Christopher Escobedo Hart of Foley Hoag writes:
When is personal data “anonymized”? The answer to this question has largely been based on jurisdiction. If your business is in the U.S., so long as HIPAA or the CCPA does not govern, then generally aggregated or de-identified data could often be considered “anonymized” for legal compliance purposes. (Both HIPAA and the CCPA have specific requirements for what counts as “de-identified” data.) Under the GDPR, the story has been much more complicated: merely “de-identified” data is not the same as “anonymous” data, and is still governed by the GDPR as “pseudonymous” data in many instances. The point, under the GDPR, is that if it’s still possible to combine or analyze that aggregated or de-identified data in such a way that allows for identification of an individual, then it cannot be truly anonymous.
But businesses should be aware that, post-Dobbs v. Jackson Women’s Health Org. (overturning Roe v. Wade), the U.S. might look more like Europe where the differences between anonymization and de-identification are concerned.
Read more at Security, Privacy and the Law