Srikanth Sastry

Privacy in Processing vs. Privacy in Identity

Privacy frameworks split on where rights attach: to what is done with data (processing) or to whether data can be traced back to a person (identity). GDPR takes the processing view. If you use someone’s behavioral history to target them, they have rights over that processing regardless of how the data is keyed. The SECURE Data Act takes the identity view. Sever the link between data and PII through pseudonymization, and the rights detach.

The same technical operation (pseudonymization) has a different regulatory function under each theory. Under a processing-based framework, pseudonymization is a security tool used inside the regulatory perimeter: it reduces risk, but obligations persist. Under an identity-based framework, pseudonymization is the exit from the perimeter: once the data no longer points to a name, consumer rights no longer apply. Same engineer, same system, fundamentally different regulatory question depending on which theory governs.