IAPP CIPP-US Dumps

When developing a company privacy program, a privacy professional needs to understand the business objectives, processes, and risks of the organization, as well as the legal and regulatory requirements and best practices for privacy. To achieve this, a privacy professional should establish and maintain relationships with individuals across company departments and at different levels in the organization’s hierarchy, such as IT, marketing, human resources, legal, compliance, security, and senior management. These relationships will help the privacy professional to gather relevant information, identify privacy issues and gaps, communicate privacy policies and procedures, provide training and awareness, monitor compliance, and resolve conflicts. The other relationshipslisted are also important, but not as essential as the internal relationships for developing a company privacy program. References:

IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 5: Developing a Privacy Program, Section 5.1: Privacy Program Framework, p. 145-146

IAPP CIPP/US Body of Knowledge, Domain V: Developing a Privacy Program, Objective V.A: Identify the components of a privacy program framework, Subobjective V.A.1: Identify the roles and responsibilities of individuals within the organization, p. 23

IAPP CIPP/US Exam Blueprint, Domain V: Developing a Privacy Program, Objective V.A: Identify the components of a privacy program framework, Subobjective V.A.1: Identify the roles and responsibilities of individuals within the organization, p. 7

The Consumer Financial Protection Bureau (CFPB) has rulemaking authority for the Fair Credit Reporting Act (FCRA) and the Fair and Accurate Credit Transactions Act (FACTA), as well as other consumer financial laws. The Dodd-Frank Act, enacted in 2010, transferred most of the rulemaking responsibilities added to the FCRA by the FACTA and the Credit CARD Act from the Federal Trade Commission (FTC) to the CFPB. However, the FTC retains its enforcement authority for the FCRA and the FACTA, along with other federal and state agencies1. The CFPB also shares rulemaking authority for some provisions of the FACTA with the FTC, such as the identity theft red flags and address discrepancy rules2. The Department of Commerce and the State Attorneys General do not have rulemaking authority for the FCRA or the FACTA. References: 1: FTC3, Fair Credit Reporting Act; 2: CFPB4, Fair Credit Reporting Act; 3: FTC; 4: CFPB.

The false statement regarding the provisions of the EPPA is C. Employers are prohibited from administering psychological testing based on personality traits such as honesty, preferences or habits. The EPPA does not regulate psychological testing, only polygraph testing. Psychological testing is a broad term that covers various types of assessments that measure cognitive abilities, personality traits, interests, values, and skills. Employers may use psychological testing for various purposes, such as hiring, promotion, training, or development, as long as they comply with other laws and regulations, such as the Americans with Disabilities Act (ADA), the Equal Employment Opportunity Commission (EEOC) guidelines, and the Uniform Guidelines on Employee Selection Procedures. However, employers should be careful to ensure that thepsychological tests they use are valid, reliable, job-related, and nondiscriminatory, and that they respect the privacy and dignity of the test takers. References:

[IAPP CIPP/US Study Guide], Chapter 4: Workplace Privacy, pp. 115-116.

IAPP CIPP/US Body of Knowledge, Section IV: Workplace Privacy, Subsection A: Employee Privacy Expectations, Topic 2: Employee Polygraph Protection Act.

IAPP CIPP/US Practice Questions, Question 142.

California’s SB 1386, also known as the California Security Breach Information Act, was enacted in 2002 and became effective in 2003. It was the first law of its kind in the United States to require commercial entities that own or license personal information of California residents to notify them in the event of a security breach that compromises their unencrypted data. The law aims to protect the privacy and security of personal information and to enable individuals to take preventive measures against identity theft and fraud. The law applies to any business or person that conducts business in California and that owns or licenses computerized data that includes personal information, as defined by the law. Personal information includes an individual’s first name or first initial and last name in combination with any one or more of the following data elements: Social Security number, driver’s license number or California identification card number, account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account, or medical information or health insurance information. The law does not apply to encrypted information, publicly available information, or information that is lawfully obtained from federal, state, or local government records. The law requires the disclosure of a breach of the security of the system to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system. The disclosure may be made by written notice, electronic notice, or substitute notice, as specified by the law. The law also requires any person or business that maintains computerized data that includes personal information that the person or business does not own to notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The law also authorizes a civil action for damages by a customer injured by a violation of the law and provides that the rights and remedies available under the law are cumulative to each other and to any other rights and remedies available under law. References:

California Senate Bill 1386 (2002)

California SB 1386: For the Love of Privacy

What Is the California Security Breach Information Act?

California Raises the Bar on Data Security and Privacy

A cookie is a small piece of data that a website sends to a user’s browser and stores on the user’s device, usually for the purpose of remembering the user’s preferences, settings, or actions1.

A cookie notice is a message that informs the user about the website’s use of cookies and the user’s choices regarding the acceptance or rejection of cookies2.

A legal choice is the mechanism that the website provides to the user to express their consent or dissent to the use of cookies2.

There are different types of legal choices for cookie notices, depending on the applicable laws and regulations, such as the General Data Protection Regulation (GDPR) in the European Union or the California Consumer Privacy Act (CCPA) in the United States34.

The four types of legal choices mentioned in the question are:

Mandatory: The website does not allow the user to access the site unless they accept the use of cookies. This type of choice is generally considered unlawful and non-compliant with the GDPR and the CCPA34.

Implied consent: The website assumes that the user consents to the use of cookies by continuing to browse the site or by dismissing the cookie notice. This type of choice is often used by websites that operate in the U.S. or other jurisdictions that do not have strict cookie laws, but it may not be sufficient for the GDPR or the CCPA34.

Opt-in: The website requires the user to explicitly agree to the use of cookies by clicking a button or checking a box. This type of choice is usually compliant with the GDPR and the CCPA, as it ensures that the user gives informed and affirmative consent34.

Opt-out: The website allows the user to reject the use of cookies by clicking a link or changing their browser settings. This type of choice is also compliant with the GDPR and the CCPA, as it gives the user the right to withdraw their consent at any time34.

Based on the description of the cookie notice in the question, the type of legal choice that the notice provides is implied consent, as the website does not explicitly ask for the user’s agreement, but rather assumes that the user accepts the use of cookies by using the site. The notice also provides a link for the user to opt out of cookies by setting their browser to refuse them.

References: 1: Cookie 2: Cookie Notice 3: INSIGHT: Website Cookies and Privacy—GDPR, CCPA, and Evolving Standards for Online Consent 4: Do You Need A Cookie Notice

The strongest example of excessive monitoring by the employer is C. An employer who installs video monitors in physical locations, such as a changing room, to reduce the risk of sexual harassment. This would be considered an unreasonable invasion of employees’ privacy, as it would violate their legitimate expectation of privacy in a place where they change their clothes. Such monitoring would also likely violate the Electronic Communications Privacy Act (ECPA), which prohibits the interception of oral communications without consent or authorization. Moreover, such monitoring would not be justified by a legitimate business interest, as there are less intrusive ways to prevent or address sexual harassment, such as policies, training, and reporting mechanisms. References:

[IAPP CIPP/US Study Guide], Chapter 4: Workplace Privacy, pp. 109-110.

IAPP CIPP/US Body of Knowledge, Section IV: Workplace Privacy, Subsection A: Employee Privacy Expectations, Topic 1: Employee Monitoring.

IAPP CIPP/US Practice Questions, Question 134.

 The design technique that would most effectively inform users of their data privacy rights and privileges when using the app is to offer information about data collection and uses at key data entry points. This technique is also known as “just-in-time” or “layered” notice, and it is recommended by the U.S. Federal Trade Commission (FTC) as a best practice for mobile app developers12

The idea behind this technique is to provide users with relevant and timely information about how their data is collected and used by the app, and what choices they have to control their data, at the moment when they are asked to provide or access their data. For example, if the app collects location data from the user’s device, it should display a pop-up notice explaining why it needs the location data, how it will use it, and how the user can opt-out or change the settings. This way, the user can make an informed decision about whether to allow or deny the app’s access to their data, and understand the consequences of their choice12

The advantage of this technique is that it avoids overwhelming the user with too much information at once, and instead provides concise and contextual information that is easy to understand and act upon. It also increases the user’s trust and confidence in the app, as they feel more in control of their data and privacy12

The other design techniques are less effective because they do not provide the user with sufficient or timely information about their data privacy rights and privileges when using the app. Publishing a privacy policy written in clear, concise, and understandable language is a good practice, but it is not enough to inform the user of their data privacy rights and privileges, as many users may not read or understand the policy, or may not be aware of where to find it. Presenting a privacy policy to users during the wellness program registration process is also a good practice, but it may not capture all the data collection and uses that the app may perform, and it may not give the user enough opportunity to review and consent to the policy. Providing a link to the wellness program privacy policy at the bottom of each screen is also a good practice, but it may not be noticeable or accessible to the user, and it may not provide the user with the specific information they need at the point of data entry or access12

References:

Mobile Privacy Disclosures: Building Trust Through Transparency: A Federal Trade Commission Staff Report (February 2013)

IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 6: Privacy Program Management, Section 6.4: Privacy by Design

 According to the Privacy Shield Framework, an organization that transfers personal data to a third party acting as an agent must ensure that the agent does all of the following1:

Uses the transferred data only for limited and specified purposes;

Provides the same level of privacy protection as is required by the Privacy Shield Principles;

Takes reasonable and appropriate steps to ensure that the agent effectively processes the personal information transferred in a manner consistent with the organization’s obligations under the Principles;

Requires the agent to notify the organization if it makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the Principles;

Upon notice, takes reasonable and appropriate steps to stop and remediate unauthorized processing; and

Provides a summary or a representative copy of the relevant privacy provisions of its contract with that agent to the Department of Commerce upon request.

Therefore, the only option that is not required by the Privacy Shield Framework is D. Enters a contract with the organization that states the third party will process data according to the consent agreement. While the organization must obtain the individual’s consent for certain types of data transfers, such as those involving sensitive data or onward transfers to controllers, the organization does not have to include the consent agreement in the contract with the agent. The contract must, however, ensure that the agent will process the data in accordance with the individual’s choices and expectations, as well as the Privacy Shield Principles2.

References: 1: Privacy Shield Framework3, Section 3 (b); 2: Privacy Shield Framework3, Section 2 (b) and ©; 3: Privacy Shield Framework.

 The CCPA applies to any business that collects personal information of California residents, regardless of where the business is located1. The CCPA defines personal information broadly as any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household2. This could include business contact information, such as name, email address, phone number, or job title, if it is linked to a specific individual3. Therefore, Otto should tell the Board that business contact information could be considered personal information governed by CCPA, and that the company may need to comply with the CCPA requirements, such as providing notice, honoring consumer rights requests, and implementing reasonable security measures4. References:

CIPP/US Practice Questions (Sample Questions), Question 124, Answer C, Explanation C.

IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 6, Section 6.2, p. 181-182.

California Consumer Privacy Act (CCPA), Section 1798.140, Subsection (o).

CCPA Compliance Checklist for Businesses, Section 2, Subsection (a).

The FTC alleged that Google violated its own privacy policies, engaged in deceptive trade practices, and failed to comply with Safe Harbor principles when it launched Google Buzz, a social networking service that automatically enrolled Gmail users and exposed their email contacts and other personal information without their consent or control. The FTC did not allege that Google failed to employ sufficient security safeguards, although it did require Google to implement a comprehensive privacy program and submit to regular privacy audits as part of the settlement. The other statements are incorrect because:

A. Violated its own privacy policies: The FTC alleged that Google violated its own privacy policies by using information collected from Gmail users for a purpose that wasincompatible with the purpose for which the information was collected, without obtaining their affirmative consent. Google’s privacy policy stated that "When you sign up for a particular service that requires registration, we ask you to provide personal information. If we use this information in a manner different than the purpose for which it was collected, then we will ask for your consent prior to such use."1

B. Engaged in deceptive trade practices: The FTC alleged that Google engaged in deceptive trade practices by misrepresenting the extent to which consumers could exercise control over the collection, use, and sharing of their personal information through Google Buzz. For example, Google offered consumers the option to decline or turn off Google Buzz, but the option was ineffective and did not fully remove the consumer from the social network. Google also misled consumers about how their email contacts would be treated on Google Buzz, and failed to disclose that certain information, such as the user’s frequent email contacts, would be made public by default.1

C. Failed to comply with Safe Harbor principles: The FTC alleged that Google failed to comply with the U.S.-EU Safe Harbor Framework, which provides a method for U.S. companies to transfer personal data from the European Union to the United States in a way that meets EU data protection requirements. Google had self-certified to the Department of Commerce that it adhered to the Safe Harbor Privacy Principles, which include notice, choice, access, and enforcement. The FTC alleged that Google’s conduct violated the notice and choice principles, as well as the requirement to adhere to the Safe Harbor FAQs.1 References: FTC Charges Deceptive Privacy Practices in Google’s Rollout of Its Buzz Social Network, Google, Inc., In the Matter of, Google settles with FTC over Buzz; Privacy policies to be audited for two decades, Google Settles FTC Complaint over Google Buzz Privacy

 The Office for Civil Rights (OCR) within the HHS is the primary enforcer of the HIPAA Privacy Rule, which establishes national standards for the protection of individually identifiable health information by covered entities and business associates. The OCR investigates complaints, conducts compliance reviews, and provides technical assistance and guidance to ensure compliance with the Privacy Rule. The OCR can also impose civil monetary penalties for violations of the Privacy Rule, ranging from $100 to $50,000 per violation, up to a maximum of $1.5 million per year for the same violation. References: HIPAA Enforcement, IAPP CIPP/US Study Guide, Chapter 3, Section 3.1.1

The CCPA provides consumers with a private right of action to pursue statutory damages following data security breaches that impact certain sensitive categories of personal information and are caused by a business’s failure to institute reasonable and appropriate security. The CCPA defines personal information for this purpose as an individual’s name in combination with any of the following: social security number, driver’s license number, account number, credit or debit card number, medical information, or health insurance information. The CCPA allows consumers to seek damages between $100 and $750 per consumer per incident, or actual damages, whichever is greater. The CCPA also requires consumers to provide the business with 30 days’ written notice and an opportunity to cure the violation before initiating an action. Additionally, the CCPA requires consumers to notify the Attorney General within 30 days of filing the action and obtain the Attorney General’s approval or nonobjection before proceeding with the action. Therefore, John can sue the corporation for the data breach to recover monetary damages suffered as a result of the data breach, and in some circumstances seek statutory damages irrespective of whether he suffered any financial harm, as long as he meets the requirements of the CCPA. References:

CCPA Provides Private Right of Action for Data Security Breaches

CCPA Private Right of Action – Data Breach Security Requirement

CCPA Fines & Penalties for Data Protection Violations | MatrixPoint

The best way for Otto to minimize the privacy risks involved in using a cloud provider for the HR data is to ensure that the cloud provider abides by the contractual requirements by conducting an on-site audit. This would allow Otto to verify that the cloud provider has implemented adequate security measures, such as encryption, access controls, and backup systems, to protect the HR data from unauthorized access, use, or disclosure. It would also allow Otto to check that the cloud provider is complying with the applicable privacy laws and regulations, such as the CCPA, the APEC Privacy Framework, and the breach notification requirements. By conducting an on-site audit, Otto can identify any gaps or weaknesses in the cloud provider’s privacy practices and address them promptly. This would also demonstrate due diligence and accountability on the part of Filtration Station, which could mitigate the legal and reputational consequences of a data breach. References:

[IAPP CIPP/US Study Guide], Chapter 3: Data Assessments, pp. 77-78.

IAPP CIPP/US Body of Knowledge, Section III: Government and Court Access to Private-sector Information, Subsection B: Cross-Border Data Transfer, Topic 2: APEC Privacy Framework.

IAPP CIPP/US Practice Questions, Question 125.

According to Section 5 of the FTC Act, self-regulation primarily involves a company’s right to adhere to its industry’s code of conduct. Self-regulation is a process by which an industry or a group of companies voluntarily adopts and enforces standards or guidelines to protect consumers and promote fair competition. The FTC encourages self-regulation as a way to complement its enforcement efforts and address emerging issues in the marketplace. The FTC also monitors self-regulatory programs and may take action against companies that fail to comply with their own codes of conduct or misrepresent their participation in such programs. References:

Federal Trade Commission Act, Section 5 of

Self-Regulation | Federal Trade Commission

[IAPP CIPP/US Certified Information Privacy Professional Study Guide], Chapter 3, page 79

The Privacy Protection Act of 1980 (PPA) is a federal law that protects journalists and newsrooms from search and seizure by government officials in connection with criminal investigations or prosecutions. The PPA prohibits the government from searching for or seizing any work product materials or documentary materials possessed by a person who intends to disseminate them to the public through a newspaper, book, broadcast, or other similar form of public communication, unless certain exceptions apply. The PPA was drafted in response to the Supreme Court’s decision in Zurcher v. Stanford Daily, which upheld the constitutionality of a police search of a student newspaper’s office without a subpoena, based on probable cause that the newspaper had evidence of a crime. The PPA was intended to protect the First Amendment rights of the press and the privacy interests of journalists and their sources from unreasonable government intrusion123. References:

1: IAPP, Privacy Protection Act of 1980,

2: DOJ, Privacy Protection Act of 1980,

3: Wikipedia, Privacy Protection Act of 1980,

The Children’s Online Privacy Protection Act (COPPA) is a federal law that protects the privacy of children under 13 who use online sites and services. COPPA requires operators of such sites and services to obtain verifiable parental consent before collecting, using, or disclosing personal information from children, and to provide notice of their information practices to parents and the public. COPPA also gives parents the right to access, review, and delete their children’s personal information, and to limit further collection or use of such information.1

One way for operators to comply with COPPA is to participate in an approved self-regulatory program, also known as a “safe harbor” program. These are programs that are run by industry groups or other organizations that set and enforce standards for privacy protection that meet or exceed the requirements of COPPA. Operators that join a safe harbor program and follow its guidelines are deemed to be in compliance with COPPA and are subject to the review and disciplinary procedures of the program instead of FTC enforcement actions. The FTC has approved several safe harbor programs, such as CARU, ESRB, iKeepSafe, kidSAFE, PRIVO, and TRUSTe.2

By participating in an approved self-regulatory program, the marketer in the scenario could have best changed its privacy management program to meet COPPA “Safe Harbor” requirements. This would mean that the marketer would have to adhere to the guidelines of the program, which would likely include obtaining verifiable parental consent before collecting personal information from children, providing clear and prominent privacy notices on its website and emails, honoring parents’ choices and requests regarding their children’s data, and ensuring the security and confidentiality of the data collected. The marketer would also benefit from the oversight and assistance of the program in ensuring compliance and resolving any complaints or disputes.3 References: 1: Complying with COPPA: Frequently Asked Questions4, Section A2: COPPA Safe Harbor Program3: IAPP CIPP/US Certified Information Privacy Professional Study Guide, page 143.

According to the FTC report, the most important directive for businesses is to adopt a “privacy by design” approach, which means integrating privacy protections throughout the entire product lifecycle, from initial design to disposal. This includes implementing reasonable security measures, collecting only the data needed for a specific purpose, retaining data only as long as necessary, and safely disposing of data that is no longer needed. The FTC report also recommends that businesses provide clear and transparent privacy notices, offer consumers meaningful choices about how their data is used, and increase their accountability for data practices. References: FTC Report, IAPP CIPP/US Study Guide (p. 32-33)

The “Discover” phase of building an information management program is the first step in the process of creating a privacy framework. It involves identifying the types, sources, and flows of personal information within an organization, as well as the legal, regulatory, and contractual obligations that apply to it. The tasks in this phase include:

Conducting a data inventory and mapping exercise to document what personal information is collected, used, shared, and stored by the organization, and how it is protected.

Assessing the current state of privacy compliance and risk by reviewing existing policies, procedures, and practices, and identifying any gaps or weaknesses.

Understanding the laws that regulate a company’s collection of information, such as the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), and the California Consumer Privacy Act (CCPA).

Facilitating participation across departments and levels to ensure that all stakeholders are involved and informed of the privacy goals and objectives, and to foster a culture of privacy awareness and accountability.

Developing a process for review and update of privacy policies is not a task in the “Discover” phase, but rather in the “Implement” phase, which is the third step in the process of creating a privacy framework. It involves putting the privacy policies and procedures into action, and ensuring that they are effective and compliant. The tasks in this phase include:

Developing a process for review and update of privacy policies to reflect changes in the business environment, legal requirements, and best practices, and to incorporate feedback from internal and external audits and assessments.

Implementing privacy training and awareness programs to educate employees and other relevant parties on their roles and responsibilities regarding privacy, and to promote a privacy-by-design approach.

Establishing privacy governance and oversight mechanisms to monitor and measure the performance and outcomes of the privacy program, and to ensure accountability and transparency.

Developing a process for responding to privacy incidents and requests from data subjects, regulators, and other parties, and to mitigate and remediate any privacy risks or harms.

References:

IAPP CIPP/US Body of Knowledge, Domain I: Information Management from a U.S. Perspective, Section A: Building a Privacy Program

IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 1: Information Management from a U.S. Perspective, Section 1.1: Building a Privacy Program

Practice Exam - International Association of Privacy Professionals

The Department of Commerce (DOC) plays a role in privacy policy by promoting the development and adoption of voluntary codes of conduct, standards, and best practices for the private sector, as well as facilitating cross-border data transfers through mechanisms such as the EU-U.S. Privacy Shield and the APEC Cross-Border Privacy Rules. However, the DOC does not have regulatory authority to enforce privacy laws or impose sanctions for privacy violations. The other agencies listed have some degree of regulatory authority over privacy issues within their respective domains. For example, the Office of the Comptroller of the Currency (OCC) supervises national banks and federal savings associations and enforces the GLBA privacy and security rules for these institutions. The Federal Communications Commission (FCC) regulates interstate and international communications and enforces the privacy and security rules for telecommunications carriers, broadband providers, and voice over internet protocol (VoIP) services. The Department of Transportation (DOT) oversees the transportation sector and enforces the privacy and security rules for airlines, travel agents, and other covered entities under the Aviation and Transportation Security Act (ATSA). References:

IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 1: Introduction to the U.S. Privacy Environment, Section 1.3: Federal Agencies with a Role in Privacy, p. 18-19

IAPP CIPP/US Body of Knowledge, Domain I: Introduction to the U.S. Privacy Environment, Objective I.B: Identify the major federal agencies with a role in privacy, Subobjective I.B.4: Identify the role of the Department of Commerce, p. 7

IAPP CIPP/US Exam Blueprint, Domain I: Introduction to the U.S. Privacy Environment, Objective I.B: Identify the major federal agencies with a role in privacy, Subobjective I.B.4: Identify the role of the Department of Commerce, p. 3

The FTC has stated that it is a deceptive practice to make retroactive changes to a privacy policy that affect how a company uses or shares previously collected personal information, unless the company obtains affirmative consent from the affected consumers. This means that the company must clearly and conspicuously disclose the changes and obtain the consumers’ express agreement to them. Simply describing the policy changes on the website, publicizing them through social media, or reassuring customers of the security of their information are not sufficient to comply with the FTC’s position. References:

FTC Staff Revises Online Behavioral Advertising Principles, paragraph 3.

Do I really have to obtain consent from all my customers to make a change to my privacy policy?, paragraph 2.

IAPP CIPP/US Study Guide, page 64.

Data classification systematically categorizes information based on sensitivity and importance to determine its level of confidentiality. This process helps apply appropriate security and compliance measures to ensure each category receives proper protection1. This process also helps to identify which personal data is subject to specific GDPR requirements, such as obtaining explicit consent from data subjects, or notifying data subjects in the event of a data breach2. By classifying data, Cheryl can also make more informed decisions about where to store the information on her computer system and the nature of controls that are required based on classification3. This way, she can protect her customers’ privacy while maintaining the highest level of service. References:

Data Classification for GDPR Explained

A guide to data classification: confidential data vs. sensitive data vs. public information

Why Is Data Classification Important?

The USA FREEDOM Act is a law that was enacted in 2015 to reform the surveillance practices of the U.S. government. The law was a response to the revelations by Edward Snowden about the mass collection of phone records and internet data by the National Security Agency (NSA) under the authority of Section 215 of the USA PATRIOT Act. The USA FREEDOM Act ended the bulk collection of telephone data and internet metadata by the NSA, and instead required the government to obtain a specific order from the Foreign Intelligence Surveillance Court (FISC) to access such data from the telecommunication providers. The law also authorized the following practices:

Emergency exceptions that allow the government to target roamers: The law allows the government to temporarily target a non-U.S. person who is using a phone number or identifier of a U.S. person, without a court order, if there is an emergency situation that involves a threat of death or serious bodily harm. The government must obtain a court order within seven days to continue the surveillance.

An increase in the maximum penalty for material support to terrorism: The law increases the maximum prison term for providing material support or resources to a foreign terrorist organization from 15 years to 20 years.

An extension of the expiration for roving wiretaps: The law extends the sunset date for the roving wiretap provision of the USA PATRIOT Act, which allows the government to obtain a single order from the FISC to conduct surveillance on a target who switches devices or locations, without specifying the device or location. The law extends the expiration date from June 1, 2015 to December 15, 2019. References:

USA FREEDOM Act

USA FREEDOM Act Summary

USA FREEDOM Act FAQs

The Privacy Act of 1974 is a federal law that regulates the collection, use, and disclosure of personal information by federal agencies.

The Privacy Act of 1974 applies to records that are maintained in a system of records, which is defined as a group of records under the control of an agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifier assigned to the individual.

The Privacy Act of 1974 grants individuals the right to access and amend their records, and requires agencies to provide notice of their systems of records, establish safeguards for the protection of the records, and limit the disclosure of the records to certain authorized purposes.

The Privacy Act of 1974 also establishes civil and criminal penalties for violations of the law, such as unauthorized disclosure, failure to publish a notice, or refusal to grant access or amendment.

The Privacy Act of 1974 does NOT require agencies to obtain the consent of the individual before collecting their personal information. However, the Privacy Act of 1974 does require agencies to inform the individual of the authority for the collection, the purpose and use of the collection, and the effects of not providing the information.

References: : [Overview of the Privacy Act of 1974]

The Dodd-Frank Act created the Consumer Financial Protection Bureau (CFPB) as an independent agency within the Federal Reserve System. The CFPB has the authority to regulate consumer financial products and services, such as mortgages, credit cards, student loans, and payday loans. One of the main objectives of the CFPB is to promote transparency, fairness, and consumer choice in the financial marketplace. The CFPB has issued rules and guidance to require financial institutions to provide clear and accurate information to consumers about the costs, risks, and benefits of their products and services. The CFPB also has the power to enforce consumer protection laws and prohibit unfair, deceptive, or abusive acts or practices by financial institutions123 References: 1: Dodd-Frank Wall Street Reform and Consumer Protection Act, Title X, Subtitle A, Section 1011. 2: Consumer Financial Protection Bureau, Wikipedia. 3: Dodd-Frank Act: What It Does, Major Components, and Criticisms, Investopedia.

 According to the Gramm-Leach-Bliley Act (GLBA) and its implementing Regulation P, a financial institution may share consumer information with non-affiliated third parties for marketing purposes only after disclosing its information-sharing practices to customers and after giving them an opportunity to opt out of such sharing. The GLBA defines a customer as a consumer who has a continuing relationship with a financial institution that provides one or more financial products or services to be used primarily for personal, family, or household purposes. A consumer is an individual who obtains or has obtained a financial product or service from a financial institution that is to be used primarily for personal, family, or household purposes, or that individual’s legal representative. A non-affiliated third party is any person except a financial institution’s affiliate or a person employed jointly by a financial institution and a company that is not the financial institution’s affiliate. An affiliate is any company that controls, is controlled by, or is under common control with another company.

The GLBA requires that a financial institution provide a privacy notice to customers: (i) at the time of establishing the customer relationship; (ii) annually during the continuation of the customer relationship; and (iii) before disclosing any nonpublic personal information (NPI) about the customer to any non-affiliated third party, unless an exception applies. The privacy notice must describe the categories of NPI that the financial institution collects and discloses; the categories of affiliates and non-affiliated third parties to whom the financial institution discloses NPI; the categories of NPI disclosed to service providers and joint marketers; the policies and practices with respect to protecting the confidentiality and security of NPI; and the disclosures of NPI to which the customer has a right to opt out. The financial institution must also provide a reasonable means for the customer to opt out of the disclosure of NPI to non-affiliated third parties, such as a check-off box, a reply form, or a toll-free telephone number. The opt-out notice must be clear and conspicuous, and must state that the customer can opt out at any time. The opt-out notice must also explain how the customer can opt out, and the effect of opting out. The financial institution must honor the customer’s opt-out direction as soon as reasonably practicable after receiving it, and must not disclose any NPI to which the opt-out applies, unless an exception applies.

The GLBA provides several exceptions to the opt-out requirement, such as when the disclosure of NPI is necessary to effect, administer, or enforce a transaction requested or authorized by the customer; when the disclosure of NPI is required or permitted by law; when the disclosure of NPI is to a consumer reporting agency in accordance with the Fair Credit Reporting Act; or when the disclosure of NPI is to a person that performs marketing services on behalf of the financial institution or on behalf of the financial institution and another financial institution under a joint marketing agreement. A joint marketing agreement is a formal written contract between a financial institution and any other person under which the parties agree to offer, endorse, or sponsor a financial product or service. The joint marketing agreement must prohibit the other person from using or disclosing the NPI for any purpose other than offering, endorsing, or sponsoring the financial product or service covered by the agreement.

The GLBA also requires that a financial institution provide a privacy notice to consumers who are not customers before disclosing any NPI about the consumer to any non-affiliated third party, unless an exception applies. The financial institution does not need to provide an opt-out notice to consumers who are not customers, unless it has a customer relationship with them. However, if the financial institution establishes a customer relationship with a consumer who was previously not a customer, it must provide a privacy notice and an opt-out notice to the customer as described above.

References:

Guide to the Gramm–Leach–Bliley Act

GLBA or FCRA? Data Sharing Between Affiliates and Non-Affiliates

Existing Privacy Laws Already Regulate Information Sharing

Why Do Banks Share Your Financial Information and Are They Allowed To?

[IAPP CIPP/US Certified Information Privacy Professional Study Guide], Chapter 5, pages 161-165.

The VPPA was enacted to prevent the wrongful disclosure of personally identifiable information (PII) concerning any consumer of a video tape service provider. PII includes information that identifies a person as having requested or obtained specific video materials or services from a video tape service provider. The VPPA prohibits such disclosure, except in certain limited circumstances, such as with the consumer’s informed, written consent, or pursuant to a law enforcement warrant, subpoena, or court order. The VPPA also allows the disclosure of the names and addresses of consumers, but not the title, description, or subject matter of any video tapes or other audio visual material, for the exclusive use of marketing goods and services directly to the consumer, unless the consumer has opted out of such disclosure. The other options (B, C, and D) are not restricted by the VPPA. References:

Video Privacy Protection Act - Wikipedia

18 U.S. Code § 2710 - Wrongful disclosure of video tape rental or sale records | U.S. Code | US Law | LII / Legal Information Institute

IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 3: Federal Privacy Laws and Regulations, Section 3.5: Video Privacy Protection Act (VPPA)

The correct answer is C. If SMH must make a notification in any other state in which it operates, it must also make a notification to individuals in New York. Under the Health Insurance Portability and Accountability Act (HIPAA), SMH is required to notify the Office of Civil Rights (OCR) and the affected individuals of a data breach involving unsecured protected health information (PHI) within 60 days of discovery1. However, HIPAA does not preempt state laws that provide greater protection to individuals or impose additional obligations on covered entities2. Therefore, SMH must also comply with the state breach notification laws of the states where it operates, including New York.

According to the New York State Information Security Breach and Notification Act, any person or business that owns or licenses computerized data that includes private information of a resident of New York must disclose any breach of the security of the system to such resident in the most expedient time possible and without unreasonable delay, unless the exposure of the private information was inadvertent and unlikely to result in misuse or financial harm3. Private information includes personal information (such as name, number, or other identifier) plus one or more of the following data elements: social security number; driver’s license number or non-driver identification card number; account number, credit or debit card number, in combination with any required security code, access code, password or other information that would permit access to an individual’s financial account; biometric information; or a user name or e-mail address in combination with a password or security question and answer that would permit access to an online account3.

Therefore, if SMH’s data breach involved any of these data elements of New York residents, SMH must notify them of the breach, regardless of whether SMH is compliant with HIPAA, has more than 500 patients in New York, or offers credit monitoring services. SMH must also notify the New York Attorney General, the Department of State, and the Division of State Police within 10 days of notifying the affected individuals3. Additionally, SMH must notify the New York Department of Health if the breach involved electronic health records4.

References: 

The federal act that does NOT contain provisions for preempting stricter state laws is the Telemarketing Consumer Protection and Fraud Prevention Act1. This act authorizes the Federal Trade Commission (FTC) to establish and enforce rules for telemarketing practices, such as the Do Not Call Registry, the prohibition of robocalls, and the disclosure of material information2. However, the act also explicitly states that it does not "annul, alter, or affect, or exempt any person subject to the provisions of this section from complying with, the laws of any State with respect to telemarketing practices, except to the extent that those laws are inconsistent with any provision of this section, and then only to the extent of the inconsistency"1. This means that states can enact and enforce their own laws regarding telemarketing, as long as they are not less protective than the federal law. In contrast, the other three acts listed in the question do contain preemption clauses that limit or override the authority of states to regulate certain aspects of electronic communications, online privacy, and credit transactions345. References: 1: Telemarketing Consumer Protection and Fraud Prevention Act2: Telemarketing Sales Rule | Federal Trade Commission3: CAN-SPAM Act: A Compliance Guide for Business4: Children’s Online Privacy Protection Rule (“COPPA”) | Federal Trade Commission5: Fair and Accurate Credit Transactions Act of 2003 - Wikipedia : IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 5: Federal Trade Commission and Consumer Privacy, p. 144-145, 149-150, 154-155

The ADA prohibits employers from discriminating against qualified individuals with disabilities in all aspects of employment, including hiring, firing, promotion, compensation, and training. The ADA also limits the types of medical inquiries and examinations that employers can make of applicants and employees. Under the ADA, a disability is defined as a physical or mental impairment that substantially limits one or more major life activities, a record of such an impairment, or being regarded as having such an impairment. The ADA covers current, past, and perceived drug addiction as a disability, unless the individual is currently engaging in the illegal use of drugs. Therefore, Felicia’s plan to ask applicants about drug addiction may violate the ADA, unless she can show that the inquiry is job-related and consistent with business necessity. The other laws are not directly relevant to Felicia’s plan, although they may have other implications for her business. References: ADA, IAPP CIPP/US Study Guide (p. 95-96)

Contact tracing apps are designed to help public health authorities track and contain the spread of COVID-19 or any other diagnosed virus by notifying users who have been in close contact with an infected person. However, these apps also raise privacy concerns, as they collect and process sensitive personal data, such as health status and location information. Therefore, contact tracing apps should follow the principles of privacy by design and default, which means that they should incorporate privacy measures into their development and operation, and offer the highest level of privacy protection to users.

Some of the privacy measures that should be considered when designing contact tracing apps are:

Data retention: Contact tracing apps should only retain the personal data they collect for as long as necessary to achieve their public health purpose, and delete or anonymize the data afterwards. Data retention periods should be clearly communicated to users and based on scientific evidence and legal requirements.

Use limitations: Contact tracing apps should only use the personal data they collect for the specific and legitimate purpose of contact tracing, and not for any other purposes, such as commercial, law enforcement, or surveillance. Use limitations should be enforced by technical and organizational measures, such as encryption, access controls, and audits.

User confidentiality: Contact tracing apps should protect the confidentiality of users’ personal data and identity, and not disclose them to third parties without their consent or legal authorization. User confidentiality should be ensured by technical and organizational measures, such as pseudonymization, aggregation, and data minimization.

Opt-out choice, on the other hand, is not a privacy measure that should be considered when designing contact tracing apps, as it would undermine their effectiveness and public health objective. Contact tracing apps rely on voluntary participation and widespread adoption by users to function properly and achieve their purpose. Therefore, offering users the option to opt out of the app or certain features, such as data sharing or notifications, would reduce the app’s coverage and accuracy, and potentially expose users and others to greater health risks. Instead of opt-out choice, contact tracing apps should provide users with clear and transparent information about how the app works, what data it collects and how it uses it, what benefits and risks it entails, and what rights and controls users have over their data. This way, users can make an informed and voluntary decision to use the app or not, based on their own preferences and values.

References:

[IAPP CIPP/US Study Guide], Chapter 2: Privacy by Design and Default, pp. 35-36.

[IAPP CIPP/US Body of Knowledge], Section II: Limits on Private-sector Collection and Use of Data, Subsection B: Privacy by Design, pp. 9-10.

[IAPP Glossary], Terms: Contact Tracing, Privacy by Design, Privacy by Default.

The Stored Communications Act (SCA) is a federal law that regulates the privacy of electronic communications that are stored by third-party service providers, such as email providers, cloud storage providers, or social media platforms. The SCA prohibits unauthorized access to or disclosure of such communications, unless authorized by law or by the consent of the user or the service provider . The SCA also provides exceptions for certain types of access or disclosure, such as those made for law enforcement purposes, for the protection of the service provider’s rights or property, or for the consent of the subscriber or customer .

One of the exceptions to the SCA is where the service provider gives consent to the access or disclosure of the stored communications. This means that if a third-party service provider agrees to cooperate with an investigation or a request for information, the access or disclosure is lawful under the SCA. Consent can be express or implied, depending on the circumstances and the terms of service of the provider. For example, if a service provider has a policy that allows it to disclose user information to third parties for legitimate purposes, the provider has impliedly consented to the access or disclosure of the stored communications. However, if a service provider has a policy that prohibits such disclosure, the provider has not consented to the access or disclosure of the stored communications.

In the scenario, Evan’s undercover investigation may have been authorized by the SCA if he obtained the consent of the third-party service provider that stored the electronic communications of the employee who was suspected of misconduct. For instance, if the employee used a company email account or a cloud storage service that had a policy that allowed the service provider to disclose user information to the employer or to law enforcement, Evan may have been able to access or disclose the stored communications with the consent of the service provider. However, if the employee used a personal email account or a cloud storage service that had a policy that protected user privacy and prohibited such disclosure, Evan may have violated the SCA by accessing or disclosing the stored communications without the consent of the service provider.

References: : [Stored Communications Act], 18 U.S.C. §§ 2701-2712 : [IAPP CIPP/US Study Guide], Chapter 8, Section 8.2.2. : [The Stored Communications Act: An Old Statute for Modern Problems], pp. 10-11.

According to the Health Insurance Portability and Accountability Act (HIPAA), a covered entity is a health plan, a health care clearinghouse, or a health care provider that transmits any health information in electronic form in connection with a transaction covered by HIPAA. A covered entity must report a breach of unsecured protected health information (PHI) to the following parties:

The Department of Health and Human Services (HHS), which is the federal agency responsible for enforcing HIPAA and issuing regulations and guidance on privacy and security issues. A covered entity must notify HHS of a breach affecting 500 or more individuals without unreasonable delay and in no case later than 60 days after discovery of the breach. A covered entity must also notify HHS of breaches affecting fewer than 500 individuals within 60 days of the end of the calendar year in which the breaches occurred.

The affected individuals, who are the individuals whose PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed as a result of the breach. A covered entity must notify the affected individuals without unreasonable delay and in no case later than 60 days after discovery of the breach. The notification must be in writing by first-class mail or, if the individual agrees, by electronic mail. The notification must include a brief description of the breach, the types of information involved, the steps the individual should take to protect themselves, the steps the covered entity is taking to investigate and mitigate the breach, and the contact information of the covered entity.

The local media, if the breach affects more than 500 residents of a state or jurisdiction. A covered entity must notify prominent media outlets serving the state or jurisdiction without unreasonable delay and in no case later than 60 days after discovery of the breach. The notification must include the same information as the notification to the affected individuals.

A covered entity does not have to report the breach to medical providers, unless they are also affected individuals or business associates of the covered entity. A business associate is a person or entity that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of PHI. A covered entity must have a writtencontract or agreement with its business associates that requires them to protect the privacy and security of PHI and report any breaches to the covered entity.

References:

IAPP CIPP/US Body of Knowledge, Domain II: Limits on Private-sector Collection and Use of Data, Section C: Sector-specific Requirements for Health Information

IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 2: Limits on Private-sector Collection and Use of Data, Section 2.3: Sector-specific Requirements for Health Information

Practice Exam - International Association of Privacy Professionals

The Telemarketing Sales Rule (TSR) is a federal regulation that applies to telemarketing calls, which are defined as "a plan, program, or campaign which is conducted to induce the purchase of goods or services or a charitable contribution, by use of one or more telephones and which involves more than one interstate telephone call."1 The TSR requires telemarketers to make specific disclosures, prohibit misrepresentations, limit the times and number of calls, and set payment restrictions for the sale of certain goods and services. TheTSR also gives consumers the right to opt out of receiving telemarketing calls by registering their phone numbers on the National Do Not Call Registry.2

The TSR applies to both for-profit and not-for-profit organizations, but there are some exemptions and partial exemptions for certain types of entities, calls, and transactions. For example, the TSR does not apply to nonprofit organizations calling on their own behalf, as they are not considered to be engaged in telemarketing. However, if a nonprofit organization hires a for-profit telemarketer or telefunder to solicit charitable contributions on its behalf, the for-profit entity must comply with the TSR, as it is engaged in telemarketing. Similarly, the TSR does not apply to for-profit organizations calling businesses when a binding contract exists between them, as they are not considered to be inducing the purchase of goods or services. However, if a for-profit organization calls businesses to sell additional services to established customers, the TSR applies, as it is considered to be inducing the purchase of goods or services.3

Therefore, among the four options, only for-profit organizations and for-profit telefunders regarding charitable solicitations must comply with the TSR, as they are engaged in telemarketing and do not fall under any of the exemptions or partial exemptions. References: 1: eCFR :: 16 CFR Part 310 – Telemarketing Sales Rule3, Section 310.22: Telemarketing Sales Rule | Federal Trade Commission1, Rule Summary3: Complying with the Telemarketing Sales Rule - Federal Trade Commission2, Exemptions to the TSR.

Data flow diagrams are graphical representations of how data moves within an organization or between different entities. They can help identify the sources, destinations, and processing of personal data, as well as the legal basis, retention periods, and security measures for each data flow. Reviewing the available data flow diagrams can help the data privacy leader to quickly and accurately respond to the urgent request from the EU-based retail partner, as well as to assess the potential risks and compliance gaps in the data transfer process. Data flow diagrams are also a key component of data protection impact assessments (DPIAs), which are required by the GDPR for high-risk processing activities. References:

IAPP CIPP/US Body of Knowledge, Section II, A, 2

[IAPP CIPP/US Study Guide, Chapter 2, Section 2.3]

[GDPR, Article 35]

In 2012, the White House released a report titled “Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy”, which proposed a Consumer Privacy Bill of Rights based on the Fair Information Practice Principles (FIPPs). The report called for a comprehensive privacy framework that would apply to all commercial sectors and all personal data, regardless of the technology or business model involved. The report also urged Congress to enact legislation to implement the framework and empower the FTC to enforce it. Similarly, the FTC released a report titled “Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers”, which outlined a set of best practices for businesses to protect consumer privacy and foster innovation. The report also advocated for a comprehensive privacy framework that would cover both online and offline data, and apply to all entities that collect or use consumer data that can be reasonably linked to a specific consumer, computer, or device. The report also recommended that Congress consider enacting baseline privacy legislation and giving the FTC rulemaking authority to implement it. Therefore, both reports can be described as advocating a comprehensive approach to privacy enforcement, rather than a harm-based, self-regulatory, or notice and choice approach. References: White House Report, FTC Report, IAPP CIPP/US Study Guide (p. 31-32)

Implied consent is a form of consent that is inferred from the actions or inactions of the data subject, rather than explicitly expressed by the data subject1.

Implied consent is generally considered a valid basis for processing personal data under certain circumstances, such as when the processing is necessary for the performance of a contract, the legitimate interests of the data controller, or the reasonable expectations of the data subject2.

However, implied consent may not be sufficient for processing sensitive personal data, such as health, biometric, or genetic data, or for sending marketing communications, depending on the applicable laws and regulations2.

In the U.S., there is no comprehensive federal privacy law that regulates the use of implied consent for data processing, but there are sector-specific laws and state laws that may impose different requirements and limitations3.

Based on the scenarios given in the question, the situation that is most likely to involve a company operating under the assumption of implied consent is A. An employer contacts the professional references provided on an applicant’s resume.

This is because the employer may reasonably infer that the applicant has consented to the contact of the references by voluntarily providing their information on the resume, and that the contact is necessary for the legitimate interest of the employer to verify the applicant’s qualifications and suitability for the job4.

The other situations may not involve implied consent, but rather require explicit consent or provide opt-out options for the data subjects, depending on the type and purpose of the data processing and the relevant laws and regulations5 . For example:

B. An online retailer subscribes new customers to an e-mail list by default. This may violate the CAN-SPAM Act, which requires online marketers to obtain affirmative consent from the recipients before sending commercial e-mail messages, and to provide a clear and conspicuous opt-out mechanism in every message5.

C. A landlord uses the information on a completed rental application to run a credit report. This may violate the Fair Credit Reporting Act, which requires landlords to obtain written authorization from the applicants before obtaining their consumer reports, and to provide them with a copy of the report and a summary of their rights if they take any adverse action based on the report.

D. A retail clerk asks a customer to provide a zip code at the check-out counter. This may violate the California Song-Beverly Credit Card Act, which prohibits retailers fromrequesting and recording personal identification information from customers who pay with a credit card, unless the information is necessary for a special purpose, such as shipping or fraud prevention.

References: 1: Implied Consent 2: Consent 3: U.S. Private-Sector Privacy (CIPP/US) 4: [Reference Checks: Tips for Job Applicants and Employers] 5: [CAN-SPAM Act: A Compliance Guide for Business] : [Using Consumer Reports: What Landlords Need to Know] : [California Song-Beverly Credit Card Act] : [Reference Checks: Tips for Job Applicants and Employers] : [CAN-SPAM Act: A Compliance Guide for Business] : [Using Consumer Reports: What Landlords Need to Know] : [California Song-Beverly Credit Card Act]

Most state breach notification laws require entities to notify affected individuals and/or regulators when there is unauthorized access to or acquisition of personal information that compromises its security, confidentiality, or integrity. However, some states provide exceptions to this requirement under certain conditions, such as:

If the data involved was encrypted or otherwise rendered unreadable or unusable, and the encryption key or other means of access was not compromised. This is based on the assumption that encrypted data is not accessible to unauthorized parties, even if they obtain the data.

If the entity was subject to and complied with another federal or state law that provides similar or greater protection and notification requirements, such as the GLBA Safeguards Rule or the HIPAA Breach Notification Rule. This is to avoid duplication or inconsistency of obligations for entities that are already regulated by other laws.

If the entity conducted a risk assessment and determined that there is no reasonable likelihood of harm to the affected individuals, based on factors such as the nature and extent of the data, the circumstances of the breach, the evidence of misuse, and the ability to mitigate the risk. This is to allow entities to exercise some discretion and judgment in evaluating the potential impact of the breach.

However, none of the state laws provide an exception for the mere access of data without exportation. Access alone is considered a breach that triggers the notification requirement, unless one of the other conditions applies. Therefore, option B is not a sufficient excuse for not providing breach notification under state law.

References:

[IAPP CIPP/US Study Guide], Chapter 9: State Data Security Laws, pp. 209-211.

CIPP/US Practice Questions (Sample Questions), Question 29.

The Wireless Domain Registry is a list of domain names that are used to transmit electronic messages to wireless devices, such as cell phones and pagers. The purpose of the registry is to protect wireless consumers from unwanted commercial electronic mail messages, by identifying the domain names for those who send such messages. Marketers are required to use the registry to avoid sending unsolicited emails to wireless devices, which may incur costs or inconvenience for the recipients. Sending such emails without the express prior authorization of the recipient is a violation of the CAN-SPAM Act of 2003. References: 

https://www.prnewswire.com/in/news-releases/the-wireless-registry-launches-worlds-first-global-registry-for-wireless-names-240222521.html

 The law that ACME violated by designing the service to prevent access to the information by a law enforcement agency is the Communications Assistance for Law Enforcement Act (CALEA)1. CALEA is a federal law that requires telecommunications carriers and manufacturers of telecommunications equipment to design their equipment, facilities, and services to ensure that they have the necessarysurveillance capabilities to comply with legal requests for interception of communications2. CALEA applies to all commercial messages, including text messages, and gives law enforcement agencies the authority to subpoena the records of such communications from the service providers3. By encrypting its text message records so that only the suspect could access this data, ACME violated CALEA’s duty to cooperate in the interception of communications for law enforcement purposes. References: 1: Communications Assistance for Law Enforcement Act - Wikipedia2: Home | CALEA® | The Commission on Accreditation for Law Enforcement Agencies, Inc.3: Communications Assistance for Law Enforcement Act : IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 6: Law Enforcement and National Security Access, p. 177

The Children’s Online Privacy Protection Act (COPPA) is a federal law that regulates the online collection and use of personal information from children under 13 years of age. COPPA requires operators of websites or online services that are directed to children, or that knowingly collect personal information from children, to obtain verifiable parental consent before collecting, using, or disclosing such information. Verifiable parental consent means any reasonable effort (taking into consideration available technology) to ensure that before personal information is collected from a child, the child’s parent receives notice of the operator’s information practices and consents to those practices. COPPA also imposes other obligations on operators, such as providing parents with access to their children’s information, maintaining reasonable security measures, and limiting data retention. References: COPPA, IAPP CIPP/US Study Guide, Chapter 2, Section 2.3.1

In the United States, there is no comprehensive federal law that regulates employee monitoring in the private sector. Instead, there are various federal and state laws that address specific aspects of monitoring, such as electronic communications, video surveillance, GPS tracking, and biometric data. Generally, these laws provide more protection for employees’ privacy when they are using their own devices or personal accounts, or when they are outside of work hours or premises. However, when employees are using company-owned devices or accounts, or when they are performing work-related tasks, employers have broad authority to monitor their activities, as long as they have a legitimate business interest and do not violate any specific laws. Employers are also advised to inform employees of their monitoring practices and obtain their consent, either explicitly or implicitly, to avoid potential legal disputes or employee backlash123 References: 

Celeste has a misconception regarding the consent requirements for conducting credit checks of potential employees in California. She thinks that verbal consent from the applicants is sufficient, and that they only need to be offeredaccess to the results. However, under the California Consumer Credit Reporting Agencies Act (CCRAA), employers who want to obtain a consumer credit report for employment purposes must comply with the following consent and disclosure requirements12:

Before requesting a consumer credit report, the employer must provide the applicant with a clear and conspicuous written disclosure that informs them of the following:

The specific purpose for obtaining the report.

The source of the report.

The applicant’s right to obtain a free copy of the report from the source within 60 days.

The applicant’s right to dispute the accuracy or completeness of any information in the report.

The employer must also obtain the applicant’s written authorization to obtain the report.

If the employer intends to take an adverse action based on the report, such as denying employment, the employer must provide the applicant with a copy of the report and a summary of their rights under the CCRAA before taking the action.

After taking the adverse action, the employer must provide the applicant with a notice that includes the following:

The name, address, and telephone number of the source of the report.

A statement that the source of the report did not make the decision and cannot explain why the decision was made.

A statement that the applicant has the right to obtain another free copy of the report from the source within 60 days.

A statement that the applicant has the right to dispute the accuracy or completeness of any information in the report.

Therefore, Celeste is wrong to assume that verbal consent and optional access to the results are enough to comply with the CCRAA. She should follow the written consent and disclosure requirements to avoid violating the law and potentially facing civil penalties or lawsuits. References:

California Consumer Credit Reporting Agencies Act

Employment Credit Checks: What You Need to Know | Nolo

Federal anti-discrimination laws, such as Title VII of the Civil Rights Act of 1964, the Equal Pay Act of 1963, the Age Discrimination in Employment Act of 1967, and the Americans with Disabilities Act of 1990, prohibit employers from discriminating against employees or applicants based on certain protected characteristics, such as race, color, religion, sex, national origin, age, disability, and genetic information. These laws also limit the types of information that employers can collect, use, disclose, or retain about employees or applicants,in order to prevent discrimination or invasion of privacy. For example, employers cannot ask about an applicant’s medical history, disability status, genetic information, or religious beliefs, unless they are relevant to the job or a bona fide occupational qualification. Employers also cannot use such information to make adverse employment decisions, such as hiring, firing, promotion, or compensation, unless they are justified by a legitimate business necessity or a reasonable accommodation. Employers must also safeguard the confidentiality of such information and dispose of it properly when it is no longer needed. References:

Federal Laws Prohibiting Job Discrimination Questions And Answers

Laws Enforced by EEOC

Employment and Anti-Discrimination Laws in the Workplace

Protections Against Discrimination and Other Prohibited Practices

3. Who is protected from employment discrimination?

 A data ethics framework is a set of principles and guidelines that help organizations ensure that their data practices are ethical, responsible, and trustworthy. According to the IAPP CIPP/US Study Guide, some of the key components of a data ethics framework are1:

Data governance: the policies, processes, and standards that govern how data is collected, used, stored, and shared within an organization.

Preferability testing: the process of assessing the potential impacts and risks of data-driven solutions on stakeholders, such as customers, employees, and society.

Auditing: the process of monitoring, reviewing, and verifying the compliance and performance of data practices against the established ethical standards and legal requirements. Automated decision-making, on the other hand, is not a key component of a data ethics framework, but rather a data practice that may raise ethical issues and challenges. Automated decision-making refers to the use of algorithms, artificial intelligence, or machine learning to make decisions or recommendations without human intervention2. While automated decision-making can offer benefits such as efficiency, accuracy, and consistency, it can also pose risks such as bias, discrimination, lack of transparency, and accountability3. Therefore, automated decision-making should be subject to ethical evaluation and oversight, but it is not itself a part of a data ethics framework. References:

[IAPP CIPP/US Study Guide], Chapter 10, Section 10.4, page 287

[IAPP Glossary], Automated Decision-Making

IAPP Resources, Ethical Data Use and Automated Decision-Making: A Practical Guide

 According to FERPA, a school may disclose personally identifiable information (PII) from an eligible student’s education records without consent if the disclosure meets one of the exceptions in 34 CFR § 99.31. One of these exceptions is for disclosures to other schools to which a student seeks or intends to enroll, or is already enrolled if the disclosure is for purposes related to the student’s enrollment or transfer (34 CFR § 99.31(a)(2)). This exception allows schools to disclose transcripts, recommendations, or other information that may facilitate the student’s admission or enrollment at another school. However, the school must make a reasonable attempt to notify the student of the disclosure, unless the student initiated the disclosure, and must provide the student with a copy of the records that were disclosed upon request (34 CFR § 99.34(a)(1)). References: 

Access is the privacy concept that grants a consumer the right to view and correct errors on his or her credit report. The Fair Credit Reporting Act (FCRA) gives consumers the right to access their credit reports from the three nationwide credit reporting agencies (Equifax, Experian, and TransUnion) once every 12 months for free. Consumers also have the right to dispute any inaccurate or incomplete information in their credit reports and request that the credit reporting agencies investigate and correct the errors. The FCRA also requires the credit reporting agencies to provide consumers with a notice of their rights and a summary of the dispute process. References:

IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 2: Limits on Private-sector Collection and Use of Data, Section 2.2: Consumer Privacy, p. 38-39

IAPP CIPP/US Body of Knowledge, Domain II: Limits on Private-sector Collection and Use of Data, Objective II.B: Identify the privacy requirements for consumer data, Subobjective II.B.1: Identify the consumer rights under the Fair Credit Reporting Act, p. 13

IAPP CIPP/US Exam Blueprint, Domain II: Limits on Private-sector Collection and Use of Data, Objective II.B: Identify the privacy requirements for consumer data, Subobjective II.B.1: Identify the consumer rights under the Fair Credit Reporting Act, p. 4

The biggest potential privacy concern related to Chanel’s use of this new software is scanning a client’s social media accounts to use in a client profile without notice to the client. This could violate the client’s reasonable expectation of privacy and consent, as well as the privacy policies of the social media platforms. The client may not be aware that their social media posts are being used for this purpose, and may not have given their permission or opt-in consent for such data collection and processing. This could also expose the client to potential discrimination or harm based on their social media activity, such as losing their appointment or being charged a cancellation fee. Furthermore, this practice could conflict with the Fair Information Practice Principles (FIPPs), such as transparency, purpose specification, and data minimization12. References:

CIPP/US Practice Questions (Sample Questions), Question 149, Answer A, Explanation A.

IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 1, Section 1.1, p. 9-10.

 The most likely reason that states have adopted their own data breach notification laws is that many types of organizations are not currently subject to federal laws regarding breaches. As explained in the Data Breach Response: A Guide for Business from the Federal Trade Commission (FTC), certain federal laws govern obligations to report data breaches in particular industries, such as health care, financial services, or telecommunications. However, these laws do not cover all types of businesses or all types of personal information that may be compromised in a data breach. Therefore, states have enacted their own data breach notification laws to fill the gaps and protect the privacy andsecurity of their residents. According to the National Conference of State Legislatures, as of January 2022, all 50 states, the District of Columbia, Puerto Rico, and the Virgin Islands have enacted legislation requiring notification of security breaches involving personal information. These state laws vary in terms of the definitions of personal information, the triggers for notification, the methods and timing of notification, the exemptions and exceptions, and the penalties and enforcement mechanisms.

References: 1: Data Breach Response: A Guide for Business, Section 2 2: 2022 Security Breach Legislation

Based on the incident, the FTC’s enforcement actions against the marketer would most likely include the violation of collecting information from a childunder the age of thirteen without obtaining verifiable parental consent, as required by the Children’s Online Privacy Protection Act (COPPA) Rule. The COPPA Rule applies to operators of commercial websites and online services (including mobile apps) that collect, use, or disclose personal information from children under 13, and operators of general audience websites or online services that have actual knowledge that they are collecting, using, or disclosing personal information from children under 13. The COPPA Rule also applies to websites or online services that are directed to children under 13 and that collect personal information from users of any age. The COPPA Rule defines personal information to include full name, address, phone number, email address, date of birth, and other identifiers that permit the physical or online contacting of a specific individual. The COPPA Rule requires operators to post a clear and comprehensive online privacy policy describing their information practices for personal information collected online from children; provide direct notice to parents and obtain verifiable parental consent, with limited exceptions, before collecting personal information online from children; give parents the choice of consenting to the operator’s collection and internal use of a child’s information, but prohibiting the operator from disclosing that information to third parties (unless disclosure is integral to the site or service, in which case, this must be made clear to parents); provide parents access to their child’s personal information to review and/or have the information deleted; give parents the opportunity to prevent further use or online collection of a child’s personal information; maintain the confidentiality, security, and integrity of information they collect from children, including by taking reasonable steps to release such information only to parties capable of maintaining its confidentiality and security; and retain personal information collected online from a child for only as long as is necessary to fulfill the purpose for which it was collected and delete the information using reasonable measures to protect against its unauthorized access or use. The FTC has the authority to seek civil penalties and injunctive relief for violations of the COPPA Rule. The FTC has brought numerous enforcement actions against operators for violating the COPPA Rule, resulting in millions of dollars in penalties and orders to delete illegally collected data. References:

Children’s Privacy | Federal Trade Commission

Kids’ Privacy (COPPA) | Federal Trade Commission

FTC Is Escalating Scrutiny of Dark Patterns, Children’s Privacy

FTC to Crack Down on Companies that Illegally Surveil Children Learning Online

FTC Takes Action Against Company for Collecting Children’s Personal Information Without Parental Permission

[IAPP CIPP/US Certified Information Privacy Professional Study Guide], Chapter 5, pages 165-168.

The Electronic Communications Privacy Act of 1986 (ECPA) is a federal law that regulates the privacy of wire, oral, and electronic communications. The ECPA prohibits the intentional interception, use, or disclosure of such communications, unless authorized by law or by the consent of one of the parties to the communication12. The ECPA also provides exceptions for certain types of communications, such as those made in the normal course of business, those made for law enforcement purposes, or those made for foreign intelligence purposes12.

One of the exceptions to the ECPA ban on interception is where one of the parties has given consent. This means that if a person who is a party to a communication agrees to have it intercepted, the interception is lawful under the ECPA. Consent can be express or implied, depending on the circumstances and the expectations of the parties3. For example, if a person calls a customer service line and hears a recorded message that the call may be monitored or recorded, the person has impliedly consented to the interception of the call. However, if a person calls a friend and does not know that the friend has a third party listening in on the call, the person has not consented to the interception of the call.

References: 1: Electronic Communications Privacy Act of 1986, 18 U.S.C. §§ 2510-2523 2: [IAPP CIPP/US Study Guide], Chapter 8, Section 8.2.1. 3: [Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations], pp. 77-78.