IAPP CIPP-US Certified Information Privacy Professional/United States (CIPP/US) Exam Practice Test

The Civil Rights Act, Pregnancy Discrimination Act, Americans with Disabilities Act, Age Discrimination Act, and Equal Pay Act are all federal laws that prohibit employment discrimination based on certain protected characteristics, such as race, sex, disability, age, and pay1234 These laws also afford certain classes of employees’ privacy protection by limiting inquiries concerning their personal information that may reveal their protected status or be used for discriminatory purposes. For example:

• The Civil Rights Act of 1964 prohibits employers from making pre-employment inquiries that express a preference, limitation, or specification based on race, color, religion, sex, or national origin, unless they are bona fide occupational qualifications.
• The Pregnancy Discrimination Act of 1978, which amended the Civil Rights Act of 1964, prohibits employers from making pre-employment inquiries about whether an applicant is pregnant or intends to become pregnant, unless they are related to the ability to perform the job.
• The Americans with Disabilities Act of 1990 prohibits employers from making pre-employment inquiries about whether an applicant has a disability or the nature or severity of a disability, unless they are related to the ability to perform the essential functions of the job with or without reasonable accommodation.
• The Age Discrimination in Employment Act of 1967 prohibits employers from making pre-employment inquiries about an applicant’s age, unless they are related to a bona fide occupational qualification or a lawful affirmative action plan.
• The Equal Pay Act of 1963 prohibits employers from making pre-employment inquiries about an applicant’s salary history, unless they are made for a lawful purpose other than determining the applicant’s pay.

Option A is incorrect because these laws do not require employers not to discriminate against certain classes when employees use personal information. Rather, they require employers not to discriminate against certain classes in any aspect of employment, such as hiring, firing, pay, promotion, training, benefits, etc1234 The use of personal information by employees is not directly addressed by these laws, although it may be subject to other privacy laws or policies.

Option B is incorrect because these laws do not require that employers provide reasonable accommodations to certain classes of employees. Rather, only the Americans with Disabilities Act and the Pregnancy Discrimination Act require employers to provide reasonable accommodations to qualified individuals with disabilities and workers with limitations related to pregnancy, childbirth, or related medical conditions, respectively, unless doing so would cause an undue hardship to the employer. The other laws do not have a similar requirement, although they may prohibit employers from denying equal opportunities to certain classes of employees.

Option C is correct because these laws afford certain classes of employees’ privacy protection by limiting inquiries concerning their personal informationthat may reveal their protected status or be used for discriminatory purposes, as explained above.

Option D is incorrect because these laws do not permit employers to use or disclose personal information specifically about employees who are members of certain classes. Rather, these laws generally prohibit employers from using or disclosing personal information that is protected by these laws for any unlawful or discriminatory purpose, unless an exception applies. For example, employers may use or disclose such information for legitimate business reasons, such as complying with reporting requirements, administering benefits, or conducting investigations.

References: 1: Facts About Equal Pay and Compensation Discrimination 2: Pregnancy Discrimination and Pregnancy-Related Disability Discrimination | U.S. Equal Employment Opportunity Commission 3: Regulations, Guidance and Policy | Equal Opportunity Guidance | OEEOWE 4: Age Discrimination | U.S. Equal Employment Opportunity Commission : Pre-Employment Inquiries and Medical Questions & Examinations | U.S. Equal Employment Opportunity Commission : Employee Medical Information | U.S. Equal Employment Opportunity Commission : Employee Privacy Rights | U.S. Department of Labor : Title VII of the Civil Rights Act of 1964 | U.S. Equal Employment Opportunity Commission : Fact Sheet: Pregnancy Discrimination | U.S. Equal Employment Opportunity Commission : The Americans with Disabilities Act: A Primer for Small Business : Age Discrimination in Employment Act of 1967 | U.S. Equal Employment Opportunity Commission : Equal Pay Act of 1963 | U.S. Equal Employment Opportunity Commission

A private right of action is a legal provision that grants individuals the ability to bring a lawsuit against a party that has wronged them and to seek redress for the harm that they have suffered. A private right of action is a fundamental component of the U.S. judicial system and an essential element of enforcingprivacy rights. Privacy advocates argue that a private right of action is necessary to hold perpetrators of privacy violations accountable and to address the limitations of the FTC’s enforcement authority. However, businesses are concerned that a private right of action would lead to a proliferation of frivolous lawsuits that would burden responsible data processors and impede innovation. References:

• U.S. Private-Sector Privacy, Third Edition by Peter P. Swire, DeBrae Kennedy-Mayo, Chapter 2, Section 2.3.3, pp. 35-36.
• How to end the deadlock on the private right of action by Paula Bruening, IAPP Privacy Perspectives, Jan 20, 2022.
• Private Right of Action (Legal Definition & Examples) by Lawrina, accessed on Jan 25, 2022.

The Telemarketing Sales Rule (TSR) is a federal regulation that applies to telemarketing calls, which are defined as "a plan, program, or campaign which is conducted to induce the purchase of goods or services or a charitable contribution, by use of one or more telephones and which involves more than one interstate telephone call."1 The TSR requires telemarketers to make specific disclosures, prohibit misrepresentations, limit the times and number of calls, and set payment restrictions for the sale of certain goods and services. The TSR also gives consumers the right to opt out of receiving telemarketing calls by registering their phone numbers on the National Do Not Call Registry.2

The TSR applies to both for-profit and not-for-profit organizations, but there are some exemptions and partial exemptions for certain types of entities, calls, and transactions. For example, the TSR does not apply to nonprofit organizations calling on their own behalf, as they are not considered to be engaged intelemarketing. However, if a nonprofit organization hires a for-profit telemarketer or telefunder to solicit charitable contributions on its behalf, the for-profit entity must comply with the TSR, as it is engaged in telemarketing. Similarly, the TSR does not apply to for-profit organizations calling businesses when a binding contract exists between them, as they are not considered to be inducing the purchase of goods or services. However, if a for-profit organization calls businesses to sell additional services to established customers, the TSR applies, as it is considered to be inducing the purchase of goods or services.3

Therefore, among the four options, only for-profit organizations and for-profit telefunders regarding charitable solicitations must comply with the TSR, as they are engaged in telemarketing and do not fall under any of the exemptions or partial exemptions. References: 1: eCFR :: 16 CFR Part 310 – Telemarketing Sales Rule3, Section 310.22: Telemarketing Sales Rule | Federal Trade Commission1, Rule Summary3: Complying with the Telemarketing Sales Rule - Federal Trade Commission2, Exemptions to the TSR.

The USA FREEDOM Act is a law that was enacted in 2015 to reform the surveillance practices of the U.S. government. The law was a response to the revelations by Edward Snowden about the mass collection of phone records and internet data by the National Security Agency (NSA) under the authority of Section 215 of the USA PATRIOT Act. The USA FREEDOM Act ended the bulk collection of telephone data and internet metadata by the NSA, and instead required the government to obtain a specific order from the Foreign Intelligence Surveillance Court (FISC) to access such data from the telecommunication providers. The law also authorized the following practices:

• Emergency exceptions that allow the government to target roamers: The law allows the government to temporarily target a non-U.S. person who is using a phone number or identifier of a U.S. person, without a court order, if there is an emergency situation that involves a threat of death or serious bodily harm. The government must obtain a court order within seven days to continue the surveillance.
• An increase in the maximum penalty for material support to terrorism: The law increases the maximum prison term for providing material support or resources to a foreign terrorist organization from 15 years to 20 years.
• An extension of the expiration for roving wiretaps: The law extends the sunset date for the roving wiretap provision of the USA PATRIOT Act, which allows the government to obtain a single order from the FISC to conduct surveillance on a target who switches devices or locations, without specifying the device or location. The law extends the expiration date from June 1, 2015 to December 15, 2019. References:
• USA FREEDOM Act
• USA FREEDOM Act Summary
• USA FREEDOM Act FAQs

Access is the privacy concept that grants a consumer the right to view and correct errors on his or her credit report. The Fair Credit Reporting Act (FCRA) gives consumers the right to access their credit reports from the three nationwide credit reporting agencies (Equifax, Experian, and TransUnion) once every 12 months for free. Consumers also have the right to dispute any inaccurate or incomplete information in their credit reports and request that the credit reporting agencies investigate and correct the errors. The FCRA also requires the credit reporting agencies to provide consumers with a notice of their rights and a summary of the dispute process. References:

• IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 2: Limits on Private-sector Collection and Use of Data, Section 2.2: Consumer Privacy, p. 38-39
• IAPP CIPP/US Body of Knowledge, Domain II: Limits on Private-sector Collection and Use of Data, Objective II.B: Identify the privacy requirements for consumer data, Subobjective II.B.1: Identify the consumer rights under the Fair Credit Reporting Act, p. 13
• IAPP CIPP/US Exam Blueprint, Domain II: Limits on Private-sector Collection and Use of Data, Objective II.B: Identify the privacy requirements for consumer data, Subobjective II.B.1: Identify the consumer rights under the Fair Credit Reporting Act, p. 4

Redaction is the permanent removal of sensitive data—the digital equivalent of “blacking out” text in printed material. Redaction can be accomplished by simply deleting characters from a file or database record, or by replacing characters with asterisks or other placeholders. Redaction is often used to protect personal information, such as names, addresses, social security numbers, or financial data, on documents that are disclosed in litigation, such as pleadings, exhibits, or discovery responses. Redaction is required by courts to comply with privacy laws and rules, such as the Federal Rules of Civil Procedure (FRCP), which mandate that parties must redact certain types of personal information from documents filed with the court or produced to the other party. Redaction is also a best practice to minimize the risk of unauthorized access, identity theft, or reputational harm that may result from exposing personal information in litigation. References:

• When to redact, or not, disclosable documents in litigation - Stewarts
• The approach to redaction – High Court guidance - Lexology
• IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 3: Federal Privacy Laws and Regulations, Section 3.2: Federal Rules of Civil Procedure (FRCP).

The Colorado Privacy Act (CPA) grants consumers the right to access, correct, or delete their personal data, including sensitive data, that is processed by a controller1. Sensitive data is defined as personal data that reveals racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life or sexual orientation, citizenship or citizenship status, genetic or biometric data, or personal data from a known child2. The CPA also grants consumers the right to opt out of the processing of their personal data for purposes of targeted advertising, the sale of personal data, or certain kinds of profiling3. However, the CPA does not grant consumers the right to limit the use of sensitive data for other purposes, such as providing a product or service requested by the consumer, complying with legal obligations, or protecting the vital interests of the consumer or another person. Therefore, option D is the correct answer, as it is not a privacy right available under the CPA. References: 1: Colorado Privacy Act (CPA) - Colorado Attorney General 2: Protect Personal Data Privacy | Colorado General Assembly 3: SENATE BILL 21-190 Woodward, Garcia; PRIVACY. COLORADO PRIVACY ACT … : Colorado Privacy Act: What You Need to Know | OneTrust DataGuidance

When selecting a vendor to manage personal information, the company should consider various criteria, such as the vendor’s reputation, financial health, employee training program, privacy policies, security practices, compliance record, contractual terms, and service quality. However, the vendor’s employee retention rates may not be as important as the other factors, as they do not directly affect the vendor’s ability to protect and process the personal information entrusted to them. While high employee turnover may indicate some issues with the vendor’s management or culture, it may not necessarily impact the vendor’s performance or reliability, as long as the vendor has adequate measures to ensure continuity, accountability, and confidentiality of the personal information they handle. References:

• Vendor Selection Process: a Step-by-Step Guide, section “Step 2: Define the vendor selection criteria”
• [IAPP CIPP/US Study Guide], p. 81-82, section 3.4.1
• [IAPP CIPP/US Body of Knowledge], p. 18-19, section C.2.a

An injunction is a court order that requires a party to stop or refrain from doing something. In a case of civil litigation, a defendant who is being sued for distributing an employee’s private information might face an injunction that prohibits them from further disclosing or using the employee’s private information. An injunction is a form of equitable relief that aims to prevent or remedy harm that cannot be adequately compensated by monetary damages. Probation, criminal fines, and jail sentences are forms of criminal sanctions that are not applicable in civil litigation, unless the defendant is also charged with a criminal offense related to the distribution of the employee’s private information. References: Standing issues in U.S. privacy class actions, US Private-Sector Privacy (CIPP/US Exam Prep), IAPP CIPP/US

 Employers have a duty to protect the personal information of their current and former employees, as well as applicants, from unauthorized access, use, or disclosure. This duty may arise from federal or state laws, such as the Fair Credit Reporting Act (FCRA), the Health Insurance Portability and Accountability Act (HIPAA), or the California Consumer Privacy Act (CCPA), or from contractual obligations, such as non-disclosure agreements or privacy policies. Employers may retain sensitive employment records, such as performance evaluations, disciplinary actions, medical records, or background checks, for a legitimate business purpose, such as complying with legal requirements, defending against lawsuits, or conducting audits. However, employers must ensure that these records are stored securely, accessed only by authorized personnel, and disposed of properly when no longer needed. References: IAPP CIPP/US Study Guide, Chapter 4, Section 4.1.1, IAPP CIPP/US Body of Knowledge, Domain IV, Objective B

According to the HIPAA Security Rule, covered entities are responsible for ensuring that their business associates comply with the security standards and safeguards required by the rule. This includes conducting due diligence to assess the business associate’s security capabilities and practices, and monitoring their performance and compliance. Failure to do so may result in a violation of the rule and a penalty by the HHS. In this scenario, HealthCo did not perform due diligence on CloudHealth before entering the contract, and did not conduct audits of CloudHealth’s security measures. This is the most significant reason why HHS might impose a penalty on HealthCo, as it indicates a lack of oversight and accountability for the protection of ePHI. References:

• HIPAA Security Rule
• HIPAA Business Associate Contracts
• HIPAA Enforcement and Penalties

The FTC alleged that Google violated its own privacy policies, engaged in deceptive trade practices, and failed to comply with Safe Harbor principles when it launched Google Buzz, a social networking service that automatically enrolled Gmail users and exposed their email contacts and other personal information without their consent or control. The FTC did not allege that Google failed to employ sufficient security safeguards, although it did require Google to implement a comprehensive privacy program and submit to regular privacy audits as part of the settlement. The other statements are incorrect because:

• A. Violated its own privacy policies: The FTC alleged that Google violated its own privacy policies by using information collected from Gmail users for a purpose that wasincompatible with the purpose for which the information was collected, without obtaining their affirmative consent. Google’s privacy policy stated that "When you sign up for a particular service that requires registration, we ask you to provide personal information. If we use this information in a manner different than the purpose for which it was collected, then we will ask for your consent prior to such use."1
• B. Engaged in deceptive trade practices: The FTC alleged that Google engaged in deceptive trade practices by misrepresenting the extent to which consumers could exercise control over the collection, use, and sharing of their personal information through Google Buzz. For example, Google offered consumers the option to decline or turn off Google Buzz, but the option was ineffective and did not fully remove the consumer from the social network. Google also misled consumers about how their email contacts would be treated on Google Buzz, and failed to disclose that certain information, such as the user’s frequent email contacts, would be made public by default.1
• C. Failed to comply with Safe Harbor principles: The FTC alleged that Google failed to comply with the U.S.-EU Safe Harbor Framework, which provides a method for U.S. companies to transfer personal data from the European Union to the United States in a way that meets EU data protection requirements. Google had self-certified to the Department of Commerce that it adhered to the Safe Harbor Privacy Principles, which include notice, choice, access, and enforcement. The FTC alleged that Google’s conduct violated the notice and choice principles, as well as the requirement to adhere to the Safe Harbor FAQs.1 References: FTC Charges Deceptive Privacy Practices in Google’s Rollout of Its Buzz Social Network, Google, Inc., In the Matter of, Google settles with FTC over Buzz; Privacy policies to be audited for two decades, Google Settles FTC Complaint over Google Buzz Privacy

The HIPAA Security Rule requires covered entities and their business associates to implement three types of safeguards to protect the confidentiality, integrity, and availability of electronic protected health information (ePHI): administrative, physical, and technical1. Security safeguards is not a separate category of safeguards, but rather a general term that encompasses all three types. Therefore, it is not a correct answer to the question.

• Administrative safeguards are the policies and procedures that govern the conduct of the workforce and the security measures put in place to protect ePHI. They include risk analysis and management, training, contingency planning, incident response, and evaluation12.
• Physical safeguards are the locks, doors, cameras, and other physical measures that prevent unauthorized access to ePHI. They include workstation and device security, locks and keys, and disposal of media12.
• Technical safeguards are the software and hardware tools that protect ePHI from unauthorized access, alteration, or destruction. They include access control, encryption, audit controls, integrity controls, and transmission security12.

In the scenario, HealthCo’s actions have potentially violated all three types of safeguards. For example:

• HealthCo did not perform due diligence on CloudHealth before entering the contract, and has not conducted audits of CloudHealth’s security measures. This could be a breach of the administrative safeguard of risk analysis and management12.
• HealthCo discovers that CloudHealth has not encrypted the PHI in accordance with the terms of its contract. This could be a breach of the technical safeguard of encryption12.
• HealthCo provides its investigative report of the breach and a copy of the PHI of the individuals affected to law enforcement. This could be a breach of the physical safeguard of disposal of media, if HealthCo did not ensure that the media was properly erased or destroyed after the transfer12.

References: 1: Summary of the HIPAA Security Rule, HHS.gov. 2: What is the HIPAA Security Rule? Safeguards … - Secureframe, Secureframe.com.

The ADA prohibits employers from discriminating against qualified individuals with disabilities in all aspects of employment, including hiring, firing, promotion, compensation, and training. The ADA also limits the types of medical inquiries and examinations that employers can make of applicants and employees. Under the ADA, a disability is defined as a physical or mental impairment that substantially limits one or more major life activities, a record of such an impairment, or being regarded as having such an impairment. The ADA covers current, past, and perceived drug addiction as a disability, unless the individual is currently engaging in the illegal use of drugs. Therefore, Felicia’s plan to ask applicants about drug addiction may violate the ADA, unless she can show that the inquiry is job-related and consistent with business necessity. The other laws are not directly relevant to Felicia’s plan, although they may have other implications for her business. References: ADA, IAPP CIPP/US Study Guide (p. 95-96)

Privacy by Design is a concept that the FTC endorsed in its 2012 report on protecting consumer privacy1. It seeks to deliver the maximum degree of privacy by ensuring that personal data are automatically protected in any given IT system or business practice2. It asserts that data held by an organization ultimately belongs to the consumer and organizations should ensure that data subjects are properly informed about how their data is collected and used3. Privacy by Design requires companies to build in consumers’ privacy protections at every stage in developing their products, including reasonable security for consumer data, limited collection and retention of such data, and reasonable procedures to promote data accuracy1. References: 1: FTC Report of 2012, p. 22-23; 2: Global Data Review3; 3: Termly4.

Data brokers are companies that collect, analyze, and share personal information about consumers for various purposes, such as marketing, risk mitigation, and research. The U.S. Federal Trade Commission (FTC) conducted a study of nine data brokers in 2012 and published a report in 2014, titled “Data Brokers: A Call for Transparency and Accountability”. In the report, the FTC identified three broad categories of products offered by data brokers, based on the primary purposes for which the products are used by their customers. The three categories are: 12

• Marketing products: These products help customers target potential customers, tailor marketing offers, measure the effectiveness of marketing campaigns, and improve customer relationships. Marketing products include data elements, segments, scores, lists, and analytics that are derived from consumer data. Data brokers may provide marketing products through direct marketing (such as postal mail, e-mail, or phone), online marketing (such as online display ads, social media, or mobile apps), or marketing analytics (such as measuring consumer behavior, preferences, and trends)12
• Risk mitigation products: These products help customers verify and authenticate consumers’ identities, prevent fraud, and comply with legal obligations. Risk mitigation products include identity verification, identity authentication, fraud prevention, and compliance products that are based on consumer data. Data brokers may provide risk mitigation products through various methods, such as matching consumer-providedinformation with data broker records, generating questions or challenges based on consumer data, or providing scores or indicators of fraud risk or compliance status12
• Research products: These products help customers understand consumer behavior, preferences, and trends, as well as market conditions, industry developments, and economic factors. Research products include reports, studies, statistics, and insights that are derived from consumer data. Data brokers may provide research products through various formats, such as online portals, dashboards, newsletters, or custom reports12

The FTC report did not include location of individuals as one of the three broad categories of products offered by data brokers. Location of individuals may be a specific type of product or service that some data brokers provide, but it is not a primary purpose for which data brokers use consumer data. Therefore, the correct answer is C. Location of individuals (such as identifying an individual from partial information).

References:

• Data Brokers: A Call For Transparency and Accountability: A Report of the Federal Trade Commission (May 2014)
• IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 5: State Privacy Laws, Section 5.3: Data Broker Laws

 In order for a court to hear a case, it must have both personal jurisdiction and subject matter jurisdiction. Personal jurisdiction refers to the authority of a court over the parties to a case, while subject matter jurisdiction refers to the authority of a court to hear a particular type of case. For example, a federal court may have subject matter jurisdiction over a case involving a federal law, but it may not have personal jurisdiction over a defendant who has no contacts with the state where the court is located. Similarly, a state court may have personal jurisdiction over a resident of the state, but it may not have subject matter jurisdiction over a case involving a foreign treaty. References: [IAPP CIPP/US Study Guide], Chapter 2: Introduction to U.S. Law, p. 25-26; Wex Legal Dictionary, Subject Matter Jurisdiction and Personal Jurisdiction.

The FTC is the primary federal agency responsible for enforcing privacy and data security laws in the United States. The FTC has broad jurisdiction over most commercial entities that collect, use, or share personal information from consumers. The FTC Act prohibits unfair or deceptive acts or practices in or affecting commerce, which includes unfair or deceptive privacy practices. The FTC can bring enforcement actions against companies that violate their own privacy policies, fail to provide adequate notice or choice to consumers, engage in unfair or harmful data practices, or breach consumers’ reasonable expectations of privacy. The FTC can also issue rules, guidelines, and reports on privacy and data security issues, as well as conduct investigations, workshops, and educational campaigns. References:

• IAPP CIPP/US Body of Knowledge, Section I.A.1.a
• IAPP CIPP/US Textbook, Chapter 1, pp. 9-12
• FTC Privacy and Security Enforcement

 The most important step for the HR department to take when implementing this new software is to provide notice to employees that their emails will be scanned by the software and creating automated profiles. This is because the software involves the collection and use of personal information from employees, which may implicate their privacy rights and expectations. By providing notice, the HR department can inform employees about the purpose, scope, and consequences of the software, as well as their choices and rights regarding their data. Notice is also a key element of transparency and accountability, which are essential principles of privacy management. Providing notice can also help the HR department comply with various privacy laws and regulations that may apply to the software, such as the Electronic Communications Privacy Act (ECPA), the Stored Communications Act (SCA), the Fair Credit Reporting Act (FCRA), and state privacy laws. Notice can also help the HR department avoid potential legal risks and liabilities that may arise from the software, such as claims of invasion of privacy, breach of contract, or violation of employee rights. References:

• U.S. Private-Sector Privacy, Third Edition by Peter P. Swire, DeBrae Kennedy-Mayo, Chapter 4, Section 4.2.1, pp. 97-98.
• U.S. Private-Sector Privacy, Third Edition by Peter P. Swire, DeBrae Kennedy-Mayo, Chapter 5, Section 5.2.1, pp. 125-126.
• U.S. Private-Sector Privacy, Third Edition by Peter P. Swire, DeBrae Kennedy-Mayo, Chapter 6, Section 6.2.1, pp. 153-154.
• IAPP CIPP/US Certified Information Privacy Professional Study Guide by Mike Chapple and Joe Shelley, Chapter 4, Section 4.1, pp. 113-114.

The Family Educational Rights and Privacy Act (FERPA) is a federal law that protects the privacy of student education records and gives parents or eligible students the right to access, amend, and control the disclosure of their records. FERPA applies to all educational agencies and institutions that receive funds under any program administered by the U.S. Department of Education12

FERPA requires schools to do all of the following:

• Verify the identity of students who make requests for access to their records. Schools must use reasonable methods to identify and authenticate the identity of parents, students, school officials, and any other parties to whom they disclose education records12
• Provide students with access to their records within a specified amount of time. Schools must provide parents or eligible students with an opportunity to inspect and review the student’s education records within 45 days of receiving a request. Schoolsare not required to provide copies of records unless it is impossible for parents or eligible students to review the records at the school12
• Respond to all reasonable student requests regarding explanation of their records. Schools must provide parents or eligible students with an opportunity to request the amendment of the student’s education records that they believe are inaccurate, misleading, or otherwise in violation of the student’s privacy rights. Schools must consider the request and decide whether to amend the records within a reasonable time. If the school decides not to amend the records, it must inform the parent or eligible student of their right to a hearing on the matter12

FERPA does not require schools to do the following:

• Obtain student authorization before releasing directory information in their records. Directory information is information contained in a student’s education record that would not generally be considered harmful or an invasion of privacy if disclosed. Examples of directory information include the student’s name, address, phone number, e-mail address, date and place of birth, major field of study, participation in sports and activities, dates of attendance, degrees and awards received, and most recent school attended. Schools may disclose directory information without consent unless the parent or eligible student has opted out of such disclosure. Schools must notify parents and eligible students of the types of information they designate as directory information and of their right to opt out of directory information disclosure12

Therefore, the correct answer is D. Obtain student authorization before releasing directory information in their records.

References:

• Family Educational Rights and Privacy Act (FERPA)
• IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 4: Federal Privacy Laws, Section 4.3: The Family Educational Rights and Privacy Act (FERPA)

Nevada’s privacy law, Senate Bill 260 (SB 260), is an amendment to the existing Nevada Revised Statutes (NRS) Chapter 603A that was enacted in June 2021 and will take effect on October 1, 2021. SB 260 expands the scope and definition of “covered information” under NRS 603A to include any information that identifies, relates to, describes, or is capable of being associated with a consumer, such as name, address, email, phone number, social security number, biometric data, geolocation data, and online identifiers. SB 260also grants Nevada consumers the right to opt out of the sale of their covered information by an operator of a website or online service that collects and maintains such information.

Under SB 260, an operator is defined as a person who owns or operates a website or online service for commercial purposes, collects and maintains covered information from consumers who reside in Nevada and use or visit the website or online service, and purposefully directs its activities toward Nevada. A sale is defined as the exchange of covered information for monetary consideration by the operator to a person for the person to license or sell the covered information to additional persons. However, there are some exceptions to the definition of a sale, such as:

• If the consumer has consented to the sale after being provided with clear and conspicuous notice of the sale and the opportunity to opt out.
• If the sale is to a person who processes the covered information on behalf of the operator.
• If the sale is to a person with whom the consumer has a direct relationship for the purposes of providing a product or service requested by the consumer.
• If the sale is to a person for purposes that are consistent with the reasonable expectations of the consumer considering the context in which the consumer provided the covered information to the operator.
• If the sale is to a person who is an affiliate of the operator.
• If the sale is to a person as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the person assumes control of all or part of the operator’s assets.

To comply with SB 260, an operator that sells covered information must provide a designated request address through which a consumer may submit a verified request to opt out of the sale. The designated request address may be an email address, a toll-free telephone number, or an Internet website. The operator must respond to the verified request within 60 days, and may extend the response period for an additional 30 days if reasonably necessary. The operator must also provide a notice to the consumer that identifies the categories of covered information that the operator collects and the categories of third parties to whom the operator may disclose the covered information.

Therefore, the best privacy compliance step for SuperMart to comply with SB 260 is to provide a mechanism for consumers to opt out of sales, as this is the core requirement of the law. Option A is the correct answer.

Option B is incorrect, as SB 260 does not grant consumers the right to access or delete their covered information, unlike other state privacy laws such as the California Consumer Privacy Act (CCPA) or the Virginia Consumer Data Protection Act (VCDPA).

Option C is incorrect, as SB 260 does not require operators to provide a notice of financial incentive for any loyalty programs offered to their customers, unlike the CCPA.

Option D is incorrect, as SB 260 does not impose service provider restrictions on the vendors of the operators, unlike the CCPA or the VCDPA.

References:

• [IAPP CIPP/US Study Guide], Chapter 10: State Data Security Laws, pp. 229-230.
• CIPP/US Practice Questions (Sample Questions), Question 33.

Illinois became the first state to pass a law specifically regulating the collection of biometric data in 2008, when it enacted the Biometric Information Privacy Act (BIPA). BIPA defines biometric identifiers as retina or iris scans, fingerprints, voiceprints, or scans of hand or face geometry, and biometric information as any information based on biometric identifiers used to identify an individual. BIPA requires entities that collect, store, or use biometric identifiers or information to obtain informed consent from individuals, provide written policies on data retention and destruction, limit disclosure and sale of biometric data, and protect biometric data using reasonable security measures. BIPA also provides a private right of action for individuals whose biometric data is collected, stored, or used in violation of the law, and allows them to recover statutory damages of $1,000 or actual damages, whichever is greater, for each negligent violation, and $5,000 or actual damages, whichever is greater, for each intentional or reckless violation, as well as attorneys’ fees and costs, and injunctive relief. References: U.S. Biometrics Laws Part I: An Overview of 2020, Is Biometric Information Protected by Privacy Laws?, Biometric Data Privacy Laws

The Consumer Privacy Bill of Rights is a set of principles that the Obama administration proposed in 2012 to guide the development of privacy legislation and policies in the United States. The report that introduced the bill of rights stated that it was "generally based on the widely accepted Fair Information Practice Principles (FIPPs)"1, which are a set of standards that originated in the 1970s and have influenced many privacy laws and frameworks around the world. The FIPPs include concepts such as individual control, transparency, security, accountability, and data minimization2. The Consumer Privacy Bill of Rights adapted and expanded these principles to address the challenges and opportunities of the digital economy1. References: 1: Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy2, page 92: IAPP CIPP/US Certified Information Privacy Professional Study Guide3, page 17.

According to the web search results from my predefined tool, Florida is the only state among the four options that currently imposes a definite limit for notification to affected individuals in case of a data breach. Florida’s law requires that notice be provided within 30 days after determination of the breach or reason to believe a breach occurred, unless delayed by law enforcement or measures to determine the scope of the breach and restore the integrity of the system1. The other states have more flexible or vague terms for the notification timeframe, such as “as soon as practicable” (Maine), “in the most expedient time possible and without unreasonable delay” (New York), or “in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement” (California)2. References:

• Security Breach Notification Chart | Perkins Coie
• State Data Breach Notification Chart - International Association of …

The “Discover” phase of building an information management program is the first step in the process of creating a privacy framework. It involves identifying the types, sources, and flows of personal information within an organization, as well as the legal, regulatory, and contractual obligations that apply to it. The tasks in this phase include:

• Conducting a data inventory and mapping exercise to document what personal information is collected, used, shared, and stored by the organization, and how it is protected.
• Assessing the current state of privacy compliance and risk by reviewing existing policies, procedures, and practices, and identifying any gaps or weaknesses.
• Understanding the laws that regulate a company’s collection of information, such as the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), and the California Consumer Privacy Act (CCPA).
• Facilitating participation across departments and levels to ensure that all stakeholders are involved and informed of the privacy goals and objectives, and to foster a culture of privacy awareness and accountability.

Developing a process for review and update of privacy policies is not a task in the “Discover” phase, but rather in the “Implement” phase, which is the third step in the process of creating a privacy framework. It involves putting the privacy policies and procedures into action, and ensuring that they are effective and compliant. The tasks in this phase include:

• Developing a process for review and update of privacy policies to reflect changes in the business environment, legal requirements, and best practices, and to incorporate feedback from internal and external audits and assessments.
• Implementing privacy training and awareness programs to educate employees and other relevant parties on their roles and responsibilities regarding privacy, and to promote a privacy-by-design approach.
• Establishing privacy governance and oversight mechanisms to monitor and measure the performance and outcomes of the privacy program, and to ensure accountability and transparency.
• Developing a process for responding to privacy incidents and requests from data subjects, regulators, and other parties, and to mitigate and remediate any privacy risks or harms.

References:

• IAPP CIPP/US Body of Knowledge, Domain I: Information Management from a U.S. Perspective, Section A: Building a Privacy Program
• IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 1: Information Management from a U.S. Perspective, Section 1.1: Building a Privacy Program
• Practice Exam - International Association of Privacy Professionals

The law that is not involved in the regulation of employee background checks is B. The Gramm-Leach-Bliley Act (GLBA). The GLBA is a federal law that regulates the privacy and security of financial information collected, used, or shared by financial institutions, such as banks, insurance companies, or securities firms. The GLBA does not apply to employee background checks, unless the employer is a financial institution that obtains financial information from a consumer reporting agency for employment purposes. In that case, the employer must comply with the GLBA’s notice and opt-out requirements, as well as the FCRA’s requirements for using consumer reports. References:

• [IAPP CIPP/US Study Guide], Chapter 4: Workplace Privacy, pp. 113-114.
• IAPP CIPP/US Body of Knowledge, Section IV: Workplace Privacy, Subsection A: Employee Privacy Expectations, Topic 3: Background Checks.
• IAPP CIPP/US Practice Questions, Question 150.

The U.S. Department of Commerce (DOC) is a federal agency that promotes economic growth, trade, and innovation, but does not have regulatory authority related to privacy. The DOC administers several voluntary privacy frameworks, such as the Privacy Shield, the APEC Cross-Border Privacy Rules, and the NIST Privacy Framework, but these are not legally binding or enforceable by the DOC12. The DOC also participates in international privacy negotiations and dialogues, but does not have the power to issue rules or regulations on privacy matters3.

The other three options are examples of federal agencies that do have regulatory authority related to privacy. The Consumer Financial Protection Bureau (CFPB) is an independent agency that enforces consumer protection laws, such as the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, and the Dodd-Frank Act, which contain privacy and data security provisions4. The U.S. Department of Transportation (DOT) is a federal agency that regulates transportation safety, security, and infrastructure, and has issued privacy rules for airlines, motor carriers, and railroads. The FederalReserve (FRB) is an independent agency that oversees the nation’s monetary policy, banking system, and financial stability, and has issued privacy rules for financial institutions under its jurisdiction. References: 1: Privacy Shield Program Overview | International Trade Administration 2: NIST Privacy Framework | NIST 3: Privacy and Data Security | U.S. Department of Commerce 4: Consumer Financial Protection Bureau - Wikipedia : [Privacy | US Department of Transportation] : [Privacy - Federal Reserve Board]

 The CCPA applies to any business that collects personal information of California residents, regardless of where the business is located1. The CCPA defines personal information broadly as any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household2. This could include business contact information, such as name, email address, phone number, or job title, if it is linked to a specific individual3. Therefore, Otto should tell the Board that business contact information could be considered personal information governed by CCPA, and that the company may need to comply with the CCPA requirements, such as providing notice, honoring consumer rights requests, and implementing reasonable security measures4. References:

• CIPP/US Practice Questions (Sample Questions), Question 124, Answer C, Explanation C.
• IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 6, Section 6.2, p. 181-182.
• California Consumer Privacy Act (CCPA), Section 1798.140, Subsection (o).
• CCPA Compliance Checklist for Businesses, Section 2, Subsection (a).

According to the Family Educational Rights and Privacy Act (FERPA), a policy of “no consumer choice” or “no option” means that an educational agency or institution may disclose personally identifiable information (PII) from education records without the prior written consent of the parent or eligible student, subject to certain conditions and exceptions1. One of the exceptions is when the disclosure is to comply with a judicial order or lawfully issued subpoena, or to respond to an ex parte order from the Attorney General of the United States or his designee in connection with the investigation or prosecution of terrorism crimes12. In such cases, the educational agency or institution must make a reasonable effort to notify the parent or eligible student of the order or subpoena in advance of compliance, unless the order or subpoena specifies not to do so12. Therefore, when a customer’s financial information, which may be part of the education records, is requested by the government under a valid legal authority, the customer does not have the option to prevent the disclosure and the educational agency or institution does not need to obtain the customer’s consent. References: 1: FERPA, 34 CFR Part 99, Subpart D, 2. 2: The Family Educational Rights and Privacy Act Guidance for Parents, Student Privacy Policy Office, U.S. Department of Education, 1.

The APEC Privacy Framework is a set of non-binding principles adopted by the Asia-Pacific Economic Cooperation (APEC) that aim to promote electronic commerce and protect information privacy in the region. The Framework is consistent with the core values of the OECD Guidelines on the Protection of Privacy and Trans-Border Flows of Personal Data, and reaffirms the value of privacy to individuals and to the information society. The Framework consists of nine principles: Preventing Harm, Notice, Collection Limitation, Use of Personal Information, Choice, Integrity of Personal Information, Security Safeguards, Access and Correction, and Accountability. Privacy by Design is not one of the principles in the APEC Privacy Framework, although it is a concept that is endorsed by the OECD Guidelines and other privacyframeworks. References: APEC Privacy Framework (2015), APEC Privacy Principles, IAPP CIPP/US Study Guide, Chapter 4.

The CCPA grants California residents the right to request that a business delete, disclose, or stop selling their personal information, but it does not grant them the right to request that a business correct their personal information. However, the CPRA, which will amend and expand the CCPA in 2023, will grant California residents the right to request that a business correct inaccurate personal information. References: CCPA, CPRA, IAPP CIPP/US Study Guide (p. 62)

 Declan might directly violate the HIPAA Privacy Rule by using John’s name and personal health information (PHI) in his paper without his written authorization. The Privacy Rule protects the confidentiality of PHI that is created, received, maintained, or transmitted by a covered entity or its business associate. PHI includes any information that relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and that identifies the individual or for which there is a reasonable basis to believe can be used to identify the individual1. Declan, as a nursing assistant, is part of the covered entity’s workforce and must comply with the Privacy Rule. He cannot disclose John’s PHI to anyone, including his classmates or instructors, without John’s authorization or a valid exception under the Privacy Rule. Even if he does not use John’s full name, hemay still reveal enough information to make John identifiable, such as his diagnosis, his father’s condition, or his location. This would be an impermissible use and disclosure of PHI, and a potential HIPAA violation. Declan should either obtain John’s written authorization to use his PHI in his paper, or de-identify the information according to the Privacy Rule’s standards2. References:

• Summary of the HIPAA Privacy Rule
• Guidance Regarding Methods for De-identification of Protected Health Information in Accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule

The Consumer Financial Protection Bureau (CFPB) has rulemaking authority for the Fair Credit Reporting Act (FCRA) and the Fair and Accurate Credit Transactions Act (FACTA), as well as other consumer financial laws. The Dodd-Frank Act, enacted in 2010, transferred most of the rulemaking responsibilities added to the FCRA by the FACTA and the Credit CARD Act from the Federal Trade Commission (FTC) to the CFPB. However, the FTC retains its enforcement authority for the FCRA and the FACTA, along with other federal and state agencies1. The CFPB also shares rulemaking authority for some provisions of the FACTA with the FTC, such as the identity theft red flags and address discrepancy rules2. The Department of Commerce and the State Attorneys General do not have rulemaking authority for the FCRA or the FACTA. References: 1: FTC3, Fair Credit Reporting Act; 2: CFPB4, Fair Credit Reporting Act; 3: FTC; 4: CFPB.

Contact tracing apps are designed to help public health authorities track and contain the spread of COVID-19 or any other diagnosed virus by notifying users who have been in close contact with an infected person. However, these apps also raise privacy concerns, as they collect and process sensitive personal data, such as health status and location information. Therefore, contact tracing apps should follow the principles of privacy by design and default, which means that they should incorporate privacy measures into their development and operation, and offer the highest level of privacy protection to users.

Some of the privacy measures that should be considered when designing contact tracing apps are:

• Data retention: Contact tracing apps should only retain the personal data they collect for as long as necessary to achieve their public health purpose, and delete or anonymize the data afterwards. Data retention periods should be clearly communicated to users and based on scientific evidence and legal requirements.
• Use limitations: Contact tracing apps should only use the personal data they collect for the specific and legitimate purpose of contact tracing, and not for any other purposes, such as commercial, law enforcement, or surveillance. Use limitations should be enforced by technical and organizational measures, such as encryption, access controls, and audits.
• User confidentiality: Contact tracing apps should protect the confidentiality of users’ personal data and identity, and not disclose them to third parties without their consent or legal authorization. User confidentiality should be ensured by technical and organizational measures, such as pseudonymization, aggregation, and data minimization.

Opt-out choice, on the other hand, is not a privacy measure that should be considered when designing contact tracing apps, as it would undermine their effectiveness and public health objective. Contact tracing apps rely on voluntary participation and widespread adoption by users to function properly and achieve their purpose. Therefore, offering users the option to opt out of the app or certain features, such as data sharing or notifications, would reduce the app’s coverage and accuracy, and potentially expose users and others to greater health risks. Instead of opt-out choice, contact tracing apps should provide users with clear and transparent information about how the app works, what data it collects and how it uses it, what benefits and risks it entails, and what rights and controls users have over their data. This way, users can make an informed and voluntary decision to use the app or not, based on their own preferences and values.

References:

• [IAPP CIPP/US Study Guide], Chapter 2: Privacy by Design and Default, pp. 35-36.
• [IAPP CIPP/US Body of Knowledge], Section II: Limits on Private-sector Collection and Use of Data, Subsection B: Privacy by Design, pp. 9-10.
• [IAPP Glossary], Terms: Contact Tracing, Privacy by Design, Privacy by Default.

The best way for Otto to minimize the privacy risks involved in using a cloud provider for the HR data is to ensure that the cloud provider abides by the contractual requirements by conducting an on-site audit. This would allow Otto to verify that the cloud provider has implemented adequate security measures, such as encryption, access controls, and backup systems, to protect the HR data from unauthorized access, use, or disclosure. It would also allow Otto to check that the cloud provider is complying with the applicable privacy laws and regulations, such as the CCPA, the APEC Privacy Framework, and the breach notification requirements. By conducting an on-site audit, Otto can identify any gaps or weaknesses in the cloud provider’s privacy practices and address them promptly. This would also demonstrate due diligence and accountability on the part of Filtration Station, which could mitigate the legal and reputational consequences of a data breach. References:

• [IAPP CIPP/US Study Guide], Chapter 3: Data Assessments, pp. 77-78.
• IAPP CIPP/US Body of Knowledge, Section III: Government and Court Access to Private-sector Information, Subsection B: Cross-Border Data Transfer, Topic 2: APEC Privacy Framework.
• IAPP CIPP/US Practice Questions, Question 125.

BYOD is a practice that allows employees to use their own personal devices, such as smartphones, tablets, or laptops, for work-related purposes. BYOD can offer some benefits for both employers and employees, such as increased flexibility, convenience, and productivity. However, BYOD also poses significant privacy and security risks, such as data breaches, unauthorized access, loss or theft of devices, malware infections, and compliance challenges. Therefore, the business consultant will most likely advise Felicia and Celeste to weigh any productivity benefits of the plan against the risk of privacy issues, and to implement a comprehensive BYOD policy that addresses the following aspects:

• The scope and purpose of the BYOD program, including the types of devices, data, and applications that are allowed or prohibited.
• The roles and responsibilities of the employer and the employees, including the ownership, control, and access rights of the devices and the data.
• The security measures and controls that are required to protect the devices and the data, such as encryption, passwords, remote wipe, antivirus software, firewalls, and VPNs.
• The privacy expectations and obligations of the employer and the employees, such as the notice, consent, and disclosure requirements, the limits on data collection and monitoring, the retention and deletion policies, and the rights of access and correction.
• The legal and regulatory compliance requirements that apply to the BYOD program, such as the FTC Act, the GLBA, the HIPAA, the COPPA, the CCPA, and the GDPR.
• The incident response and reporting procedures that are followed in the event of a data breach, loss, or theft of a device, or any other privacy or security issue.
• The training and education programs that are provided to the employees to raise awareness and understanding of the BYOD policy and the best practices.
• The enforcement and audit mechanisms that are used to ensure compliance and accountability of the BYOD policy, such as sanctions, penalties, reviews, and audits. References:
• IAPP CIPP/US Body of Knowledge, Section III.C.2
• IAPP CIPP/US Textbook, Chapter 3, pp. 113-115
• FTC Mobile Device Security

The Consumer Privacy Bill of Rights is a set of principles proposed by the Obama administration in 2012 to protect the privacy of consumers online and offline. The principles are based on the Fair Information Practice Principles, which are widely accepted as the foundation of privacy protection. One of the principles is the right to reasonable limits on the personal data that a company retains, which means that companies should collect and keep only the personal data they need for legitimate purposes, and dispose of it securely when it is no longer needed. This principle would best reform the company’s privacy program in the scenario, as it would address the major concerns that Roberta identified in her report, such as the lack of rules and procedures for purging and destroying outdated data, and the excessive access to customer information by low-level employees. By implementing reasonable limits on the personal data that the company retains, the company would reduce the risk of data breaches, enhance customer trust, and comply with state breach notification laws. References:

• Fact Sheet: Plan to Protect Privacy in the Internet Age by Adopting a Consumer Privacy Bill of Rights
• IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 1: Introduction to U.S. Privacy Law, Section 1.2: The Consumer Privacy Bill of Rights

The annual privacy notice requirement under the Gramm-Leach-Bliley Act (GLBA) applies to financial institutions that collect nonpublic personal information from customers and disclose it to nonaffiliated third parties, unless they qualify for an exception. A financial institution is any entity that engages in activities that are financial in nature or incidental to such activities, as defined by section 4(k) of the Bank Holding Company Act of 1956. The King County Savings and Loan is a financial institution under this definition, as it engages in lending money and accepting deposits. Therefore, it is required to provide its customers with an annual privacy notice, unless it meets the conditions for an exception. The Four Winds Tribal College, the Golden Gavel Auction House, and the Breezy City Housing Commission are not financial institutions under the GLBA, as they do not engage in activities that are financial in nature or incidental to such activities. Therefore, they are not required to provide their customers with an annual privacy notice under the GLBA. References:

• Amendment to the Annual Privacy Notice Requirement Under the Gramm-Leach-Bliley Act, section I. Background, paragraph 2.
• 17 CFR § 248.5 - Annual privacy notice to customers required., paragraph (a) (1).
• IAPP CIPP/US Study Guide, page 65.

The Children’s Online Privacy Protection Act (COPPA) is a federal law that protects the privacy of children under 13 who use online sites and services. COPPA requires operators of such sites and services to obtain verifiable parental consent before collecting, using, or disclosing personal information from children, and to provide notice of their information practices to parents and the public. COPPA also gives parents the right to access, review, and delete their children’s personal information, and to limit further collection or use of such information.1

One way for operators to comply with COPPA is to participate in an approved self-regulatory program, also known as a “safe harbor” program. These are programs that are run by industry groups or other organizations that set and enforce standards for privacy protection that meet or exceed the requirements of COPPA. Operators that join a safe harbor program and follow its guidelines are deemed to be in compliance with COPPA and are subject to the review and disciplinary procedures of the program instead of FTC enforcement actions. The FTC has approved several safe harbor programs, such as CARU, ESRB, iKeepSafe, kidSAFE, PRIVO, and TRUSTe.2

By participating in an approved self-regulatory program, the marketer in the scenario could have best changed its privacy management program to meet COPPA “Safe Harbor” requirements. This would mean that the marketer would have to adhere to the guidelines of the program, which would likely include obtaining verifiable parental consent before collecting personal information from children, providing clear and prominent privacy notices on its website and emails, honoring parents’ choices and requests regarding their children’s data, and ensuring the security and confidentiality of the data collected. The marketer would also benefit from the oversight and assistance of the program in ensuring compliance and resolving any complaints or disputes.3 References: 1: Complying with COPPA: Frequently Asked Questions4, Section A2: COPPA Safe Harbor Program3: IAPP CIPP/US Certified Information Privacy Professional Study Guide, page 143.

The Massachusetts Personal Information Security Regulation (201 CMR 17.00) requires that any person or entity that owns or licenses personal information of Massachusetts residents must implement and maintain a comprehensive written information security program that includes administrative, technical, and physical safeguards to protect such information. One of the technical requirements of the regulation is to encrypt all personal information of Massachusetts residents that is stored on laptops or other portable devices, regardless of where the equipment is located12. The regulation defines personal information as a person’s first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such person: (a) Social Security number; (b) driver’s license number or state-issued identification card number; or © financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account1. The regulation also requires encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly1. References:

• Regulation 201 CMR 17.00: Standards for the Protection of Personal Information of MA Residents
• Massachusetts Law Raises the Bar for Data Security

 The correct answer is D. If the algorithm uses information about protected classes to make automated decisions, Acme must ensure that the algorithm does not have a disparate impact on protected classes in the output. The Fair Credit Reporting Act (FCRA) protects consumers from unfair, inaccurate, and discriminatory treatment by creditors and other businesses that use credit reports. The FCRA prohibits creditors from using information about protected classes, such as race, color, religion, national origin, sex, marital status, age, or because they receive income from a public assistance program, to make decisions about credit. In the case of Acme Student Loan Company, the algorithm is using information about protected classes to make automated decisions about whether to send payment reminder calls. This could have a disparateimpact on protected classes, such as people of color or people with low incomes. For example, people of color may be more likely to be identified as being at risk of default, even if they are just as likely to repay their loans as people of other races. Acme Student Loan Company must ensure that the algorithm does not have a disparate impact on protected classes. This could be done by using a variety of methods, such as:

• Testing the algorithm for accuracy, fairness, and bias before and after deployment
• Providing consumers with notice and consent options for the use of their data
• Allowing consumers to access, correct, or delete their data
• Implementing accountability and oversight mechanisms for the algorithm
• Ensuring compliance with applicable laws and regulations

References: https://economictimes.indiatimes.com/news/how-to/ai-and-privacy-the-privacy-concerns-surrounding-ai-its-potential-impact-on-personal-data/articleshow/99738234.cms

https://pupuweb.com/iapp-cipp-us-qa-privacy-concerns-acme-student-loan-company-artificial-intelligence/

The Federal Trade Commission (FTC) issued its 2012 report, “Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers”1, which outlined a framework for privacy protection based on three main principles: privacy by design, simplified consumer choice, and greater transparency. The report also identified five priority areas for the FTC’s privacy enforcement and policy efforts, which were:

• Data brokers
• Large platform providers
• Mobile
• Promoting enforceable self-regulatory codes
• International data transfers

Do Not Track was not one of the five priority areas, but rather a specific mechanism for implementing the principle of simplified consumer choice. The report endorsed the development of a Do Not Track system that would allow consumers to opt out of online behavioral advertising across websites and platforms1. The report also noted the progress made by various stakeholders, such as the World Wide Web Consortium (W3C), the Digital Advertising Alliance (DAA), and browser companies, in advancing the Do Not Track initiative1. References: 1: Federal Trade Commission, Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers (March 2012), available at 1.

Data flow diagrams are graphical representations of how data moves within an organization or between different entities. They can help identify the sources, destinations, and processing of personal data, as well as the legal basis, retention periods, and security measures for each data flow. Reviewing the available data flow diagrams can help the data privacy leader to quickly and accurately respond to the urgent request from the EU-based retail partner, as well as to assess the potential risks and compliance gaps in the data transfer process. Data flow diagrams are also a key component of data protection impact assessments (DPIAs), which are required by the GDPR for high-risk processing activities. References:

• IAPP CIPP/US Body of Knowledge, Section II, A, 2
• [IAPP CIPP/US Study Guide, Chapter 2, Section 2.3]
• [GDPR, Article 35]

 The European approach to privacy is based on the recognition of privacy as a fundamental human right that requires strong legal protection and oversight. The EU has adopted comprehensive and binding privacy laws, such as the General Data Protection Regulation (GDPR) and the ePrivacy Directive, that apply to all sectors and activities involving personal data. The EU also has independent data protection authorities (DPAs) that monitor and enforce compliance with the privacy laws, and a European Data Protection Board (EDPB)that issues guidance and opinions on privacy matters. The EU also requires adequate levels of privacy protection for personal data transferred to third countries or international organizations.

In contrast, the U.S. approach to privacy is based on a sectoral and self-regulatory model that relies on a combination of federal and state laws, industry codes of conduct, consumer education, and market forces. The U.S. does not have a single, comprehensive, and enforceable federal privacy law that covers all sectors and activities involving personal data. Instead, the U.S. has a patchwork of federal and state laws that address specific issues or sectors, such as health, financial, children’s, and electronic communications privacy. The U.S. also has various federal and state agencies that share jurisdiction over privacy matters, such as the Federal Trade Commission (FTC), the Federal Communications Commission (FCC), and the Department of Health and Human Services (HHS). The U.S. also relies on self-regulation by industries that develop and adhere to voluntary codes of conduct, standards, and best practices for privacy. The U.S. also allows personal data to be transferred to third countries or international organizations without requiring adequate levels of privacy protection, as long as the data subjects have given their consent or the transfer is covered by a mechanism such as the Privacy Shield or the Standard Contractual Clauses.

Some supporters of the European approach to privacy are skeptical about self-regulation of privacy practices because they believe that self-regulation is not effective, consistent, or accountable enough to protect the rights and interests of data subjects. They argue that self-regulation may not provide sufficient incentives or sanctions for industries to comply with privacy rules, or to adopt privacy-enhancing technologies and practices. They also contend that self-regulation may not reflect the views and expectations of data subjects, or address the emerging and complex privacy challenges posed by new technologies and business models. They also question the transparency and legitimacy of self-regulation, and the ability of data subjects to exercise their rights and seek redress for privacy violations. References:

• IAPP CIPP/US Study Guide, Chapter 1: Introduction to the U.S. Privacy Environment, pp. 9-10, 16-17
• IAPP website, CIPP/US Certification
• NICCS website, Certified Information Privacy Professional/United States (CIPP/US) Training

The data privacy leader needs to identify all the personal data that the Company has received from the retailer, as well as the purposes, retention periods, and sharing practices of such data. Since the data inventory is obsolete, the data privacy leader cannot rely on it to provide accurate and complete information. Therefore, the next best source of information is to interview the key marketing personnel who are responsible for the partnership with the retailer and the use of the personal data. The marketing personnel can provide insights into the data flows, the data categories, the data processing activities, and the data protection measures that the Company has implemented. They can also help the data privacy leader to locate the relevant documents, contracts, and records that can support the investigation. References: [IAPP CIPP/US Study Guide], Chapter 5: Data Management, p. 97-98; IAPP Privacy Tech Vendor Report, Data Mapping and Inventory, p. 9-10.

Section 5 of the Federal Trade Commission Act (FTC Act) prohibits “unfair or deceptive acts or practices in or affecting commerce.”1 This prohibition applies to all persons engaged in commerce, including banks, but also exempts some entities, such as nonprofit organizations and common carriers, from FTC jurisdiction.2 Therefore, among the four options, only an online merchant’s free shipping offer would be subject to the requirements of Section 5, as it involves a commercial activity thatcould potentially mislead or harm consumers. For example, if the online merchant fails to disclose the terms and conditions of the offer, or charges hidden fees, or delivers the products late or damaged, it could violate Section 5 by engaging in a deceptive practice.3 References: 1: Section 5 | Federal Trade Commission 2: Federal Trade Commission Act Section 5: Unfair or Deceptive Acts or Practices, page 13: IAPP CIPP/US Certified Information Privacy Professional Study Guide, page 23.

The VPPA was enacted to prevent the wrongful disclosure of personally identifiable information (PII) concerning any consumer of a video tape service provider. PII includes information that identifies a person as having requested or obtained specific video materials or services from a video tape service provider. The VPPA prohibits such disclosure, except in certain limited circumstances, such as with the consumer’s informed, written consent, or pursuant to a law enforcement warrant, subpoena, or court order. The VPPA also allows the disclosure of the names and addresses of consumers, but not the title, description, or subject matter of any video tapes or other audio visual material, for the exclusive use of marketing goods and services directly to the consumer, unless the consumer has opted out of such disclosure. The other options (B, C, and D) are not restricted by the VPPA. References:

• Video Privacy Protection Act - Wikipedia
• 18 U.S. Code § 2710 - Wrongful disclosure of video tape rental or sale records | U.S. Code | US Law | LII / Legal Information Institute
• IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 3: Federal Privacy Laws and Regulations, Section 3.5: Video Privacy Protection Act (VPPA)

The Dodd-Frank Act created the Consumer Financial Protection Bureau (CFPB) as an independent agency within the Federal Reserve System. The CFPB has the authority to regulate consumer financial products and services, such as mortgages, credit cards, student loans, and payday loans. One of the main objectives of the CFPB is to promote transparency, fairness, and consumer choice in the financial marketplace. The CFPB has issued rules and guidance to require financial institutions to provide clear and accurate information to consumers about the costs, risks, and benefits of their products and services. The CFPB also has the power to enforce consumer protection laws and prohibit unfair, deceptive, or abusive acts or practices by financial institutions123 References: 1: Dodd-Frank Wall Street Reform and Consumer Protection Act, Title X, Subtitle A, Section 1011. 2: Consumer Financial Protection Bureau, Wikipedia. 3: Dodd-Frank Act: What It Does, Major Components, and Criticisms, Investopedia.

Federal anti-discrimination laws, such as Title VII of the Civil Rights Act of 1964, the Equal Pay Act of 1963, the Age Discrimination in Employment Act of 1967, and the Americans with Disabilities Act of 1990, prohibit employers from discriminating against employees or applicants based on certain protected characteristics, such as race, color, religion, sex, national origin, age, disability, and genetic information. These laws also limit the types of information that employers can collect, use, disclose, or retain about employees or applicants,in order to prevent discrimination or invasion of privacy. For example, employers cannot ask about an applicant’s medical history, disability status, genetic information, or religious beliefs, unless they are relevant to the job or a bona fide occupational qualification. Employers also cannot use such information to make adverse employment decisions, such as hiring, firing, promotion, or compensation, unless they are justified by a legitimate business necessity or a reasonable accommodation. Employers must also safeguard the confidentiality of such information and dispose of it properly when it is no longer needed. References:

• Federal Laws Prohibiting Job Discrimination Questions And Answers
• Laws Enforced by EEOC
• Employment and Anti-Discrimination Laws in the Workplace
• Protections Against Discrimination and Other Prohibited Practices
• 3. Who is protected from employment discrimination?