December 6, 2021

Volume XI, Number 340


December 03, 2021


In the United States, What Are the Different “Types” of Profiling for Privacy Compliance Purposes?

Profiling is defined in several statutes as any form of automated processing of personal data to evaluate, analyze, or predict personal aspects concerning an identified or identifiable individual’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.[1] Profiling activities can loosely be grouped into the following three categories or buckets with the corresponding compliance-related obligations:

 

Bucket 1

Profiling that does not (1) impose a reasonably foreseeable risk to data subjects or (2) factor into a decision that produces a legal or similarly significant effect.

Bucket 2

Profiling that does impose a reasonably foreseeable risk to data subjects but does not factor into a decision that produces a legal or similarly significant effect.

Bucket 3

Profiling that does factor into a decision that produces a legal or similarly significant effect.[2]

Access right for input data.[3]

 

Access right for output data.

Deletion right for input data.

Deletion right for output data.

Correction right for input data.

Correction right for output data.

Conduct a Data Protection Impact Assessment to analyze potential for unfair or deceptive treatment, disparate impact, financial, injury, etc.

✔[4]

✔[5]

Opt-out right from processing.

✔[6]

 

[1] C.R.S. 6-1-1303(20) (2021).

[2] While European regulators have offered guidance as to what types of decisions might produce legal or similar effects, it is unclear whether that guidance will be followed by regulators in the United States.

[3] The word “rights” in this chart refers only to the right of an individual to request the action; it does not necessarily mean that an organization must honor the request. Modern privacy statutes contain a number of exceptions that may apply to specific requests to access, delete, or correct personal information.

[4] Va. Code 59.1-573(A)(5) (2021); C.R.S. 6-1-1306(1)(a)(I)(C) (2021).

[5] Va. Code 59.1-573(A)(5) (2021); C.R.S. 6-1-1306(1)(a)(I)(C) (2021).

[6] Va. Code 59.1-573(A)(5) (2021); C.R.S. 6-1-1306(1)(a)(I)(C) (2021).

©2021 Greenberg Traurig, LLP. All rights reserved. National Law Review, Volume XI, Number 327

About this Author

David A. Zetoony Privacy Attorney Greenberg Traurig
Shareholder

David Zetoony, Co-Chair of the firm's U.S. Data, Privacy and Cybersecurity Practice, focuses on helping businesses navigate data privacy and cyber security laws from a practical standpoint. David has helped hundreds of companies establish and maintain ongoing privacy and security programs, and he has defended corporate privacy and security practices in investigations initiated by the Federal Trade Commission, and other data privacy and security regulatory agencies around the world, as well as in class action litigation. 

David receives regular recognitions from clients and peers for...

303.685.7425