March 28, 2023

Volume XIII, Number 87


March 27, 2023

Subscribe to Latest Legal News and Analysis

Are companies prohibited from making choices based on profiling?

Not necessarily.

Under modern privacy statutes in the United States and Europe, an activity constitutes profiling if the following three elements are met:

  1. An activity must involve “an automated form of processing;”

  2. An activity must be “carried out on personal data;”

  3. The objective of the activity must be “to evaluate personal aspects about a natural person.”[1]

Modern data privacy statutes do not per se prohibit companies from using profiling to make decisions. Rather, privacy statutes distinguish between choices that result in outcomes with a “legal or similarly significant effect” upon an individual and choices which do not.[2] If a decision will have a legal or similarly significant effect, most modern privacy statutes in the United States give individuals the right to opt out of being subjected to the automated decision making that relied upon profiling.[3] In comparison, within Europe such decisions are prohibited unless certain conditions are met.[4] The European approach typically means that a company either has to show that the automated decision making is necessary to perform a contract or that the individual has provided their consent for a controller to use automated decision making based upon profiling.


[1] WP 251, Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679, adopted on 3 October 2017. Cf, Va. Code Ann. 59.1-575 (2023).

[2] See Va. Code Ann. § 59.1-575 (2023).

[3] See Va. Code Ann. § 59.1-577(A)(5) (2023).

[4] GDPR, Art. 22(1), (2).

©2023 Greenberg Traurig, LLP. All rights reserved. National Law Review, Volume XIII, Number 38

About this Author

David A. Zetoony Privacy Attorney Greenberg Traurig

David Zetoony, Co-Chair of the firm's U.S. Data, Privacy and Cybersecurity Practice, focuses on helping businesses navigate data privacy and cyber security laws from a practical standpoint. David has helped hundreds of companies establish and maintain ongoing privacy and security programs, and he has defended corporate privacy and security practices in investigations initiated by the Federal Trade Commission, and other data privacy and security regulatory agencies around the world, as well as in class action litigation. 

David receives regular recognitions from clients and peers for...