CIPP-US Certified Information Privacy Professional/United States (CIPP/US) Question and Answers

 The law that ACME violated by designing the service to prevent access to the information by a law enforcement agency is the Communications Assistance for Law Enforcement Act (CALEA)1. CALEA is a federal law that requires telecommunications carriers and manufacturers of telecommunications equipment to design their equipment, facilities, and services to ensure that they have the necessarysurveillance capabilities to comply with legal requests for interception of communications2. CALEA applies to all commercial messages, including text messages, and gives law enforcement agencies the authority to subpoena the records of such communications from the service providers3. By encrypting its text message records so that only the suspect could access this data, ACME violated CALEA’s duty to cooperate in the interception of communications for law enforcement purposes. References: 1: Communications Assistance for Law Enforcement Act - Wikipedia2: Home | CALEA® | The Commission on Accreditation for Law Enforcement Agencies, Inc.3: Communications Assistance for Law Enforcement Act : IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 6: Law Enforcement and National Security Access, p. 177

The Global Privacy Enforcement Network (GPEN) is a network for privacy enforcement authorities (PEAs) to share knowledge, experience and best practices on the practical aspects of privacy enforcement and cooperation. GPEN was created in response to the OECD Recommendation on Cross-border Cooperation in the Enforcement of Laws Protecting Privacy, which called for member countries to foster the establishment of an informal network of PEAs. GPEN’s main purpose is to facilitate cross-border cooperation and coordination among PEAs, especially in cases involving multiple jurisdictions or regions. GPEN also aims to enhance information sharing, promote awareness and education, and support capacity building among PEAs. References:

• Home (public) | Global Privacy Enforcement Network
• Global Privacy Enforcement Network - International Association of Privacy Professionals
• International Partnerships - Office of the Privacy Commissioner of Canada
• Specialised networks – Global Privacy Assembly
• Action Plan for the Global Privacy Enforcement Network (GPEN)
• [IAPP CIPP/US Certified Information Privacy Professional Study Guide], Chapter 6, page 213.

Illinois became the first state to pass a law specifically regulating the collection of biometric data in 2008, when it enacted the Biometric Information Privacy Act (BIPA). BIPA defines biometric identifiers as retina or iris scans, fingerprints, voiceprints, or scans of hand or face geometry, and biometric information as any information based on biometric identifiers used to identify an individual. BIPA requires entities that collect, store, or use biometric identifiers or information to obtain informed consent from individuals, provide written policies on data retention and destruction, limit disclosure and sale of biometric data, and protect biometric data using reasonable security measures. BIPA also provides a private right of action for individuals whose biometric data is collected, stored, or used in violation of the law, and allows them to recover statutory damages of $1,000 or actual damages, whichever is greater, for each negligent violation, and $5,000 or actual damages, whichever is greater, for each intentional or reckless violation, as well as attorneys’ fees and costs, and injunctive relief. References: U.S. Biometrics Laws Part I: An Overview of 2020, Is Biometric Information Protected by Privacy Laws?, Biometric Data Privacy Laws

BYOD is a practice that allows employees to use their own personal devices, such as smartphones, tablets, or laptops, for work-related purposes. BYOD can offer some benefits for both employers and employees, such as increased flexibility, convenience, and productivity. However, BYOD also poses significant privacy and security risks, such as data breaches, unauthorized access, loss or theft of devices, malware infections, and compliance challenges. Therefore, the business consultant will most likely advise Felicia and Celeste to weigh any productivity benefits of the plan against the risk of privacy issues, and to implement a comprehensive BYOD policy that addresses the following aspects:

• The scope and purpose of the BYOD program, including the types of devices, data, and applications that are allowed or prohibited.
• The roles and responsibilities of the employer and the employees, including the ownership, control, and access rights of the devices and the data.
• The security measures and controls that are required to protect the devices and the data, such as encryption, passwords, remote wipe, antivirus software, firewalls, and VPNs.
• The privacy expectations and obligations of the employer and the employees, such as the notice, consent, and disclosure requirements, the limits on data collection and monitoring, the retention and deletion policies, and the rights of access and correction.
• The legal and regulatory compliance requirements that apply to the BYOD program, such as the FTC Act, the GLBA, the HIPAA, the COPPA, the CCPA, and the GDPR.
• The incident response and reporting procedures that are followed in the event of a data breach, loss, or theft of a device, or any other privacy or security issue.
• The training and education programs that are provided to the employees to raise awareness and understanding of the BYOD policy and the best practices.
• The enforcement and audit mechanisms that are used to ensure compliance and accountability of the BYOD policy, such as sanctions, penalties, reviews, and audits. References:
• IAPP CIPP/US Body of Knowledge, Section III.C.2
• IAPP CIPP/US Textbook, Chapter 3, pp. 113-115
• FTC Mobile Device Security

The correct answer is C because the California Consumer Privacy Act (CCPA) is a state privacy law that grants California residents the right to request the deletion of their personal information that a business has collected from them. The CCPA applies to any business that collects personal information from California residents, regardless of where the business is located, as long as the business meets certain thresholds of revenue, data volume, or data sharing. Therefore, the social media platform that Sarah uses is subject to the CCPA and must honor Sarah’s deletion request, unless an exception applies. The CCPA also requires businesses to provide notice and choice to consumersabout their data collection and use practices, and to respond to consumer requests within 45 days.

The other answers are incorrect because:

• A is incorrect because the General Data Protection Regulation (GDPR) is a European Union privacy law that applies to the processing of personal data of individuals who are in the EU, regardless of where the data controller or processor is located. However, the GDPR does not apply to the processing of personal data of individuals who are outside the EU, unless the processing relates to the offering of goods or services to such individuals or the monitoring of their behavior within the EU. Therefore, the GDPR does not apply to Sarah’s personal data, since she is not in the EU and the social media platform is not targeting or tracking her in the EU.
• B is incorrect because Section 5 of the FTC Act is a federal law that prohibits unfair or deceptive acts or practices in or affecting commerce. The FTC has used its Section 5 authority to enforce privacy and data security standards against businesses that violate their own privacy policies, misrepresent their data practices, or fail to protect consumer data from unauthorized access or disclosure. However, the FTC has not held that refusing to delete an individual’s personal information upon request constitutes an unfair practice per se, unless the refusal is inconsistent with the business’s privacy policy or representations, or causes substantial injury to consumers that is not reasonably avoidable or outweighed by countervailing benefits.
• D is incorrect because the New York SHIELD Act is a state law that imposes data breach notification and data security requirements on any person or business that owns or licenses computerized data that includes the private information of a New York resident. The SHIELD Act does not grant New York residents the right to request the deletion of their personal information, nor does it apply to businesses that do not collect or hold the private information of New York residents. Therefore, the SHIELD Act does not apply to Sarah’s personal data, since she is not a New York resident and the social media platform may not have her private information as defined by the SHIELD Act. References:
• U.S. Private-Sector Privacy, Third Edition by Peter P. Swire, DeBrae Kennedy-Mayo, Chapter 7, Section 7.2.1, pp. 183-186.
• IAPP CIPP/US Certified Information Privacy Professional Study Guide by Mike Chapple and Joe Shelley, Chapter 7, Section 7.2, pp. 217-219.

 Declan might directly violate the HIPAA Privacy Rule by using John’s name and personal health information (PHI) in his paper without his written authorization. The Privacy Rule protects the confidentiality of PHI that is created, received, maintained, or transmitted by a covered entity or its business associate. PHI includes any information that relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and that identifies the individual or for which there is a reasonable basis to believe can be used to identify the individual1. Declan, as a nursing assistant, is part of the covered entity’s workforce and must comply with the Privacy Rule. He cannot disclose John’s PHI to anyone, including his classmates or instructors, without John’s authorization or a valid exception under the Privacy Rule. Even if he does not use John’s full name, hemay still reveal enough information to make John identifiable, such as his diagnosis, his father’s condition, or his location. This would be an impermissible use and disclosure of PHI, and a potential HIPAA violation. Declan should either obtain John’s written authorization to use his PHI in his paper, or de-identify the information according to the Privacy Rule’s standards2. References:

• Summary of the HIPAA Privacy Rule
• Guidance Regarding Methods for De-identification of Protected Health Information in Accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule

The federal act that does NOT contain provisions for preempting stricter state laws is the Telemarketing Consumer Protection and Fraud Prevention Act1. This act authorizes the Federal Trade Commission (FTC) to establish and enforce rules for telemarketing practices, such as the Do Not Call Registry, the prohibition of robocalls, and the disclosure of material information2. However, the act also explicitly states that it does not "annul, alter, or affect, or exempt any person subject to the provisions of this section from complying with, the laws of any State with respect to telemarketing practices, except to the extent that those laws are inconsistent with any provision of this section, and then only to the extent of the inconsistency"1. This means that states can enact and enforce their own laws regarding telemarketing, as long as they are not less protective than the federal law. In contrast, the other three acts listed in the question do contain preemption clauses that limit or override the authority of states to regulate certain aspects of electronic communications, online privacy, and credit transactions345. References: 1: Telemarketing Consumer Protection and Fraud Prevention Act2: Telemarketing Sales Rule | Federal Trade Commission3: CAN-SPAM Act: A Compliance Guide for Business4: Children’s Online Privacy Protection Rule (“COPPA”) | Federal Trade Commission5: Fair and Accurate Credit Transactions Act of 2003 - Wikipedia : IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 5: Federal Trade Commission and Consumer Privacy, p. 144-145, 149-150, 154-155

A consent decree is a legal document that resolves a dispute between a governmental agency and an adverse party without admission of guilt or liability by either side. It is approved by a judge and has the force of a court order. A consent decree may include terms such as compliance, monitoring, reporting, or remediation. A consent decree is often used to settle civil enforcement actions brought by federal agencies such as the Federal Trade Commission (FTC), the Environmental Protection Agency (EPA), or the Department of Justice (DOJ). References:

• IAPP Glossary, entry for “consent decree”
• [IAPP CIPP/US Study Guide], p. 39, section 2.1.3
• [IAPP CIPP/US Body of Knowledge], p. 9, section B.1.a

According to the Wiley study guide, one of the steps in developing a privacy policy is to conduct a privacy assessment, which involves identifying the organization’s information goals and needs, as well as the legal and regulatory requirements that apply to its data collection and use practices3. By spending more time understanding the company’s information goals, Janice would have been able to tailor the privacy policy to fit the company’s business model and customer expectations, while still complying with the relevant privacy laws and standards. This would have also helped Janice to address Cheryl’s concerns about the impact of the policy on the company’s operations and customer relationships, and to propose solutions that balance privacy protection and service delivery.

References:

1: https://iapp.org/certify/cippus/

2: https://iapp.org/certify/get-certified/cippus/

3: https://www.wiley.com/en-be/IAPP+CIPP+US+Certified+Information+Privacy+Professional+Study+Guide-p-9781119755517

4: https://www.techtarget.com/searchsecurity/quiz/10-CIPP-US-practice-questions-to-test-your-privacy-knowledge

5: https://www.study4exam.com/iapp/free-cipp-us-questions

https://www.passitcertify.com/iapp/cipp-us-questions.html

In the United States, there is no comprehensive federal law that regulates employee monitoring in the private sector. Instead, there are various federal and state laws that address specific aspects of monitoring, such as electronic communications, video surveillance, GPS tracking, and biometric data. Generally, these laws provide more protection for employees’ privacy when they are using their own devices or personal accounts, or when they are outside of work hours or premises. However, when employees are using company-owned devices or accounts, or when they are performing work-related tasks, employers have broad authority to monitor their activities, as long as they have a legitimate business interest and do not violate any specific laws. Employers are also advised to inform employees of their monitoring practices and obtain their consent, either explicitly or implicitly, to avoid potential legal disputes or employee backlash123 References: https://www.jibble.io/article/us-employee-monitoring

https://www.worktime.com/most-asked-questions-on-us-employee-monitoring-laws

The state UDAP statute, which stands for Unfair and Deceptive Acts and Practices, is a law that protects consumers from unfair or deceptive business practices. In this case, the employer’s failure to protect the employee’s personal information from a phishing attack could be considered an unfair or deceptive act or practice that harmed the employee. The employee could sue the employer under the state UDAP statute for damages, injunctive relief, or other remedies. The other options are not relevant to this scenario, as they deal with different aspects of data protection, such as confidentiality, access, or destruction of personal information. References:

• [IAPP CIPP/US Study Guide], Chapter 8, Section 8.3.1, page 227
• IAPP CIPP/US Practice Questions, Question 153, page 13

According to the Family Educational Rights and Privacy Act (FERPA), a policy of “no consumer choice” or “no option” means that an educational agency or institution may disclose personally identifiable information (PII) from education records without the prior written consent of the parent or eligible student, subject to certain conditions and exceptions1. One of the exceptions is when the disclosure is to comply with a judicial order or lawfully issued subpoena, or to respond to an ex parte order from the Attorney General of the United States or his designee in connection with the investigation or prosecution of terrorism crimes12. In such cases, the educational agency or institution must make a reasonable effort to notify the parent or eligible student of the order or subpoena in advance of compliance, unless the order or subpoena specifies not to do so12. Therefore, when a customer’s financial information, which may be part of the education records, is requested by the government under a valid legal authority, the customer does not have the option to prevent the disclosure and the educational agency or institution does not need to obtain the customer’s consent. References: 1: FERPA, 34 CFR Part 99, Subpart D, 2. 2: The Family Educational Rights and Privacy Act Guidance for Parents, Student Privacy Policy Office, U.S. Department of Education, 1.

The Consumer Financial Protection Bureau (CFPB) has rulemaking authority for the Fair Credit Reporting Act (FCRA) and the Fair and Accurate Credit Transactions Act (FACTA), as well as other consumer financial laws. The Dodd-Frank Act, enacted in 2010, transferred most of the rulemaking responsibilities added to the FCRA by the FACTA and the Credit CARD Act from the Federal Trade Commission (FTC) to the CFPB. However, the FTC retains its enforcement authority for the FCRA and the FACTA, along with other federal and state agencies1. The CFPB also shares rulemaking authority for some provisions of the FACTA with the FTC, such as the identity theft red flags and address discrepancy rules2. The Department of Commerce and the State Attorneys General do not have rulemaking authority for the FCRA or the FACTA. References: 1: FTC3, Fair Credit Reporting Act; 2: CFPB4, Fair Credit Reporting Act; 3: FTC; 4: CFPB.

The Department of Commerce (DOC) plays a role in privacy policy by promoting the development and adoption of voluntary codes of conduct, standards, and best practices for the private sector, as well as facilitating cross-border data transfers through mechanisms such as the EU-U.S. Privacy Shield and the APEC Cross-Border Privacy Rules. However, the DOC does not have regulatory authority to enforce privacy laws or impose sanctions for privacy violations. The other agencies listed have some degree of regulatory authority over privacy issues within their respective domains. For example, the Office of the Comptroller of the Currency (OCC) supervises national banks and federal savings associations and enforces the GLBA privacy and security rules for these institutions. The Federal Communications Commission (FCC) regulates interstate and international communications and enforces the privacy and security rules for telecommunications carriers, broadband providers, and voice over internet protocol (VoIP) services. The Department of Transportation (DOT) oversees the transportation sector and enforces the privacy and security rules for airlines, travel agents, and other covered entities under the Aviation and Transportation Security Act (ATSA). References:

• IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 1: Introduction to the U.S. Privacy Environment, Section 1.3: Federal Agencies with a Role in Privacy, p. 18-19
• IAPP CIPP/US Body of Knowledge, Domain I: Introduction to the U.S. Privacy Environment, Objective I.B: Identify the major federal agencies with a role in privacy, Subobjective I.B.4: Identify the role of the Department of Commerce, p. 7
• IAPP CIPP/US Exam Blueprint, Domain I: Introduction to the U.S. Privacy Environment, Objective I.B: Identify the major federal agencies with a role in privacy, Subobjective I.B.4: Identify the role of the Department of Commerce, p. 3

The Electronic Communications Privacy Act of 1986 (ECPA) is a federal law that regulates the privacy of wire, oral, and electronic communications. The ECPA prohibits the intentional interception, use, or disclosure of such communications, unless authorized by law or by the consent of one of the parties to the communication12. The ECPA also provides exceptions for certain types of communications, such as those made in the normal course of business, those made for law enforcement purposes, or those made for foreign intelligence purposes12.

One of the exceptions to the ECPA ban on interception is where one of the parties has given consent. This means that if a person who is a party to a communication agrees to have it intercepted, the interception is lawful under the ECPA. Consent can be express or implied, depending on the circumstances and the expectations of the parties3. For example, if a person calls a customer service line and hears a recorded message that the call may be monitored or recorded, the person has impliedly consented to the interception of the call. However, if a person calls a friend and does not know that the friend has a third party listening in on the call, the person has not consented to the interception of the call.

References: 1: Electronic Communications Privacy Act of 1986, 18 U.S.C. §§ 2510-2523 2: [IAPP CIPP/US Study Guide], Chapter 8, Section 8.2.1. 3: [Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations], pp. 77-78.

 According to the web search results from my predefined tool, Vermont became the first state to pass a law specifically regulating the practices of data brokers in 2018. The law defines a data broker as “a business, or unit or units of a business, separately or together, that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship.” The law requires data brokers to register with the Secretary of State, pay a registration fee, provide information about their data collection and opt-out practices, and implement security measures to protect the personal information they collect and sell. The law also imposes additional obligations on data brokers that possess the personal information of minors. The law aims to increase the transparency and accountability of the data broker industry and to protect the privacy rights of consumers12. References:

• Registered Data Brokers in the United States: 2021 | Privacy Rights …
• Am I A Data Broker?: A Quick Primer on State Laws Regulating a … - Taft

Most state breach notification laws require entities to notify affected individuals and/or regulators when there is unauthorized access to or acquisition of personal information that compromises its security, confidentiality, or integrity. However, some states provide exceptions to this requirement under certain conditions, such as:

• If the data involved was encrypted or otherwise rendered unreadable or unusable, and the encryption key or other means of access was not compromised. This is based on the assumption that encrypted data is not accessible to unauthorized parties, even if they obtain the data.
• If the entity was subject to and complied with another federal or state law that provides similar or greater protection and notification requirements, such as the GLBA Safeguards Rule or the HIPAA Breach Notification Rule. This is to avoid duplication or inconsistency of obligations for entities that are already regulated by other laws.
• If the entity conducted a risk assessment and determined that there is no reasonable likelihood of harm to the affected individuals, based on factors such as the nature and extent of the data, the circumstances of the breach, the evidence of misuse, and the ability to mitigate the risk. This is to allow entities to exercise some discretion and judgment in evaluating the potential impact of the breach.

However, none of the state laws provide an exception for the mere access of data without exportation. Access alone is considered a breach that triggers the notification requirement, unless one of the other conditions applies. Therefore, option B is not a sufficient excuse for not providing breach notification under state law.

References:

• [IAPP CIPP/US Study Guide], Chapter 9: State Data Security Laws, pp. 209-211.
• CIPP/US Practice Questions (Sample Questions), Question 29.

The APEC Privacy Framework is a set of non-binding principles adopted by the Asia-Pacific Economic Cooperation (APEC) that aim to promote electronic commerce and protect information privacy in the region. The Framework is consistent with the core values of the OECD Guidelines on the Protection of Privacy and Trans-Border Flows of Personal Data, and reaffirms the value of privacy to individuals and to the information society. The Framework consists of nine principles: Preventing Harm, Notice, Collection Limitation, Use of Personal Information, Choice, Integrity of Personal Information, Security Safeguards, Access and Correction, and Accountability. Privacy by Design is not one of the principles in the APEC Privacy Framework, although it is a concept that is endorsed by the OECD Guidelines and other privacyframeworks. References: APEC Privacy Framework (2015), APEC Privacy Principles, IAPP CIPP/US Study Guide, Chapter 4.

 According to FERPA, a school may disclose personally identifiable information (PII) from an eligible student’s education records without consent if the disclosure meets one of the exceptions in 34 CFR § 99.31. One of these exceptions is for disclosures to other schools to which a student seeks or intends to enroll, or is already enrolled if the disclosure is for purposes related to the student’s enrollment or transfer (34 CFR § 99.31(a)(2)). This exception allows schools to disclose transcripts, recommendations, or other information that may facilitate the student’s admission or enrollment at another school. However, the school must make a reasonable attempt to notify the student of the disclosure, unless the student initiated the disclosure, and must provide the student with a copy of the records that were disclosed upon request (34 CFR § 99.34(a)(1)). References: https://studentprivacy.ed.gov/ferpa

https://studentprivacy.ed.gov/ferpa

The data privacy leader needs to identify all the personal data that the Company has received from the retailer, as well as the purposes, retention periods, and sharing practices of such data. Since the data inventory is obsolete, the data privacy leader cannot rely on it to provide accurate and complete information. Therefore, the next best source of information is to interview the key marketing personnel who are responsible for the partnership with the retailer and the use of the personal data. The marketing personnel can provide insights into the data flows, the data categories, the data processing activities, and the data protection measures that the Company has implemented. They can also help the data privacy leader to locate the relevant documents, contracts, and records that can support the investigation. References: [IAPP CIPP/US Study Guide], Chapter 5: Data Management, p. 97-98; IAPP Privacy Tech Vendor Report, Data Mapping and Inventory, p. 9-10.

The FTC alleged that Google violated its own privacy policies, engaged in deceptive trade practices, and failed to comply with Safe Harbor principles when it launched Google Buzz, a social networking service that automatically enrolled Gmail users and exposed their email contacts and other personal information without their consent or control. The FTC did not allege that Google failed to employ sufficient security safeguards, although it did require Google to implement a comprehensive privacy program and submit to regular privacy audits as part of the settlement. The other statements are incorrect because:

• A. Violated its own privacy policies: The FTC alleged that Google violated its own privacy policies by using information collected from Gmail users for a purpose that wasincompatible with the purpose for which the information was collected, without obtaining their affirmative consent. Google’s privacy policy stated that "When you sign up for a particular service that requires registration, we ask you to provide personal information. If we use this information in a manner different than the purpose for which it was collected, then we will ask for your consent prior to such use."1
• B. Engaged in deceptive trade practices: The FTC alleged that Google engaged in deceptive trade practices by misrepresenting the extent to which consumers could exercise control over the collection, use, and sharing of their personal information through Google Buzz. For example, Google offered consumers the option to decline or turn off Google Buzz, but the option was ineffective and did not fully remove the consumer from the social network. Google also misled consumers about how their email contacts would be treated on Google Buzz, and failed to disclose that certain information, such as the user’s frequent email contacts, would be made public by default.1
• C. Failed to comply with Safe Harbor principles: The FTC alleged that Google failed to comply with the U.S.-EU Safe Harbor Framework, which provides a method for U.S. companies to transfer personal data from the European Union to the United States in a way that meets EU data protection requirements. Google had self-certified to the Department of Commerce that it adhered to the Safe Harbor Privacy Principles, which include notice, choice, access, and enforcement. The FTC alleged that Google’s conduct violated the notice and choice principles, as well as the requirement to adhere to the Safe Harbor FAQs.1 References: FTC Charges Deceptive Privacy Practices in Google’s Rollout of Its Buzz Social Network, Google, Inc., In the Matter of, Google settles with FTC over Buzz; Privacy policies to be audited for two decades, Google Settles FTC Complaint over Google Buzz Privacy

Section 5 of the Federal Trade Commission Act (FTC Act) prohibits “unfair or deceptive acts or practices in or affecting commerce.”1 This prohibition applies to all persons engaged in commerce, including banks, but also exempts some entities, such as nonprofit organizations and common carriers, from FTC jurisdiction.2 Therefore, among the four options, only an online merchant’s free shipping offer would be subject to the requirements of Section 5, as it involves a commercial activity thatcould potentially mislead or harm consumers. For example, if the online merchant fails to disclose the terms and conditions of the offer, or charges hidden fees, or delivers the products late or damaged, it could violate Section 5 by engaging in a deceptive practice.3 References: 1: Section 5 | Federal Trade Commission 2: Federal Trade Commission Act Section 5: Unfair or Deceptive Acts or Practices, page 13: IAPP CIPP/US Certified Information Privacy Professional Study Guide, page 23.

Data brokers are companies that collect, analyze, and share personal information about consumers for various purposes, such as marketing, risk mitigation, and research. The U.S. Federal Trade Commission (FTC) conducted a study of nine data brokers in 2012 and published a report in 2014, titled “Data Brokers: A Call for Transparency and Accountability”. In the report, the FTC identified three broad categories of products offered by data brokers, based on the primary purposes for which the products are used by their customers. The three categories are: 12

• Marketing products: These products help customers target potential customers, tailor marketing offers, measure the effectiveness of marketing campaigns, and improve customer relationships. Marketing products include data elements, segments, scores, lists, and analytics that are derived from consumer data. Data brokers may provide marketing products through direct marketing (such as postal mail, e-mail, or phone), online marketing (such as online display ads, social media, or mobile apps), or marketing analytics (such as measuring consumer behavior, preferences, and trends)12
• Risk mitigation products: These products help customers verify and authenticate consumers’ identities, prevent fraud, and comply with legal obligations. Risk mitigation products include identity verification, identity authentication, fraud prevention, and compliance products that are based on consumer data. Data brokers may provide risk mitigation products through various methods, such as matching consumer-providedinformation with data broker records, generating questions or challenges based on consumer data, or providing scores or indicators of fraud risk or compliance status12
• Research products: These products help customers understand consumer behavior, preferences, and trends, as well as market conditions, industry developments, and economic factors. Research products include reports, studies, statistics, and insights that are derived from consumer data. Data brokers may provide research products through various formats, such as online portals, dashboards, newsletters, or custom reports12

The FTC report did not include location of individuals as one of the three broad categories of products offered by data brokers. Location of individuals may be a specific type of product or service that some data brokers provide, but it is not a primary purpose for which data brokers use consumer data. Therefore, the correct answer is C. Location of individuals (such as identifying an individual from partial information).

References:

• Data Brokers: A Call For Transparency and Accountability: A Report of the Federal Trade Commission (May 2014)
• IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 5: State Privacy Laws, Section 5.3: Data Broker Laws

When selecting a vendor to manage personal information, the company should consider various criteria, such as the vendor’s reputation, financial health, employee training program, privacy policies, security practices, compliance record, contractual terms, and service quality. However, the vendor’s employee retention rates may not be as important as the other factors, as they do not directly affect the vendor’s ability to protect and process the personal information entrusted to them. While high employee turnover may indicate some issues with the vendor’s management or culture, it may not necessarily impact the vendor’s performance or reliability, as long as the vendor has adequate measures to ensure continuity, accountability, and confidentiality of the personal information they handle. References:

• Vendor Selection Process: a Step-by-Step Guide, section “Step 2: Define the vendor selection criteria”
• [IAPP CIPP/US Study Guide], p. 81-82, section 3.4.1
• [IAPP CIPP/US Body of Knowledge], p. 18-19, section C.2.a

Unlike many other countries, the United States does not have a comprehensive federal law that regulates the privacy of private-sector employees. Instead, the privacy protection of employees depends largely on state law, contract law, and tort law. State law may provide specific rights and remedies for employees regarding issues such as drug testing, background checks, electronic monitoring, social media access, and genetic information. Contract law may create obligations and expectations for employers and employees based on written or implied agreements, such as employment contracts, employee handbooks, or collective bargaining agreements. Tort law may allow employees to sue their employers for invasion of privacy, such as intrusion upon seclusion, public disclosure of private facts, false light, or appropriation of name or likeness. The other options are less likely to provide privacy protection to private-sector employees in the United States. The FTC Act primarily regulates the privacy practices of businesses that collect and use consumer data, not employee data. The U.S. Constitution only protects individuals from unreasonable searches and seizures by the government, not by private employers. The HHS only enforces the HIPAA Privacy Rule, which applies to covered entities and business associates that handle protected health information, not to all private-sector employers. References:

• IAPP CIPP/US Study Guide, Chapter 6: Workplace Privacy
• Privacy Rights of Employees Using Workplace Computers in the United States
• Employee Privacy Laws

Under the GDPR, the complainant’s request regarding her personal information is known as the right to be forgotten, also known as the right to erasure. This right allows individuals to ask organizations to delete their personal data in certain circumstances, such as when the data is no longer necessary, the consent is withdrawn, or the processing is unlawful. The right to be forgotten is not absolute and may not apply if the processing is necessary for legal, public interest, or legitimate purposes. The right to be forgotten also requires organizations to inform any recipients of the data about the erasure request, unless it is impossible or involves disproportionate effort. References:

• Everything you need to know about the “Right to be forgotten”
• Right to erasure | ICO
• Art. 17 GDPR – Right to erasure (‘right to be forgotten’) - General …
• [IAPP CIPP/US Certified Information Privacy Professional Study Guide], Chapter 6, page 213.

 The Driver’s Privacy Protection Act (DPPA) is a federal law that regulates the disclosure of personal information obtained by state departments of motor vehicles (DMVs). The DPPA prohibits DMVs and other entities that receive such information from DMVs from disclosing it to anyone without the express consent of the individual to whom the information pertains, unless the disclosure falls under one of the 14 exceptions listed in the statute.

Some of the exceptions that allow disclosure of personal information from DMV records without consent are:

• For use by any government agency, including any court or law enforcement agency, in carrying out its functions, or any private person or entity acting on behalf of a government agency in carrying out its functions.
• For use in connection with matters of motor vehicle or driver safety and theft; motor vehicle emissions; motor vehicle product alterations, recalls, or advisories; performance monitoring of motor vehicles, motor vehicle parts and dealers; motor vehicle market research activities, including survey research; and removal of non-owner records from the original owner records of motor vehicle manufacturers.
• For use in the normal course of business by a legitimate business or its agents, employees, or contractors, but only to verify the accuracy of personal information submitted by the individual to the business or its agents, employees, or contractors; and if such information as so submitted is not correct or is no longer correct, to obtain the correct information, but only for the purposes of preventing fraud by, pursuing legal remedies against, or recovering on a debt or security interest against, the individual.
• For use in connection with any civil, criminal, administrative, or arbitral proceeding in any federal, state, or local court or agency or before any self-regulatory body, including the service of process, investigation in anticipation of litigation, and the execution or enforcement of judgments and orders, or pursuant to an order of a federal, state, or local court.
• For use in research activities, and for use in producing statistical reports, so long as the personal information is not published, redisclosed, or used to contact individuals.
• For use by any insurer or insurance support organization, or by a self-insured entity, or its agents, employees, or contractors, in connection with claims investigation activities, antifraud activities, rating or underwriting.
• For use in providing notice to the owners of towed or impounded vehicles.
• For use by any licensed private investigative agency or licensed security service for any purpose permitted under this subsection.
• For use by an employer or its agent or insurer to obtain or verify information relating to a holder of a commercial driver’s license that is required under chapter 313 of title 49.
• For use in connection with the operation of private toll transportation facilities.
• For any other use specifically authorized under the law of the state that holds the record, if such use is related to the operation of a motor vehicle or public safety.

None of the exceptions above apply to the use of personal information from DMV records by marketers wishing to distribute bulk materials. Therefore, such use would require the consent of the individual to whom the information pertains, according to the DPPA. Hence, option D is the correct answer.

Option A is incorrect, as law enforcement agencies performing investigations are exempt from the consent requirement under the first exception.

Option B is incorrect, as insurance companies needing to investigate claims are exempt from the consent requirement under the sixth exception.

Option C is incorrect, as attorneys gathering information related to lawsuits are exempt from the consent requirement under the fourth exception.

References:

• [IAPP CIPP/US Study Guide], Chapter 8: Federal Privacy Laws, pp. 181-182.
• CIPP/US Practice Questions (Sample Questions), Question 31.

According to the FTC report, the most important directive for businesses is to adopt a “privacy by design” approach, which means integrating privacy protections throughout the entire product lifecycle, from initial design to disposal. This includes implementing reasonable security measures, collecting only the data needed for a specific purpose, retaining data only as long as necessary, and safely disposing of data that is no longer needed. The FTC report also recommends that businesses provide clear and transparent privacy notices, offer consumers meaningful choices about how their data is used, and increase their accountability for data practices. References: FTC Report, IAPP CIPP/US Study Guide (p. 32-33)

The correct answer is C. If SMH must make a notification in any other state in which it operates, it must also make a notification to individuals in New York. Under the Health Insurance Portability and Accountability Act (HIPAA), SMH is required to notify the Office of Civil Rights (OCR) and the affected individuals of a data breach involving unsecured protected health information (PHI) within 60 days of discovery1. However, HIPAA does not preempt state laws that provide greater protection to individuals or impose additional obligations on covered entities2. Therefore, SMH must also comply with the state breach notification laws of the states where it operates, including New York.

According to the New York State Information Security Breach and Notification Act, any person or business that owns or licenses computerized data that includes private information of a resident of New York must disclose any breach of the security of the system to such resident in the most expedient time possible and without unreasonable delay, unless the exposure of the private information was inadvertent and unlikely to result in misuse or financial harm3. Private information includes personal information (such as name, number, or other identifier) plus one or more of the following data elements: social security number; driver’s license number or non-driver identification card number; account number, credit or debit card number, in combination with any required security code, access code, password or other information that would permit access to an individual’s financial account; biometric information; or a user name or e-mail address in combination with a password or security question and answer that would permit access to an online account3.

Therefore, if SMH’s data breach involved any of these data elements of New York residents, SMH must notify them of the breach, regardless of whether SMH is compliant with HIPAA, has more than 500 patients in New York, or offers credit monitoring services. SMH must also notify the New York Attorney General, the Department of State, and the Division of State Police within 10 days of notifying the affected individuals3. Additionally, SMH must notify the New York Department of Health if the breach involved electronic health records4.

References: https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Other-Guides/Guide-on-Managing-and-Notifying-Data-Breaches-under-the-PDPA-15-Mar-2021.pdf?la=en

https://www.pcpd.org.hk/english/resources_centre/publications/files/guidance_note_dbn_e.pdf

 U.S. federal laws protect individuals from employment discrimination based on a number of protected characteristics, such as age, pregnancy, and genetic information. However, marital status is not one of them. There is no federal law that prohibits employment discrimination based on marital status, although some states and localities have enacted such laws. The other statements are incorrect because:

• A. Age is a protected characteristic under the Age Discrimination in Employment Act of 1967 (ADEA), which protects people who are 40 or older from discrimination because of age1.
• B. Pregnancy is a protected characteristic under the Pregnancy Discrimination Act, which amended Title VII of the Civil Rights Act of 1964 to make it illegal to discriminate against a woman because of pregnancy, childbirth, or a medical condition related to pregnancy or childbirth2.
• D. Genetic information is a protected characteristic under the Genetic Information Nondiscrimination Act of 2008 (GINA), which makes it illegal to discriminate against employees or applicants because of genetic information, such as family medical history, genetic tests, or participation in genetic research2. References: Prohibited Employment Policies/Practices, Employment discrimination law in the United States, Civil Rights Requirements- Federal Employment Discrimination Laws

The Consumer Privacy Bill of Rights is a set of principles that the Obama administration proposed in 2012 to guide the development of privacy legislation and policies in the United States. The report that introduced the bill of rights stated that it was "generally based on the widely accepted Fair Information Practice Principles (FIPPs)"1, which are a set of standards that originated in the 1970s and have influenced many privacy laws and frameworks around the world. The FIPPs include concepts such as individual control, transparency, security, accountability, and data minimization2. The Consumer Privacy Bill of Rights adapted and expanded these principles to address the challenges and opportunities of the digital economy1. References: 1: Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy2, page 92: IAPP CIPP/US Certified Information Privacy Professional Study Guide3, page 17.

 The Red Flags Rule is a regulation that requires financial institutions and creditors to implement a written identity theft prevention program that is designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account1. A creditor is any person who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew, or continue credit2. A covered account is an account that a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, such as a credit card account, mortgage loan, automobile loan, margin account, cell phone account, utility account, checking account, or savings account2. A money wire service is a service that allows customers to send or receive money electronically3. The owner of a grocery store who uses a money wire service is not a creditor because he or she does not regularly extend, renew, or continue credit to customers. Therefore, the Red Flags Rule does not apply to the owner of a grocery store who uses a money wire service. References:

• 1: FTC, Red Flags Rule, https://www.ftc.gov/business-guidance/privacy-security/red-flags-rule
• 2: FTC, Fighting Identity Theft with the Red Flags Rule: A How-To Guide for Business, https://www.ftc.gov/tips-advice/business-center/guidance/fighting-identity-theft-red-flags-rule-how-guide-business
• 3: Alessa, Wire Transfer Red Flags: Understanding Money Laundering and Fraud Risks, https://alessa.com/webinars/wire-transfer-red-flags-and-fraud-risks/

The Family and Medical Leave Act (FMLA) is a federal law that provides eligible employees with up to 12 weeks of unpaid, job-protected leave per year for certain family and medical reasons, such as the birth or adoption of a child,the serious health condition of the employee or a family member, or a qualifying exigency arising from the employee’s spouse, child, or parent being on covered active duty or call to covered active duty status in the Armed Forces. The FMLA also provides eligible employees with up to 26 weeks of unpaid, job-protected leave per year to care for a covered service member with a serious injury or illness if the employee is the spouse, child, parent, or next of kin of the service member. The FMLA applies to all public agencies, including state, local, and federal employers, and local education agencies (schools), and to private sector employers who employ 50 or more employees for at least 20 workweeks in the current or preceding calendar year.

The FMLA often requires employers to collect medical information from employees who request FMLA leave or from their health care providers to certify the need for leave, the duration of leave, and the employee’s ability to return to work. The FMLA regulations specify the type and amount of information that employers may request and require for different types of FMLA leave, such as:

• Basic medical facts, such as the diagnosis, symptoms, hospitalization, doctor visits, whether medication has been prescribed, and any referrals for evaluation or treatment, for the employee’s own serious health condition or that of a family member.
• Information on the medical necessity of intermittent leave or reduced schedule leave and the expected frequency and duration of such leave, for the employee’s own serious health condition or that of a family member, or for planned medical treatment.
• A statement of the facts regarding the qualifying exigency, such as the type of military duty, the dates of the covered active duty, and the contact information of the military member, for leave due to a qualifying exigency arising from the employee’s spouse, child, or parent being on covered active duty or call to covered active duty status in the Armed Forces.
• Information on the medical condition, treatment, and recovery of the covered service member, such as the date of injury or onset of illness, the current medical status, the prognosis, and the estimated time of treatment, for leave to care for a covered service member with a serious injury or illness.

The FMLA also imposes certain obligations on employers to protect the privacy and security of the medical information they collect from employees or their health care providers. For example, employers must:

• Maintain records and documents relating to medical certifications, recertifications, or medical histories of employees or employees’ family members as confidential medical records in separate files/records from the usual personnel files, and if the Americans with Disabilities Act (ADA) applies, such records must be maintained in conformance with ADA confidentiality requirements.
• Ensure that any electronic systems used to maintain such records meet the confidentiality requirements of the FMLA and the ADA, and that only authorized persons have access to such records.
• Limit the disclosure of such records to supervisors and managers who need to know about an employee’s FMLA leave, first aid and safety personnel when an employee’s medical condition might require emergency treatment, and government officials investigating compliance with the FMLA.
• Comply with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule when requesting medical information from an employee’s health care provider, such as obtaining a valid authorization from the employee or using a HIPAA-compliant certification form.
• Refrain from requesting more information than allowed by the FMLA regulations, such as asking for an employee’s complete medical records or information unrelated to the FMLA leave request.
• Respect the employee’s right to revoke a medical authorization or challenge a medical certification, and follow the procedures for resolving disputes over the validity or sufficiency of such documents.

References:

• The Family and Medical Leave Act (FMLA)
• FMLA Employee Guide
• FMLA Employer Guide
• FMLA Regulations
• FMLA Forms

The CAN-SPAM Act is a federal law that sets the rules for commercial email, establishes requirements for commercial messages, gives recipients the right to have you stop emailing them, and spells out tough penalties for violations1. The main purpose of the act is to protect consumers from unwanted and deceptive email messages and to give them more control over their online privacy2. The act applies to all commercial messages, which are defined as "any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service"1. The act does not apply to transactional or relationship messages, which are messages that facilitate an agreed-upon transaction or update a customer about an existing business relationship1. The act also does not apply to non-commercial messages, such as political or charitable solicitations3. References: 1: CAN-SPAM Act: A Compliance Guide for Business2: What is the CAN-SPAM Act? | Proton3: What is the CAN-SPAM Act? | Cloudflare

According to the Health Insurance Portability and Accountability Act (HIPAA), a covered entity is a health plan, a health care clearinghouse, or a health care provider that transmits any health information in electronic form in connection with a transaction covered by HIPAA. A covered entity must report a breach of unsecured protected health information (PHI) to the following parties:

• The Department of Health and Human Services (HHS), which is the federal agency responsible for enforcing HIPAA and issuing regulations and guidance on privacy and security issues. A covered entity must notify HHS of a breach affecting 500 or more individuals without unreasonable delay and in no case later than 60 days after discovery of the breach. A covered entity must also notify HHS of breaches affecting fewer than 500 individuals within 60 days of the end of the calendar year in which the breaches occurred.
• The affected individuals, who are the individuals whose PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed as a result of the breach. A covered entity must notify the affected individuals without unreasonable delay and in no case later than 60 days after discovery of the breach. The notification must be in writing by first-class mail or, if the individual agrees, by electronic mail. The notification must include a brief description of the breach, the types of information involved, the steps the individual should take to protect themselves, the steps the covered entity is taking to investigate and mitigate the breach, and the contact information of the covered entity.
• The local media, if the breach affects more than 500 residents of a state or jurisdiction. A covered entity must notify prominent media outlets serving the state or jurisdiction without unreasonable delay and in no case later than 60 days after discovery of the breach. The notification must include the same information as the notification to the affected individuals.

A covered entity does not have to report the breach to medical providers, unless they are also affected individuals or business associates of the covered entity. A business associate is a person or entity that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of PHI. A covered entity must have a writtencontract or agreement with its business associates that requires them to protect the privacy and security of PHI and report any breaches to the covered entity.

References:

• IAPP CIPP/US Body of Knowledge, Domain II: Limits on Private-sector Collection and Use of Data, Section C: Sector-specific Requirements for Health Information
• IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 2: Limits on Private-sector Collection and Use of Data, Section 2.3: Sector-specific Requirements for Health Information
• Practice Exam - International Association of Privacy Professionals

The Telemarketing Sales Rule (TSR) is a federal regulation that applies to telemarketing calls, which are defined as "a plan, program, or campaign which is conducted to induce the purchase of goods or services or a charitable contribution, by use of one or more telephones and which involves more than one interstate telephone call."1 The TSR requires telemarketers to make specific disclosures, prohibit misrepresentations, limit the times and number of calls, and set payment restrictions for the sale of certain goods and services. The TSR also gives consumers the right to opt out of receiving telemarketing calls by registering their phone numbers on the National Do Not Call Registry.2

The TSR applies to both for-profit and not-for-profit organizations, but there are some exemptions and partial exemptions for certain types of entities, calls, and transactions. For example, the TSR does not apply to nonprofit organizations calling on their own behalf, as they are not considered to be engaged intelemarketing. However, if a nonprofit organization hires a for-profit telemarketer or telefunder to solicit charitable contributions on its behalf, the for-profit entity must comply with the TSR, as it is engaged in telemarketing. Similarly, the TSR does not apply to for-profit organizations calling businesses when a binding contract exists between them, as they are not considered to be inducing the purchase of goods or services. However, if a for-profit organization calls businesses to sell additional services to established customers, the TSR applies, as it is considered to be inducing the purchase of goods or services.3

Therefore, among the four options, only for-profit organizations and for-profit telefunders regarding charitable solicitations must comply with the TSR, as they are engaged in telemarketing and do not fall under any of the exemptions or partial exemptions. References: 1: eCFR :: 16 CFR Part 310 – Telemarketing Sales Rule3, Section 310.22: Telemarketing Sales Rule | Federal Trade Commission1, Rule Summary3: Complying with the Telemarketing Sales Rule - Federal Trade Commission2, Exemptions to the TSR.

The Consumer Privacy Bill of Rights is a set of principles proposed by the Obama administration in 2012 to protect the privacy of consumers online and offline. The principles are based on the Fair Information Practice Principles, which are widely accepted as the foundation of privacy protection. One of the principles is the right to reasonable limits on the personal data that a company retains, which means that companies should collect and keep only the personal data they need for legitimate purposes, and dispose of it securely when it is no longer needed. This principle would best reform the company’s privacy program in the scenario, as it would address the major concerns that Roberta identified in her report, such as the lack of rules and procedures for purging and destroying outdated data, and the excessive access to customer information by low-level employees. By implementing reasonable limits on the personal data that the company retains, the company would reduce the risk of data breaches, enhance customer trust, and comply with state breach notification laws. References:

• Fact Sheet: Plan to Protect Privacy in the Internet Age by Adopting a Consumer Privacy Bill of Rights
• IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 1: Introduction to U.S. Privacy Law, Section 1.2: The Consumer Privacy Bill of Rights

 According to the Gramm-Leach-Bliley Act (GLBA) and its implementing Regulation P, a financial institution may share consumer information with non-affiliated third parties for marketing purposes only after disclosing its information-sharing practices to customers and after giving them an opportunity to opt out of such sharing. The GLBA defines a customer as a consumer who has a continuing relationship with a financial institution that provides one or more financial products or services to be used primarily for personal, family, or household purposes. A consumer is an individual who obtains or has obtained a financial product or service from a financial institution that is to be used primarily for personal, family, or household purposes, or that individual’s legal representative. A non-affiliated third party is any person except a financial institution’s affiliate or a person employed jointly by a financial institution and a company that is not the financial institution’s affiliate. An affiliate is any company that controls, is controlled by, or is under common control with another company.

The GLBA requires that a financial institution provide a privacy notice to customers: (i) at the time of establishing the customer relationship; (ii) annually during the continuation of the customer relationship; and (iii) before disclosing any nonpublic personal information (NPI) about the customer to any non-affiliated third party, unless an exception applies. The privacy notice must describe the categories of NPI that the financial institution collects and discloses; the categories of affiliates and non-affiliated third parties to whom the financial institution discloses NPI; the categories of NPI disclosed to service providers and joint marketers; the policies and practices with respect to protecting the confidentiality and security of NPI; and the disclosures of NPI to which the customer has a right to opt out. The financial institution must also provide a reasonable means for the customer to opt out of the disclosure of NPI to non-affiliated third parties, such as a check-off box, a reply form, or a toll-free telephone number. The opt-out notice must be clear and conspicuous, and must state that the customer can opt out at any time. The opt-out notice must also explain how the customer can opt out, and the effect of opting out. The financial institution must honor the customer’s opt-out direction as soon as reasonably practicable after receiving it, and must not disclose any NPI to which the opt-out applies, unless an exception applies.

The GLBA provides several exceptions to the opt-out requirement, such as when the disclosure of NPI is necessary to effect, administer, or enforce a transaction requested or authorized by the customer; when the disclosure of NPI is required or permitted by law; when the disclosure of NPI is to a consumer reporting agency in accordance with the Fair Credit Reporting Act; or when the disclosure of NPI is to a person that performs marketing services on behalf of the financial institution or on behalf of the financial institution and another financial institution under a joint marketing agreement. A joint marketing agreement is a formal written contract between a financial institution and any other person under which the parties agree to offer, endorse, or sponsor a financial product or service. The joint marketing agreement must prohibit the other person from using or disclosing the NPI for any purpose other than offering, endorsing, or sponsoring the financial product or service covered by the agreement.

The GLBA also requires that a financial institution provide a privacy notice to consumers who are not customers before disclosing any NPI about the consumer to any non-affiliated third party, unless an exception applies. The financial institution does not need to provide an opt-out notice to consumers who are not customers, unless it has a customer relationship with them. However, if the financial institution establishes a customer relationship with a consumer who was previously not a customer, it must provide a privacy notice and an opt-out notice to the customer as described above.

References:

• Guide to the Gramm–Leach–Bliley Act
• GLBA or FCRA? Data Sharing Between Affiliates and Non-Affiliates
• Existing Privacy Laws Already Regulate Information Sharing
• Why Do Banks Share Your Financial Information and Are They Allowed To?
• [IAPP CIPP/US Certified Information Privacy Professional Study Guide], Chapter 5, pages 161-165.

In 2012, the White House released a report titled “Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy”, which proposed a Consumer Privacy Bill of Rights based on the Fair Information Practice Principles (FIPPs). The report called for a comprehensive privacy framework that would apply to all commercial sectors and all personal data, regardless of the technology or business model involved. The report also urged Congress to enact legislation to implement the framework and empower the FTC to enforce it. Similarly, the FTC released a report titled “Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers”, which outlined a set of best practices for businesses to protect consumer privacy and foster innovation. The report also advocated for a comprehensive privacy framework that would cover both online and offline data, and apply to all entities that collect or use consumer data that can be reasonably linked to a specific consumer, computer, or device. The report also recommended that Congress consider enacting baseline privacy legislation and giving the FTC rulemaking authority to implement it. Therefore, both reports can be described as advocating a comprehensive approach to privacy enforcement, rather than a harm-based, self-regulatory, or notice and choice approach. References: White House Report, FTC Report, IAPP CIPP/US Study Guide (p. 31-32)

 According to the Privacy Shield Framework, an organization that transfers personal data to a third party acting as an agent must ensure that the agent does all of the following1:

• Uses the transferred data only for limited and specified purposes;
• Provides the same level of privacy protection as is required by the Privacy Shield Principles;
• Takes reasonable and appropriate steps to ensure that the agent effectively processes the personal information transferred in a manner consistent with the organization’s obligations under the Principles;
• Requires the agent to notify the organization if it makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the Principles;
• Upon notice, takes reasonable and appropriate steps to stop and remediate unauthorized processing; and
• Provides a summary or a representative copy of the relevant privacy provisions of its contract with that agent to the Department of Commerce upon request.

Therefore, the only option that is not required by the Privacy Shield Framework is D. Enters a contract with the organization that states the third party will process data according to the consent agreement. While the organization must obtain the individual’s consent for certain types of data transfers, such as those involving sensitive data or onward transfers to controllers, the organization does not have to include the consent agreement in the contract with the agent. The contract must, however, ensure that the agent will process the data in accordance with the individual’s choices and expectations, as well as the Privacy Shield Principles2.

References: 1: Privacy Shield Framework3, Section 3 (b); 2: Privacy Shield Framework3, Section 2 (b) and ©; 3: Privacy Shield Framework.

Under the California Consumer Privacy Act (CCPA), a business that collects personal information of California residents must notify them of a data breach if their personal information is subject to unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices. However, the CCPA excludes encrypted or redacted personal information from the definition of personal information, unless the encryption key or security credential is also compromised. Therefore, Privacy Is Hiring Inc. would need to notify the affected individuals only if the encryption keys were also taken along with the credit card information, as this would render the encryption ineffective and expose the personal information to unauthorized access. The other options are not relevant to the CCPA notification requirement, although they may be relevant to other laws or best practices. References: CCPA (Section 1798.150), IAPP CIPP/US Study Guide (p. 63-64)

The data privacy leader needs to identify all the personal data that the Company has received from the retailer, as well as the purposes, retention periods, and sharing practices of such data. Since the data inventory is obsolete, the data privacy leader cannot rely on it to provide accurate and complete information. Therefore, the next best source of information is to interview the key marketing personnel who are responsible for the partnership with the retailer and the use of the personal data. The marketing personnel can provide insights into the data flows, the data categories, the data processing activities, and the data protection measures that the Company has implemented. They can also help the data privacy leader to locate the relevant documents, contracts, and records that can support the investigation. References: [IAPP CIPP/US Study Guide], Chapter 5: Data Management, p. 97-98; IAPP Privacy Tech Vendor Report, Data Mapping and Inventory, p. 9-10.

The ADA prohibits employers from discriminating against qualified individuals with disabilities in all aspects of employment, including hiring, firing, promotion, compensation, and training. The ADA also limits the types of medical inquiries and examinations that employers can make of applicants and employees. Under the ADA, a disability is defined as a physical or mental impairment that substantially limits one or more major life activities, a record of such an impairment, or being regarded as having such an impairment. The ADA covers current, past, and perceived drug addiction as a disability, unless the individual is currently engaging in the illegal use of drugs. Therefore, Felicia’s plan to ask applicants about drug addiction may violate the ADA, unless she can show that the inquiry is job-related and consistent with business necessity. The other laws are not directly relevant to Felicia’s plan, although they may have other implications for her business. References: ADA, IAPP CIPP/US Study Guide (p. 95-96)

The Children’s Online Privacy Protection Act (COPPA) is a federal law that regulates the online collection and use of personal information from children under 13 years of age. COPPA requires operators of websites or online services that are directed to children, or that knowingly collect personal information from children, to obtain verifiable parental consent before collecting, using, or disclosing such information. Verifiable parental consent means any reasonable effort (taking into consideration available technology) to ensure that before personal information is collected from a child, the child’s parent receives notice of the operator’s information practices and consents to those practices. COPPA also imposes other obligations on operators, such as providing parents with access to their children’s information, maintaining reasonable security measures, and limiting data retention. References: COPPA, IAPP CIPP/US Study Guide, Chapter 2, Section 2.3.1

• The Telemarketing Sales Rule (TSR) is a federal regulation that implements the Telemarketing and Consumer Fraud and Abuse Prevention Act of 1994. The TSR aims to protect consumers from deceptive or abusive telemarketing practices, such as unwanted calls, false or misleading claims, unauthorized billing, and privacy violations1.
• The TSR requires telemarketers and sellers to comply with the National Do Not Call Registry, which is a list of phone numbers of consumers who have indicated that they do not want to receive telemarketing calls2.
• The TSR also requires telemarketers and sellers to honor the do-not-call requests of individual consumers, regardless of whether their numbers are on the National Do Not Call Registry or not2.
• A do-not-call request is a statement made by a consumer, either orally or in writing, that they do not wish to receive any more calls from a specific telemarketer or seller2.
• The TSR requires an entity to share a do-not-call request across its organization when the operational structures of its divisions are not transparent to consumers3. This means that the entity must treat the do-not-call request as if it applies to all of its affiliates and subsidiaries that engage in telemarketing, unless the consumer would reasonably expect them to be separate and distinct entities based on their names, products, or services3.
• The TSR does not require an entity to share a do-not-call request across its organization in the following situations:

References: 1: Telemarketing Sales Rule 2: Q&A for Telemarketers & Sellers About DNC Provisions in TSR 3: Federal Register :: Telemarketing Sales Rule