What is profiling and what are our clients doing about it in the US and abroad?
Personal information:
- This is the analysis of information about a person.
- The definition is broad: if the information is attributable to a person, directly or indirectly (online identifier, device, etc.), you can be in scope.
- Increasingly (see the FTC's Avast case), personal information we never thought of as sensitive is being treated as sensitive, which creates a high bar for compliance.
In an automated way:
- Traditionally “fully automated” under GDPR, but…
- Per the SCHUFA decision, a process can also be “fully automated” when a provider supplies a score and the recipient largely rubber-stamps it (and the score provider itself can be implicated).
- Under Colorado CPA, there are definitions re: various levels of human involvement.
- You need to understand this and likely include some processes/policies/contractual provisions.
To evaluate and predict aspects relating to the person:
- Economic situation, health, personal preferences, interests, reliability, behavior, location, movements, or performance at work.
With consequential (legal or similarly significant) effect, i.e., provision or denial of:
- Financial or lending services
- Housing
- Insurance
- Education enrollment or opportunity
- Criminal justice
- Employment opportunities
- Healthcare services
- Access to essential goods or services
If you fall under this, what do you do?
- Involve privacy counsel BEFORE you launch
- Do a data protection impact assessment BEFORE you launch.
- Provide expanded disclosure with a plain-language explanation of what the processing is, how the scoring works, and what the output is.
- In many cases, provide an opt-out (i.e., human intervention in place of the automated decision).
What’s at stake?
- GDPR is being enforced.
- AI laws are being implicated (EU AI Act, Colorado AI Act).
- FTC is taking action (see the Rite Aid case on smart CCTV).
- State privacy laws are implicated and enforcement is happening already.