Aggregate Consumer Information 

What Is Aggregate Consumer Information? 

Aggregate consumer information is data collected from multiple sources and used to characterize a group or segment of consumers. This information is typically used by businesses to better understand the target market, improve products and services, and tailor marketing strategies. 

Aggregate consumer information is often compared to de-identified and anonymized data. 

Here’s how the three terms differ:

• Aggregate data summarizes information to show trends and patterns for a group without focusing on individuals.
• De-identified data removes direct identifiers but might leave the data in a state where re-identification is possible, especially if combined with other data.
• Anonymized data is processed to the extent that re-identification of individuals should not be possible, making it the most privacy-conscious of the three.

Third-party definition

Means information that relates to a group or category of consumers, from which individual consumer identities have been removed, that is not linked or reasonably linkable to any consumer or household, including via a device. “Aggregate consumer information” does not mean one or more individual consumer records that have been de-identified. – Clym. 

Is It Legal for Businesses to Collect and Use Aggregate Consumer Information? 

Yes, it is generally legal for businesses to collect and use aggregated consumer data. 

For example, under the California Consumer Privacy Act and the California Privacy Rights Act, two laws that give California consumers more rights regarding how their data is collected and used by businesses, businesses can collect, use, retain, sell, share, or disclose consumers’ personal data if it is aggregated or de-identified. 

Similarly, the Utah Consumer Privacy Act and Iowa Act Relating to Consumer Data Protection exclude aggregated (and de-identified) data from their personal data definition.

Other state laws (for example, the VCDPA) implicitly exempt aggregate data from their scope. 

Is Aggregate Data Really Anonymous? 

Aggregate data, by its nature, is typically considered anonymous, but there are some important considerations:

• Risk of re-identification: In some cases, especially with smaller datasets or very specific aggregations, there could be a risk of re-identifying individuals. For instance, if an aggregate dataset is broken down into particular categories (e.g., “women aged 30-31, living in a small town”), it might become possible to infer who the individuals in that category might be. For example, in one case, researchers were able to look up Strava (a fitness tracking app) users through a heatmap feature that aggregated user data. They said, “In a densely populated area, with lots of routes and lots of users, there is so much data that it would be extremely difficult to track any specific person. However, in areas where there are few users and/or few routes, it becomes a simple process of elimination – particularly if the person someone is looking for is a highly active Strava user.”
• Combining with other data: There’s also a risk if aggregate data is combined with other datasets. Advanced data analysis techniques might make it possible to cross-reference aggregate data with other available data, potentially leading to re-identification.
• Contextual sensitivity: The level of risk also depends on the sensitivity of the data. Aggregate data about sensitive topics (like health conditions in a small community) might still pose privacy concerns.

In other words, even when data is aggregated, there’s still a risk of re-identification. The precise level of risk depends on the specific context, how the data is aggregated, and what other data it could potentially be combined with.