The system must inform its users whenever it can demonstrate its inability to individually identify them using the information it has collected from them.
Systems usually request information from their users or collect it based on their interactions with the application. Some regulations related to the collection of personal data are only applicable if users can be identified using this data. Whenever the system is unable to individually identify its users with the data it collects from them, and it can demonstrate this, it must inform them of this situation.
GDPR. Art. 11: Processing which does not require identification.(2): Where the controller is able to demonstrate that it is not in a position to identify the data subject, the controller shall inform the data subject accordingly, if possible.
OWASP-ASVS v4.0.1 V8.3 Sensitive Private Data.(8.3.4): Verify that all sensitive data created and processed by the application has been identified, and ensure that a policy is in place on how to deal with sensitive data.
ISO 27001:2013. Annex A - 18.1.4: When applicable, guarantee the privacy and security of personal information, as required by the relevant legislation and regulations.