Deidentification Topic Page

Here, you can find the IAPP’s collection of coverage, analysis and resources related to deidentification.

Featured Resources


The definition of ‘anonymization’ is changing in the EU

Different interpretations across jurisdictions make the definition of “anonymization” difficult to nail down. This article provides an overview of the confusion around the EU standard and how it is progressively evolving.


A new standard for anonymization

Privacy experts can now use a new standard, the ISO/IEC 27559:2022 privacy-enhancing data deidentification framework. This article discusses the purpose of the framework, its implementation, and more.


10 recommendations for regulating non-identifiable data

There is considerable activity today in regulatory development and updates around the privacy rights of individuals in Canada, Europe, the U.S. and elsewhere. This article offers key considerations for regulating the generation and processing of non-identifiable data.


A lawyer’s guide to pseudonymization and anonymization

In this piece for Privacy Tech, Immuta’s Alfred Rossi, Andrew Burt and Sophie Stalla-Bourdillon look to clarify the definition of these practices, help distinguish between direct and indirect identifiers, and offer some considerations for organizations that want to properly deidentify their data.


Deidentification versus anonymization

While deidentification is not anonymization in virtually all cases, it is still useful as a data minimization technique. In this article, Lea Kissner breaks down the differences between deidentification and anonymization.


Does anonymization or de-identification require consent under the GDPR?

Data de-identification has many benefits in the context of the GDPR. One question is whether consent is required to anonymize or de-identify data. This article makes the case that no consent is required for anonymization or other forms of de-identification.

Additional News and Resources

A trans-Atlantic comparison of a real struggle: Anonymized, deidentified or aggregated?

Nonpersonal data is at the forefront of modern data analytics. In general, anonymized or deidentified personal data is not in the scope of privacy and data protection regulations, offering freedom from the restrictions of privacy compliance while allowing for greater data utilization. However, despite the growing demand for techniques to anonymize or deidentify personal data, this issue remains a topic of intense discussion at the intersection of privacy law and engineering. One part of the pro...

New options for anonymization ahead?

In the same week the European Court of Justice published three rulings on the interpretation of the EU General Data Protection Regulation, clarifying details around subject access requests, immaterial damages and accountability, another EU court handed down a landmark ruling on the concept of personal data, which has largely gone unnoticed. Although this ruling did not make it into the headlines, it will undoubtedly have a much bigger impact on the work of privacy professionals in Europe and bey...

Calif. on the verge of instituting new deidentification requirements, broader research exemptions

On Sept. 5, 2020, the California Legislature passed Assembly Bill 713, which amends the California Consumer Privacy Act. Although the bill has the primary and helpful effect of largely exempting the U.S. Health Insurance Portability and Accountability Act deidentified information from the CCPA, AB 713 also regulates deidentified information in a novel way that departs from the mostly hands-off approach to such datasets adopted by federal and state regulators. As has been the case with many of th...

CCPA offers minimal advantages for deidentification, pseudonymization, and aggregation

The California Consumer Privacy Act is notorious for the haste with which it was drafted. Many provisions of the statute require clarification, and the attorney general’s office is holding a series of public forums before issuing clarifying regulations. Among the concepts not well defined by the CCPA are deidentification, pseudonymization, and aggregation. It's helpful to take a look at some of the challenges the CCPA creates with its imprecise language regarding these topics and point out of t...

De-identification: Moving from the binary to a spectrum

As with so many things in this world, there is rarely, if ever, a silver-bullet solution to a complex problem in privacy. Perhaps the most glaring example of this is in defining the identifiability of an individual. Countless privacy laws and regulations around the world define personal information or personally identifiable information in different ways, using varying definitions and key terms. One jurisdiction may consider an IP address PII while another may not. The Federal Trade Commission...

A de-identification protocol for open data 

Open data initiatives are increasing everywhere. These are often driven by the public sector aiming to promote data availability to trigger innovation and eventually better services. The basic concept is to make data available publicly with no constraints on who can access the data and what they can do with it. It is important to ensure that these open data initiatives do not release personal information. Concurrent with open data are freedom of information laws which allow citizens to request ...