When is personal data “anonymized”? The answer to this question has largely depended on jurisdiction. If your business is in the U.S., then so long as neither HIPAA nor the CCPA governs, aggregated or de-identified data could generally be considered “anonymized” for legal compliance purposes. (Both HIPAA and the CCPA have specific requirements for what counts as “de-identified” data.) Under the GDPR, the story has been much more complicated: merely “de-identified” data is not the same as “anonymous” data, and in many instances it is still governed by the GDPR as “pseudonymous” data. The point, under the GDPR, is that if it is still possible to combine or analyze aggregated or de-identified data in a way that allows an individual to be identified, then the data cannot be truly anonymous.
But businesses should be aware that, post-Dobbs v. Jackson Women’s Health Org. (overturning Roe v. Wade), the U.S. might look more like Europe where the differences between anonymization and de-identification are concerned. On July 11, 2022, Kristin Cohen, Acting Associate Director of the Federal Trade Commission’s (FTC) Division of Privacy & Identity Protection, wrote a blog post in which she stated the following:
Claims that data is “anonymous” or “has been anonymized” are often deceptive. Companies may try to placate consumers’ privacy concerns by claiming they anonymize or aggregate data. Firms making claims about anonymization should be on guard that these claims can be a...