Skip to content

Modern privacy statutes create special rules for activities that involve “profiling.” As the following chart indicates, the term is defined in a similar way between modern United States and European privacy statutes:

Source GDPR CCPA CPRA (effective 2023) VCDPA (effective 2023) CPA (effective 2023)
Term Profiling Profiling Profiling Profiling Profiling
Definition “Profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.[1] Not defined “Profiling” means any form of automated processing of personal information, as further defined by regulations pursuant to paragraph (16) of subdivision (a) of Section 1798.185, to evaluate certain personal aspects relating to a natural person and in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.[2] “Profiling” means any form of automated processing of personal data to evaluate, analyze, or predict personal aspects concerning an identified or identifiable individual’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.[3] “Profiling” means nay form of automated processing of personal data to evaluate, analyze, or predict personal aspects concerning an identified or identifiable individual’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.[4]

While there has been relatively little regulatory or judicial interpretation of the above definitions to determine what specific activities ultimately constitute “profiling” in the United States, the Article 29 Working Party has interpreted the GDPR’s definition to constitute three elements:

  1. An activity must involve “an automated form of processing;”
  2. An activity must be “carried out on personal data;”
  3. The objective of the activity must be “to evaluate personal aspects about a natural person.”[5]

It should be noted that, under the GDPR, the first element above is satisfied if an activity involves any form of automated processing, even if the automated processing is done in conjunction with non-automated processing. In other words, the existence of human involvement or intervention does not necessarily take an activity out of the definition of “profiling.”[6]


[1] GDPR Art. 4(2).

[2] Cal. Civ. Code 1798.140(z) (2021).

[3] Va. Code 59.1-571 (2021).

[4] C.R.S. 6-1-1303(20) (2021).

[5] WP 251, Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679, adopted on 3 October 2017.

[6]Id. at 6.