Deidentified Data
Reference only: This requirement is not currently tested by the Privisy scanner. It is included for reference. Consult a qualified attorney to assess your compliance posture.
What it requires
A controller holding deidentified data must take reasonable measures against re-identification, publicly commit not to re-identify it, and bind recipients to the same obligations by contract. The Act does not require re-identification to fulfill a request, and the rights to confirm, access, correct, or delete data do not apply to properly safeguarded pseudonymous data.
Legal text (excerpt)
A controller in possession of deidentified data shall: (1) take reasonable measures to ensure that the data cannot be associated with an individual; (2) publicly commit to maintaining and using deidentified data without attempting to reidentify the data; and (3) contractually obligate any recipients of the deidentified data to comply with the provisions of this subchapter.
Primary source
Vermont Office of the Attorney General: § 2415h: Deidentified Data ↗Legal notice: This page is for informational purposes only and does not constitute legal advice. The legal text excerpt is reproduced from official public sources and is current as of the stated effective date. Laws change: verify against the authoritative source and consult a licensed attorney for compliance guidance.