Skip to content
Photo of David A. Zetoony

David Zetoony, Co-Chair of the firm's U.S. Data, Privacy and Cybersecurity Practice, focuses on helping businesses navigate data privacy and cyber security laws from a practical standpoint. David has helped hundreds of companies establish and maintain ongoing privacy and security programs, and he has defended corporate privacy and security practices in investigations initiated by the Federal Trade Commission, and other data privacy and security regulatory agencies around the world, as well as in class action litigation.

David receives regular recognitions from clients and peers for his knowledge and experience in the fields of data privacy and security. The National Law Journal named him a “Cybersecurity and Data Privacy Trailblazer,” JD Supra recognized him four times as one of the most widely read names when it comes to data privacy, cyber security, or the collection and use of data, and Lexology identified him six times as the top “legal influencer” in the area of technology, media, and telecommunications in the United States, the European Union, and in the context of cross-border transfers of information. He is the author of the American Bar Associations primary publication on the European General Data Protection Regulation (GDPR) and is writing the American Bar Associations primary publication on the California Consumer Privacy Act (CCPA).

Profiling is defined in several statutes as any form of automated processing of personal data to evaluate, analyze, or predict personal aspects concerning an identified or identifiable individual’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.[1] Profiling activities can loosely be grouped into the following three categories or buckets with the

The terms “deidentified” and “deidentification” are commonly used in modern privacy statutes and are functionally exempt from most privacy- and security-related requirements. As indicated in the chart below, differences exist between how the term was defined in the California Consumer Privacy Act (CCPA) and how it was defined in later state privacy statutes set to

It depends.

While most modern data privacy statutes allow individuals to request access to the personal information held by an organization about the individual, they do not confer upon individuals a right to understand how or why a business has made decisions about them. That said, one privacy statute – the California Privacy Rights Act

No.

Modern state privacy statutes in the United States (set to go into effect in 2023) and European privacy regulations adopt a similar definition of “profiling,” which occurs when three elements are met:

  1. An activity must involve “an automated form of processing;”
  2. An activity must be “carried out on personal data;”
  3. The objective of

No.

Within the United States organizations will only be required to conduct data protection assessments under the Virginia Consumer Data Protection Act (VCDPA) and the Colorado Privacy Act (CPA) beginning in 2023 if the processing of personal data for purposes of profiling presents a “reasonably foreseeable risk” to individuals. The type of risks contemplated by

While state privacy statutes in the United States scheduled to go into force in 2023 and modern European privacy regulations adopt a similar definition of “profiling,” the term has yet to judicially interpreted or applied in the United States. Within Europe, the Article 29 Working Party took the position that for an action to constitute

Modern U.S. data privacy laws (e.g., the California Consumer Privacy Act, the California Privacy Rights Act, the Virginia Consumer Data Protection Act, and the Colorado Privacy Act) will impose three types of obligations upon companies that engage in profiling when they go into effect in 2023.

First, the general rights given to individuals under modern

Possibly.

While modern privacy statutes in the United States and Europe adopt a similar definition of “profiling,” the term has yet to be judicially interpreted or applied in the United States. Within Europe, the Article 29 Working Party took the position that for an action to constitute profiling three elements must be met:

  1. An activity

Modern privacy statutes create special rules for activities that involve “profiling.” As the following chart indicates, the term is defined in a similar way between modern United States and European privacy statutes:

Source GDPR CCPA CPRA (effective 2023) VCDPA (effective 2023) CPA (effective 2023)
Term Profiling Profiling Profiling Profiling Profiling
Definition “Profiling” means any form

While the CCPA went into effect on Jan. 1, 2020, it did not become fully enforceable until July 1, 2020. When we passed the one-year anniversary of the CCPA becoming law, it provided an opportunity to assess the impact of the CCPA on privacy programs and to begin to benchmark against emerging industry standards. To