Privacy laws such as the GDPR and CPRA are less demanding when you change personal data to make it harder or impossible to link it to a specific individual. The laws refer to "anonymization" and "de-identification" respectively. Though the two concepts are similar, the GDPR has stricter obligations.
Here's what you need to know and do.
Our Free Privacy Policy Generator helps you create a custom Privacy Policy for your website and mobile app. Just follow these few simple steps and your Privacy Policy will be ready to display in minutes.
- Click on the "Free Privacy Policy Generator" button, located at the top of the website.
- Select where your Privacy Policy will be used:
- Answer a few questions about your business:
- Enter the country and click on the "Next Step" button:
- Continue with building your Privacy Policy while answering on questions from our wizard:
-
Almost done. Now enter your email address where you'd like your new Privacy Policy sent and click on the "Generate" button and you're done.

That's it. Now you can copy and paste your Privacy Policy code into your website, or link to your hosted Privacy Policy.




- 1. Why Does Anonymization and De-identification Matter?
- 2. Do These Laws Affect Me?
- 3. Anonymization and the GDPR
- 4. Pseudonymization and the GDPR
- 4.1. Anonymization and Pseudonymization As Forms of Processing
- 5. De-Identification and the CPRA
- 6. Verifying Anonymization/Pseudonymization/De-Identification
- 7. Interaction of the GDPR and CPRA
- 8. Summary
Why Does Anonymization and De-identification Matter?
The General Data Protection Regulation (GDPR) and the California Privacy Rights Act (CPRA) both restrict your use of personal information. This means information that is about an identified or identifiable individual.
Both laws have exemptions that apply when data has been altered in a way that makes it harder to link data to a specific individual. If you have transformed the data in the appropriate way, it may no longer count as personal data under the respective law and thus your use of the data is no longer restricted.
Alternatively, it may still count as personal data, but the transformation helps meet some of the requirements for handling data.
(Don't forget other privacy and security laws and regulations may still apply, for example in specialist areas such as health or finance.)
Do These Laws Affect Me?
The GDPR broadly applies if you (the organization that decides how and when to process data) or the data subject (the person the data is about) are in a European Union country. It also applies if the data processing itself takes place in an EU country. A range of national laws and international agreements mean similar measures apply in Iceland, Liechtenstein, Norway and the United Kingdom.
The CPRA applies if you serve customers in California and at least one of the following is true:
- Your gross revenue is more than $25 million a year.
- You buy, sell or share personal data about at least 100,000 people in a year.
- At least half your annual revenue comes from sharing or selling personal data.
The CPRA built upon and replaced a previous law, the California Consumer Privacy Act.
We've concentrated on the CPRA in this guide as it is the biggest state privacy law and something of a trendsetter. However, more than 20 states now have privacy laws, many of them based to some extent on the CPRA. This means it's important to understand the de-identification concept and then check how it applies to any state laws which cover you.
Anonymization and the GDPR
The GDPR has a special exception for anonymous data. It's detailed in Recital 26, one of the accompanying notes for the legislation, which says:
"The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information."
Later rulings and interpretations have confirmed that under the GDPR, anonymization must mean the link between the identifiable individual and the data is irreversibly broken.
Let's break down an example of anonymization.
Imagine you have conducted a study in which you try to figure out which has a bigger effect on weight loss: exercise or eating. You collect data about the subjects including their name, email address, gender, date of birth, weight at the start and end of the study, minutes of exercise per day and daily calorie intake.
Because the person can be clearly identified through their name and email address, all of this information counts as personal data under the GDPR. That means you need to follow all the rules, including having a lawful basis such as consent or legitimate interests. Initially there should be no problem as you clearly need to keep the names and contact addresses so that you can check up with any queries, for example if you think there's a mistake in any of the figures.
After some time, particularly at the point you come to publish a report on the study, you may no longer have the same level of justification under the GDPR to use the name and address. For example, consent does not last forever. Meanwhile, going public with the results will likely mean the user's privacy rights outweighs your legitimate interests in using the data.
The solution is to anonymize the data by deleting the fields with the name and address and keeping everything else. At this point, it is no longer possible to link the data to an identifiable individual. The remaining details are anonymized and thus don't come under the GDPR any more.
Note that some data may be a grey area. For example, if your published report says that all your test subjects came from the same local community group of 30 people, the date of birth may be enough to identify them. If your test subjects were recruited from across an entire city, the date of birth would not be enough to identify somebody. This means you always need to review your data use and anonymization carefully.
Pseudonymization and the GDPR
Sometimes people and organizations who use personal data will stop a step short of full anonymization and instead use pseudonymization. It's a subtle difference, which the UK's Information Commissioner's Office describes as follows: anonymization means removing any link between data and an identifiable individual while pseudonymization means reducing the links between the data and the individual.
To go back to our survey example, you might want to use pseudonymization when sharing it with another researcher at a different organization. In this scenario you need to:
- Be able to contact the study participants yourself.
- Make sure the other organization can't identify any participants.
- Make sure the other organization can still work with individual records, for example to filter out any effects of age or gender on the weight loss.
In this scenario, you could pseudonymize the data by giving each survey participant a reference number. You would keep a list of each person's name and email address with their reference number. However, the data you sent out would have the reference number (plus their study results) but not the name or email address.
It's vital to remember that while such pseudonymization is good practice and helps to reduce the risk of a privacy breach, it does not count as anonymization under the GDPR. That's because it's still possible (if now harder) to link the data to the individual. The GDPR's Recital 26 confirms:
"Personal data which have undergone pseudonymization, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person."
This means that even the pseudonymized data is still subject to the GDPR. You must continue to keep it secure and to make sure your lawful basis for using it (eg consent or legitimate interests) remains valid.
Anonymization and Pseudonymization As Forms of Processing
The GDPR covers all forms of processing personal data, which covers collecting, using, altering, sharing and deleting it. This means that the act of anonymizing or pseudonymizing the data is itself a form of processing and thus must be done in line with the GDPR.
This doesn't have to be a major problem, particularly given these actions both increase the privacy of data subjects (the people the data is about). The main effect is that you need to mention your use of anonymization or pseudonymization in your Privacy Policy.
Raleigh's Privacy Policy details how it does and doesn't use anonymization in a particular scenario:

De-Identification and the CPRA
The CPRA does not use the same concepts of anonymization and pseudonymization. Instead, it exempts information that has been "de-identified". The law itself defines this as "Data, which cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer".
De-identification can involve a range of techniques to reduce the effect of information that could identify somebody. For example:
- Randomizing data.
- Changing data from specific details to more general ranges. (For example, in our weight loss study, we could list an age category for each person rather than their date of birth.)
- Masking data. (For example, we could change a user's name in the records from John Brown to JB or change their email address from [email protected] to j*******n@*********isp.com.)
Whatever method you use, you'll need to do three things to confirm your data counts as de-identified under the CPRA:
- Take "reasonable" steps to break the link between the individual and the data.
- Consider how easy or difficult it would be for somebody to re-establish the link between the individual and the data. Our earlier example of having the date of birth and gender of somebody from a small group vs a wider population is the type of issue you'll need to consider here.
- Have a firm policy that you and your staff will not try to re-identify anybody using the data and enforce the same policy and obligations on anyone who receives the data.
UC Davis Health explains some of the methods it uses for de-identifying particular types of data:

Verifying Anonymization/Pseudonymization/De-Identification
You can use professional services where experts will try to identify or reidentify individuals using your transformed data set. This may uncover flaws in your transformation that means the links between the individual and the data are stronger than you intended.
While such services are useful, you need to be careful that you are not breaking any privacy rules by giving the service provider access to your data. You may need to have a legally binding confidentiality agreement.
If your data is covered by the GDPR, the service provider will be acting as a data processor on your behalf. This means you'll need a legally binding Data Processing Agreement that requires them to follow the GDPR.
Contrast includes such a requirement in its Data Processing Agreement:

Interaction of the GDPR and CPRA
Both laws have the same broad principle of exempting data based on how easy it is to link to an identifiable individual, but there is a key distinction:
- CPRA only requires reasonable efforts to break the link.
- The GDPR requires the link to be irreversibly broken.
This means that data which you have deidentified so that it is exempt from the CPRA will not automatically count as anonymized under the GDPR. If it is not, you must continue to follow the GDPR when holding or processing it.
Summary
The GDPR does not cover data which has been anonymized. This means irreversibly breaking the link between the data and the identifiable individuals, for example by permanently deleting details such as names and addresses.
The GDPR does still apply to data which has been pseudonymized. This means reducing the links between the data and the identifiable individuals, for example by using reference numbers in place of names.
The CPRA does not cover data which has been de-identified. This means making reasonable efforts to make it harder or impossible to link the data to the individual, for example by masking details or using ranges rather than specifics.
Data that meets the de-identification threshold of the CPRA will not necessarily count as anonymized under the GDPR.