What is an Organization Required to Do in The United States if It Engages in Profiling?

Modern U.S. data privacy laws (e.g., the California Consumer Privacy Act, the California Privacy Rights Act, the Virginia Consumer Data Protection Act, and the Colorado Privacy Act) will impose three types of obligations upon companies that engage in profiling when they go into effect in 2023.

First, the general rights given to individuals under modern privacy statutes may have an impact upon profiling. For example, if a state privacy statute confers rights to access, deletion, or correction, an organization may need to decide, based upon the specific statute involved, whether it is required to:

• provide access to the personal information used to conduct profiling (i.e., input data),

• provide access to inferences or predictions made as a result of the profiling (i.e., output data),

• delete the input data upon request (e.g., some modern privacy statutes only require the deletion of personal information that is obtained from a consumer; others require the deletion of all personal information concerning a consumer),

• delete the output data upon request,

• correct the input data if an individual claim it is inaccurate, or

• correct the output data if an individual claim it is inaccurate.

Second, some state statutes – such as the VCDPA and the CPA – require that organizations determine if the processing of personal data for purposes of profiling presents a “reasonably foreseeable risk” to individuals and, if so, that the organization conduct a data protection assessment. The type of risks contemplated by the statutes include situations in which individuals may experience:

• Unfair or deceptive treatment,

• Unlawful disparate impact,

• Financial injury,

• Physical injury,

• Reputational injury,¹

• Physical intrusion upon solitude or seclusion which would be “offensive to a reasonable person,”

• Non-physical (e.g., electronic) intrusion upon solitude or seclusion which would be “offensive to a reasonable person,”

• Intrusion upon private affairs or concerns which would be “offensive to a reasonable person,” or

• Other substantial injuries.²

Third, some state statutes will require that organizations provide, by 2023, a right to opt-out of profiling if the profiling is connected to “decisions that produce legal or similarly significant effects.”³ While European regulators have offered guidance as to what types of decisions might product legal or similar effects, it is unclear whether that guidance will be followed by regulators in the United States.

FOOTNOTES

¹ Note that the Colorado Privacy Act does not identify reputational injury as a risk warranting a data protection assessment in the context of profiling.

² Va. Code 59.1-579(A)(3) (2021); C.R.S. 6-1-1309(2)(A)(I)-(IV) (2021).

³ Va. Code 59.1-573(A)(5) (2021); C.R.S. 6-1-1306(1)(a)(I)(C) (2021).