Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.

As machine learning models and recommendation algorithms become more sophisticated, so too do their abilities to make inferences about users, particularly in ways that reveal deep personal vulnerabilities.

One emerging area of legal and ethical concern is whether the inference of insecurity about one's physical appearance — facial asymmetry, acne, aging, weight or other aesthetic traits — can be classified and regulated as sensitive personal data.

The legal definition of sensitive data

Under most data protection laws, sensitive personal data refers to categories of data that, if misused, could result in significant harm or discrimination. This includes data relating to racial or ethnic origin, political opinions, religious beliefs, health, sexual orientation and biometric or genetic data. Article 9 of the EU General Data Protection Regulation elevates the protection of these categories, requiring explicit consent or an enumerated legal basis for processing.

However, inferred data — especially when it pertains to a user's self-perception, mental health or body image — exists in a gray zone. If a platform like TikTok infers a user is insecure about their nose, lips or weight based solely on behavior — like pausing on aesthetic procedure videos, interacting with cosmetic influencers, or frequently using face-slimming filters — does that inferred profile meet the threshold for legal sensitivity?

From aesthetic preferences to health-adjacent inferences

The line between aesthetic interest and health-related inference is blurrier than it may appear. Inferring someone is insecure about their appearance may also suggest mental health vulnerabilities such as low self-esteem, depression or body dysmorphia. These are issues that fall under protected health categories in many jurisdictions.

Under U.S. law, for instance, inferred health data may not be protected by the Health Insurance Portability and Accountability Act, which applies only to covered entities, but state-level laws such as the California Privacy Rights Act recognize "sensitive personal information" to include health data, precise geolocation and contents of communications. The CPRA further empowers consumers to limit the use of such information, even when it is not directly provided but deduced through profiling.

Profiling and the risk of discrimination

If platforms are using inferred insecurity to tailor content, ads or experiences — such as directing users to cosmetic surgeons, diet products or anti-aging treatments — this creates a discriminatory risk. Platforms are essentially assigning vulnerability scores and monetizing them, often without transparency or consent.

In this context, inferred data could be considered discriminatory profiling, particularly if the user is a minor, a protected demographic or struggling with mental health. As such, there is a compelling argument that inferred insecurity should be regulated similarly to biometric or health-related data.

Masking data: A false promise?

Another layer involves third-party tools linked via beauty apps, augmented reality simulators and booking platforms. These tools often justify their practices under the guise of "masking" or "anonymizing" user data before further processing or sharing. In theory, this masking is intended to prevent direct identification of individuals and, thus, lower the regulatory burdens associated with sensitive data.

However, in practice, the effectiveness of such masking is deeply questionable. Behavioral signals — such as the type of procedures explored, the sequence of interactions and device fingerprints — can often be re-identified with startling ease, especially when aggregated with other data points. As a result, interest data, sometimes health-related, may be sold to advertisers or data brokers without transparent user consent or true anonymization.

The narrative of "masking" provides a convenient cover for what remains fundamentally intrusive profiling. Thus, regulatory frameworks must critically evaluate not just whether data is "anonymized" in name, but whether it is genuinely irreversible and unlinkable in practice.
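The section above argues that masking must be judged by whether the data is "genuinely irreversible and unlinkable in practice." A concrete way to make that judgement is to audit the masked export itself. The following is an added example, not code from the article or from any platform or app it mentions. It uses constructed sample records (a beauty-app style export in which the user id is replaced by a salted hash but the behavioural fields the text names, device fingerprint, procedures explored and interaction sequence, are kept intact), measures how many records remain unique on those quasi-identifiers, estimates how many could be matched one-to-one against a constructed partner dataset, and then shows the same measurements after the high-entropy fields are dropped and procedures are coarsened to a category. The field names, the `COARSE_CATEGORY` map and the partner dataset are all assumptions made for the example.

```python
"""Audit whether a 'masked' behavioural export is unlinkable in practice.

Added example with constructed data; not the article's or any platform's code.
"""
from collections import Counter
import hashlib

# Behavioural fields that the "masking" step leaves untouched (assumed names).
QUASI_IDENTIFIERS = ("device_fp", "procedures", "session_pattern")

# Hypothetical coarsening map: specific procedure -> broad interest category.
COARSE_CATEGORY = {
    "rhinoplasty": "facial", "lip-filler": "facial", "botox": "facial",
    "anti-aging": "facial", "weight-loss": "body",
}

# Constructed sample export; no real users or real app data.
RAW_RECORDS = [
    {"uid": "u1001", "device_fp": "fp-a1", "procedures": ("rhinoplasty", "lip-filler"), "session_pattern": "pause>filter>booking"},
    {"uid": "u1002", "device_fp": "fp-b7", "procedures": ("rhinoplasty",), "session_pattern": "scroll>pause"},
    {"uid": "u1003", "device_fp": "fp-c3", "procedures": ("weight-loss",), "session_pattern": "scroll>pause"},
    {"uid": "u1004", "device_fp": "fp-d9", "procedures": ("anti-aging", "botox"), "session_pattern": "pause>filter"},
    {"uid": "u1005", "device_fp": "fp-e2", "procedures": ("weight-loss",), "session_pattern": "scroll>pause"},
    {"uid": "u1006", "device_fp": "fp-f5", "procedures": ("lip-filler",), "session_pattern": "pause>filter"},
]

# Constructed partner dataset (e.g. a booking platform) that shares the device field.
PARTNER_RECORDS = [
    {"customer": "PLACEHOLDER-A", "device_fp": "fp-a1"},
    {"customer": "PLACEHOLDER-C", "device_fp": "fp-c3"},
    {"customer": "PLACEHOLDER-Z", "device_fp": "fp-z0"},
]


def mask_user_id(user_id: str, salt: str) -> str:
    """The 'masking' step: replace the user id with a truncated salted SHA-256 digest."""
    return hashlib.sha256(f"{salt}:{user_id}".encode()).hexdigest()[:16]


def mask_export(records, salt="example-salt"):
    """Pseudonymise only the user id; every behavioural field is passed through as-is."""
    return [{**r, "uid": mask_user_id(r["uid"], salt)} for r in records]


def equivalence_classes(records, keys):
    """Group records by their quasi-identifier values and count each group."""
    return Counter(tuple(r.get(k) for k in keys) for r in records)


def k_anonymity(records, keys):
    """Smallest group size: k=1 means at least one record is unique on these keys."""
    classes = equivalence_classes(records, keys)
    return min(classes.values()) if classes else 0


def unique_fraction(records, keys):
    """Share of records that are alone in their group, i.e. individually singled out."""
    classes = equivalence_classes(records, keys)
    singletons = sum(1 for r in records if classes[tuple(r.get(k) for k in keys)] == 1)
    return singletons / len(records) if records else 0.0


def linkage_risk(export, partner, join_keys):
    """Share of export records that match exactly one partner record on join_keys."""
    def matches(rec):
        return sum(1 for p in partner if all(rec.get(k) == p.get(k) for k in join_keys))
    linked = sum(1 for rec in export if matches(rec) == 1)
    return linked / len(export) if export else 0.0


def generalize(records):
    """Drop device fingerprint and interaction sequence; coarsen procedures to a category."""
    out = []
    for r in records:
        cats = sorted({COARSE_CATEGORY[p] for p in r["procedures"]})
        out.append({"uid": r["uid"], "interest_category": "+".join(cats)})
    return out


def audit(records):
    """Compare the masked export with a generalized version on the same checks."""
    masked = mask_export(records)
    generalized = generalize(masked)
    return {
        "masked_k": k_anonymity(masked, QUASI_IDENTIFIERS),
        "masked_unique_fraction": unique_fraction(masked, QUASI_IDENTIFIERS),
        "masked_linkage_risk": linkage_risk(masked, PARTNER_RECORDS, ("device_fp",)),
        "generalized_k": k_anonymity(generalized, ("interest_category",)),
        "generalized_unique_fraction": unique_fraction(generalized, ("interest_category",)),
        "generalized_linkage_risk": linkage_risk(generalized, PARTNER_RECORDS, ("device_fp",)),
    }


if __name__ == "__main__":
    for name, value in audit(RAW_RECORDS).items():
        print(f"{name}: {value}")
```

On the constructed data, hashing the user id changes nothing about linkability: every masked record is still unique on its behavioural fields (k=1), and a third of them match exactly one partner record on the device fingerprint alone. Only after the high-entropy fields are removed and procedures are coarsened does every record share its group with at least one other and the device-based linkage drop to zero. The audit is deliberately simple (exact-match grouping, no noise or probabilistic matching), so a real assessment would treat these numbers as a lower bound on the risk.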

Real-world examples of re-identification risks

Clearview AI scraped billions of facial images from social media and other online sources, claiming its database was used for legitimate security purposes. However, privacy advocates and regulators argued the technology enabled mass surveillance without consent, illustrating how easily supposedly "public" or "anonymized" data could be weaponized.

In the now infamous Facebook scandal, Cambridge Analytica leveraged seemingly trivial user engagement data — such as "likes" — to build detailed psychographic profiles. This showed that even benign behavioral data can be reconstituted into powerful, identifiable intelligence about political leanings, insecurities and vulnerabilities.

Both cases highlight that inferential profiling based on minimally sensitive or "masked" data can still yield highly sensitive, identifiable information — often without user knowledge or consent.

Precedents and regulatory trends

The European Data Protection Board has already highlighted the need to regulate inferred sensitive data, noting that behavioral predictions and profiling can lead to unjust outcomes. In 2023, the U.K. Information Commissioner's Office expressed concern about online services likely to be accessed by children, aiming to protect their data and well-being. Naturally this includes the use of beauty filters and self-image manipulations that affect children's mental health. The ICO urges platforms to consider these implications when applying the U.K. Children's Code.

In the U.S., the FTC has increasingly turned its focus to dark patterns, manipulative design and exploitative personalization — an umbrella that may soon include the inferencing of psychological vulnerabilities.

The path forward

To truly safeguard user autonomy and dignity in digital environments, regulators must expand the definition of sensitive data to explicitly include inferred data that pertains to:

• Physical appearance insecurity.

• Body dysmorphia or low self-esteem.

• Behavioral indicators of mental health vulnerabilities.

This does not mean banning all profiling, but rather demanding greater accountability and transparency:

• Platforms must disclose when they are inferring insecurities or vulnerabilities.

• Users should be able to access, challenge, and erase such inferences.

• Where inferences relate to protected characteristics or health-related concerns, explicit consent should be required.

Conclusion

In the digital age, what platforms guess about us can be more revealing — and more dangerous — than what we explicitly share. As platforms continue to infer and exploit aesthetic insecurities, it is imperative that the law evolves to recognize such inferred traits as sensitive personal data deserving of protection.

The integrity of data privacy law depends not just on what data is collected — but on how it is interpreted, inferred and ultimately used against us.

Li-Rou Jane Foong, CIPP/E, CIPM, FIP, is a Master's in Law candidate with a focus on privacy law and cybersecurity. Foong was previously a global privacy specialist at Rakuten Group in Tokyo and is a dual-qualified lawyer.