With a little less than a week before the next US state “comprehensive” privacy laws (Colorado and Connecticut) go into effect, many are reviewing existing practices. One that keeps coming up is the concept of “profiling.” As a reminder, we now have 11 states with comprehensive privacy laws: California, Colorado, Connecticut, Florida, Indiana, Iowa, Montana, Tennessee, Texas, Utah, and Virginia.

Profiling has a very specific definition under these states’ laws (with the exception of Indiana and Utah), following similar themes:

| State | Definition | Opt-Out Required |
| --- | --- | --- |
| California | automated processing of personal information…to evaluate certain personal aspects relating to a natural person and in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements. | x [regulations on mechanism pending] |
| Colorado, Connecticut | automated processing of personal data to evaluate, analyze, or predict personal aspects concerning an identified or identifiable individual’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements. | x |
| Florida, Indiana, Montana | solely automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable individual’s economic situation, health, [health records, Indiana] personal preferences, interests, reliability, behavior, location, or movements. | x |
| Tennessee, Texas | solely automated processing performed on personal information to evaluate, analyze, or predict personal aspects related to an identified or identifiable natural person’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements. | x |
| Virginia | automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable natural person’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements. | x |

The states regulate profiling if it produces a legal or similarly significant effect. Additionally, if a company is engaging in profiling in California, Colorado, Connecticut, Florida, Indiana, Montana, Tennessee, Texas and Virginia, then an individual needs to be able to opt out of that activity (Iowa and Utah do not contain specific provisions about profiling in their laws).

In addition to providing choices around profiling, under many state laws a risk assessment must be conducted. This is the case in Colorado, Connecticut, Florida, Indiana, Montana, Tennessee, Texas and Virginia if there is a risk of:

  • Unfair or deceptive treatment
  • Financial, physical or reputational injury
  • Physical or other intrusion upon the solitude or seclusion
  • Other substantial injury to consumer

Colorado, under its regulations, outlines specific steps that a company must take for a risk assessment. This includes engaging in a “genuine, thoughtful analysis” of the processing activity. The assessment must also involve all stakeholders. The assessment itself must, inter alia, (1) summarize the processing activity, (2) list the categories of personal information to be processed, and identify (3) the context of the processing activity, (4) the nature of the processing, (5) the sources of information, and (6) the names of recipients.

Putting it into Practice: If your organization is engaging in profiling that will have a “significant legal or similar impact” on individuals, keep in mind the choice and assessment obligations under the comprehensive privacy laws. Colorado’s regulations provide detail that can be helpful in determining how to conduct a data protection assessment.