Quiz Entry - updated: 2026.06.07
How do GDPR, HIPAA, and CCPA each frame the standard for de-identified data?
GDPR: "not reasonably re-identifiable" (context-dependent); HIPAA Safe Harbor: remove 18 specific identifiers; CCPA: cannot reasonably be linked to a person or household, with ongoing monitoring.
Three regulatory takes on "anonymous enough":
- GDPR standard — data must be "not reasonably re-identifiable" considering available technology and resources. It emphasizes a context-dependent risk assessment (the "motivated intruder" idea), not a checklist.
- HIPAA Safe Harbor — a checklist: remove 18 specific identifiers (names, dates, ZIP, etc.). Easy to apply, but often insufficient alone against sophisticated linkage attacks; additional de-identification is recommended.
- CCPA — California law: anonymized data must not be reasonably linkable back to an individual or household, with ongoing monitoring obligations.
The contrast matters: HIPAA's rule-based approach can give false confidence, while GDPR/CCPA's risk-based approach better reflects that re-identification is contextual and evolving.
Tip: Checklists (HIPAA's 18 identifiers) are easy but brittle; risk-based standards (GDPR) are harder but match how attacks actually work.