While the recent Executive Order on Safe, Secure, and Trustworthy Artificial Intelligence advocates for a federal privacy law to be enacted, at this time it is still the states leading the way. The Colorado Privacy Act (CPA) and the Connecticut Data Privacy Act (CDPA) came into effect in July, 2023, following California and Virginia. The two acts share significant similarities and differ in some notable details. Focussing on the definitions of personal information, de-identification, pseudonymization, and sensitive data, this article performs a comparison of the CPA and the CDPA and explains how compliance with both acts can be facilitated in certain respects using Private AI.
Personal Information under the CPA and CDPA
The definitions of personal information are virtually identical. In both contexts it means information that is linked or reasonably linkable to an identified or identifiable individual but excludes publicly available information (which is in both instances narrowly defined) and de-identified information.
An interesting aspect both acts also share is that their definition of “consumer” carves out individuals acting not only in a professional, but also in their capacity as employees. While that does not exclude employment information from the definition of personal information, is does mean that many of the rights under the CPA and CDPA are not extended to employees acting as such, i.e., during a job application or insofar as employment records are maintained by their employer.
De-Identification Definition
The CPA defines de-identified data in a way that aligns closely with the CDPA. Once data is de-identified, it ceases to be personal information under both acts. For this exclusion from the acts to apply, the data:
- cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable individual, or a device linked to such individual
and
- The controller that processes the data implements measures against de-identification, commits publicly to process the data in de-identified form and does not attempt to re-identify it, and requires data recipients to do the same.
Pseudonymization
Similarly, the definitions of “pseudonymized data” are also almost identical in both acts; it means personal data that cannot be attributed to a specific individual without the use of additional information, provided such additional information is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable individual (here, the CPA deviates, saying instead “to a specific individual”).
A fairly clear distinction between de-identified and pseudonymized information is that in the latter case, re-identification is practically expected to occur, whence pseudonymized information remains personal data. A bit less clear are the respective standards for de-identification, as the de-identification definition requires that inferences about the individual are not “reasonably” possible, whereas for information to be pseudonymized, it “cannot be” attributable to a specific individual. That almost seems like the standard for de-identification is lower than that for pseudonymization, which is surprising given that the former is a technique to exclude data from the definition of personal information altogether. It remains to be seen how these two definitions will be interpreted in practice and by the courts.
Sensitive Data
The two acts differ slightly in how they define sensitive data. Both include the following as sensitive data:
- Racial or Ethnic Origin
- Religious Beliefs
- Mental or Physical Health Condition or Diagnosis
- Sex Life or Sexual Orientation
- Citizenship or Citizenship Status
- Genetic or Biometric Data
- Personal Data from a Known Child
But only the CDPA considers Precise Geolocation Data as sensitive.
Private AI’s Compliance Solutions
Private AI’s technology plays a pivotal role in helping organizations comply with both the CPA and CDPA, or to render it not applicable by de-identifying data:
- Robust De-identification Techniques: Private AI leverages advanced ML models to accurately identify and redact over 50 entities of personal data, including PHI and PCI. This aligns with the de-identification standards set by both acts, effectively transforming sensitive data into a non-personal form, thus rendering both legislations inapplicable.
- Flexible Deployment Options: Organizations can choose between on-premise solutions for maximum data control or an API-based solution in Private AI’s Azure instance, catering to diverse data handling needs.
- Multilingual Capabilities: With support for over 52 languages, Private AI ensures compliance for businesses operating in various regions and dealing with multilingual data.
- Integration with Advanced Tools: Incorporating Private AI’s technology with tools like ChatGPT ensures outputs remain compliant with privacy laws, crucial in maintaining consumer trust. It also helps safeguard sensitive business data from being exposed externally.
Conclusion
The Colorado Privacy Act and the Connecticut Data Privacy Act share a fundamental approach to data privacy, especially in terms of their scope of application and definition of key concepts such as de-identification, pseudonymization and sensitive data, with a subtle difference in the CDPA’s inclusion of geolocation data as sensitive data. The value of de-identification is paramount in this context; by effectively de-identifying data, organizations can render these acts inapplicable, alleviating the burden of compliance. Private AI’s technology, with its robust de-identification capabilities, emerges as a crucial tool in this landscape, enabling businesses to navigate the subtleties of these laws while championing privacy and data security. Try it on your own data using our web demo, or get a free API key.
