You never think about breathing air. Most of the time, you’re not consciously moving your legs as you walk. You don’t have to remind yourself to blink every few seconds.
For modern businesses, that’s what processing personal data is like: It’s so ever-present, automatic, and constant that they don’t have to think about doing it.
But unlike breathing, walking, or blinking, processing personal data is a regulated activity. There’s no California Breathe-Out-Your-Nose-Not-Your-Mouth Act, but there is a California Consumer Privacy Act (CCPA). And regulators have been happily handing out six-figure fines to businesses that don’t comply.
But what exactly does “processing personal data” mean? Are you processing personal data in your role? If so, what do you need to be doing differently? If you’re looking for some concrete, tangible examples of what counts as processing personal data, you’re in the right place.
Personal Data Processing Fundamentals: What Is It and When Should You Worry About It?
Definition and Scope of Personal Data
Before we can understand what it means to process personal data, we need to understand what personal data is.
Different privacy laws will define the term differently, but overall, you can think of personal data as any information that refers to a specific person and can be used—alone or in combination with other information—to identify that particular person.
So, that obviously includes a person’s name and address. It also includes their IP address or device identifiers, biometrics, financial data, and more. The rule of thumb is that if something can be linked back to a person, then it’s personal data.
Defining the Processing of Personal Data
Nobody likes deciphering legal text, but in this case, we really do need to start with the language laid out in regulation.
When we ask what processing personal data is, the best place to turn to is the GDPR. It’s the granddaddy of privacy legislation, and most (if not all) privacy laws today use it as their foundation.
Article 4(2) of the GDPR defines “processing” as:
. . . any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Pretty broad, right?
In fact, it’s so broad that it can be tough to actually evaluate whether it applies to your daily work. Don’t worry; later, we’ll dive into some real-world examples that will help clarify whether you process personal data.
Privacy Laws’ Personal Data Processing Thresholds
In many cases, you’ll have to process a certain volume of data before privacy laws kick in.
Generally, this threshold is defined by the number of people whose personal data you process. For example, Virginia’s data privacy law, the VCDPA, kicks in if you control or process the personal data of 100,000 or more residents of the state.
(A quick aside on the term control: Under data privacy law, if you control data, you determine why it’s being processed. In practical terms, it means you can’t get around privacy compliance by directing another organization to do all your processing for you.)
Other laws, like the GDPR or Texas’s TDPSA, apply if you process any residents’ personal data. Doesn’t matter if it’s one or one thousand residents.
Because there’s such a wide range of thresholds in data privacy laws, it’s crucial to understand what activities constitute processing personal data. Knowing the legal definition is one thing; understanding whether that definition fits the activities you engage in for your role is another.
5 Common Examples of Personal Data Processing
Let’s look at some common examples of personal data processing. See if you spot a processing activity that you or your colleagues participate in at your organization. If you do, then you almost certainly need to become compliant with privacy law. But note that these are just examples and not exhaustive lists of what could be personal data processing.
1. Website Personal Data Processing
Your website is the first and best opportunity your business has to get prospects into your funnel. As a result, your website is likely stuffed to the gills with trackers and personal data collection points.
Remember, personal data processing is defined as “any operation or set of operations performed on personal data.” Ninety-nine percent of the time, the mere act of a consumer visiting your website counts as an instance of personal data processing.
Here are some examples of personal data processing you may be running on your website:
- Using cookies, pixels, and similar scripts
- Targeted advertising (whether by displaying ads on your site or retargeting visitors with ads elsewhere on the internet)
- Asking for form fills, e.g., for newsletters or gated resources
- Asking users to create an account with you
- Using heat maps to determine how users interact with your website
Not only can many of these activities trigger data privacy law requirements, they can also make you a target for wiretap and VPPA lawsuits in the US. Enterprising law firms have repurposed these older laws to go after businesses using common tracking technologies on their website. Fortunately, robust privacy compliance practices can help protect you.
2. Web and Mobile App Personal Data Processing
Unlike other channels or platforms, it seems pretty intuitive that an app would process personal data. But all the ways it processes personal data might surprise you. Here are a few common examples:
- Generating content recommendations based on user activity and preferences
- Creating and storing logins, account information, and biometric information
- Recording users via camera and microphone
- Accessing the users’ contact list or calendar
- Sending any of this information to a third-party
- Using SDKs with embedded data collection
Software development kits, or SDKs, are a particular source of concern when we consider mobile and web app personal data processing. If you get a library of development tools for free (or if the developer pays you to use their SDK), you have to wonder what the provider gets in return; often, it’s the end-users' data. Look at Allstate's fine under Texas’s TDPSA as an example.
3. Sales and Marketing Personal Data Processing
We’ve covered some of the personal data processing activities that sales and marketing might engage in already. But to be safe, we’ll reiterate them here and cover a few other activities you may not have considered.
- Using data brokers like ZoomInfo
- Using sales call AI assistants
- Targeted advertising and retargeting
4. AI Model Personal Data Processing
As AI-crazy as the world is today, it’s worth noting that using AI can be especially risky from a data privacy perspective. If you develop AI models or use AI models, pay special attention to where and when they interact with personal data.
- Providing personal data in AI chats (unless the model provider clarifies chats won’t be used for training)
- Using AI to profile somebody (i.e., make an inference about them based on their personal data, often for the purposes of deciding whether they’re eligible for loans, employment, what their insurance premium should be, etc.)
AI is such a high-risk area for individuals’ data privacy rights, that if you’re using it to facilitate your work at all, you’re probably best served conducting a thorough privacy impact assessment before relying on it.
5. HR Personal Data Processing
Most data privacy regulations exempt employee data, but not all. In fact, the CCPA, arguably the US’s largest data privacy law, regulates employee data as well as normal consumer data. HR regularly processes personal data through operations like:
- Storing and analyzing job applications with applicant tracking systems (ATSs)
- Handling financial and benefits data
- Conducting performance evaluations
- Performing background checks
HR data is especially crucial to handle with care. Not only is it often highly sensitive, but HR may need to facilitate employee DSARs and meet additional privacy law standards around profiling and automated decision-making.
What to Do If You Process Personal Data
If you’ve reviewed this list and were surprised to find that this or that activity counts as processing personal data, don’t panic. Your next step is to learn whether this means you’re subject to a data privacy law, and if so, what your major requirements are.
Our overview of current data privacy laws is a good place to start. Take a look at the various thresholds associated with each law and consider whether your processing activities meet those thresholds.
For example, if your app automatically generates content for users or if you use heat maps on your website, consider whether you have 35,000 or more annual users based out of New Hampshire or any users whatsoever in the EU, Texas, or California.
Once you know what laws you’re subject to, it’s time to understand your requirements. This can feel overwhelming—the important thing is to get started on the most important and impactful compliance obligations. For many businesses, that means managing cookie consent and subject rights. If these are new concepts for you, check out our articles on the subject:
