What is profiling and what are our clients doing about it in the US and abroad?

Personal information:

  • This is the analysis of information about/regarding a person.
  • The definition is broad, so if it’s attributable to a person — directly or indirectly (online identifier, device, etc.) — you can be in scope.
  • Increasingly (see FTC in Avast) personal information we never thought was sensitive is regarded as such — creating a high bar for compliance.

In an automated way:

  • Traditionally “fully automated” under GDPR, but…
  • Per the SCHUFA decision, “fully automated” can also be when a provider provides a score and the user uses the score somewhat as a “rubber stamp” (and providers could be implicated).
  • Under the Colorado CPA, there are definitions regarding various levels of human involvement.
  • You need to understand this and likely include some processes/policies/contractual provisions.

To evaluate and predict aspects relating to the person:

  • Economic situation, health, personal preferences, interests, reliability, behavior, location, movements, or performance at work.

With consequential (legal or similarly significant) effect, provision or denial of:

  • Financial or lending services
  • Housing
  • Insurance
  • Education enrollment or opportunity
  • Criminal justice
  • Employment opportunities
  • Healthcare services
  • Access to essential goods or services

If you fall under this, what do you do?

  • Involve privacy counsel BEFORE you launch.
  • Do a data protection impact assessment BEFORE you launch.
  • Provide expanded disclosure with a plain language explanation of what the processing is, the scoring and the output.
  • In many cases, provide an opt out (aka human intervention in place of the automated one).

What’s at stake?

  • GDPR is being enforced.
  • AI laws are being implicated (EU AI Act, Colorado AI Act).
  • FTC is taking action (see Rite Aid case on smart CCTV).
  • State privacy laws are implicated and enforcement is happening already.