A bank that does business in several states uses a fully automated model to approve or deny consumer credit-line increases with no human involvement. Counsel is mapping which state comprehensive privacy laws give the consumer a right to opt out of this kind of profiling. Under the leading state comprehensive privacy model, what is the threshold that determines whether the consumer has an opt-out right over this automated decision?
- AWhether the automated model processes any personal data at all, since all automated processing triggers the profiling opt-out.
- BWhether the consumer has previously exercised a separate right to delete their personal data held by the bank.
- CWhether the profiling is carried out in furtherance of decisions that produce legal or similarly significant effects concerning the consumer. Correct
- DWhether the bank has annual revenue above a fixed dollar figure set by each state's profiling provision.
Why A is wrong: It is tempting to assume any automated processing triggers the right, but the opt-out is tied to significant-effect profiling, not to processing generally, so this overstates the scope.
Why B is wrong: Deletion and profiling opt-out are independent rights, so making one a precondition of the other confuses two distinct consumer entitlements under these statutes.
Why C is correct: State comprehensive laws such as the Colorado, Connecticut, and Virginia models grant an opt-out of profiling specifically when it is in furtherance of decisions producing legal or similarly significant effects, which a credit-line decision is.
Why D is wrong: Revenue thresholds appear in the applicability sections of some privacy laws, but the profiling opt-out is defined by the nature of the decision and its effect, not by a revenue figure inside the profiling provision.