Within the United States, beginning in 2023, organizations will only be required to conduct data protection assessments under the Virginia Consumer Data Protection Act (VCDPA) and the Colorado Privacy Act (CPA) if the processing of personal data for purposes of profiling presents a “reasonably foreseeable risk” to individuals. The types of risk contemplated by the statutes include situations in which individuals may experience:[1]
- Unfair or deceptive treatment,
- Unlawful disparate impact,
- Financial injury,
- Physical injury,
- Reputational injury,[2]
- Physical intrusion upon solitude or seclusion which would be “offensive to a reasonable person,”
- Non-physical (e.g., electronic) intrusion upon solitude or seclusion which would be “offensive to a reasonable person,”
- Intrusion upon private affairs or concerns which would be “offensive to a reasonable person,” or
- Other substantial injury.
Under the European General Data Protection Regulation (GDPR), organizations that utilize profiling are typically only required to conduct a data protection impact assessment in the following three situations:
- The organization is utilizing profiling in conjunction with automated decision-making,[3]
- The organization is utilizing, on a large scale, special category information to conduct profiling,[4] or
- The organization is utilizing profiling as part of the systematic monitoring of a publicly accessible area on a large scale.[5]
[1] Va. Code 59.1-579(A)(3) (2021); C.R.S. 6-1-1309(2)(A)(I)-(IV) (2021).
[2] Note that the Colorado Privacy Act does not identify reputational injury as a risk warranting a data protection assessment in the context of profiling.
[3] GDPR, Art. 35(3)(a); WP 251, Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679, adopted on 3 October 2017, at 27.
[4] GDPR, Art. 35(3)(b).
[5] GDPR, Art. 35(3)(c).