Ed. Note: This is the fourth installment in a year-long series the WLF Legal Pulse is hosting of “frequently asked questions” on two California laws aimed at protecting the privacy of digital personal data. The author of the posts, David Zetoony of Greenberg Traurig LLP, authored a book on the laws for the American Bar Association from which this and future FAQs are excerpted. We thank the American Bar Association for granting us permission to share them with our readers.

Data privacy has become one of the greatest areas of risk and concern for business.  It is also quickly becoming a heavily regulated field with the adoption in Europe of the General Data Protection Regulation (GDPR) in 2016 and the adoption in California of the California Consumer Privacy Act (CCPA) in 2018 and the California Privacy Rights Act (CPRA) in 2020.  Some states, such as Colorado and Virginia, have already followed California in enacting data privacy regulation; many others are considering it.

The American Bar Association (ABA) recently published a Desk Reference Companion to the CCPA and the CPRA, a book authored by David Zetoony the Co-Chair of the United States data privacy and security practice at Greenberg Traurig LLP.  The book is designed to help in-house counsel understand the intricacies of California’s complex privacy regulations by providing answers to 516 of the most frequently asked questions from business.  The following excerpt was reproduced with the permission of the ABA. 

***

What activities count as “processing”?

Data privacy laws generally govern the “processing” of personal information.  The CCPA defines “processing” as “any operation or set of operations that are performed on personal information or on sets of personal information, whether or not by automated means.”1  Although the Office of the Attorney General was asked to further define what types of activities constitute “operation[s]” or “set of operation[s]” and, hence, processing, the Attorney General refused stating that the terms were “reasonably clear based on their commonly understood meaning[s].”2  The Office of the Attorney General was further asked to verify that the storage of personal information in the cloud would constitute processing.  That request was also declined with the Attorney General stating that the request constituted a “specific legal question [] that would require a fact-specific determination.”3

The CCPA’s definition of “processing” is substantially similar to the definition provided for the term in the European GDPR: “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means.”4  Unlike the CCPA, however, the GDPR provides the following non-exhaustive list of activities that fall within the definition of processing:

  • The collection of personal data,
  • The recording of personal data,
  • The organization of personal data,
  • The structuring of personal data,
  • The storage of personal data,
  • The adaptation of personal data,
  • The alteration of personal data,
  • The retrieval of personal data,
  • The consultation of personal data,
  • The use of personal data,
  • The disclosure (or transmission) of personal data, and
  • The destruction of personal data.5

It is unclear whether a California court that is asked to interpret the scope of processing under the CCPA would look to the GDPR’s non-exhaustive list. It is possible, however, that a court would view the omission of the above list from the text of the CCPA, and the California Attorney General’s refusal to opine on the issue, as indicating that the statute was intended to diverge from its European counterpart.

Notes

  1. Cal. Civ. Code § 1798.140(y) (West 2021).  As discussed in Q 16, the original version of the CCPA included the phrase “personal data” in place of “personal information.”  The CPRA replaced “information” with “data.”
  2. FSOR Appendix A at 8 (Response 30).
  3. FSOR Appendix A at 8 (Response 30).
  4. GDPR, Article 4(2).
  5. GDPR, Article 4(2).