LOGBOOK

HELP

Quiz Entry - updated: 2026.06.07

How do GDPR, HIPAA, and CCPA each frame the standard for de-identified data?

GDPR: "not reasonably re-identifiable" (context-dependent); HIPAA Safe Harbor: remove 18 specific identifiers; CCPA: cannot reasonably be linked to a person or household, with ongoing monitoring.

Three regulatory takes on "anonymous enough":

  • GDPR standard — data must be "not reasonably re-identifiable" considering available technology and resources. It emphasizes a context-dependent risk assessment (the "motivated intruder" idea), not a checklist.
  • HIPAA Safe Harbor — a checklist: remove 18 specific identifiers (names, dates, ZIP, etc.). Easy to apply, but often insufficient alone against sophisticated linkage attacks; additional de-identification is recommended.
  • CCPA — California law: anonymized data must not be reasonably linkable back to an individual or household, with ongoing monitoring obligations.

The contrast matters: HIPAA's rule-based approach can give false confidence, while GDPR/CCPA's risk-based approach better reflects that re-identification is contextual and evolving.

Tip: Checklists (HIPAA's 18 identifiers) are easy but brittle; risk-based standards (GDPR) are harder but match how attacks actually work.

From Quiz: PRIVACY / Re-identification Attacks & Privacy Defenses | Updated: Jun 07, 2026