No. The European GDPR does not use the term “service provider” and, instead, refers to “processors.” Click here to read the full answer, published by the Washington Legal Foundation.
What is de-identified data?
The terms “deidentified” and “deidentification” are commonly used in modern privacy statutes and are functionally exempt from most privacy- and security-related requirements. As indicated in the chart below, differences exist between how the term was defined in the California Consumer Privacy Act (CCPA) and how it was defined in later state privacy statutes set to
Can individuals request access to the logic used by an organization in its automatic decision making?
It depends.
While most modern data privacy statutes allow individuals to request access to the personal information held by an organization about the individual, they do not confer upon individuals a right to understand how or why a business has made decisions about them. That said, one privacy statute – the California Privacy Rights Act
What is an organization required to do in the United States if it engages in profiling?
Modern U.S. data privacy laws (e.g., the California Consumer Privacy Act, the California Privacy Rights Act, the Virginia Consumer Data Protection Act, and the Colorado Privacy Act) will impose three types of obligations upon companies that engage in profiling when they go into effect in 2023.
First, the general rights given to individuals under modern
Does classifying individuals based upon factual characteristics (e.g., their age) constitute ‘profiling’ even if no inferences are made based upon the classification?
Possibly.
While modern privacy statutes in the United States and Europe adopt a similar definition of “profiling,” the term has yet to be judicially interpreted or applied in the United States. Within Europe, the Article 29 Working Party took the position that for an action to constitute profiling three elements must be met:
- An activity
What is considered ‘profiling’?
Modern privacy statutes create special rules for activities that involve “profiling.” As the following chart indicates, the term is defined in a similar way between modern United States and European privacy statutes:
| Source | GDPR | CCPA | CPRA (effective 2023) | VCDPA (effective 2023) | CPA (effective 2023) |
| Term | Profiling | Profiling | Profiling | Profiling | Profiling |
| Definition | “Profiling” means any form |
Under the Virginia Consumer Data Protection Act, are companies required to offer consumers the ability to opt out of behavioral advertising if they have already received opt-in consent?
The Virginia Consumer Data Protection Act, which is scheduled to go into effect in 2023, states that a consumer has the right to “opt out of the processing of the personal data for purposes of [] targeted advertising . . . .”1 Unlike other state statutes, such as the CPRA, the Virginia Consumer Data
Nov. 17 Event | Crash Course: The State of Privacy Law in California
Hosted by the University of Colorado Law School, U.S. Data, Privacy, and Cybersecurity Practice Co-Chair David Zetoony will present on his new book, “The Desk Reference Companion to the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA).” This reference guide collects over 500 of the most common questions concerning
Under the Colorado Privacy Act, will companies be required to offer consumers the ability to opt out of behavioral advertising if they have already received opt-in consent?
The Colorado Privacy Act, which is scheduled to go into effect in 2023, states that a consumer “has the right to opt out of the processing of personal data” for the purposes of “targeted advertising.”1 Unlike other state statutes, such as the CPRA, the Colorado Privacy Act does not contain an exemption for situations
Under the CPRA will companies be required to offer consumers the ability to opt-out of behavioral advertising if they have already received opt-in consent?
The California Privacy Rights Act, which is scheduled to go into effect in 2023, states that if a company “shares” personal information with a third party that is engaged in cross-context behavioral advertising, the company must provide the consumer with the ability to “opt-out” of the sharing.1 Furthermore, under the CPRA a business must