Are companies prohibited from making choices based on profiling?

Not necessarily.

Under modern privacy statutes in the United States and Europe, an activity constitutes profiling if the following three elements are met:

1. An activity must involve “an automated form of processing;”

2. An activity must be “carried out on personal data;”

3. The objective of the activity must be “to evaluate personal aspects about a natural person.”^[1]

Modern data privacy statutes do not per se prohibit companies from using profiling to make decisions. Rather, privacy statutes distinguish between choices that result in outcomes with a “legal or similarly significant effect” upon an individual and choices which do not.^[2] If a decision will have a legal or similarly significant effect, most modern privacy statutes in the United States give individuals the right to opt out of being subjected to the automated decision making that relied upon profiling.^[3] In comparison, within Europe such decisions are prohibited unless certain conditions are met.^[4] The European approach typically means that a company either has to show that the automated decision making is necessary to perform a contract or that the individual has provided their consent for a controller to use automated decision making based upon profiling.

FOOTNOTES

^[1] WP 251, Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679, adopted on 3 October 2017. Cf, Va. Code Ann. 59.1-575 (2023).

^[2] See Va. Code Ann. § 59.1-575 (2023).

^[3] See Va. Code Ann. § 59.1-577(A)(5) (2023).

^[4] GDPR, Art. 22(1), (2).