Which regulatory agencies enforce this type of clause?

{'agency': 'FTC', 'reason': 'The FTC enforces against inadequate anonymization and deceptive claims about de-identification under FTC Act Section 5, and has established guidance on what constitutes adequate de-identification.', 'complaint_url': 'https://reportfraud.ftc.gov/'}

What is the severity of this clause?

ConductAtlas classifies this De-identification and Aggregated Data Rights clause as medium severity. Severity reflects the magnitude of rights affected, the breadth of users impacted, and the degree of discretion the platform retains.

De-identification and Aggregated Data Rights — Fiverr

Share 𝕏 Share in Share 🔒 PDF

What it is

Fiverr can take your personal data, strip out identifying details, and then use or sell that aggregated data to anyone for any purpose — including marketing and research.

Consumer impact (what this means for users)

Fiverr claims broad rights to use data derived from your activity for unlimited commercial purposes once it is de-identified — with no opt-out available and no restriction on how that data can be shared or monetized.

Cross-platform context

See how other platforms handle De-identification and Aggregated Data Rights and similar clauses.

Compare across platforms →

Need full compliance memos? See Professional →

Why it matters (compliance & risk perspective)

De-identification can be reversed in some cases through re-identification attacks, and this provision gives Fiverr unrestricted rights to commercially exploit behavioral data derived from user activity.

View original clause language

We may de-identify or aggregate your personal information so that it can no longer reasonably identify you, and use such de-identified or aggregated data for any purpose, including sharing with third parties for research, analytics, and marketing purposes, without restriction.

Institutional analysis (Compliance & legal intelligence)

(1) REGULATORY FRAMEWORK: CCPA/CPRA §1798.140(m) defines de-identified information and imposes obligations to implement technical safeguards and prohibit re-identification; GDPR Recital 26 and EDPB guidance establish that truly anonymized data falls outside GDPR scope, but de-identified data that can be re-identified with reasonable effort remains personal data subject to GDPR. The FTC's 2012 Privacy Report established standards for anonymization adequacy. NIST SP 800-188 provides technical de-identification standards. (2)

🔒

Compliance intelligence locked

Regulatory citations, enforcement risk, and due diligence action items.

Watcher $9.99/mo Professional $149/mo

Watcher: regulatory citations. Professional: full compliance memo.

Applicable agencies

FTC

The FTC enforces against inadequate anonymization and deceptive claims about de-identification under FTC Act Section 5, and has established guidance on what constitutes adequate de-identification.
File a complaint →

Provision details

Document information

Document

Fiverr Privacy Policy

Entity

Fiverr

Document last updated

April 29, 2026

Tracking information

First tracked

March 20, 2026

Last verified

April 27, 2026

Record ID

CA-P-003443

Document ID

CA-D-00140

Evidence Provenance

Source URL

https://www.fiverr.com/privacy-policy

Wayback Machine

View archived versions →

SHA-256

a28fab0776af5b5e1f02fe672f91126ee950cf444829a62c9c1c011a57efff18

Verified

✓ Snapshot stored ✓ Change verified

How to Cite

ConductAtlas Policy Archive
Entity: Fiverr | Document: Fiverr Privacy Policy | Record: CA-P-003443
Captured: 2026-03-20 10:52:11 UTC | SHA-256: a28fab0776af5b5e…
URL: https://conductatlas.com/platform/fiverr/fiverr-privacy-policy/de-identification-and-aggregated-data-rights/
Accessed: May 2, 2026

Classification

Severity

Medium

De-identification and Aggregated Data Rights