Profiling has a very specific definition under these states’ laws (with the exception of Indiana and Utah), following similar themes:

The states regulate profiling if it produces a legal or similarly significant effect. Additionally, if a company is engaging in profiling in California, Colorado, Connecticut, Florida, Indiana, Montana, Tennessee, Texas and Virginia then an individual needs to be able to opt out of that activity (Iowa and Utah do not contain specific provisions about profiling in their laws).

In addition to providing choices around profiling, under many state laws a risk assessment must be conducted, Namely, in Colorado, Connecticut, Florida, Indiana, Montana, Tennessee, Texas and Virginia, if there is a risk of:

• Unfair or deceptive treatment
• Financial, physical or reputational injury
• Physical or other intrusion upon the solitude or seclusion
• Other substantial injury to consumer

Colorado, under its regulations, outlines specific steps that a company must take for a risk assessment. This includes engaging in a “genuine, thoughtful analysis” of the processing activity. The assessment must also involve all stakeholders. The assessment itself must, inter alia (1) summarize the processing activity, (2) list categories of personal information to be processed, (3) the context of processing activity, (4) nature of processing, (5) sources of information, and (6) names of recipients.

*Kathryn Smith is a fellow in the firm’s Chicago office.

Putting it into Practice: If your organization is engaging in profiling that will have a “significant legal or similar impact” on individuals, keep in mind the choice and assessment obligations under the comprehensive privacy laws. Colorado’s regulations provide detail that can be helpful in determining how to conduct a data protection assessment.