"It defines de-identified as “information that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer.”"
I'd love to know what they mean by reasonable... I've seen some demos of tech that can do some pretty amazing things at de-de-identifying.
So, huge caveat (I'm NOT a lawyer), but right now most interpretations seem to suggest that masking and synthesizing would constitute appropriate deidentification even if a motivated adversary could reverse engineer given appropriate time and resources. Again, this is something that will likely be clarified over time.
I'd love to know what they mean by reasonable... I've seen some demos of tech that can do some pretty amazing things at de-de-identifying.