The IT Law Wiki



Profiling is

the recording and classification of information about an individual. By utilizing information from various sources including customer transactions and demographic data, a profiler can create a picture of the targeted individual.
any form of automated processing of personal information, as further defined by regulations pursuant to paragraph (16) of subdivision (a) of Section 1798, 3.85, to evaluate certain personal aspects relating to a natural person, and in particular to analyze or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.[1]


Online profiling is the practice of aggregating information about consumers' interests, gathered primarily by tracking his or her movements online. This can be done by analyzing the content, URLs, and other information about a user’s browsing habits and click stream.


Profiling is

[m]easuring the characteristics of expected activity so that changes to it can be more easily identified. Examples of profiling are running file integrity checking software on hosts to derive checksums for critical files and monitoring network bandwidth usage to determine what the average and peak usage levels are on various days and times. [2]

Internet profiling[]

Many of the banner ads displayed on Web pages are not selected and delivered by the website visited by a consumer, but by network advertising companies that manage and provide advertising for numerous unrelated websites. In general, these network advertising companies do not merely supply banner ads; they also gather data about the consumers who view their ads. Although the information gathered by network advertisers is often anonymous (i.e., the profiles are linked to the identification number of the advertising network's cookie on the consumer's computer rather than the name of a specific person), in some cases, the profiles derived from tracking consumers' activities on the Web are linked or merged with personally identifiable information. This consumer data can also be combined with data on the consumer's offline purchases, or information collected directly from consumers through surveys and registration forms.

The purpose of collecting and analyzing this data is to allow the network advertising companies to make a variety of inferences about each consumer's interests and preferences. The result is a detailed profile that attempts to predict the individual consumer's tastes, needs, and purchasing habits and enables the network advertising companies' computers to make split-second decisions about how to deliver ads directly targeted to the consumer's specific interests. Nonetheless, network advertising companies are most often invisible to consumers. All that consumers see are the websites they visit. Unless the websites visited by consumers provide notice of the ad network's presence and data collection, consumers may be totally unaware that their activities online are being monitored.

Benefits of profiling[]

By making advertising more effective, profiling allows websites to charge more for advertising. This advertising revenue helps to subsidize their operations, making it possible to offer free content rather than charging fees for access. Profiles can also be used to create new products and services. First, entrepreneurs could use consumer profiles to identify and assess the demand for particular products or services. Second, targeted advertising could help small companies to more effectively break into the market by advertising only to consumers who have an interest in their products or services.

Concerns with profiling[]

Despite the benefits of targeted advertising, there is widespread concern about current profiling practices. Many critics object to network advertisers’ hidden monitoring of consumers and collection of extensive personal data without consumers’ knowledge or consent; they also noted that network advertisers offer consumers few, if any, choices about the use and dissemination of their individual information obtained in this manner.

The most consistent and significant concern expressed about profiling is that it is conducted without consumers’ knowledge.[3] The presence and identity of a network advertiser on a particular site, the placement of a cookie on the consumer’s computer, the tracking of the consumer’s movements, and the targeting of ads are simply invisible in most cases. This is true because, as a practical matter, there are only two ways for consumers to find out about profiling at a particular site before it occurs. The first is for websites that use the services of network advertisers to disclose that fact in their privacy policies. Unfortunately, this does not typically occur. The second way for consumers to detect profiling is to configure their browsers to notify them before accepting cookies.

A second concern is the extensive and sustained scope of the monitoring that occurs. Unbeknownst to most consumers, advertising networks monitor individuals across a multitude of seemingly unrelated websites and over an indefinite period of time. The result is a profile far more comprehensive than any individual website could gather. Although much of the information that goes into a profile is fairly innocuous when viewed in isolation, the cumulation over time of vast numbers of seemingly minor details about an individual produces a portrait that is quite comprehensive and, to many, inherently intrusive.

For many of those concerned about profiling, the privacy implications of profiling are not ameliorated where the profile contains no personally identifiable information. First, they feel that the comprehensive nature of the profiles and the technology used to create them make it reasonably easy to associate previously anonymous profiles with particular individuals. This means that anyone who obtains access to ostensibly anonymous data — either by purchasing the data or hacking into it — might be able to mine the data and link it to identifiable individuals. Second, they fear that companies could unilaterally change their operating procedures and begin associating personally identifiable information with non-personally identifiable data previously collected. Third, they noted that, regardless of whether they contain personally identifiable information, profiles are used to make decisions about the information individuals see and the offers they receive. These critics are concerned that companies could use profiles to determine the prices and terms upon which goods and services, including important services like life insurance, are offered to individuals (for example, products might be offered at higher prices to consumers whose profiles indicate that they are wealthy, or insurance might be offered at higher prices to consumers whose profiles indicate possible health risks).

Another concern is that, as consumers begin to learn more about companies’ monitoring activities, fear of online monitoring will discourage valuable uses of the Internet that are fostered by its perceived anonymity. By chilling use of the Internet for such inquiries, profiling may ultimately prevent access to important kinds of information. Finally, some critics argue that targeted advertising is inherently unfair and deceptive. They argued that targeted advertising is manipulative and preys on consumers’ weaknesses to create consumer demand that otherwise would not exist, and that, as a result, targeted advertising undermines consumers’ autonomy.

Internet users are overwhelmingly opposed to the wholesale dissemination of their personal information. Ultimately, consumers’ privacy concerns are businesses’ concerns; the electronic marketplace will not reach its full potential unless consumers feel comfortable browsing and purchasing online. That comfort is unlikely to come unless consumers are confident (1) that they are notified at the time and place information is collected who is collecting information about them, what information is being collected, and how it will be used and (2) that they can choose whether their personal information is gathered, how it is used, and to whom it is disseminated.


  1. Cal. Civ. Code § 1798.140(z).
  2. NIST Special Publication 800-61 (rev. 2), at 26.
  3. It is possible for consumers to learn about profiling after the fact by examining the cookie files on their hard drive; the text of a cookie will disclose the server that placed the cookie. Consumers can also delete the cookie files stored on their computers. Deletion will not erase any information stored by a network advertising company, but it will prevent future Web activity from being associated with past activity through the identification number of the deleted cookie.

See also[]