Skip to content

Possibly.

While modern privacy statutes in the United States and Europe adopt a similar definition of “profiling,” the term has yet to be judicially interpreted or applied in the United States. Within Europe, the Article 29 Working Party took the position that for an action to constitute profiling three elements must be met:

  1. An activity must involve “an automated form of processing;”
  2. An activity must be “carried out on personal data;”
  3. The objective of the activity must be “to evaluate personal aspects about a natural person.”[1]

The Working Party noted that, by looking at personal aspects of a person, an organization might be evaluating them, without necessarily making any further predictions or inferences. As a result, the Working Party stated that “simply assessing or classifying individuals based on characteristics such as their age, sex, and height could be considered profiling, regardless of any predictive purpose.”[2] It is not clear whether courts within the United States will interpret state privacy statutes with similar “profiling” definitions that go into force in 2023 – such as the California Privacy Rights Act, the Colorado Privacy Act, or the Virginia Consumer Data Protection Act – in a similar manner, or whether they will find that for an activity to constitute profiling some degree of prediction or inference must be made.


[1] WP 251, Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679, adopted on 3 October 2017.

[2] WP 251, Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679, adopted on 3 October 2017, at 7.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of David A. Zetoony David A. Zetoony

David Zetoony, Co-Chair of the firm’s U.S. Data, Privacy and Cybersecurity Practice, focuses on helping businesses navigate data privacy and cyber security laws from a practical standpoint. David has helped hundreds of companies establish and maintain ongoing privacy and security programs, and he

David Zetoony, Co-Chair of the firm’s U.S. Data, Privacy and Cybersecurity Practice, focuses on helping businesses navigate data privacy and cyber security laws from a practical standpoint. David has helped hundreds of companies establish and maintain ongoing privacy and security programs, and he has defended corporate privacy and security practices in investigations initiated by the Federal Trade Commission, and other data privacy and security regulatory agencies around the world, as well as in class action litigation.

David receives regular recognitions from clients and peers for his knowledge and experience in the fields of data privacy and security. The National Law Journal named him a “Cybersecurity and Data Privacy Trailblazer,” JD Supra recognized him four times as one of the most widely read names when it comes to data privacy, cyber security, or the collection and use of data, and Lexology identified him six times as the top “legal influencer” in the area of technology, media, and telecommunications in the United States, the European Union, and in the context of cross-border transfers of information. He is the author of the American Bar Associations primary publication on the European General Data Protection Regulation (GDPR) and is writing the American Bar Associations primary publication on the California Consumer Privacy Act (CCPA).