CIPP-US Certified Information Privacy Professional/United States (CIPP/US) Question and Answers

Janice’s first draft of the privacy policy may be too restrictive and impractical for Fitness Coach, Inc. to follow, given the nature of its business and the expectations of its customers. By limiting the retention of personal information to one year and requiring written consent for any third-party sharing, the policy may create operational challenges and customer dissatisfaction. For example, customers may want to resume their fitness programs after a long hiatus and expect the company to have their previous records and preferences. Similarly, third-party contractors may need access to customer information to provide better services and tailor their classes. If the company fails to adhere to its own privacy policy, it may face legal consequences, reputational damage, and loss of trust from its customers. Therefore, the company should adopt a more realistic and flexible privacy policy that balances its business needs and its customers’ privacy rights. References:

Privacy Policy for Health Coaches

Privacy Policies for Online Coaches

Privacy Policy - Coaching.com

A private right of action is a legal provision that grants individuals the ability to bring a lawsuit against a party that has wronged them and to seek redress for the harm that they have suffered. A private right of action is a fundamental component of the U.S. judicial system and an essential element of enforcingprivacy rights. Privacy advocates argue that a private right of action is necessary to hold perpetrators of privacy violations accountable and to address the limitations of the FTC’s enforcement authority. However, businesses are concerned that a private right of action would lead to a proliferation of frivolous lawsuits that would burden responsible data processors and impede innovation. References:

U.S. Private-Sector Privacy, Third Edition by Peter P. Swire, DeBrae Kennedy-Mayo, Chapter 2, Section 2.3.3, pp. 35-36.

How to end the deadlock on the private right of action by Paula Bruening, IAPP Privacy Perspectives, Jan 20, 2022.

Private Right of Action (Legal Definition & Examples) by Lawrina, accessed on Jan 25, 2022.

The CCPA provides consumers with a private right of action to pursue statutory damages following data security breaches that impact certain sensitive categories of personal information and are caused by a business’s failure to institute reasonable and appropriate security. The CCPA defines personal information for this purpose as an individual’s name in combination with any of the following: social security number, driver’s license number, account number, credit or debit card number, medical information, or health insurance information. The CCPA allows consumers to seek damages between $100 and $750 per consumer per incident, or actual damages, whichever is greater. The CCPA also requires consumers to provide the business with 30 days’ written notice and an opportunity to cure the violation before initiating an action. Additionally, the CCPA requires consumers to notify the Attorney General within 30 days of filing the action and obtain the Attorney General’s approval or nonobjection before proceeding with the action. Therefore, John can sue the corporation for the data breach to recover monetary damages suffered as a result of the data breach, and in some circumstances seek statutory damages irrespective of whether he suffered any financial harm, as long as he meets the requirements of the CCPA. References:

CCPA Provides Private Right of Action for Data Security Breaches

CCPA Private Right of Action – Data Breach Security Requirement

CCPA Fines & Penalties for Data Protection Violations | MatrixPoint

The strongest example of excessive monitoring by the employer is C. An employer who installs video monitors in physical locations, such as a changing room, to reduce the risk of sexual harassment. This would be considered an unreasonable invasion of employees’ privacy, as it would violate their legitimate expectation of privacy in a place where they change their clothes. Such monitoring would also likely violate the Electronic Communications Privacy Act (ECPA), which prohibits the interception of oral communications without consent or authorization. Moreover, such monitoring would not be justified by a legitimate business interest, as there are less intrusive ways to prevent or address sexual harassment, such as policies, training, and reporting mechanisms. References:

[IAPP CIPP/US Study Guide], Chapter 4: Workplace Privacy, pp. 109-110.

IAPP CIPP/US Body of Knowledge, Section IV: Workplace Privacy, Subsection A: Employee Privacy Expectations, Topic 1: Employee Monitoring.

IAPP CIPP/US Practice Questions, Question 134.

In 2012, the White House released a report titled “Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy”, which proposed a Consumer Privacy Bill of Rights based on the Fair Information Practice Principles (FIPPs). The report called for a comprehensive privacy framework that would apply to all commercial sectors and all personal data, regardless of the technology or business model involved. The report also urged Congress to enact legislation to implement the framework and empower the FTC to enforce it. Similarly, the FTC released a report titled “Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers”, which outlined a set of best practices for businesses to protect consumer privacy and foster innovation. The report also advocated for a comprehensive privacy framework that would cover both online and offline data, and apply to all entities that collect or use consumer data that can be reasonably linked to a specific consumer, computer, or device. The report also recommended that Congress consider enacting baseline privacy legislation and giving the FTC rulemaking authority to implement it. Therefore, both reports can be described as advocating a comprehensive approach to privacy enforcement, rather than a harm-based, self-regulatory, or notice and choice approach. References: White House Report, FTC Report, IAPP CIPP/US Study Guide (p. 31-32)

Cheryl’s suggested method of communicating the new privacy policy by creating documents listing applicable parts of the new policy for each department and implementing it gradually over several months may create confusion and inconsistency among employees and customers. Different departments may have different interpretations and expectations of the policy, and customers may not be aware of the changes or their rights under the policy. This may lead to errors, complaints, and violations of the policy and the applicable laws. A better approach would be to communicate the policy in full to all employees and customers at once, and provide training and guidance on how to comply with it. The policy should also be easily accessible and updated on the company’s website and other channels. References:

Privacy Policy for Health Coaches

Privacy Policies for Online Coaches

Privacy Policy - Coaching.com

The VPPA was enacted to prevent the wrongful disclosure of personally identifiable information (PII) concerning any consumer of a video tape service provider. PII includes information that identifies a person as having requested or obtained specific video materials or services from a video tape service provider. The VPPA prohibits such disclosure, except in certain limited circumstances, such as with the consumer’s informed, written consent, or pursuant to a law enforcement warrant, subpoena, or court order. The VPPA also allows the disclosure of the names and addresses of consumers, but not the title, description, or subject matter of any video tapes or other audio visual material, for the exclusive use of marketing goods and services directly to the consumer, unless the consumer has opted out of such disclosure. The other options (B, C, and D) are not restricted by the VPPA. References:

Video Privacy Protection Act - Wikipedia

18 U.S. Code § 2710 - Wrongful disclosure of video tape rental or sale records | U.S. Code | US Law | LII / Legal Information Institute

IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 3: Federal Privacy Laws and Regulations, Section 3.5: Video Privacy Protection Act (VPPA)

The Consumer Privacy Bill of Rights is a set of principles that the Obama administration proposed in 2012 to guide the development of privacy legislation and policies in the United States. The report that introduced the bill of rights stated that it was "generally based on the widely accepted Fair Information Practice Principles (FIPPs)"1, which are a set of standards that originated in the 1970s and have influenced many privacy laws and frameworks around the world. The FIPPs include concepts such as individual control, transparency, security, accountability, and data minimization2. The Consumer Privacy Bill of Rights adapted and expanded these principles to address the challenges and opportunities of the digital economy1. References: 1: Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy2, page 92: IAPP CIPP/US Certified Information Privacy Professional Study Guide3, page 17.

Illinois became the first state to pass a law specifically regulating the collection of biometric data in 2008, when it enacted the Biometric Information Privacy Act (BIPA). BIPA defines biometric identifiers as retina or iris scans, fingerprints, voiceprints, or scans of hand or face geometry, and biometric information as any information based on biometric identifiers used to identify an individual. BIPA requires entities that collect, store, or use biometric identifiers or information to obtain informed consent from individuals, provide written policies on data retention and destruction, limit disclosure and sale of biometric data, and protect biometric data using reasonable security measures. BIPA also provides a private right of action for individuals whose biometric data is collected, stored, or used in violation of the law, and allows them to recover statutory damages of $1,000 or actual damages, whichever is greater, for each negligent violation, and $5,000 or actual damages, whichever is greater, for each intentional or reckless violation, as well as attorneys’ fees and costs, and injunctive relief. References: U.S. Biometrics Laws Part I: An Overview of 2020, Is Biometric Information Protected by Privacy Laws?, Biometric Data Privacy Laws

 The design technique that would most effectively inform users of their data privacy rights and privileges when using the app is to offer information about data collection and uses at key data entry points. This technique is also known as “just-in-time” or “layered” notice, and it is recommended by the U.S. Federal Trade Commission (FTC) as a best practice for mobile app developers12

The idea behind this technique is to provide users with relevant and timely information about how their data is collected and used by the app, and what choices they have to control their data, at the moment when they are asked to provide or access their data. For example, if the app collects location data from the user’s device, it should display a pop-up notice explaining why it needs the location data, how it will use it, and how the user can opt-out or change the settings. This way, the user can make an informed decision about whether to allow or deny the app’s access to their data, and understand the consequences of their choice12

The advantage of this technique is that it avoids overwhelming the user with too much information at once, and instead provides concise and contextual information that is easy to understand and act upon. It also increases the user’s trust and confidence in the app, as they feel more in control of their data and privacy12

The other design techniques are less effective because they do not provide the user with sufficient or timely information about their data privacy rights and privileges when using the app. Publishing a privacy policy written in clear, concise, and understandable language is a good practice, but it is not enough to inform the user of their data privacy rights and privileges, as many users may not read or understand the policy, or may not be aware of where to find it. Presenting a privacy policy to users during the wellness program registration process is also a good practice, but it may not capture all the data collection and uses that the app may perform, and it may not give the user enough opportunity to review and consent to the policy. Providing a link to the wellness program privacy policy at the bottom of each screen is also a good practice, but it may not be noticeable or accessible to the user, and it may not provide the user with the specific information they need at the point of data entry or access12

References:

Mobile Privacy Disclosures: Building Trust Through Transparency: A Federal Trade Commission Staff Report (February 2013)

IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 6: Privacy Program Management, Section 6.4: Privacy by Design

The federal act that does NOT contain provisions for preempting stricter state laws is the Telemarketing Consumer Protection and Fraud Prevention Act1. This act authorizes the Federal Trade Commission (FTC) to establish and enforce rules for telemarketing practices, such as the Do Not Call Registry, the prohibition of robocalls, and the disclosure of material information2. However, the act also explicitly states that it does not "annul, alter, or affect, or exempt any person subject to the provisions of this section from complying with, the laws of any State with respect to telemarketing practices, except to the extent that those laws are inconsistent with any provision of this section, and then only to the extent of the inconsistency"1. This means that states can enact and enforce their own laws regarding telemarketing, as long as they are not less protective than the federal law. In contrast, the other three acts listed in the question do contain preemption clauses that limit or override the authority of states to regulate certain aspects of electronic communications, online privacy, and credit transactions345. References: 1: Telemarketing Consumer Protection and Fraud Prevention Act2: Telemarketing Sales Rule | Federal Trade Commission3: CAN-SPAM Act: A Compliance Guide for Business4: Children’s Online Privacy Protection Rule (“COPPA”) | Federal Trade Commission5: Fair and Accurate Credit Transactions Act of 2003 - Wikipedia : IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 5: Federal Trade Commission and Consumer Privacy, p. 144-145, 149-150, 154-155

 The Driver’s Privacy Protection Act (DPPA) is a federal law that regulates the disclosure of personal information obtained by state departments of motor vehicles (DMVs). The DPPA prohibits DMVs and other entities that receive such information from DMVs from disclosing it to anyone without the express consent of the individual to whom the information pertains, unless the disclosure falls under one of the 14 exceptions listed in the statute.

Some of the exceptions that allow disclosure of personal information from DMV records without consent are:

For use by any government agency, including any court or law enforcement agency, in carrying out its functions, or any private person or entity acting on behalf of a government agency in carrying out its functions.

For use in connection with matters of motor vehicle or driver safety and theft; motor vehicle emissions; motor vehicle product alterations, recalls, or advisories; performance monitoring of motor vehicles, motor vehicle parts and dealers; motor vehicle market research activities, including survey research; and removal of non-owner records from the original owner records of motor vehicle manufacturers.

For use in the normal course of business by a legitimate business or its agents, employees, or contractors, but only to verify the accuracy of personal information submitted by the individual to the business or its agents, employees, or contractors; and if such information as so submitted is not correct or is no longer correct, to obtain the correct information, but only for the purposes of preventing fraud by, pursuing legal remedies against, or recovering on a debt or security interest against, the individual.

For use in connection with any civil, criminal, administrative, or arbitral proceeding in any federal, state, or local court or agency or before any self-regulatory body, including the service of process, investigation in anticipation of litigation, and the execution or enforcement of judgments and orders, or pursuant to an order of a federal, state, or local court.

For use in research activities, and for use in producing statistical reports, so long as the personal information is not published, redisclosed, or used to contact individuals.

For use by any insurer or insurance support organization, or by a self-insured entity, or its agents, employees, or contractors, in connection with claims investigation activities, antifraud activities, rating or underwriting.

For use in providing notice to the owners of towed or impounded vehicles.

For use by any licensed private investigative agency or licensed security service for any purpose permitted under this subsection.

For use by an employer or its agent or insurer to obtain or verify information relating to a holder of a commercial driver’s license that is required under chapter 313 of title 49.

For use in connection with the operation of private toll transportation facilities.

For any other use specifically authorized under the law of the state that holds the record, if such use is related to the operation of a motor vehicle or public safety.

None of the exceptions above apply to the use of personal information from DMV records by marketers wishing to distribute bulk materials. Therefore, such use would require the consent of the individual to whom the information pertains, according to the DPPA. Hence, option D is the correct answer.

Option A is incorrect, as law enforcement agencies performing investigations are exempt from the consent requirement under the first exception.

Option B is incorrect, as insurance companies needing to investigate claims are exempt from the consent requirement under the sixth exception.

Option C is incorrect, as attorneys gathering information related to lawsuits are exempt from the consent requirement under the fourth exception.

References:

[IAPP CIPP/US Study Guide], Chapter 8: Federal Privacy Laws, pp. 181-182.

CIPP/US Practice Questions (Sample Questions), Question 31.

A consent decree is a settlement agreement between the FTC and a company that has engaged in unfair or deceptive privacy practices. A consent decreetypically requires the company to stop the unlawful conduct, implement remedial measures, pay a civil penalty, and submit to ongoing monitoring and reporting. A consent decree benefits both parties involved because it spares the expense of going to trial, which can be costly, time-consuming, and uncertain. A consent decree also allows the parties to negotiate the terms of the settlement, rather than having a court impose a judgment. A consent decree does not admit liability or wrongdoing by the company, but it has the force of law and can be enforced by the FTC or the courts if the company violates its terms. References:

IAPP CIPP/US Body of Knowledge, Section I.A.1.a

IAPP CIPP/US Textbook, Chapter 1, pp. 10-11

FTC Consent Decrees

 A data ethics framework is a set of principles and guidelines that help organizations ensure that their data practices are ethical, responsible, and trustworthy. According to the IAPP CIPP/US Study Guide, some of the key components of a data ethics framework are1:

Data governance: the policies, processes, and standards that govern how data is collected, used, stored, and shared within an organization.

Preferability testing: the process of assessing the potential impacts and risks of data-driven solutions on stakeholders, such as customers, employees, and society.

Auditing: the process of monitoring, reviewing, and verifying the compliance and performance of data practices against the established ethical standards and legal requirements. Automated decision-making, on the other hand, is not a key component of a data ethics framework, but rather a data practice that may raise ethical issues and challenges. Automated decision-making refers to the use of algorithms, artificial intelligence, or machine learning to make decisions or recommendations without human intervention2. While automated decision-making can offer benefits such as efficiency, accuracy, and consistency, it can also pose risks such as bias, discrimination, lack of transparency, and accountability3. Therefore, automated decision-making should be subject to ethical evaluation and oversight, but it is not itself a part of a data ethics framework. References:

[IAPP CIPP/US Study Guide], Chapter 10, Section 10.4, page 287

[IAPP Glossary], Automated Decision-Making

IAPP Resources, Ethical Data Use and Automated Decision-Making: A Practical Guide

The U.S. Department of Commerce (DOC) is a federal agency that promotes economic growth, trade, and innovation, but does not have regulatory authority related to privacy. The DOC administers several voluntary privacy frameworks, such as the Privacy Shield, the APEC Cross-Border Privacy Rules, and the NIST Privacy Framework, but these are not legally binding or enforceable by the DOC12. The DOC also participates in international privacy negotiations and dialogues, but does not have the power to issue rules or regulations on privacy matters3.

The other three options are examples of federal agencies that do have regulatory authority related to privacy. The Consumer Financial Protection Bureau (CFPB) is an independent agency that enforces consumer protection laws, such as the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, and the Dodd-Frank Act, which contain privacy and data security provisions4. The U.S. Department of Transportation (DOT) is a federal agency that regulates transportation safety, security, and infrastructure, and has issued privacy rules for airlines, motor carriers, and railroads. The FederalReserve (FRB) is an independent agency that oversees the nation’s monetary policy, banking system, and financial stability, and has issued privacy rules for financial institutions under its jurisdiction. References: 1: Privacy Shield Program Overview | International Trade Administration 2: NIST Privacy Framework | NIST 3: Privacy and Data Security | U.S. Department of Commerce 4: Consumer Financial Protection Bureau - Wikipedia : [Privacy | US Department of Transportation] : [Privacy - Federal Reserve Board]

The Electronic Communications Privacy Act of 1986 (ECPA) is a federal law that regulates the privacy of wire, oral, and electronic communications. The ECPA prohibits the intentional interception, use, or disclosure of such communications, unless authorized by law or by the consent of one of the parties to the communication12. The ECPA also provides exceptions for certain types of communications, such as those made in the normal course of business, those made for law enforcement purposes, or those made for foreign intelligence purposes12.

One of the exceptions to the ECPA ban on interception is where one of the parties has given consent. This means that if a person who is a party to a communication agrees to have it intercepted, the interception is lawful under the ECPA. Consent can be express or implied, depending on the circumstances and the expectations of the parties3. For example, if a person calls a customer service line and hears a recorded message that the call may be monitored or recorded, the person has impliedly consented to the interception of the call. However, if a person calls a friend and does not know that the friend has a third party listening in on the call, the person has not consented to the interception of the call.

References: 1: Electronic Communications Privacy Act of 1986, 18 U.S.C. §§ 2510-2523 2: [IAPP CIPP/US Study Guide], Chapter 8, Section 8.2.1. 3: [Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations], pp. 77-78.

Redaction is the permanent removal of sensitive data—the digital equivalent of “blacking out” text in printed material. Redaction can be accomplished by simply deleting characters from a file or database record, or by replacing characters with asterisks or other placeholders. Redaction is often used to protect personal information, such as names, addresses, social security numbers, or financial data, on documents that are disclosed in litigation, such as pleadings, exhibits, or discovery responses. Redaction is required by courts to comply with privacy laws and rules, such as the Federal Rules of Civil Procedure (FRCP), which mandate that parties must redact certain types of personal information from documents filed with the court or produced to the other party. Redaction is also a best practice to minimize the risk of unauthorized access, identity theft, or reputational harm that may result from exposing personal information in litigation. References:

When to redact, or not, disclosable documents in litigation - Stewarts

The approach to redaction – High Court guidance - Lexology

IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 3: Federal Privacy Laws and Regulations, Section 3.2: Federal Rules of Civil Procedure (FRCP).

The Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act is a law passed in 2003 that establishes the first national standards for the sending of commercial e-mail in the United States. The law requires the Federal Trade Commission (FTC) to enforce its provisions. The law applies to any commercial e-mail message, which is defined as any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service. The law does not apply to transactional or relationship messages, which are messages that facilitate an agreed-upon transaction or update a customer about an existing business relationship. The law also does not apply to non-commercial messages, such as political or charitable solicitations12

The CAN-SPAM Act is intended to help consumers by giving them more control over the commercial e-mails they receive. The law does not require companies to obtain prior consent (opt-in) from consumers before sending them commercial e-mails, but it does require companies to honor consumers’ requests to stop receiving such e-mails (opt-out). The law specifies that each commercial e-mail message must include a clear and conspicuous notice of the opportunity to decline to receive further messages from the sender, and a valid physical postal address of the sender. The sender must provide a functioning return e-mail address or other Internet-based mechanism that allows the recipient to submit an opt-out request. The sender must honor the opt-out request within 10 business days and must not sell, exchange, or transferthe e-mail address of the opt-out requester to another entity, unless the other entity is acting as an agent of the sender12

By requiring companies to allow consumers to opt-out of future e-mails, the CAN-SPAM Act aims to reduce the amount of unwanted and unsolicited commercial e-mail that consumers receive, and to protect their privacy and preferences. The law also imposes other requirements on companies that send commercial e-mails, such as banning false or misleading header information and deceptive subject lines, requiring the identification of the message as an advertisement, and requiring the labeling of sexually explicit content. The law also authorizes the FTC and other federal agencies to enforce the law and impose civil penalties for violations12

References:

Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM Act)

IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 4: Federal Privacy Laws, Section 4.4: The CAN-SPAM Act

The Federal Trade Commission (FTC) issued its 2012 report, “Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers”1, which outlined a framework for privacy protection based on three main principles: privacy by design, simplified consumer choice, and greater transparency. The report also identified five priority areas for the FTC’s privacy enforcement and policy efforts, which were:

Data brokers

Large platform providers

Mobile

Promoting enforceable self-regulatory codes

International data transfers

Do Not Track was not one of the five priority areas, but rather a specific mechanism for implementing the principle of simplified consumer choice. The report endorsed the development of a Do Not Track system that would allow consumers to opt out of online behavioral advertising across websites and platforms1. The report also noted the progress made by various stakeholders, such as the World Wide Web Consortium (W3C), the Digital Advertising Alliance (DAA), and browser companies, in advancing the Do Not Track initiative1. References: 1: Federal Trade Commission, Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers (March 2012), available at 1.

The biggest potential privacy concern related to Chanel’s use of this new software is scanning a client’s social media accounts to use in a client profile without notice to the client. This could violate the client’s reasonable expectation of privacy and consent, as well as the privacy policies of the social media platforms. The client may not be aware that their social media posts are being used for this purpose, and may not have given their permission or opt-in consent for such data collection and processing. This could also expose the client to potential discrimination or harm based on their social media activity, such as losing their appointment or being charged a cancellation fee. Furthermore, this practice could conflict with the Fair Information Practice Principles (FIPPs), such as transparency, purpose specification, and data minimization12. References:

CIPP/US Practice Questions (Sample Questions), Question 149, Answer A, Explanation A.

IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 1, Section 1.1, p. 9-10.

The FTC alleged that Google violated its own privacy policies, engaged in deceptive trade practices, and failed to comply with Safe Harbor principles when it launched Google Buzz, a social networking service that automatically enrolled Gmail users and exposed their email contacts and other personal information without their consent or control. The FTC did not allege that Google failed to employ sufficient security safeguards, although it did require Google to implement a comprehensive privacy program and submit to regular privacy audits as part of the settlement. The other statements are incorrect because:

A. Violated its own privacy policies: The FTC alleged that Google violated its own privacy policies by using information collected from Gmail users for a purpose that wasincompatible with the purpose for which the information was collected, without obtaining their affirmative consent. Google’s privacy policy stated that "When you sign up for a particular service that requires registration, we ask you to provide personal information. If we use this information in a manner different than the purpose for which it was collected, then we will ask for your consent prior to such use."1

B. Engaged in deceptive trade practices: The FTC alleged that Google engaged in deceptive trade practices by misrepresenting the extent to which consumers could exercise control over the collection, use, and sharing of their personal information through Google Buzz. For example, Google offered consumers the option to decline or turn off Google Buzz, but the option was ineffective and did not fully remove the consumer from the social network. Google also misled consumers about how their email contacts would be treated on Google Buzz, and failed to disclose that certain information, such as the user’s frequent email contacts, would be made public by default.1

C. Failed to comply with Safe Harbor principles: The FTC alleged that Google failed to comply with the U.S.-EU Safe Harbor Framework, which provides a method for U.S. companies to transfer personal data from the European Union to the United States in a way that meets EU data protection requirements. Google had self-certified to the Department of Commerce that it adhered to the Safe Harbor Privacy Principles, which include notice, choice, access, and enforcement. The FTC alleged that Google’s conduct violated the notice and choice principles, as well as the requirement to adhere to the Safe Harbor FAQs.1 References: FTC Charges Deceptive Privacy Practices in Google’s Rollout of Its Buzz Social Network, Google, Inc., In the Matter of, Google settles with FTC over Buzz; Privacy policies to be audited for two decades, Google Settles FTC Complaint over Google Buzz Privacy

Access is the privacy concept that grants a consumer the right to view and correct errors on his or her credit report. The Fair Credit Reporting Act (FCRA) gives consumers the right to access their credit reports from the three nationwide credit reporting agencies (Equifax, Experian, and TransUnion) once every 12 months for free. Consumers also have the right to dispute any inaccurate or incomplete information in their credit reports and request that the credit reporting agencies investigate and correct the errors. The FCRA also requires the credit reporting agencies to provide consumers with a notice of their rights and a summary of the dispute process. References:

IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 2: Limits on Private-sector Collection and Use of Data, Section 2.2: Consumer Privacy, p. 38-39

IAPP CIPP/US Body of Knowledge, Domain II: Limits on Private-sector Collection and Use of Data, Objective II.B: Identify the privacy requirements for consumer data, Subobjective II.B.1: Identify the consumer rights under the Fair Credit Reporting Act, p. 13

IAPP CIPP/US Exam Blueprint, Domain II: Limits on Private-sector Collection and Use of Data, Objective II.B: Identify the privacy requirements for consumer data, Subobjective II.B.1: Identify the consumer rights under the Fair Credit Reporting Act, p. 4

Based on the incident, the FTC’s enforcement actions against the marketer would most likely include the violation of collecting information from a childunder the age of thirteen without obtaining verifiable parental consent, as required by the Children’s Online Privacy Protection Act (COPPA) Rule. The COPPA Rule applies to operators of commercial websites and online services (including mobile apps) that collect, use, or disclose personal information from children under 13, and operators of general audience websites or online services that have actual knowledge that they are collecting, using, or disclosing personal information from children under 13. The COPPA Rule also applies to websites or online services that are directed to children under 13 and that collect personal information from users of any age. The COPPA Rule defines personal information to include full name, address, phone number, email address, date of birth, and other identifiers that permit the physical or online contacting of a specific individual. The COPPA Rule requires operators to post a clear and comprehensive online privacy policy describing their information practices for personal information collected online from children; provide direct notice to parents and obtain verifiable parental consent, with limited exceptions, before collecting personal information online from children; give parents the choice of consenting to the operator’s collection and internal use of a child’s information, but prohibiting the operator from disclosing that information to third parties (unless disclosure is integral to the site or service, in which case, this must be made clear to parents); provide parents access to their child’s personal information to review and/or have the information deleted; give parents the opportunity to prevent further use or online collection of a child’s personal information; maintain the confidentiality, security, and integrity of information they collect from children, including by taking reasonable steps to release such information only to parties capable of maintaining its confidentiality and security; and retain personal information collected online from a child for only as long as is necessary to fulfill the purpose for which it was collected and delete the information using reasonable measures to protect against its unauthorized access or use. The FTC has the authority to seek civil penalties and injunctive relief for violations of the COPPA Rule. The FTC has brought numerous enforcement actions against operators for violating the COPPA Rule, resulting in millions of dollars in penalties and orders to delete illegally collected data. References:

Children’s Privacy | Federal Trade Commission

Kids’ Privacy (COPPA) | Federal Trade Commission

FTC Is Escalating Scrutiny of Dark Patterns, Children’s Privacy

FTC to Crack Down on Companies that Illegally Surveil Children Learning Online

FTC Takes Action Against Company for Collecting Children’s Personal Information Without Parental Permission

[IAPP CIPP/US Certified Information Privacy Professional Study Guide], Chapter 5, pages 165-168.

 Declan might directly violate the HIPAA Privacy Rule by using John’s name and personal health information (PHI) in his paper without his written authorization. The Privacy Rule protects the confidentiality of PHI that is created, received, maintained, or transmitted by a covered entity or its business associate. PHI includes any information that relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and that identifies the individual or for which there is a reasonable basis to believe can be used to identify the individual1. Declan, as a nursing assistant, is part of the covered entity’s workforce and must comply with the Privacy Rule. He cannot disclose John’s PHI to anyone, including his classmates or instructors, without John’s authorization or a valid exception under the Privacy Rule. Even if he does not use John’s full name, hemay still reveal enough information to make John identifiable, such as his diagnosis, his father’s condition, or his location. This would be an impermissible use and disclosure of PHI, and a potential HIPAA violation. Declan should either obtain John’s written authorization to use his PHI in his paper, or de-identify the information according to the Privacy Rule’s standards2. References:

Summary of the HIPAA Privacy Rule

Guidance Regarding Methods for De-identification of Protected Health Information in Accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule

In the United States, there is no comprehensive federal law that regulates employee monitoring in the private sector. Instead, there are various federal and state laws that address specific aspects of monitoring, such as electronic communications, video surveillance, GPS tracking, and biometric data. Generally, these laws provide more protection for employees’ privacy when they are using their own devices or personal accounts, or when they are outside of work hours or premises. However, when employees are using company-owned devices or accounts, or when they are performing work-related tasks, employers have broad authority to monitor their activities, as long as they have a legitimate business interest and do not violate any specific laws. Employers are also advised to inform employees of their monitoring practices and obtain their consent, either explicitly or implicitly, to avoid potential legal disputes or employee backlash123 References: https://www.jibble.io/article/us-employee-monitoring

https://www.worktime.com/most-asked-questions-on-us-employee-monitoring-laws

The Family Educational Rights and Privacy Act (FERPA) is a federal law that protects the privacy of student education records and gives parents or eligible students the right to access, amend, and control the disclosure of their records. FERPA applies to all educational agencies and institutions that receive funds under any program administered by the U.S. Department of Education12

FERPA requires schools to do all of the following:

Verify the identity of students who make requests for access to their records. Schools must use reasonable methods to identify and authenticate the identity of parents, students, school officials, and any other parties to whom they disclose education records12

Provide students with access to their records within a specified amount of time. Schools must provide parents or eligible students with an opportunity to inspect and review the student’s education records within 45 days of receiving a request. Schoolsare not required to provide copies of records unless it is impossible for parents or eligible students to review the records at the school12

Respond to all reasonable student requests regarding explanation of their records. Schools must provide parents or eligible students with an opportunity to request the amendment of the student’s education records that they believe are inaccurate, misleading, or otherwise in violation of the student’s privacy rights. Schools must consider the request and decide whether to amend the records within a reasonable time. If the school decides not to amend the records, it must inform the parent or eligible student of their right to a hearing on the matter12

FERPA does not require schools to do the following:

Obtain student authorization before releasing directory information in their records. Directory information is information contained in a student’s education record that would not generally be considered harmful or an invasion of privacy if disclosed. Examples of directory information include the student’s name, address, phone number, e-mail address, date and place of birth, major field of study, participation in sports and activities, dates of attendance, degrees and awards received, and most recent school attended. Schools may disclose directory information without consent unless the parent or eligible student has opted out of such disclosure. Schools must notify parents and eligible students of the types of information they designate as directory information and of their right to opt out of directory information disclosure12

Therefore, the correct answer is D. Obtain student authorization before releasing directory information in their records.

References:

Family Educational Rights and Privacy Act (FERPA)

IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 4: Federal Privacy Laws, Section 4.3: The Family Educational Rights and Privacy Act (FERPA)

A company that develops a privacy policy with standards that are much higher than its competitors may face the risk of being more closely scrutinized for any breaches of policy by regulators, customers, media, or other stakeholders. This is because the company sets a higher expectation for its privacy practices and may be held to a higher standard of accountability and transparency. If the company fails to comply with its own policy or experiences a data breach, it may face more severe consequences, such as reputational damage, loss of trust, legal liability, or regulatory sanctions. References:

IAPP CIPP/US Body of Knowledge, Section I, B, 2

[IAPP CIPP/US Study Guide, Chapter 1, Section 1.4]

The annual privacy notice requirement under the Gramm-Leach-Bliley Act (GLBA) applies to financial institutions that collect nonpublic personal information from customers and disclose it to nonaffiliated third parties, unless they qualify for an exception. A financial institution is any entity that engages in activities that are financial in nature or incidental to such activities, as defined by section 4(k) of the Bank Holding Company Act of 1956. The King County Savings and Loan is a financial institution under this definition, as it engages in lending money and accepting deposits. Therefore, it is required to provide its customers with an annual privacy notice, unless it meets the conditions for an exception. The Four Winds Tribal College, the Golden Gavel Auction House, and the Breezy City Housing Commission are not financial institutions under the GLBA, as they do not engage in activities that are financial in nature or incidental to such activities. Therefore, they are not required to provide their customers with an annual privacy notice under the GLBA. References:

Amendment to the Annual Privacy Notice Requirement Under the Gramm-Leach-Bliley Act, section I. Background, paragraph 2.

17 CFR § 248.5 - Annual privacy notice to customers required., paragraph (a) (1).

IAPP CIPP/US Study Guide, page 65.

 E-discovery is the process by which parties share, review, and collect electronically stored information (ESI) to use as evidence in a legal matter1. The rules for e-discovery mainly prevent a conflict between business practice and technological safeguards, because they establish the standards and procedures for preserving, collecting, reviewing, and producing ESI in a way that balances the needs of litigation with the realities of technology2. For example, the Federal Rules of Civil Procedure (FRCP) provide guidance on the scope, timing, format, and methods of e-discovery, as well as the sanctions for failing to comply withe-discovery obligations3. The rules also encourage cooperation and communication among parties and courts to resolve e-discovery issues efficiently and effectively4. By following the rules for e-discovery, parties can avoid disputes, delays, and costs that may arise from incompatible or inconsistent business and technological practices.

The other options are not the main purpose of the rules for e-discovery, although they may be related or affected by them. The rules for e-discovery do not directly prevent the loss of information due to poor data retention practices, although they do impose a duty to preserve relevant ESI when litigation is reasonably anticipated5. The rules for e-discovery do not directly prevent the practice of employees using personal devices for work, although they do require parties to identify and disclose the sources of ESI that may be subject to discovery, including personal devices6. The rules for e-discovery do not directly prevent a breach of an organization’s data retention program, although they do require parties to produce ESI in a reasonably usable form and to protect privileged or confidential information7.

References: 1: Everything You Need to Know About E-Discovery, The National Law Review. 2: E-Discovery: The Basics of E-Discovery Guide - Exterro, Exterro.com. 3: Federal Court and Government Agency E-Discovery Rules and Guidelines, Crowell & Moring LLP. 4: FRCP Rule 1, Cornell Law School. 5: FRCP Rule 37, Cornell Law School. 6: FRCP Rule 26, Cornell Law School. 7: FRCP Rule 34, Cornell Law School.

A cookie is a small piece of data that a website sends to a user’s browser and stores on the user’s device, usually for the purpose of remembering the user’s preferences, settings, or actions1.

A cookie notice is a message that informs the user about the website’s use of cookies and the user’s choices regarding the acceptance or rejection of cookies2.

A legal choice is the mechanism that the website provides to the user to express their consent or dissent to the use of cookies2.

There are different types of legal choices for cookie notices, depending on the applicable laws and regulations, such as the General Data Protection Regulation (GDPR) in the European Union or the California Consumer Privacy Act (CCPA) in the United States34.

The four types of legal choices mentioned in the question are:

Mandatory: The website does not allow the user to access the site unless they accept the use of cookies. This type of choice is generally considered unlawful and non-compliant with the GDPR and the CCPA34.

Implied consent: The website assumes that the user consents to the use of cookies by continuing to browse the site or by dismissing the cookie notice. This type of choice is often used by websites that operate in the U.S. or other jurisdictions that do not have strict cookie laws, but it may not be sufficient for the GDPR or the CCPA34.

Opt-in: The website requires the user to explicitly agree to the use of cookies by clicking a button or checking a box. This type of choice is usually compliant with the GDPR and the CCPA, as it ensures that the user gives informed and affirmative consent34.

Opt-out: The website allows the user to reject the use of cookies by clicking a link or changing their browser settings. This type of choice is also compliant with the GDPR and the CCPA, as it gives the user the right to withdraw their consent at any time34.

Based on the description of the cookie notice in the question, the type of legal choice that the notice provides is implied consent, as the website does not explicitly ask for the user’s agreement, but rather assumes that the user accepts the use of cookies by using the site. The notice also provides a link for the user to opt out of cookies by setting their browser to refuse them.

References: 1: Cookie 2: Cookie Notice 3: INSIGHT: Website Cookies and Privacy—GDPR, CCPA, and Evolving Standards for Online Consent 4: Do You Need A Cookie Notice

The GLBA prohibits financial institutions from disclosing a consumer’s account number or similar form of access number or access code to any nonaffiliated third party for use in telemarketing, direct mail marketing, or other marketing through electronic mail to the consumer. This restriction is intended to prevent unauthorized access to a person’s bank account by third parties who may use the account number to initiate fraudulent transactions or identity theft. The GLBA also requires financial institutions to implement safeguards to protect the security, confidentiality, and integrity of customer information, and to notify customers and regulators in the event of a security breach involving such information. References:

IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 2: Limits on Private-sector Collection and Use of Data, Section 2.3: Financial Privacy, p. 49-50

IAPP CIPP/US Body of Knowledge, Domain II: Limits on Private-sector Collection and Use of Data, Objective II.C: Identify the privacy requirements for financial institutions, Subobjective II.C.2: Identify the restrictions on disclosure of account numbers, p. 14

IAPP CIPP/US Exam Blueprint, Domain II: Limits on Private-sector Collection and Use of Data, Objective II.C: Identify the privacy requirements for financialinstitutions, Subobjective II.C.2: Identify the restrictions on disclosure of account numbers, p. 5

The HIPAA Privacy Rule generally prohibits covered entities and business associates from disclosing protected health information (PHI) to law enforcement without the individual’s authorization, unless one of the exceptions in 45 CFR § 164.512 applies. These exceptions include disclosures required by law, disclosures for law enforcement purposes, disclosures about victims of abuse, neglect or domestic violence, disclosures for health oversight activities, disclosures for judicial and administrative proceedings, disclosures for research purposes, disclosures to avert a serious threat to health or safety, disclosures for specialized government functions, disclosures for workers’ compensation, and disclosures to coroners and medical examiners. None of these exceptions apply to the type of information in option D, which is personal health information that is not related to any of the above purposes. Therefore, an organization would generally not be required to disclose such information to law enforcement under the HIPAA Privacy Rule. References: https://www.justice.gov/opcl/overview-privacy-act-1974-2020-edition/disclosures-third-parties

https://bing.com/search?q=information+disclosure+to+law+enforcement

https://hipaatrek.com/law-enforcement-hipaa-disclosing-phi/

 According to the web search results from my predefined tool, Vermont became the first state to pass a law specifically regulating the practices of data brokers in 2018. The law defines a data broker as “a business, or unit or units of a business, separately or together, that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship.” The law requires data brokers to register with the Secretary of State, pay a registration fee, provide information about their data collection and opt-out practices, and implement security measures to protect the personal information they collect and sell. The law also imposes additional obligations on data brokers that possess the personal information of minors. The law aims to increase the transparency and accountability of the data broker industry and to protect the privacy rights of consumers12. References:

Registered Data Brokers in the United States: 2021 | Privacy Rights …

Am I A Data Broker?: A Quick Primer on State Laws Regulating a … - Taft

 The U.S. Supreme Court has recognized an individual’s right to privacy over personal issues, such as contraception, by acknowledging a “penumbra” of unenumerated constitutional rights as well as more general protections of due process of law. This means that the right to privacy is not explicitly stated in the Constitution, but it is implied from other rights that are explicitly stated, such as the First Amendment rights of speech and assembly, the Third Amendment right to be free from quartering of soldiers, the Fourth Amendment right to be secure from unreasonable searches and seizures, the Fifth Amendment right to be free from self-incrimination, and the Ninth Amendment right to retain other rights not enumerated in the Constitution. These rights create a “zone of privacy” that protects individuals from undue government interference in their personal affairs. The Supreme Court first articulated this concept of privacy in Griswold v. Connecticut (1965), where it struck down a state law that prohibited the use of contraceptives by married couples. The Court also relied on the due process clause of the Fourteenth Amendment, which prohibits states from depriving any person of life, liberty, or property without due process of law. The Court interpreted this clause to include a substantive component that protects certain fundamental rights from state regulation, unless there is a compelling state interest and the regulation is narrowly tailored to achieve that interest. The Court has applied this due process analysis to other privacy issues, such as abortion, marriage, and sexual orientation. References:

Privacy | Wex | US Law | LII / Legal Information Institute

Privacy isn’t in the Constitution – but it’s everywhere in constitutional law

Privacy Rights and Personal Autonomy Legally Protected by the … - Justia

Right to privacy | Wex | US Law | LII / Legal Information Institute

The Children’s Online Privacy Protection Act (COPPA) is a federal law that protects the privacy of children under 13 who use online sites and services. COPPA requires operators of such sites and services to obtain verifiable parental consent before collecting, using, or disclosing personal information from children, and to provide notice of their information practices to parents and the public. COPPA also gives parents the right to access, review, and delete their children’s personal information, and to limit further collection or use of such information.1

One way for operators to comply with COPPA is to participate in an approved self-regulatory program, also known as a “safe harbor” program. These are programs that are run by industry groups or other organizations that set and enforce standards for privacy protection that meet or exceed the requirements of COPPA. Operators that join a safe harbor program and follow its guidelines are deemed to be in compliance with COPPA and are subject to the review and disciplinary procedures of the program instead of FTC enforcement actions. The FTC has approved several safe harbor programs, such as CARU, ESRB, iKeepSafe, kidSAFE, PRIVO, and TRUSTe.2

By participating in an approved self-regulatory program, the marketer in the scenario could have best changed its privacy management program to meet COPPA “Safe Harbor” requirements. This would mean that the marketer would have to adhere to the guidelines of the program, which would likely include obtaining verifiable parental consent before collecting personal information from children, providing clear and prominent privacy notices on its website and emails, honoring parents’ choices and requests regarding their children’s data, and ensuring the security and confidentiality of the data collected. The marketer would also benefit from the oversight and assistance of the program in ensuring compliance and resolving any complaints or disputes.3 References: 1: Complying with COPPA: Frequently Asked Questions4, Section A2: COPPA Safe Harbor Program3: IAPP CIPP/US Certified Information Privacy Professional Study Guide, page 143.

The false statement regarding the provisions of the EPPA is C. Employers are prohibited from administering psychological testing based on personality traits such as honesty, preferences or habits. The EPPA does not regulate psychological testing, only polygraph testing. Psychological testing is a broad term that covers various types of assessments that measure cognitive abilities, personality traits, interests, values, and skills. Employers may use psychological testing for various purposes, such as hiring, promotion, training, or development, as long as they comply with other laws and regulations, such as the Americans with Disabilities Act (ADA), the Equal Employment Opportunity Commission (EEOC) guidelines, and the Uniform Guidelines on Employee Selection Procedures. However, employers should be careful to ensure that thepsychological tests they use are valid, reliable, job-related, and nondiscriminatory, and that they respect the privacy and dignity of the test takers. References:

[IAPP CIPP/US Study Guide], Chapter 4: Workplace Privacy, pp. 115-116.

IAPP CIPP/US Body of Knowledge, Section IV: Workplace Privacy, Subsection A: Employee Privacy Expectations, Topic 2: Employee Polygraph Protection Act.

IAPP CIPP/US Practice Questions, Question 142.

The UK company can ensure an adequate level of data protection for the restricted data transfer to the US parent company by using the EU Standard Contractual Clauses (SCCs), which are contractual terms that provide safeguards for personal data transferred from the UK to third countries. The UK GDPR recognizes the validity of the EU SCCs adopted before the end of the Brexit transition period, and allows the UK Information Commissioner’s Office (ICO) to issue new SCCs in the future. The other options are not correct because:

A. Signing up to an approved code of conduct under the UK GDPR is not sufficient to ensure an adequate level of data protection for restricted transfers, as it is not a transfer mechanism on its own. The UK company would still need to use another appropriate safeguard, such as SCCs or Binding Corporate Rules (BCRs), to transfer personal data to the US parent company.

C. Submitting a new application for the UK BCRs is not necessary, as the UK GDPR recognizes the existing authorized EU BCRs as valid for restricted transfers from the UK. The UK company can continue to rely on its EU BCRs, as long as they are updated to reflect the UK GDPR requirements and the role of the ICO as the competent supervisory authority.

D. Allowing each employee the option to opt-out to the restricted transfer is not a valid transfer mechanism under the UK GDPR, as it does not provide adequate safeguards for the personal data of the employees. The UK company would need to obtain the explicit consent of each employee for the restricted transfer, which must be freely given, specific, informed, and unambiguous. References:

UK GDPR, Chapter V, Article 46

UK GDPR, Chapter V, Article 47

UK GDPR, Chapter V, Article 49

ICO guidance on international transfers

IAPP CIPP/US Study Guide, Chapter 10, Section 10.3.2

Data brokers are companies that collect, analyze, and share personal information about consumers for various purposes, such as marketing, risk mitigation, and research. The U.S. Federal Trade Commission (FTC) conducted a study of nine data brokers in 2012 and published a report in 2014, titled “Data Brokers: A Call for Transparency and Accountability”. In the report, the FTC identified three broad categories of products offered by data brokers, based on the primary purposes for which the products are used by their customers. The three categories are: 12

Marketing products: These products help customers target potential customers, tailor marketing offers, measure the effectiveness of marketing campaigns, and improve customer relationships. Marketing products include data elements, segments, scores, lists, and analytics that are derived from consumer data. Data brokers may provide marketing products through direct marketing (such as postal mail, e-mail, or phone), online marketing (such as online display ads, social media, or mobile apps), or marketing analytics (such as measuring consumer behavior, preferences, and trends)12

Risk mitigation products: These products help customers verify and authenticate consumers’ identities, prevent fraud, and comply with legal obligations. Risk mitigation products include identity verification, identity authentication, fraud prevention, and compliance products that are based on consumer data. Data brokers may provide risk mitigation products through various methods, such as matching consumer-providedinformation with data broker records, generating questions or challenges based on consumer data, or providing scores or indicators of fraud risk or compliance status12

Research products: These products help customers understand consumer behavior, preferences, and trends, as well as market conditions, industry developments, and economic factors. Research products include reports, studies, statistics, and insights that are derived from consumer data. Data brokers may provide research products through various formats, such as online portals, dashboards, newsletters, or custom reports12

The FTC report did not include location of individuals as one of the three broad categories of products offered by data brokers. Location of individuals may be a specific type of product or service that some data brokers provide, but it is not a primary purpose for which data brokers use consumer data. Therefore, the correct answer is C. Location of individuals (such as identifying an individual from partial information).

References:

Data Brokers: A Call For Transparency and Accountability: A Report of the Federal Trade Commission (May 2014)

IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 5: State Privacy Laws, Section 5.3: Data Broker Laws

The Consumer Privacy Bill of Rights is a set of principles proposed by the Obama administration in 2012 to protect the privacy of consumers online and offline. The principles are based on the Fair Information Practice Principles, which are widely accepted as the foundation of privacy protection. One of the principles is the right to reasonable limits on the personal data that a company retains, which means that companies should collect and keep only the personal data they need for legitimate purposes, and dispose of it securely when it is no longer needed. This principle would best reform the company’s privacy program in the scenario, as it would address the major concerns that Roberta identified in her report, such as the lack of rules and procedures for purging and destroying outdated data, and the excessive access to customer information by low-level employees. By implementing reasonable limits on the personal data that the company retains, the company would reduce the risk of data breaches, enhance customer trust, and comply with state breach notification laws. References:

Fact Sheet: Plan to Protect Privacy in the Internet Age by Adopting a Consumer Privacy Bill of Rights

IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 1: Introduction to U.S. Privacy Law, Section 1.2: The Consumer Privacy Bill of Rights

HIPAA requires covered entities, such as hospitals, to enter into contracts with their business associates, such as billing companies, that access, use, or disclose protected health information (PHI). These contracts, known as business associate agreements (BAAs), must specify the permitted and required uses and disclosures of PHI by the business associate, as well as the safeguards, reporting, and termination procedures that the business associate must follow to protect the privacy and security of PHI. By having these contracts in place, the hospital can ensure that the billing company is complying with HIPAA and observing the minimum security standards required by law. References:

HIPAA Rules for Medical Billing - Compliancy Group

HIPAA Compliance for Billing Companies: Easy Guide - iFax

The Disposal Rule is a provision of the Fair and Accurate Credit Transactions Act (FACTA) that requires businesses and individuals to take appropriate measures to dispose of sensitive information about consumers, such as credit reports, that are derived from consumer reports. The Disposal Rule is intended to reduce the risk of identity theft and fraud by preventing unauthorized access to or use of the information. According to the Disposal Rule, reasonable steps for disposal include burning, pulverizing, or shredding papers that contain consumer report information so that they cannot be read or reconstructed.

In this scenario, the most appropriate action for a car dealer holding a paper folder of customer credit reports is to follow the Disposal Rule by having the reports shredded. This would ensure that the car dealer complies with the FACTA and protects the privacy and security of the customers’ personal data. The other options are not correct, because:

The Red Flags Rule is another provision of the FACTA that requires financial institutions and creditors to implement a written identity theft prevention program that identifies and responds to the warning signs or red flags of identity theft in their operations. The Red Flags Rule does not apply to the disposal of consumer report information, nor does it require mailing the reports to customers, which could expose the information to interception or theft.

The Privacy Rule is a provision of the Gramm-Leach-Bliley Act (GLBA) that requires financial institutions to provide notice to customers about their privacy policies and practices, and to allow customers to opt out of sharing their personal information with certain third parties. The Privacy Rule does not apply to the disposal of consumer report information, nor does it require notifying customers that the reports are being stored, which could alert potential identity thieves to the existence of the information.

The Safeguards Rule is another provision of the GLBA that requires financial institutions to develop, implement, and maintain a comprehensive information security program that protects the security, confidentiality, and integrity of customer information. The Safeguards Rule does not apply to the disposal of consumer report information, nor does it require transferring the reports to a secure electronic file, which could still be vulnerable to hacking or unauthorized access.

References:

FTC website, FACTA Disposal Rule Goes into Effect June 1

Shred Nations website, What Is the FACTA Disposal Rule?

Seam Services website, The FACTA Disposal Rule: What Does It Mean for Your Business?

IAPP CIPP/US Study Guide, Chapter 2: Limits on Private-sector Collection and Use of Data, pp. 49-50

IAPP website, Red Flags Rule

IAPP website, Fair and Accurate Credit Transactions Act (FACTA)

 An intrusion upon seclusion tort occurs when someone intentionally intrudes, physically or otherwise, upon the solitude or seclusion of another or his private affairs or concerns, if the intrusion would be highly offensive to a reasonable person12. The intrusion does not need to involve a physical trespass, but can also be an electronic or optical intrusion, such as using a webcam to record a person who has a reasonable expectation of privacy2. The intrusion must also cause mental anguish or suffering to the plaintiff2.

In this case, option A would best support an employee claim for an intrusion upon seclusion tort, because the webcam is enabled to record video any time the computer is turned on, regardless of whether the employee is working or not, or whether the employee is in a private or public place. This would be an intentional and highly offensive intrusion into the employee’s seclusion or private affairs, and would likely cause the employee distress or anxiety.

Option B would not support an intrusion upon seclusion tort, because the creation and saving of a biometric template based on keystroke dynamics is not an intrusion into the employee’s seclusion or private affairs, but rather a data collection and processing activity that may implicate other privacy laws or principles, such as notice, consent, and security3.

Option C would not support an intrusion upon seclusion tort, because the software sending a notification to a supervisor when the employee’s mouse is dormant for more than five minutes is not an intrusion into the employee’s seclusion or private affairs, but rather a performance monitoring activity that may be justified by the employer’s legitimate business interests4.

Option D would not support an intrusion upon seclusion tort, because the webcam recording video of an employee using a company laptop to perform personal business while at a coffee shop during work hours is not an intrusion into the employee’s seclusion or private affairs, but rather a misuse of company property and time that may be subject to the employer’s policies and disciplinary actions5. Moreover, the employee may not have a reasonable expectation of privacy in a public place like a coffee shop. References: 1: Intrusion on seclusion - Wikipedia 2: Elements of an Intrusion Claim | Digital Media Law Project 3: Biometrics - IAPP 4: Employee Monitoring - IAPP 5: Employee Privacy - IAPP : Privacy in Public Places - IAPP

California’s SB 1386, also known as the California Security Breach Information Act, was enacted in 2002 and became effective in 2003. It was the first law of its kind in the United States to require commercial entities that own or license personal information of California residents to notify them in the event of a security breach that compromises their unencrypted data. The law aims to protect the privacy and security of personal information and to enable individuals to take preventive measures against identity theft and fraud. The law applies to any business or person that conducts business in California and that owns or licenses computerized data that includes personal information, as defined by the law. Personal information includes an individual’s first name or first initial and last name in combination with any one or more of the following data elements: Social Security number, driver’s license number or California identification card number, account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account, or medical information or health insurance information. The law does not apply to encrypted information, publicly available information, or information that is lawfully obtained from federal, state, or local government records. The law requires the disclosure of a breach of the security of the system to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system. The disclosure may be made by written notice, electronic notice, or substitute notice, as specified by the law. The law also requires any person or business that maintains computerized data that includes personal information that the person or business does not own to notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The law also authorizes a civil action for damages by a customer injured by a violation of the law and provides that the rights and remedies available under the law are cumulative to each other and to any other rights and remedies available under law. References:

California Senate Bill 1386 (2002)

California SB 1386: For the Love of Privacy

What Is the California Security Breach Information Act?

California Raises the Bar on Data Security and Privacy

Financial institutions (FIs) collect and process a large amount of personal data from their customers, such as name, address, account number, transaction history, credit score, etc. Customers may have different preferences regarding how their data is used, shared, or protected by the FIs. For example, some customers may want to receive marketing offers from the FIs or their affiliates, while others may opt out of such communications. Some customers may prefer to access their accounts online, while others may use mobile apps, phone calls, or physical branches. Some customers may want to enable biometric authentication, while others may rely on passwords or PINs.

Managing these diverse and dynamic user preferences is a challenge for FIs, as they need to ensure that they respect and honor the choices of their customers across all the channels and platforms they use. This requires FIs to have arobust and integrated system that can capture, store, update, and apply user preferences consistently and accurately. Failing to do so may result in customer dissatisfaction, loss of trust, regulatory fines, or legal disputes.12

References: 1: The Top Three Digital Challenges Faced By Financial Institutions And How To Overcome Them3, paragraph 42: IAPP CIPP/US Certified Information Privacy Professional Study Guide, page 127.

The best way for Otto to minimize the privacy risks involved in using a cloud provider for the HR data is to ensure that the cloud provider abides by the contractual requirements by conducting an on-site audit. This would allow Otto to verify that the cloud provider has implemented adequate security measures, such as encryption, access controls, and backup systems, to protect the HR data from unauthorized access, use, or disclosure. It would also allow Otto to check that the cloud provider is complying with the applicable privacy laws and regulations, such as the CCPA, the APEC Privacy Framework, and the breach notification requirements. By conducting an on-site audit, Otto can identify any gaps or weaknesses in the cloud provider’s privacy practices and address them promptly. This would also demonstrate due diligence and accountability on the part of Filtration Station, which could mitigate the legal and reputational consequences of a data breach. References:

[IAPP CIPP/US Study Guide], Chapter 3: Data Assessments, pp. 77-78.

IAPP CIPP/US Body of Knowledge, Section III: Government and Court Access to Private-sector Information, Subsection B: Cross-Border Data Transfer, Topic 2: APEC Privacy Framework.

IAPP CIPP/US Practice Questions, Question 125.

According to the Health Insurance Portability and Accountability Act (HIPAA), a covered entity is a health plan, a health care clearinghouse, or a health care provider that transmits any health information in electronic form in connection with a transaction covered by HIPAA. A covered entity must report a breach of unsecured protected health information (PHI) to the following parties:

The Department of Health and Human Services (HHS), which is the federal agency responsible for enforcing HIPAA and issuing regulations and guidance on privacy and security issues. A covered entity must notify HHS of a breach affecting 500 or more individuals without unreasonable delay and in no case later than 60 days after discovery of the breach. A covered entity must also notify HHS of breaches affecting fewer than 500 individuals within 60 days of the end of the calendar year in which the breaches occurred.

The affected individuals, who are the individuals whose PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed as a result of the breach. A covered entity must notify the affected individuals without unreasonable delay and in no case later than 60 days after discovery of the breach. The notification must be in writing by first-class mail or, if the individual agrees, by electronic mail. The notification must include a brief description of the breach, the types of information involved, the steps the individual should take to protect themselves, the steps the covered entity is taking to investigate and mitigate the breach, and the contact information of the covered entity.

The local media, if the breach affects more than 500 residents of a state or jurisdiction. A covered entity must notify prominent media outlets serving the state or jurisdiction without unreasonable delay and in no case later than 60 days after discovery of the breach. The notification must include the same information as the notification to the affected individuals.

A covered entity does not have to report the breach to medical providers, unless they are also affected individuals or business associates of the covered entity. A business associate is a person or entity that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of PHI. A covered entity must have a writtencontract or agreement with its business associates that requires them to protect the privacy and security of PHI and report any breaches to the covered entity.

References:

IAPP CIPP/US Body of Knowledge, Domain II: Limits on Private-sector Collection and Use of Data, Section C: Sector-specific Requirements for Health Information

IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 2: Limits on Private-sector Collection and Use of Data, Section 2.3: Sector-specific Requirements for Health Information

Practice Exam - International Association of Privacy Professionals