide the controller, upon request, with all information necessary to demonstrate compliance with the CPA and VCDPA, respectively.

Visit our A MoFo Privacy Minute Series page to view our collection of Q&As. Explore our Privacy + Data Security page for additional information from our Privacy Library and Resource Centers on Cybersecurity, State Privacy Laws, and the GDPR + European Privacy.