The California Consumer Privacy Act ("CCPA") was enacted in early 2018 as a political compromise to stave off a poorly drafted, and plaintiff’s friendly ballot initiative. Although the CCPA is scheduled to go into force in early 2020, there is a great deal of confusion regarding the requirements of the CCPA, including the degree to which it aligns with other privacy regulations such as the European General Data Protection Regulation (“GDPR”).
To help address that confusion, BCLP published the California Consumer Privacy Act Practical Guide, and is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the CCPA.
Q. What activities count as “processing?”
While United States attorneys that focus on technology transactions, or data privacy and security, often use the term “processing” they do so in a generic sense to refer to the manipulation by a company (whether directly or when providing a service to another company) of data; the term is not generally considered a legal term of art within the United States data privacy lexicon, nor is it typically referenced or defined within United States data privacy and security laws.
In contrast, the term “processing” is a term of art within Europe and is defined within the GDPR as “any operation or set of operations which is performed on personal data or on sets of personal data.”1 The following is a non-exhaustive list of activities that fall within the category of processing:
- The collection of personal data
- The recording of personal data
- The organization of personal data
- The structuring of personal data,
- The storage of personal data,
- The adaptation of personal data,
- The alteration of personal data,
- The retrieval of personal data,
- The consultation of personal data,
- The use of personal data,
- The disclosure (or transmission) of personal data, and
- The destruction of personal data.2
The CCPA copied the GDPR’s definition, although it omitted the examples of activities laid out by the GDPR. The use of the term “copied” may be literally appropriate. As shown below the CCPA’s definition references within it the term “personal data” – a term that is used within the GDPR, but is not used within the CCPA (which uses the defined term “personal information”). This is likely a result of the drafters copying and pasting the definition of “processing” directly from the GDPR:
“’processing’ means any operation or set of operation which is performed on personal data or on sets of personal data, whether or not by automated means . . . .”