When is personal data “anonymized”? The answer to this question has largely depended on jurisdiction. If your business is in the U.S., then so long as neither HIPAA nor the CCPA governs, aggregated or de-identified data could often be considered “anonymized” for legal compliance purposes. (Both HIPAA and the CCPA have specific requirements for what counts as “de-identified” data.) Under the GDPR, the story has been much more complicated: merely “de-identified” data is not the same as “anonymous” data, and is still governed by the GDPR as “pseudonymous” data in many instances. The point, under the GDPR, is that if it’s still possible to combine or analyze that aggregated or de-identified data in a way that allows for identification of an individual (which as a practical matter will almost always be the case), then it cannot be truly anonymous.
But businesses should be aware that, post-Dobbs v. Jackson Women’s Health Org. (overturning Roe v. Wade), the U.S. might look more like Europe where the differences between anonymization and de-identification are concerned. On July 11, 2022, Kristen Cohen, Acting Associate Director of the Federal Trade Commission’s (FTC) Division of Privacy & Identity Protection, wrote a blog post in which she stated the following:
Claims that data is “anonymous” or “has been anonymized” are often deceptive. Companies may try to placate consumers’ privacy concerns by claiming they anonymize or aggregate data. Firms making claims about anonymization should be on guard that these claims can be a deceptive trade practice and violate the FTC Act when untrue. Significant research has shown that “anonymized” data can often be re-identified, especially in the context of location data. One set of researchers demonstrated that, in some instances, it was possible to uniquely identify 95% of a dataset of 1.5 million individuals using four location points with timestamps. Companies that make false claims about anonymization can expect to hear from the FTC.
Cohen’s blog post, which does not mention Dobbs explicitly, comes on the heels of President Biden’s July 8 Executive Order “encourag[ing]” the FTC to “consider actions, as appropriate and consistent with applicable law, to protect consumers’ privacy when seeking information about and provision of reproductive healthcare services.”
In the absence of a comprehensive federal data privacy statute, the FTC–through its Section 5 authority to enforce against unfair and deceptive acts and practices–acts as the country’s general privacy watchdog. While Cohen’s blog post is neither a rule nor formal guidance, it does signal that the FTC’s view of what counts (and does not count) as “anonymized” personal data appears to hew much closer to the GDPR’s strict view of anonymization.
From an enforcement perspective, the FTC’s primary concern has long been what representations organizations make to consumers, and whether those representations are clear and accurate. The FTC here is not suggesting that businesses are prohibited from “merely” aggregating or de-identifying personal data. Rather, through Cohen’s post, the FTC is sending the message that businesses that only de-identify or aggregate personal data, but do not truly anonymize it, must be clear and honest with individuals about that fact. If companies state, through their privacy policies, that individual data is “anonymized” when it is merely de-identified, they are opening themselves up to an enforcement action from the FTC (and perhaps from state attorneys general, who also have broad consumer protection powers). The FTC appears to be particularly concerned with location-tracking data–a significant post-Dobbs privacy concern for pregnant individuals who might seek reproductive care across state borders.
As a practical matter, consider what you are doing with personal data that you might have considered “anonymized.” If there is any question about whether that personal data is in fact truly “anonymized,” review and edit your privacy representations accordingly.