January 18, 2022

Volume XII, Number 18

Advertisement
Advertisement
Advertisement

What Is Considered ‘Profiling’?

Modern privacy statutes create special rules for activities that involve “profiling.” As the following chart indicates, the term is defined in a similar way between modern United States and European privacy statutes:

Source

GDPR

CCPA

CPRA (effective 2023)

VCDPA (effective 2023)

CPA (effective 2023)

Term

Profiling

Profiling

Profiling

Profiling

Profiling

Definition

“Profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.[1]

Not defined

“Profiling” means any form of automated processing of personal information, as further defined by regulations pursuant to paragraph (16) of subdivision (a) of Section 1798.185, to evaluate certain personal aspects relating to a natural person and in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.[2]

“Profiling” means any form of automated processing of personal data to evaluate, analyze, or predict personal aspects concerning an identified or identifiable individual’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.[3]

“Profiling” means nay form of automated processing of personal data to evaluate, analyze, or predict personal aspects concerning an identified or identifiable individual’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.[4]

While there has been relatively little regulatory or judicial interpretation of the above definitions to determine what specific activities ultimately constitute “profiling” in the United States, the Article 29 Working Party has interpreted the GDPR’s definition to constitute three elements:

  1. An activity must involve “an automated form of processing;”

  2. An activity must be “carried out on personal data;”

  3. The objective of the activity must be “to evaluate personal aspects about a natural person.”[5]

It should be noted that, under the GDPR, the first element above is satisfied if an activity involves any form of automated processing, even if the automated processing is done in conjunction with non-automated processing. In other words, the existence of human involvement or intervention does not necessarily take an activity out of the definition of “profiling.”[6]


[1] GDPR Art. 4(2).

[2] Cal. Civ. Code 1798.140(z) (2021).

[3] Va. Code 59.1-571 (2021).

[4] C.R.S. 6-1-1303(20) (2021).

[5] WP 251, Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679, adopted on 3 October 2017.

[6]Id. at 6.

©2022 Greenberg Traurig, LLP. All rights reserved. National Law Review, Volume XI, Number 319
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement

About this Author

David A. Zetoony Privacy Attorney Greenberg Traurig
Shareholder

David Zetoony, Co-Chair of the firm's U.S. Data, Privacy and Cybersecurity Practice, focuses on helping businesses navigate data privacy and cyber security laws from a practical standpoint. David has helped hundreds of companies establish and maintain ongoing privacy and security programs, and he has defended corporate privacy and security practices in investigations initiated by the Federal Trade Commission, and other data privacy and security regulatory agencies around the world, as well as in class action litigation. 

David receives regular recognitions from clients and peers for...

303.685.7425
Advertisement
Advertisement
Advertisement