Profiling is defined in several statutes as any form of automated processing of personal data to evaluate, analyze, or predict personal aspects concerning an identified or identifiable individual’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.[1] Profiling activities can loosely be grouped into the following three categories or buckets with the

The terms “deidentified” and “deidentification” are commonly used in modern privacy statutes and are functionally exempt from most privacy- and security-related requirements. As indicated in the chart below, differences exist between how the term was defined in the California Consumer Privacy Act (CCPA) and how it was defined in later state privacy statutes set to

It depends.

While most modern data privacy statutes allow individuals to request access to the personal information held by an organization about the individual, they do not confer upon individuals a right to understand how or why a business has made decisions about them. That said, one privacy statute – the California Privacy Rights Act

No.

Modern state privacy statutes in the United States (set to go into effect in 2023) and European privacy regulations adopt a similar definition of “profiling,” which occurs when three elements are met:

  1. An activity must involve “an automated form of processing;”
  2. An activity must be “carried out on personal data;”
  3. The objective of

No.

Within the United States organizations will only be required to conduct data protection assessments under the Virginia Consumer Data Protection Act (VCDPA) and the Colorado Privacy Act (CPA) beginning in 2023 if the processing of personal data for purposes of profiling presents a “reasonably foreseeable risk” to individuals. The type of risks contemplated by

While state privacy statutes in the United States scheduled to go into force in 2023 and modern European privacy regulations adopt a similar definition of “profiling,” the term has yet to judicially interpreted or applied in the United States. Within Europe, the Article 29 Working Party took the position that for an action to constitute

Modern U.S. data privacy laws (e.g., the California Consumer Privacy Act, the California Privacy Rights Act, the Virginia Consumer Data Protection Act, and the Colorado Privacy Act) will impose three types of obligations upon companies that engage in profiling when they go into effect in 2023.

First, the general rights given to individuals under modern

Possibly.

While modern privacy statutes in the United States and Europe adopt a similar definition of “profiling,” the term has yet to be judicially interpreted or applied in the United States. Within Europe, the Article 29 Working Party took the position that for an action to constitute profiling three elements must be met:

  1. An activity

Modern privacy statutes create special rules for activities that involve “profiling.” As the following chart indicates, the term is defined in a similar way between modern United States and European privacy statutes:

Source GDPR CCPA CPRA (effective 2023) VCDPA (effective 2023) CPA (effective 2023)
Term Profiling Profiling Profiling Profiling Profiling
Definition “Profiling” means any form

The Article 29 Working Party took the position that for an action to constitute profiling three elements must be met:

  1. An activity must involve “an automated form of processing;”
  2. An activity must be “carried out on personal data;”
  3. The objective of the activity must be “to evaluate personal aspects about a natural person.”1