Modern state privacy statutes in the United States (set to go into effect in 2023) and European privacy regulations adopt a similar definition of “profiling,” which occurs when three elements are met:
- An activity must involve “an automated form of processing;”
- An activity must be “carried out on personal data;”
- The objective of the activity must be “to evaluate personal aspects about a natural person.”1
As indicated above, profiling occurs when an organization is attempting to evaluate personal aspects about a data subject. Profiling does not necessarily indicate, however, that an organization takes action based upon the information it has evaluated.
Automated decision making refers to making a decision by technological means without human intervention.2 While automated decision making can rely upon profiling when rendering a decision, it does not necessarily need to do so. For example, if an algorithm is configured to render a decision about an individual’s eligibility to participate in a program open only to individuals over the age of 18 based directly on information the individual provides on a webform (e.g., their date of birth or their age), that activity would constitute “automated decision making,” but it would not necessarily constitute profiling, as the process of making the decision did not evaluate any personal aspects of the person. In contrast, if an algorithm is configured to infer a person’s age from their online behavior and, based on that inference, render a decision about the individual’s eligibility to participate in a program open only to individuals over the age of 18, that activity would constitute both profiling (i.e., using automated means to evaluate or infer a person’s age) and automated decision making (i.e., rendering a decision regarding eligibility based upon the profiling).
1 See, e.g., WP 251, Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679, adopted on 3 October 2017. Cf. Va. Code 59.1-571 (2021); C.R.S. 6-1-1303(20) (2021).
2 WP 251, Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679, adopted on 3 October 2017, at 7.