Skip to content

Attorneys familiar with the European GDPR are acquainted with the bifurcation of the world into controllers and processors. For purposes of European data privacy, a “controller” refers to a company that either jointly or alone “determines the purposes and means” of how personal data will be processed.[1] A “processor” refers to a company (or a person such as an independent contractor) that “processes personal data on behalf of [a] controller.”[2]

While most modern U.S. privacy laws also use the terms “controller” and “processor,” California’s laws refer to the terms “businesses” and “service providers.”[3] Regardless of what terms are used in the United States, the concepts have similar (but not identical) meanings to their European counterparts. For example, in order to qualify as a “business” under the CCPA, an entity must “determine[] the purposes and means of the processing of consumers’ personal information,”— phraseology that mirrors that found within the GDPR’s definition of a controller.[4] Similarly, in order to qualify as a “service provider” under the CCPA, an entity must, in part, “process information on behalf of a business.”[5] Unlike the European GDPR, however, regulators in the United States have not issued extensive guidance applying the categories to specific types of entities. Furthermore, when European supervisory authorities have had to analyze which category a particular organization falls into, they have often looked to factors within the GDPR that have no analog in the United States, or are treated differently in the United States. For example, European supervisory authorities have taken the position that if an organization is required by law to process personal data, the organization is typically a “controller.”[6] Modern U.S. privacy laws, on the other hand, anticipate and permit processors to process personal data where required by law.[7] The net result is that a determination by a European supervisory authority that a particular entity is a controller or a processor may not be probative of how a US regulator (or a US court) would view the same organization in the United States.

Ultimately, whether an organization that utilizes personal information to train an artificial intelligence engine is considered a controller or a processor in the United States may depend in part on the degree to which the organization determines the purpose for which the data will be used and the “essential” means of processing. Note that a processor may remain responsible for determining non-essential means of processing. It may also depend in large part on whether the organization is building the artificial intelligence for its own use (or to license to multiple third parties) or has been retained by a third party to construct the artificial intelligence according to that third party’s instructions.

[1] GDPR, Article 4(7).

[2] GDPR, Article 4(8).

[3] Cal. Civ. Code § 1798.140(d)(1), (ag) (West 2021). It is worth nothing that the California Attorney General was asked to expressly adopt the terms “controller” and “processor.” FSOR, Appendix A at 15 (Response 53.). The Attorney General rejected the request on the grounds that the terms were “inconsistent with the text and structure” of the CCPA, but he did not provide any analysis comparing or contrasting the GDPR and CCPA terminology. Id.

[4] Cal. Civ. Code § 1798.140(d) (West 2021). Unlike the GDPR, the CCPA only considers an entity to be a “business” if it also satisfies the requirements discussed in Q 43 including meeting one of three size / volume thresholds (e.g., revenue in excess of $25 million, transacts data relating to 50,000 data subjects, or derives 50 percent or more of its revenue from selling personal information).

[5] Cal. Civ. Code § 1798.140(ag)(1) (West 2021).

[6] See discussion of control “stemming from legal provisions” within EDPB, Guidelines 07/2020 on the concepts of controller and processor in the GDPR (Version 1.0) adopted on 02 September 2020 at page 10 (paras. 21 -22).

[7] See, e.g., Va. Code § 59.1-582(A)(1) (exempting from the scope of the privacy statute any processing required of a processor under federal, state, or local law).