Some modern data privacy statutes require organizations to consider and document privacy-related risks regarding certain types of processing activities. These assessments are sometimes referred to as “data protection assessments” or “data protection impact assessments” (generically a DPIA). DPIAs are intended to make an organization identify and weigh the benefits that may flow from processing personal

Some modern data privacy statutes require organizations to consider and document privacy-related risks regarding certain types of processing activities. These assessments are sometimes referred to as “data protection assessments” or “data protection impact assessments” (generically a DPIA). For example, several state data privacy statutes mandate that a DPIA be conducted if an organization intends to

Profiling is defined in several statutes as any form of automated processing of personal data to evaluate, analyze, or predict personal aspects concerning an identified or identifiable individual’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.[1] Profiling activities can loosely be grouped into the following three categories or buckets with the

It depends.

While most modern data privacy statutes allow individuals to request access to the personal information held by an organization about the individual, they do not confer upon individuals a right to understand how or why a business has made decisions about them. That said, one privacy statute – the California Privacy Rights Act

No.

Modern state privacy statutes in the United States (set to go into effect in 2023) and European privacy regulations adopt a similar definition of “profiling,” which occurs when three elements are met:

  1. An activity must involve “an automated form of processing;”
  2. An activity must be “carried out on personal data;”
  3. The objective of

No.

Within the United States organizations will only be required to conduct data protection assessments under the Virginia Consumer Data Protection Act (VCDPA) and the Colorado Privacy Act (CPA) beginning in 2023 if the processing of personal data for purposes of profiling presents a “reasonably foreseeable risk” to individuals. The type of risks contemplated by

While state privacy statutes in the United States scheduled to go into force in 2023 and modern European privacy regulations adopt a similar definition of “profiling,” the term has yet to judicially interpreted or applied in the United States. Within Europe, the Article 29 Working Party took the position that for an action to constitute

Modern U.S. data privacy laws (e.g., the California Consumer Privacy Act, the California Privacy Rights Act, the Virginia Consumer Data Protection Act, and the Colorado Privacy Act) will impose three types of obligations upon companies that engage in profiling when they go into effect in 2023.

First, the general rights given to individuals under modern

Possibly.

While modern privacy statutes in the United States and Europe adopt a similar definition of “profiling,” the term has yet to be judicially interpreted or applied in the United States. Within Europe, the Article 29 Working Party took the position that for an action to constitute profiling three elements must be met:

  1. An activity

Modern privacy statutes create special rules for activities that involve “profiling.” As the following chart indicates, the term is defined in a similar way between modern United States and European privacy statutes:

Source GDPR CCPA CPRA (effective 2023) VCDPA (effective 2023) CPA (effective 2023)
Term Profiling Profiling Profiling Profiling Profiling
Definition “Profiling” means any form