CIPP-US Certified Information Privacy Professional/United States (CIPP/US) Questions and Answers

Most state laws require that a person or business that conducts business in the state and owns or licenses personal information of residents of that state must notify those residents of any breach of the security of the system involving their personal information. This means that the entity does not have to be physically located in the state, have employees in the state, or be registered inthe state to be subject to the breach notification requirements, as long as it conducts business in the state and holds personal information of state residents. Conducting business in the state can be interpreted broadly to include any transaction or activity that involves the state or its residents, such as selling goods or services, collecting payments, or maintaining a website accessible by state residents. The other options (B, C, and D) are not commonly required by most state laws, although some states may have additional or specific requirements for certain types of entities, such as information brokers, health care providers, or financial institutions. References:

• Security Breach Notification Chart | Perkins Coie
• Security Breach Notification Laws - National Conference of State Legislatures
• IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 4: State Privacy Laws and Regulations, Section 4.2: State Security Breach Notification Laws.

The VPPA was enacted to prevent the wrongful disclosure of personally identifiable information (PII) concerning any consumer of a video tape service provider. PII includes information that identifies a person as having requested or obtained specific video materials or services from a video tape service provider. The VPPA prohibits such disclosure, except in certain limited circumstances, such as with the consumer’s informed, written consent, or pursuant to a law enforcement warrant, subpoena, or court order. The VPPA also allows the disclosure of the names and addresses of consumers, but not the title, description, or subject matter of any video tapes or other audio visual material, for the exclusive use of marketing goods and services directly to the consumer, unless the consumer has opted out of such disclosure. The other options (B, C, and D) are not restricted by the VPPA. References:

• Video Privacy Protection Act - Wikipedia
• 18 U.S. Code § 2710 - Wrongful disclosure of video tape rental or sale records | U.S. Code | US Law | LII / Legal Information Institute
• IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 3: Federal Privacy Laws and Regulations, Section 3.5: Video Privacy Protection Act (VPPA)

The FTC’s privacy report, titled “Protecting Consumer Privacy in an Era of Rapid Change”, proposed a framework for companies that collect and use consumer data. The framework consisted of three core principles: privacy by design, simplified consumer choice, and greater transparency. Privacy by design means that companies should incorporate privacy protections into their everyday business practices, such as data security, reasonable collection limits, sound retention practices, and data accuracy. Simplified consumer choice means that companies should provide consumers with clear and easy-to-understand choices about the collection and use of their data, and respect their preferences. Greater transparency means that companies should increase the visibility and accessibility of their data practices, such as providing clear and concise privacy notices, educating consumers about the commercial datapractices, and providing consumers with access to their data. Enhancing security measures is not one of the core principles of the FTC’s privacy framework, although it is a component of the privacy by design principle. References:

• IAPP CIPP/US Body of Knowledge, Section I.A.1.a
• IAPP CIPP/US Textbook, Chapter 1, pp. 13-15
• FTC Privacy Report, Executive Summary, pp. i-vii

The Family Educational Rights and Privacy Act (FERPA) is a federal law that protects the privacy of students’ educational records. FERPA generally requiresschools to obtain written consent from students before disclosing their records to third parties, such as parents. However, FERPA allows some exceptions to this rule, such as when the disclosure is for health or safety emergencies, or when the student is still a dependent for tax purposes. According to FERPA, a school may disclose educational records to the parents of a student who is claimed as a dependent on the parents’ most recent federal income tax return, without the student’s consent. This exception applies regardless of the student’s age or enrollment status at a postsecondary institution. References:

• IAPP CIPP/US Body of Knowledge, Section III, C, 2
• [IAPP CIPP/US Study Guide, Chapter 3, Section 3.5]
• [FERPA, 34 CFR § 99.31(a)(8)]

 The Driver’s Privacy Protection Act (DPPA) is a federal law that regulates the disclosure of personal information obtained by state departments of motor vehicles (DMVs). The DPPA prohibits DMVs and other entities that receive such information from DMVs from disclosing it to anyone without the express consent of the individual to whom the information pertains, unless the disclosure falls under one of the 14 exceptions listed in the statute.

Some of the exceptions that allow disclosure of personal information from DMV records without consent are:

• For use by any government agency, including any court or law enforcement agency, in carrying out its functions, or any private person or entity acting on behalf of a government agency in carrying out its functions.
• For use in connection with matters of motor vehicle or driver safety and theft; motor vehicle emissions; motor vehicle product alterations, recalls, or advisories; performance monitoring of motor vehicles, motor vehicle parts and dealers; motor vehicle market research activities, including survey research; and removal of non-owner records from the original owner records of motor vehicle manufacturers.
• For use in the normal course of business by a legitimate business or its agents, employees, or contractors, but only to verify the accuracy of personal information submitted by the individual to the business or its agents, employees, or contractors; and if such information as so submitted is not correct or is no longer correct, to obtain the correct information, but only for the purposes of preventing fraud by, pursuing legal remedies against, or recovering on a debt or security interest against, the individual.
• For use in connection with any civil, criminal, administrative, or arbitral proceeding in any federal, state, or local court or agency or before any self-regulatory body, including the service of process, investigation in anticipation of litigation, and the execution or enforcement of judgments and orders, or pursuant to an order of a federal, state, or local court.
• For use in research activities, and for use in producing statistical reports, so long as the personal information is not published, redisclosed, or used to contact individuals.
• For use by any insurer or insurance support organization, or by a self-insured entity, or its agents, employees, or contractors, in connection with claims investigation activities, antifraud activities, rating or underwriting.
• For use in providing notice to the owners of towed or impounded vehicles.
• For use by any licensed private investigative agency or licensed security service for any purpose permitted under this subsection.
• For use by an employer or its agent or insurer to obtain or verify information relating to a holder of a commercial driver’s license that is required under chapter 313 of title 49.
• For use in connection with the operation of private toll transportation facilities.
• For any other use specifically authorized under the law of the state that holds the record, if such use is related to the operation of a motor vehicle or public safety.

None of the exceptions above apply to the use of personal information from DMV records by marketers wishing to distribute bulk materials. Therefore, such use would require the consent of the individual to whom the information pertains, according to the DPPA. Hence, option D is the correct answer.

Option A is incorrect, as law enforcement agencies performing investigations are exempt from the consent requirement under the first exception.

Option B is incorrect, as insurance companies needing to investigate claims are exempt from the consent requirement under the sixth exception.

Option C is incorrect, as attorneys gathering information related to lawsuits are exempt from the consent requirement under the fourth exception.

References:

• [IAPP CIPP/US Study Guide], Chapter 8: Federal Privacy Laws, pp. 181-182.
• CIPP/US Practice Questions (Sample Questions), Question 31.

 Data breach notification laws in the United States vary by state and territory, and there is no comprehensive federal law that applies to all types of personal information. Some federal laws, such as HIPAA, GLBA, and the FDIC rule, impose data breach notification requirements for specific industries or sectors, but they do not cover all types of personal information or all entities that collect, store, or process such information. Therefore, the only obligations to provide data breach notification for the breach of personal information are under state law, unless a specific federal law applies to the entity or the information involved. The other statements are incorrect because:

• A. You do not have to notify the FTC in addition to affected individuals if over 500 individuals are receiving notice, unless you are a health care entity subject to HIPAA, in which case you have to notify the Department of Health and Human Services (HHS) within 60 days of the breach.
• B. When providing an individual with required notice of a data breach, you do not have to identify what personal information was actually or likely compromised, unless the state law requires you to do so. Some states, such as California, require the notice to include the types of personal information that were or are reasonably believed to have been the subject of the breach, while others, such as Alabama, do not specify the content of the notice.
• C. When you are required to provide an individual with notice of a data breach under any state’s law, you do not have to provide the individual with an offer for free credit monitoring, unless the state law requires you to do so. Some states, such as Connecticut, require the offer of appropriate identity theft prevention and mitigation services for at least 12 months, while others, such as Arizona, do not impose such a requirement. References: Data Breach Notification in the United States and Territories, Data Breach Notification Laws in the United States: What is Required and How is that Determined?, US State Data Breach Notification Law Matrix, Breach Notification in United States, Data Breach Notification Laws: How to Manufacture a Confident Response

The Federal Trade Commission (FTC) is the primary federal agency that regulates advertising and marketing practices in the United States, including those targeting children via the Internet. The FTC enforces the Children’s Online Privacy Protection Act (COPPA), which requires operators of websites and online services directed to children under 13 to obtain verifiable parental consent before collecting, using, or disclosing personal information from children. The FTC also enforces the FTC Act, which prohibits unfair or deceptive acts or practices in commerce, such as making false or misleading claims in advertising. The FTC has issued guidelines and reports on various aspects of digital advertising to children, such as sponsored content, influencers, data collection, persuasive design, and behavioral marketing. The FTC also hosts workshops and events to examine the impact of digital advertising on children and their ability to distinguish ads from entertainment. References:

• FTC website
• Digital Advertising to Children
• IAPP CIPP/US Study Guide, Chapter 5: Marketing and Privacy, pp. 169-170

• The Privacy Act of 1974 is a federal law that regulates the collection, use, and disclosure of personal information by federal agencies.
• The Privacy Act of 1974 applies to records that are maintained in a system of records, which is defined as a group of records under the control of an agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifier assigned to the individual.
• The Privacy Act of 1974 grants individuals the right to access and amend their records, and requires agencies to provide notice of their systems of records, establish safeguards for the protection of the records, and limit the disclosure of the records to certain authorized purposes.
• The Privacy Act of 1974 also establishes civil and criminal penalties for violations of the law, such as unauthorized disclosure, failure to publish a notice, or refusal to grant access or amendment.
• The Privacy Act of 1974 does NOT require agencies to obtain the consent of the individual before collecting their personal information. However, the Privacy Act of 1974 does require agencies to inform the individual of the authority for the collection, the purpose and use of the collection, and the effects of not providing the information.

References: : [Overview of the Privacy Act of 1974]

Most state breach notification laws require entities to notify affected individuals and/or regulators when there is unauthorized access to or acquisition of personal information that compromises its security, confidentiality, or integrity. However, some states provide exceptions to this requirement under certain conditions, such as:

• If the data involved was encrypted or otherwise rendered unreadable or unusable, and the encryption key or other means of access was not compromised. This is based on the assumption that encrypted data is not accessible to unauthorized parties, even if they obtain the data.
• If the entity was subject to and complied with another federal or state law that provides similar or greater protection and notification requirements, such as the GLBA Safeguards Rule or the HIPAA Breach Notification Rule. This is to avoid duplication or inconsistency of obligations for entities that are already regulated by other laws.
• If the entity conducted a risk assessment and determined that there is no reasonable likelihood of harm to the affected individuals, based on factors such as the nature and extent of the data, the circumstances of the breach, the evidence of misuse, and the ability to mitigate the risk. This is to allow entities to exercise some discretion and judgment in evaluating the potential impact of the breach.

However, none of the state laws provide an exception for the mere access of data without exportation. Access alone is considered a breach that triggers the notification requirement, unless one of the other conditions applies. Therefore, option B is not a sufficient excuse for not providing breach notification under state law.

References:

• [IAPP CIPP/US Study Guide], Chapter 9: State Data Security Laws, pp. 209-211.
• CIPP/US Practice Questions (Sample Questions), Question 29.

California’s SB 1386, also known as the California Security Breach Information Act, was enacted in 2002 and became effective in 2003. It was the first law of its kind in the United States to require commercial entities that own or license personal information of California residents to notify them in the event of a security breach that compromises their unencrypted data. The law aims to protect the privacy and security of personal information and to enable individuals to take preventive measures against identity theft and fraud. The law applies to any business or person that conducts business in California and that owns or licenses computerized data that includes personal information, as defined by the law. Personal information includes an individual’s first name or first initial and last name in combination with any one or more of the following data elements: Social Security number, driver’s license number or California identification card number, account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account, or medical information or health insurance information. The law does not apply to encrypted information, publicly available information, or information that is lawfully obtained from federal, state, or local government records. The law requires the disclosure of a breach of the security of the system to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system. The disclosure may be made by written notice, electronic notice, or substitute notice, as specified by the law. The law also requires any person or business that maintains computerized data that includes personal information that the person or business does not own to notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The law also authorizes a civil action for damages by a customer injured by a violation of the law and provides that the rights and remedies available under the law are cumulative to each other and to any other rights and remedies available under law. References:

• California Senate Bill 1386 (2002)
• California SB 1386: For the Love of Privacy
• What Is the California Security Breach Information Act?
• California Raises the Bar on Data Security and Privacy

• The Disposal Rule under the Fair and Accurate Credit Transactions Act (FACTA) is a federal regulation that requires any person or entity that maintains or possesses consumer information derived from consumer reports to dispose of such information in a secure and proper manner1.
• The Disposal Rule aims to protect consumers from identity theft and fraud by preventing unauthorized access to or use of their personal information1.
• The Disposal Rule is enforced by several federal agencies, depending on the type and sector of the entity that is subject to the rule1. These agencies include:
• The Department of Health and Human Services (HHS) is NOT one of the federal agencies that enforces the Disposal Rule under FACTA. HHS has authority over health information privacy and security under the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH), but not under FACTA.

References: 1: Disposing of Consumer Report Information? Rule Tells How 2: FTC Enforcement 3: CFPB Enforcement 4: OCC Enforcement 5: FDIC Enforcement : [FRB Enforcement] : [NCUA Enforcement] : [SEC Enforcement] : [CFTC Enforcement] : [HHS Enforcement]

The Dodd-Frank Act was established to prevent the risky financial practices that led to the 2007–2008 financial crisis, which included issues similar to Noah’s experience with buying stocks without understanding the risks. The act includes provisions forconsumer protection in financial services and aims to prevent abusive practices in the financial industry

BYOD is a practice that allows employees to use their own personal devices, such as smartphones, tablets, or laptops, for work-related purposes. BYOD can offer some benefits for both employers and employees, such as increased flexibility, convenience, and productivity. However, BYOD also poses significant privacy and security risks, such as data breaches, unauthorized access, loss or theft of devices, malware infections, and compliance challenges. Therefore, the business consultant will most likely advise Felicia and Celeste to weigh any productivity benefits of the plan against the risk of privacy issues, and to implement a comprehensive BYOD policy that addresses the following aspects:

• The scope and purpose of the BYOD program, including the types of devices, data, and applications that are allowed or prohibited.
• The roles and responsibilities of the employer and the employees, including the ownership, control, and access rights of the devices and the data.
• The security measures and controls that are required to protect the devices and the data, such as encryption, passwords, remote wipe, antivirus software, firewalls, and VPNs.
• The privacy expectations and obligations of the employer and the employees, such as the notice, consent, and disclosure requirements, the limits on data collection and monitoring, the retention and deletion policies, and the rights of access and correction.
• The legal and regulatory compliance requirements that apply to the BYOD program, such as the FTC Act, the GLBA, the HIPAA, the COPPA, the CCPA, and the GDPR.
• The incident response and reporting procedures that are followed in the event of a data breach, loss, or theft of a device, or any other privacy or security issue.
• The training and education programs that are provided to the employees to raise awareness and understanding of the BYOD policy and the best practices.
• The enforcement and audit mechanisms that are used to ensure compliance and accountability of the BYOD policy, such as sanctions, penalties, reviews, and audits. References:
• IAPP CIPP/US Body of Knowledge, Section III.C.2
• IAPP CIPP/US Textbook, Chapter 3, pp. 113-115
• FTC Mobile Device Security

 The Family Educational Rights and Privacy Act of 1974 (FERPA) is a federal law that protects the privacy of student education records. FERPA grants parents or eligible students the right to access, amend, and control the disclosure of their education records, with some exceptions. Schools must obtain written consent from the parent or eligible student before disclosing any personally identifiable information from the education records, unless an exception applies123

Option A violates FERPA because it involves the disclosure of a student’s personally identifiable information (PII) from the education records without consent. A student’s signed essay about her hometown is considered an education record under FERPA, as it is directly related to the student and maintained by the school12 A K-12 assessment vendor is not a school official with a legitimate educational interest, nor does it fall under any of the exceptions that allow disclosure without consent12 Therefore, the school must obtain the student’s (or the parent’s, if the student is a minor) written consent before providing the essay to the vendor for public release.

Option B does not violate FERPA because it involves the disclosure of directory information, which is not considered PII under FERPA. Directory information is information that would not generally be considered harmful or an invasion of privacy if disclosed, such as name, address, phone number, e-mail address, major, etc12 Schools may disclose directory information without consent, unless the parent or eligible student has opted out of such disclosure12 However, schools must notify parents and eligible students of the types of directory information they designate and their right to opt out annually12

Option C does not violate FERPA because it involves the disclosure of information that is not part of the education records. FERPA only applies to education records that are directly related to a student and maintained by theschool or a party acting for the school12 A newspaper’s publication of the names, grade levels, and hometowns of students who made the quarterly honor roll is not based on the education records, but on the newspaper’s own sources and reporting. Therefore, FERPA does not prohibit such disclosure.

Option D does not violate FERPA because it involves the disclosure of information under an exception that allows disclosure without consent. FERPA permits schools to disclose education records, or PII from education records, without consent to comply with a judicial order or lawfully issued subpoena, or to appropriate officials in connection with a health or safety emergency123 If the university police provide an arrest report to the student’s hometown police in response to a subpoena or to prevent a serious threat to the student or others, they are not violating FERPA.

References: 1: Family Educational Rights and Privacy Act - Wikipedia 2: Family Educational Rights and Privacy Act (FERPA) | CDC 3: What is FERPA? | Protecting Student Privacy - ed

 Employers have a duty to protect the personal information of their current and former employees, as well as applicants, from unauthorized access, use, or disclosure. This duty may arise from federal or state laws, such as the Fair Credit Reporting Act (FCRA), the Health Insurance Portability and Accountability Act (HIPAA), or the California Consumer Privacy Act (CCPA), or from contractual obligations, such as non-disclosure agreements or privacy policies. Employers may retain sensitive employment records, such as performance evaluations, disciplinary actions, medical records, or background checks, for a legitimate business purpose, such as complying with legal requirements, defending against lawsuits, or conducting audits. However, employers must ensure that these records are stored securely, accessed only by authorized personnel, and disposed of properly when no longer needed. References: IAPP CIPP/US Study Guide, Chapter 4, Section 4.1.1, IAPP CIPP/US Body of Knowledge, Domain IV, Objective B

The Colorado Privacy Act (CPA) grants consumers the right to access, correct, or delete their personal data, including sensitive data, that is processed by a controller1. Sensitive data is defined as personal data that reveals racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life or sexual orientation, citizenship or citizenship status, genetic or biometric data, or personal data from a known child2. The CPA also grants consumers the right to opt out of the processing of their personal data for purposes of targeted advertising, the sale of personal data, or certain kinds of profiling3. However, the CPA does not grant consumers the right to limit the use of sensitive data for other purposes, such as providing a product or service requested by the consumer, complying with legal obligations, or protecting the vital interests of the consumer or another person. Therefore, option D is the correct answer, as it is not a privacy right available under the CPA. References: 1: Colorado Privacy Act (CPA) - Colorado Attorney General 2: Protect Personal Data Privacy | Colorado General Assembly 3: SENATE BILL 21-190 Woodward, Garcia; PRIVACY. COLORADO PRIVACY ACT … : Colorado Privacy Act: What You Need to Know | OneTrust DataGuidance

 E-discovery is the process by which parties share, review, and collect electronically stored information (ESI) to use as evidence in a legal matter1. The rules for e-discovery mainly prevent a conflict between business practice and technological safeguards, because they establish the standards and procedures for preserving, collecting, reviewing, and producing ESI in a way that balances the needs of litigation with the realities of technology2. For example, the Federal Rules of Civil Procedure (FRCP) provide guidance on the scope, timing, format, and methods of e-discovery, as well as the sanctions for failing to comply withe-discovery obligations3. The rules also encourage cooperation and communication among parties and courts to resolve e-discovery issues efficiently and effectively4. By following the rules for e-discovery, parties can avoid disputes, delays, and costs that may arise from incompatible or inconsistent business and technological practices.

The other options are not the main purpose of the rules for e-discovery, although they may be related or affected by them. The rules for e-discovery do not directly prevent the loss of information due to poor data retention practices, although they do impose a duty to preserve relevant ESI when litigation is reasonably anticipated5. The rules for e-discovery do not directly prevent the practice of employees using personal devices for work, although they do require parties to identify and disclose the sources of ESI that may be subject to discovery, including personal devices6. The rules for e-discovery do not directly prevent a breach of an organization’s data retention program, although they do require parties to produce ESI in a reasonably usable form and to protect privileged or confidential information7.

References: 1: Everything You Need to Know About E-Discovery, The National Law Review. 2: E-Discovery: The Basics of E-Discovery Guide - Exterro, Exterro.com. 3: Federal Court and Government Agency E-Discovery Rules and Guidelines, Crowell & Moring LLP. 4: FRCP Rule 1, Cornell Law School. 5: FRCP Rule 37, Cornell Law School. 6: FRCP Rule 26, Cornell Law School. 7: FRCP Rule 34, Cornell Law School.

 The law that ACME violated by designing the service to prevent access to the information by a law enforcement agency is the Communications Assistance for Law Enforcement Act (CALEA)1. CALEA is a federal law that requires telecommunications carriers and manufacturers of telecommunications equipment to design their equipment, facilities, and services to ensure that they have the necessarysurveillance capabilities to comply with legal requests for interception of communications2. CALEA applies to all commercial messages, including text messages, and gives law enforcement agencies the authority to subpoena the records of such communications from the service providers3. By encrypting its text message records so that only the suspect could access this data, ACME violated CALEA’s duty to cooperate in the interception of communications for law enforcement purposes. References: 1: Communications Assistance for Law Enforcement Act - Wikipedia2: Home | CALEA® | The Commission on Accreditation for Law Enforcement Agencies, Inc.3: Communications Assistance for Law Enforcement Act : IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 6: Law Enforcement and National Security Access, p. 177

The U.S. Department of Commerce (DOC) is a federal agency that promotes economic growth, trade, and innovation, but does not have regulatory authority related to privacy. The DOC administers several voluntary privacy frameworks, such as the Privacy Shield, the APEC Cross-Border Privacy Rules, and the NIST Privacy Framework, but these are not legally binding or enforceable by the DOC12. The DOC also participates in international privacy negotiations and dialogues, but does not have the power to issue rules or regulations on privacy matters3.

The other three options are examples of federal agencies that do have regulatory authority related to privacy. The Consumer Financial Protection Bureau (CFPB) is an independent agency that enforces consumer protection laws, such as the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, and the Dodd-Frank Act, which contain privacy and data security provisions4. The U.S. Department of Transportation (DOT) is a federal agency that regulates transportation safety, security, and infrastructure, and has issued privacy rules for airlines, motor carriers, and railroads. The FederalReserve (FRB) is an independent agency that oversees the nation’s monetary policy, banking system, and financial stability, and has issued privacy rules for financial institutions under its jurisdiction. References: 1: Privacy Shield Program Overview | International Trade Administration 2: NIST Privacy Framework | NIST 3: Privacy and Data Security | U.S. Department of Commerce 4: Consumer Financial Protection Bureau - Wikipedia : [Privacy | US Department of Transportation] : [Privacy - Federal Reserve Board]

Phishing is a form of social engineering that involves sending fraudulent emails or other messages that appear to come from a legitimate source, but are designed to trick recipients into revealing sensitive information, such aspasswords, account numbers, or personal identifiers1. Phishing is one of the most common and effective methods of cyberattacks, and it can lead to data breaches, identity theft, ransomware infections, or other serious consequences2. Therefore, training on how to recognize and avoid phishing attempts is crucial for any organization that handles sensitive data, especially ePHI, which is subject to strict regulations under HIPAA3. Training on techniques for identifying phishing attempts can help employees to spot the signs of a phishing email, such as:

• Sender’s address or domain name that does not match the expected source or contains spelling errors4
• Generic salutations or impersonal tone that do not address the recipient by name or use proper grammar4
• Urgent or threatening language that creates a sense of pressure or fear and asks the recipient to take immediate action, such as clicking on a link, opening an attachment, or providing information4
• Suspicious links or attachments that may contain malware or lead to fake websites that mimic the appearance of a legitimate site, but have a different URL or request login credentials or other data4
• Requests for sensitive information that are unusual or out of context, such as asking for passwords, account numbers, or personal identifiers that the sender should already have or should not need4

Training on techniques for identifying phishing attempts can also help employees to learn how to respond to a phishing email, such as:

• Not clicking on any links or opening any attachments in the email4
• Not replying to the email or providing any information to the sender4
• Reporting the email to the IT department or security team and deleting it from the inbox4
• Verifying the legitimacy of the email by contacting the sender directly using a different channel, such as phone or another email address4
• Updating the antivirus software and scanning the device for any malware infection4

Training on techniques for identifying phishing attempts is the most effective kind of training that CloudHealth could have given its employees to help prevent this type of data breach, because it would have enabled them to recognize the phishing email that compromised the PHI of more than 10,000 HealthCo patients, and to avoid falling victim to it. Training on the terms of the contractual agreement with HealthCo, the difference between confidential and non-public information, or CloudHealth’s HR policy regarding the role of employees involved in data breaches, while important, would not have been as effective in preventing this specific type of data breach, because they would not have addressed the root cause of the breach, which was the phishing email.

References:

• 1: IAPP, Phishing, https://iapp.org/resources/glossary/phishing/
• 2: SpinOne, The Top 5 Phishing Awareness Training Providers 2023, https://spinbackup.com/blog/phishing-awareness-training-best-providers/
• 3: IAPP, HIPAA, https://iapp.org/resources/glossary/hipaa/
• 4: Expert Insights, The Top 11 Phishing Awareness Training and Simulation Solutions, https://expertinsights.com/insights/the-top-11-phishing-awareness-training-and-simulation-solutions/

The correct answer is C because the California Consumer Privacy Act (CCPA) is a state privacy law that grants California residents the right to request the deletion of their personal information that a business has collected from them. The CCPA applies to any business that collects personal information from California residents, regardless of where the business is located, as long as the business meets certain thresholds of revenue, data volume, or data sharing. Therefore, the social media platform that Sarah uses is subject to the CCPA and must honor Sarah’s deletion request, unless an exception applies. The CCPA also requires businesses to provide notice and choice to consumersabout their data collection and use practices, and to respond to consumer requests within 45 days.

The other answers are incorrect because:

• A is incorrect because the General Data Protection Regulation (GDPR) is a European Union privacy law that applies to the processing of personal data of individuals who are in the EU, regardless of where the data controller or processor is located. However, the GDPR does not apply to the processing of personal data of individuals who are outside the EU, unless the processing relates to the offering of goods or services to such individuals or the monitoring of their behavior within the EU. Therefore, the GDPR does not apply to Sarah’s personal data, since she is not in the EU and the social media platform is not targeting or tracking her in the EU.
• B is incorrect because Section 5 of the FTC Act is a federal law that prohibits unfair or deceptive acts or practices in or affecting commerce. The FTC has used its Section 5 authority to enforce privacy and data security standards against businesses that violate their own privacy policies, misrepresent their data practices, or fail to protect consumer data from unauthorized access or disclosure. However, the FTC has not held that refusing to delete an individual’s personal information upon request constitutes an unfair practice per se, unless the refusal is inconsistent with the business’s privacy policy or representations, or causes substantial injury to consumers that is not reasonably avoidable or outweighed by countervailing benefits.
• D is incorrect because the New York SHIELD Act is a state law that imposes data breach notification and data security requirements on any person or business that owns or licenses computerized data that includes the private information of a New York resident. The SHIELD Act does not grant New York residents the right to request the deletion of their personal information, nor does it apply to businesses that do not collect or hold the private information of New York residents. Therefore, the SHIELD Act does not apply to Sarah’s personal data, since she is not a New York resident and the social media platform may not have her private information as defined by the SHIELD Act. References:
• U.S. Private-Sector Privacy, Third Edition by Peter P. Swire, DeBrae Kennedy-Mayo, Chapter 7, Section 7.2.1, pp. 183-186.
• IAPP CIPP/US Certified Information Privacy Professional Study Guide by Mike Chapple and Joe Shelley, Chapter 7, Section 7.2, pp. 217-219.

 The most important step for the HR department to take when implementing this new software is to provide notice to employees that their emails will be scanned by the software and creating automated profiles. This is because the software involves the collection and use of personal information from employees, which may implicate their privacy rights and expectations. By providing notice, the HR department can inform employees about the purpose, scope, and consequences of the software, as well as their choices and rights regarding their data. Notice is also a key element of transparency and accountability, which are essential principles of privacy management. Providing notice can also help the HR department comply with various privacy laws and regulations that may apply to the software, such as the Electronic Communications Privacy Act (ECPA), the Stored Communications Act (SCA), the Fair Credit Reporting Act (FCRA), and state privacy laws. Notice can also help the HR department avoid potential legal risks and liabilities that may arise from the software, such as claims of invasion of privacy, breach of contract, or violation of employee rights. References:

• U.S. Private-Sector Privacy, Third Edition by Peter P. Swire, DeBrae Kennedy-Mayo, Chapter 4, Section 4.2.1, pp. 97-98.
• U.S. Private-Sector Privacy, Third Edition by Peter P. Swire, DeBrae Kennedy-Mayo, Chapter 5, Section 5.2.1, pp. 125-126.
• U.S. Private-Sector Privacy, Third Edition by Peter P. Swire, DeBrae Kennedy-Mayo, Chapter 6, Section 6.2.1, pp. 153-154.
• IAPP CIPP/US Certified Information Privacy Professional Study Guide by Mike Chapple and Joe Shelley, Chapter 4, Section 4.1, pp. 113-114.

Illinois became the first state to pass a law specifically regulating the collection of biometric data in 2008, when it enacted the Biometric Information Privacy Act (BIPA). BIPA defines biometric identifiers as retina or iris scans, fingerprints, voiceprints, or scans of hand or face geometry, and biometric information as any information based on biometric identifiers used to identify an individual. BIPA requires entities that collect, store, or use biometric identifiers or information to obtain informed consent from individuals, provide written policies on data retention and destruction, limit disclosure and sale of biometric data, and protect biometric data using reasonable security measures. BIPA also provides a private right of action for individuals whose biometric data is collected, stored, or used in violation of the law, and allows them to recover statutory damages of $1,000 or actual damages, whichever is greater, for each negligent violation, and $5,000 or actual damages, whichever is greater, for each intentional or reckless violation, as well as attorneys’ fees and costs, and injunctive relief. References: U.S. Biometrics Laws Part I: An Overview of 2020, Is Biometric Information Protected by Privacy Laws?, Biometric Data Privacy Laws

The CCPA grants California residents the right to request that a business delete, disclose, or stop selling their personal information, but it does not grant them the right to request that a business correct their personal information. However, the CPRA, which will amend and expand the CCPA in 2023, will grant California residents the right to request that a business correct inaccurate personal information. References: CCPA, CPRA, IAPP CIPP/US Study Guide (p. 62)

According to the CAN-SPAM Act of 2003, a federal law that regulates commercial email messages, a commercial message sender must honor a recipient’s opt-out request within 10 business days. The sender must provide a clear and conspicuous way for the recipient to opt out of receiving future emails, such as a link or an email address. The sender must not charge a fee, require the recipient to provide any personal information, or make the recipient take any steps other than sending a reply email or visiting a single web page to opt out. The sender must also not sell, exchange, or transfer the email address of the recipient who has opted out, unless it is necessary to comply with the law or prevent fraud.

References:

• IAPP CIPP/US Body of Knowledge, Domain II: Limits on Private-sector Collection and Use of Data, Section B: Communications and Marketing
• IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 2: Limits on Private-sector Collection and Use of Data, Section 2.2: Communications and Marketing
• Practice Exam - International Association of Privacy Professionals

Redaction is the permanent removal of sensitive data—the digital equivalent of “blacking out” text in printed material. Redaction can be accomplished by simply deleting characters from a file or database record, or by replacing characters with asterisks or other placeholders. Redaction is often used to protect personal information, such as names, addresses, social security numbers, or financial data, on documents that are disclosed in litigation, such as pleadings, exhibits, or discovery responses. Redaction is required by courts to comply with privacy laws and rules, such as the Federal Rules of Civil Procedure (FRCP), which mandate that parties must redact certain types of personal information from documents filed with the court or produced to the other party. Redaction is also a best practice to minimize the risk of unauthorized access, identity theft, or reputational harm that may result from exposing personal information in litigation. References:

• When to redact, or not, disclosable documents in litigation - Stewarts
• The approach to redaction – High Court guidance - Lexology
• IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 3: Federal Privacy Laws and Regulations, Section 3.2: Federal Rules of Civil Procedure (FRCP).

HIPAA requires covered entities, such as hospitals, to enter into contracts with their business associates, such as billing companies, that access, use, or disclose protected health information (PHI). These contracts, known as business associate agreements (BAAs), must specify the permitted and required uses and disclosures of PHI by the business associate, as well as the safeguards, reporting, and termination procedures that the business associate must follow to protect the privacy and security of PHI. By having these contracts in place, the hospital can ensure that the billing company is complying with HIPAA and observing the minimum security standards required by law. References:

• HIPAA Rules for Medical Billing - Compliancy Group
• HIPAA Compliance for Billing Companies: Easy Guide - iFax

A company that develops a privacy policy with standards that are much higher than its competitors may face the risk of being more closely scrutinized for any breaches of policy by regulators, customers, media, or other stakeholders. This is because the company sets a higher expectation for its privacy practices and may be held to a higher standard of accountability and transparency. If the company fails to comply with its own policy or experiences a data breach, it may face more severe consequences, such as reputational damage, loss of trust, legal liability, or regulatory sanctions. References:

• IAPP CIPP/US Body of Knowledge, Section I, B, 2
• [IAPP CIPP/US Study Guide, Chapter 1, Section 1.4]

The Red Flag Program Clarification Act of 2010 amended the original Red Flags rule, which required certain financial institutions and creditors to develop and implement a written identity theft prevention program. The Clarification Act narrowed the definition of creditor to include only those who regularly and in the ordinary course of business advance funds to or on behalf of aperson, based on an obligation of the person to repay the funds or repayable from specific property pledged by or on behalf of the person12. This excludes creditors who advance funds for expenses incidental to a service provided by the creditor to that person3. References:

• CIPP/US Practice Questions (Sample Questions), Question 133, Answer B, Explanation B.
• IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 4, Section 4.3, p. 108-109.
• Red Flag Program Clarification Act of 2010, Section 2, Subsection (b).

The APEC principles are part of the APEC Privacy Framework, which is an inter-governmental agreement among the 21 member economies of the Asia-Pacific Economic Cooperation (APEC) to promote information privacy protection and the free flow of information in the region. The APEC Privacy Framework consists of four parts: a preamble, a scope, a set of nine information privacy principles, and an implementation section. The APEC information privacy principles are:

• Preventing harm: Personal information controllers should take reasonable steps to protect personal information from loss, misuse, unauthorized access, disclosure, alteration, and destruction, and to address the risks and challenges posed by specific technologies and business practices.
• Notice: Personal information controllers should provide clear and easily accessible statements about their personal information handling practices, including the types of personal information they collect, the purposes for which they collect it, the types of third parties to which they disclose it, the choices and means they offer individuals for limiting the use and disclosure of their personal information, and how they can contact the personal information controller with inquiries or complaints.
• Collection limitation: Personal information controllers should limit the collection of personal information to what is relevant for the purposes of collection and should collect personal information by lawful and fair means and, where appropriate, with notice to, or consent of, the individual concerned.
• Use limitation: Personal information controllers should use personal information only for the purposes for which it was collected or for purposes that a reasonable person would consider appropriate in the circumstances, and should retain personal information only as long as necessary to fulfill the stated purposes or as required by law or regulation.
• Choice: Personal information controllers should offer individuals choices and means to limit the use and disclosure of their personal information, where appropriate, and should respect the choices made by individuals.
• Integrity of personal information: Personal information controllers should take reasonable steps to ensure that personal information is accurate, complete, and up-to-date for the purposes for which it is used.
• Security safeguards: Personal information controllers should protect personal information with reasonable security safeguards against risks such as loss, unauthorized access, destruction, misuse, modification, and disclosure.
• Access and correction: Personal information controllers should give individuals the ability to access and, where appropriate, correct their personal information that is under their control, subject to reasonable limitations, such as where the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy, or where the legitimate rights of persons other than the individual would be violated.
• Accountability: Personal information controllers should be accountable for complying with the privacy principles and should have in place mechanisms to ensure their implementation and compliance.

The APEC Privacy Framework is not a binding legal instrument, but rather a voluntary and flexible arrangement that allows each member economy to implement the principles according to its own domestic laws and regulations, applicable international frameworks, and cultural and social values. The APEC Privacy Framework also provides for cross-border cooperation and information sharing among member economies, as well as the development of mechanisms to facilitate the cross-border transfer of personal information,such as the APEC Cross-Border Privacy Rules (CBPR) System and the APEC Privacy Recognition for Processors (PRP) System. These mechanisms are based on a common set of rules and standards derived from the APEC Privacy Framework, and are intended to enhance the protection of personal information that flows across borders and to increase the interoperability among different privacy regimes in the region and beyond. References:

• APEC Privacy Framework (2015)
• APEC Cross-Border Privacy Rules (CBPR) System
• APEC Privacy Recognition for Processors (PRP) System
• APEC Privacy Framework: A New Model for Transborder Data Flows

 The HIPAA privacy rule establishes national standards to protect individuals’ medical records and other individually identifiable health information (collectively defined as “protected health information”) and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically (collectively defined as “covered entities”)1 The rule requires appropriate safeguards to protect the privacy of protected health information and sets limits and conditions on the uses and disclosures that may be made of such information without an individual’s authorization1 The rule also gives individuals rights over their protected health information, including rights to examine and obtain a copy of their health records, to direct a covered entity to transmit to a third party an electronic copy of their protected health information in an electronic health record, and to request corrections1

The HIPAA privacy rule permits a covered entity to disclose protected health information for the litigation in response to a court order, subpoena, discovery request, or other lawful process, provided the applicable requirements of 45 CFR 164.512 (e) for disclosures for judicial and administrative proceedings are met2 These requirements include:

• In response to a court order or administrative tribunal order, the covered entity may disclose only the protected health information expressly authorized by such order2
• In response to a subpoena, discovery request, or other lawful process that is not accompanied by a court order or administrative tribunal order, the covered entity must receive satisfactory assurances that the party seeking the information has made reasonable efforts to ensure that the individual who is the subject of the information has been given notice of the request, or that the party seeking the information has made reasonable efforts to secure a qualified protective order2
• A qualified protective order is an order of a court or administrative tribunal or a stipulation by the parties to the litigation or administrative proceeding that prohibits the parties from using or disclosing the protected health information for any purpose other than the litigation or proceeding for which such information was requested andrequires the return to the covered entity or destruction of the protected health information (including all copies made) at the end of the litigation or proceeding2

Option A is incorrect because the HIPAA privacy rule does not only permit disclosure for payment, treatment or healthcare operations. The rule also allows disclosure for other purposes, such as public health, research, law enforcement, judicial and administrative proceedings, as long as the applicable conditions and limitations are met1

Option B is correct because it is consistent with the HIPAA privacy rule’s requirement for disclosures for judicial and administrative proceedings. By responding with a request for satisfactory assurances such as a qualified protective order, HealthCo is ensuring that the protected health information will be used only for the litigation and will be returned or destroyed afterwards2

Option C is incorrect because it is not consistent with the HIPAA privacy rule’s requirement for disclosures for judicial and administrative proceedings. By turning over all of the compromised patient records to the plaintiff’s attorney, HealthCo is disclosing more information than necessary and may violate the privacy rights of other individuals who are not parties to the lawsuit2

Option D is incorrect because it is not consistent with the HIPAA privacy rule’s requirement for disclosures for judicial and administrative proceedings. By responding with a redacted document only relative to the plaintiff, HealthCo is not providing satisfactory assurances that the protected health information will be used only for the litigation and will be returned or destroyed afterwards2

References: 1: Summary of the HIPAA Privacy Rule | HHS.gov 2: May a covered entity use or disclose protected health information for litigation? | HHS.gov

The Electronic Communications Privacy Act of 1986 (ECPA) is a federal law that regulates the privacy of wire, oral, and electronic communications. The ECPA prohibits the intentional interception, use, or disclosure of such communications, unless authorized by law or by the consent of one of the parties to the communication12. The ECPA also provides exceptions for certain types of communications, such as those made in the normal course of business, those made for law enforcement purposes, or those made for foreign intelligence purposes12.

One of the exceptions to the ECPA ban on interception is where one of the parties has given consent. This means that if a person who is a party to a communication agrees to have it intercepted, the interception is lawful under the ECPA. Consent can be express or implied, depending on the circumstances and the expectations of the parties3. For example, if a person calls a customer service line and hears a recorded message that the call may be monitored or recorded, the person has impliedly consented to the interception of the call. However, if a person calls a friend and does not know that the friend has a third party listening in on the call, the person has not consented to the interception of the call.

References: 1: Electronic Communications Privacy Act of 1986, 18 U.S.C. §§ 2510-2523 2: [IAPP CIPP/US Study Guide], Chapter 8, Section 8.2.1. 3: [Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations], pp. 77-78.

The Department of Commerce (DOC) plays a role in privacy policy by promoting the development and adoption of voluntary codes of conduct, standards, and best practices for the private sector, as well as facilitating cross-border data transfers through mechanisms such as the EU-U.S. Privacy Shield and the APEC Cross-Border Privacy Rules. However, the DOC does not have regulatory authority to enforce privacy laws or impose sanctions for privacy violations. The other agencies listed have some degree of regulatory authority over privacy issues within their respective domains. For example, the Office of the Comptroller of the Currency (OCC) supervises national banks and federal savings associations and enforces the GLBA privacy and security rules for these institutions. The Federal Communications Commission (FCC) regulates interstate and international communications and enforces the privacy and security rules for telecommunications carriers, broadband providers, and voice over internet protocol (VoIP) services. The Department of Transportation (DOT) oversees the transportation sector and enforces the privacy and security rules for airlines, travel agents, and other covered entities under the Aviation and Transportation Security Act (ATSA). References:

• IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 1: Introduction to the U.S. Privacy Environment, Section 1.3: Federal Agencies with a Role in Privacy, p. 18-19
• IAPP CIPP/US Body of Knowledge, Domain I: Introduction to the U.S. Privacy Environment, Objective I.B: Identify the major federal agencies with a role in privacy, Subobjective I.B.4: Identify the role of the Department of Commerce, p. 7
• IAPP CIPP/US Exam Blueprint, Domain I: Introduction to the U.S. Privacy Environment, Objective I.B: Identify the major federal agencies with a role in privacy, Subobjective I.B.4: Identify the role of the Department of Commerce, p. 3

The HIPAA Security Rule requires covered entities and their business associates to implement three types of safeguards to protect the confidentiality, integrity, and availability of electronic protected health information (ePHI): administrative, physical, and technical1. Security safeguards is not a separate category of safeguards, but rather a general term that encompasses all three types. Therefore, it is not a correct answer to the question.

• Administrative safeguards are the policies and procedures that govern the conduct of the workforce and the security measures put in place to protect ePHI. They include risk analysis and management, training, contingency planning, incident response, and evaluation12.
• Physical safeguards are the locks, doors, cameras, and other physical measures that prevent unauthorized access to ePHI. They include workstation and device security, locks and keys, and disposal of media12.
• Technical safeguards are the software and hardware tools that protect ePHI from unauthorized access, alteration, or destruction. They include access control, encryption, audit controls, integrity controls, and transmission security12.

In the scenario, HealthCo’s actions have potentially violated all three types of safeguards. For example:

• HealthCo did not perform due diligence on CloudHealth before entering the contract, and has not conducted audits of CloudHealth’s security measures. This could be a breach of the administrative safeguard of risk analysis and management12.
• HealthCo discovers that CloudHealth has not encrypted the PHI in accordance with the terms of its contract. This could be a breach of the technical safeguard of encryption12.
• HealthCo provides its investigative report of the breach and a copy of the PHI of the individuals affected to law enforcement. This could be a breach of the physical safeguard of disposal of media, if HealthCo did not ensure that the media was properly erased or destroyed after the transfer12.

References: 1: Summary of the HIPAA Security Rule, HHS.gov. 2: What is the HIPAA Security Rule? Safeguards … - Secureframe, Secureframe.com.

The Fair Credit Reporting Act (FCRA) is considered part of U.S. federal privacy law because it regulates the collection, use, and disclosure of personal information by consumer reporting agencies, such as credit bureaus, background check companies, and tenant screening services. The FCRA aims to protect the privacy, accuracy, and fairness of consumer credit information, and to ensure that consumers have access to and control over their own credit reports. The FCRA also imposes obligations on users and furnishers of consumer reports, such as creditors, employers, insurers, and landlords, to obtain consent, provide notice, and correct errors when using consumer reports for various purposes. The FCRA is enforced by the Federal Trade Commission (FTC) and other federal agencies, as well as by private lawsuits and state attorneys general. The FCRA was enacted in 1970 and has been amended several times, most notably by the Fair and Accurate Credit Transactions Act of 2003 (FACTA), which added provisions on identity theft prevention, fraud alerts, free credit reports, and disposal of consumer information. References:

• Fair Credit Reporting Act - Wikipedia
• Fair Credit Reporting Act | Federal Trade Commission
• Fair Credit Reporting Act (FCRA) - Consumer Information
• Fair Credit Reporting Act (FCRA) | Privacy Rights Clearinghouse

 The CCPA applies to any business that collects personal information of California residents, regardless of where the business is located1. The CCPA defines personal information broadly as any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household2. This could include business contact information, such as name, email address, phone number, or job title, if it is linked to a specific individual3. Therefore, Otto should tell the Board that business contact information could be considered personal information governed by CCPA, and that the company may need to comply with the CCPA requirements, such as providing notice, honoring consumer rights requests, and implementing reasonable security measures4. References:

• CIPP/US Practice Questions (Sample Questions), Question 124, Answer C, Explanation C.
• IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 6, Section 6.2, p. 181-182.
• California Consumer Privacy Act (CCPA), Section 1798.140, Subsection (o).
• CCPA Compliance Checklist for Businesses, Section 2, Subsection (a).

Contact tracing apps are designed to help public health authorities track and contain the spread of COVID-19 or any other diagnosed virus by notifying users who have been in close contact with an infected person. However, these apps also raise privacy concerns, as they collect and process sensitive personal data, such as health status and location information. Therefore, contact tracing apps should follow the principles of privacy by design and default, which means that they should incorporate privacy measures into their development and operation, and offer the highest level of privacy protection to users.

Some of the privacy measures that should be considered when designing contact tracing apps are:

• Data retention: Contact tracing apps should only retain the personal data they collect for as long as necessary to achieve their public health purpose, and delete or anonymize the data afterwards. Data retention periods should be clearly communicated to users and based on scientific evidence and legal requirements.
• Use limitations: Contact tracing apps should only use the personal data they collect for the specific and legitimate purpose of contact tracing, and not for any other purposes, such as commercial, law enforcement, or surveillance. Use limitations should be enforced by technical and organizational measures, such as encryption, access controls, and audits.
• User confidentiality: Contact tracing apps should protect the confidentiality of users’ personal data and identity, and not disclose them to third parties without their consent or legal authorization. User confidentiality should be ensured by technical and organizational measures, such as pseudonymization, aggregation, and data minimization.

Opt-out choice, on the other hand, is not a privacy measure that should be considered when designing contact tracing apps, as it would undermine their effectiveness and public health objective. Contact tracing apps rely on voluntary participation and widespread adoption by users to function properly and achieve their purpose. Therefore, offering users the option to opt out of the app or certain features, such as data sharing or notifications, would reduce the app’s coverage and accuracy, and potentially expose users and others to greater health risks. Instead of opt-out choice, contact tracing apps should provide users with clear and transparent information about how the app works, what data it collects and how it uses it, what benefits and risks it entails, and what rights and controls users have over their data. This way, users can make an informed and voluntary decision to use the app or not, based on their own preferences and values.

References:

• [IAPP CIPP/US Study Guide], Chapter 2: Privacy by Design and Default, pp. 35-36.
• [IAPP CIPP/US Body of Knowledge], Section II: Limits on Private-sector Collection and Use of Data, Subsection B: Privacy by Design, pp. 9-10.
• [IAPP Glossary], Terms: Contact Tracing, Privacy by Design, Privacy by Default.

 The Privacy Act allows agencies to exempt certain records from some of its provisions, including the right to disclosure, if the records fall within one of the categories specified in subsections (j) or (k) of the Act. One of these categories is records maintained by an agency or component thereof which performs as its principal function any activity pertaining to the enforcement of criminal laws, including police efforts to prevent, control, or reduce crime or to apprehend criminals, and the activities of prosecutors, courts, correctional, probation, pardon, or parole authorities, and which consists of (A) informationcompiled for the purpose of identifying individual criminal offenders and alleged offenders and consisting only of identifying data and notations of arrests, the nature and disposition of criminal charges, sentencing, confinement, release, and parole and probation status; (B) information compiled for the purpose of a criminal investigation, including reports of informants and investigators, and associated with an identifiable individual; or © reports identifiable to an individual compiled at any stage of the process of enforcement of the criminal laws from arrest or indictment through release from supervision. 5 U.S.C. § 552a (j) (2). Therefore, material reporting investigative efforts pertaining to the enforcement of criminal law falls within this category and can be exempted from the right to disclosure under the Privacy Act. References:

• Overview of the Privacy Act: 2020 Edition, Ten Exemptions, subsection (j) (2).
• Privacy Act Exemptions, subsection (j) (2).
• IAPP CIPP/US Study Guide, page 66.

 The European approach to privacy is based on the recognition of privacy as a fundamental human right that requires strong legal protection and oversight. The EU has adopted comprehensive and binding privacy laws, such as the General Data Protection Regulation (GDPR) and the ePrivacy Directive, that apply to all sectors and activities involving personal data. The EU also has independent data protection authorities (DPAs) that monitor and enforce compliance with the privacy laws, and a European Data Protection Board (EDPB)that issues guidance and opinions on privacy matters. The EU also requires adequate levels of privacy protection for personal data transferred to third countries or international organizations.

In contrast, the U.S. approach to privacy is based on a sectoral and self-regulatory model that relies on a combination of federal and state laws, industry codes of conduct, consumer education, and market forces. The U.S. does not have a single, comprehensive, and enforceable federal privacy law that covers all sectors and activities involving personal data. Instead, the U.S. has a patchwork of federal and state laws that address specific issues or sectors, such as health, financial, children’s, and electronic communications privacy. The U.S. also has various federal and state agencies that share jurisdiction over privacy matters, such as the Federal Trade Commission (FTC), the Federal Communications Commission (FCC), and the Department of Health and Human Services (HHS). The U.S. also relies on self-regulation by industries that develop and adhere to voluntary codes of conduct, standards, and best practices for privacy. The U.S. also allows personal data to be transferred to third countries or international organizations without requiring adequate levels of privacy protection, as long as the data subjects have given their consent or the transfer is covered by a mechanism such as the Privacy Shield or the Standard Contractual Clauses.

Some supporters of the European approach to privacy are skeptical about self-regulation of privacy practices because they believe that self-regulation is not effective, consistent, or accountable enough to protect the rights and interests of data subjects. They argue that self-regulation may not provide sufficient incentives or sanctions for industries to comply with privacy rules, or to adopt privacy-enhancing technologies and practices. They also contend that self-regulation may not reflect the views and expectations of data subjects, or address the emerging and complex privacy challenges posed by new technologies and business models. They also question the transparency and legitimacy of self-regulation, and the ability of data subjects to exercise their rights and seek redress for privacy violations. References:

• IAPP CIPP/US Study Guide, Chapter 1: Introduction to the U.S. Privacy Environment, pp. 9-10, 16-17
• IAPP website, CIPP/US Certification
• NICCS website, Certified Information Privacy Professional/United States (CIPP/US) Training

• The Telemarketing Sales Rule (TSR) is a federal regulation that implements the Telemarketing and Consumer Fraud and Abuse Prevention Act of 1994. The TSR aims to protect consumers from deceptive or abusive telemarketing practices, such as unwanted calls, false or misleading claims, unauthorized billing, and privacy violations1.
• The TSR requires telemarketers and sellers to comply with the National Do Not Call Registry, which is a list of phone numbers of consumers who have indicated that they do not want to receive telemarketing calls2.
• The TSR also requires telemarketers and sellers to honor the do-not-call requests of individual consumers, regardless of whether their numbers are on the National Do Not Call Registry or not2.
• A do-not-call request is a statement made by a consumer, either orally or in writing, that they do not wish to receive any more calls from a specific telemarketer or seller2.
• The TSR requires an entity to share a do-not-call request across its organization when the operational structures of its divisions are not transparent to consumers3. This means that the entity must treat the do-not-call request as if it applies to all of its affiliates and subsidiaries that engage in telemarketing, unless the consumer would reasonably expect them to be separate and distinct entities based on their names, products, or services3.
• The TSR does not require an entity to share a do-not-call request across its organization in the following situations:

References: 1: Telemarketing Sales Rule 2: Q&A for Telemarketers & Sellers About DNC Provisions in TSR 3: Federal Register :: Telemarketing Sales Rule

The Fair Credit Reporting Act (FCRA) was originally intended to provide consumers with the ability to correct inaccurate credit information that could affect their access to credit, employment, insurance, and other benefits. The FCRA gives consumers the right to access their credit reports from the three major credit reporting agencies (Equifax, Experian, and TransUnion) for free once every 12 months, and to dispute any errors or inaccuracies with the credit reporting agencies or the information furnishers (such as lenders, creditors, or debt collectors). The FCRA also requires the credit reporting agencies and the information furnishers to investigate and resolve the disputes within 30 days, and to delete or correct any information that is found to be inaccurate, incomplete, or outdated. The FCRA also provides consumers with the right to place fraud alerts or security freezes on their credit reports if they are victims or potential victims of identity theft, and to receive notifications from users of their credit reports (such as employers or insurers) if any adverse action is taken based on their credit information. References:

• Fair Credit Reporting Act - Wikipedia
• What is the Fair Credit Reporting Act (FCRA)? | Money
• The Fair Credit Reporting Act of 1970 - The Balance
• How the Fair Credit Reporting Act (FCRA) Protects Consumer Rights

Federal anti-discrimination laws, such as Title VII of the Civil Rights Act of 1964, the Equal Pay Act of 1963, the Age Discrimination in Employment Act of 1967, and the Americans with Disabilities Act of 1990, prohibit employers from discriminating against employees or applicants based on certain protected characteristics, such as race, color, religion, sex, national origin, age, disability, and genetic information. These laws also limit the types of information that employers can collect, use, disclose, or retain about employees or applicants,in order to prevent discrimination or invasion of privacy. For example, employers cannot ask about an applicant’s medical history, disability status, genetic information, or religious beliefs, unless they are relevant to the job or a bona fide occupational qualification. Employers also cannot use such information to make adverse employment decisions, such as hiring, firing, promotion, or compensation, unless they are justified by a legitimate business necessity or a reasonable accommodation. Employers must also safeguard the confidentiality of such information and dispose of it properly when it is no longer needed. References:

• Federal Laws Prohibiting Job Discrimination Questions And Answers
• Laws Enforced by EEOC
• Employment and Anti-Discrimination Laws in the Workplace
• Protections Against Discrimination and Other Prohibited Practices
• 3. Who is protected from employment discrimination?

 An intrusion upon seclusion tort occurs when someone intentionally intrudes, physically or otherwise, upon the solitude or seclusion of another or his private affairs or concerns, if the intrusion would be highly offensive to a reasonable person12. The intrusion does not need to involve a physical trespass, but can also be an electronic or optical intrusion, such as using a webcam to record a person who has a reasonable expectation of privacy2. The intrusion must also cause mental anguish or suffering to the plaintiff2.

In this case, option A would best support an employee claim for an intrusion upon seclusion tort, because the webcam is enabled to record video any time the computer is turned on, regardless of whether the employee is working or not, or whether the employee is in a private or public place. This would be an intentional and highly offensive intrusion into the employee’s seclusion or private affairs, and would likely cause the employee distress or anxiety.

Option B would not support an intrusion upon seclusion tort, because the creation and saving of a biometric template based on keystroke dynamics is not an intrusion into the employee’s seclusion or private affairs, but rather a data collection and processing activity that may implicate other privacy laws or principles, such as notice, consent, and security3.

Option C would not support an intrusion upon seclusion tort, because the software sending a notification to a supervisor when the employee’s mouse is dormant for more than five minutes is not an intrusion into the employee’s seclusion or private affairs, but rather a performance monitoring activity that may be justified by the employer’s legitimate business interests4.

Option D would not support an intrusion upon seclusion tort, because the webcam recording video of an employee using a company laptop to perform personal business while at a coffee shop during work hours is not an intrusion into the employee’s seclusion or private affairs, but rather a misuse of company property and time that may be subject to the employer’s policies and disciplinary actions5. Moreover, the employee may not have a reasonable expectation of privacy in a public place like a coffee shop. References: 1: Intrusion on seclusion - Wikipedia 2: Elements of an Intrusion Claim | Digital Media Law Project 3: Biometrics - IAPP 4: Employee Monitoring - IAPP 5: Employee Privacy - IAPP : Privacy in Public Places - IAPP

HIPAA requires covered entities to provide a notice of privacy practices (NPP) to individuals who receive health care services from the covered entity. The NPP must describe how the covered entity may use and disclose protected health information (PHI), the individual’s rights with respect to their PHI, and the covered entity’s obligations to protect the privacy of PHI. The NPP must be provided to the individual no later than the date of the first service delivery, either in person or electronically. The covered entity must also make the NPP available on request and post it on its website if it has one. The covered entity must also make a good faith effort to obtain a written acknowledgment from the individual that they received the NPP. If the individual refuses to sign the acknowledgment, the covered entity must document the attempt and the reason for the refusal.

The other options are not sufficient to comply with HIPAA. Stating the privacy policy verbally (option A) does not provide the individual with a written or electronic copy of the NPP that they can keep for future reference. Posting the privacy notice in a prominent location (option B) does not ensure that the individual receives the NPP or has an opportunity to review it before receiving services. Directing patients to the correct area of the hospital website (option C) does not provide the individual with the NPP at the time of service delivery, unless the individual agrees to receive the NPP electronically and has access to the website at that time. References:

• Notice of Privacy Practices for Protected Health Information
• Model Notices of Privacy Practices
• Sample Notice: Availability of Notice of Privacy Practices
• Notice of Privacy Practices
• Notice of Privacy Practices (NPP) Distribution and Acknowledgement

 U.S. federal laws protect individuals from employment discrimination based on a number of protected characteristics, such as age, pregnancy, and genetic information. However, marital status is not one of them. There is no federal law that prohibits employment discrimination based on marital status, although some states and localities have enacted such laws. The other statements are incorrect because:

• A. Age is a protected characteristic under the Age Discrimination in Employment Act of 1967 (ADEA), which protects people who are 40 or older from discrimination because of age1.
• B. Pregnancy is a protected characteristic under the Pregnancy Discrimination Act, which amended Title VII of the Civil Rights Act of 1964 to make it illegal to discriminate against a woman because of pregnancy, childbirth, or a medical condition related to pregnancy or childbirth2.
• D. Genetic information is a protected characteristic under the Genetic Information Nondiscrimination Act of 2008 (GINA), which makes it illegal to discriminate against employees or applicants because of genetic information, such as family medical history, genetic tests, or participation in genetic research2. References: Prohibited Employment Policies/Practices, Employment discrimination law in the United States, Civil Rights Requirements- Federal Employment Discrimination Laws

The Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act is a law passed in 2003 that establishes the first national standards for the sending of commercial e-mail in the United States. The law requires the Federal Trade Commission (FTC) to enforce its provisions. The law applies to any commercial e-mail message, which is defined as any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service. The law does not apply to transactional or relationship messages, which are messages that facilitate an agreed-upon transaction or update a customer about an existing business relationship. The law also does not apply to non-commercial messages, such as political or charitable solicitations12

The CAN-SPAM Act is intended to help consumers by giving them more control over the commercial e-mails they receive. The law does not require companies to obtain prior consent (opt-in) from consumers before sending them commercial e-mails, but it does require companies to honor consumers’ requests to stop receiving such e-mails (opt-out). The law specifies that each commercial e-mail message must include a clear and conspicuous notice of the opportunity to decline to receive further messages from the sender, and a valid physical postal address of the sender. The sender must provide a functioning return e-mail address or other Internet-based mechanism that allows the recipient to submit an opt-out request. The sender must honor the opt-out request within 10 business days and must not sell, exchange, or transferthe e-mail address of the opt-out requester to another entity, unless the other entity is acting as an agent of the sender12

By requiring companies to allow consumers to opt-out of future e-mails, the CAN-SPAM Act aims to reduce the amount of unwanted and unsolicited commercial e-mail that consumers receive, and to protect their privacy and preferences. The law also imposes other requirements on companies that send commercial e-mails, such as banning false or misleading header information and deceptive subject lines, requiring the identification of the message as an advertisement, and requiring the labeling of sexually explicit content. The law also authorizes the FTC and other federal agencies to enforce the law and impose civil penalties for violations12

References:

• Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM Act)
• IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 4: Federal Privacy Laws, Section 4.4: The CAN-SPAM Act

The Stored Communications Act (SCA) is a federal law that regulates the privacy of electronic communications that are stored by third-party service providers, such as email providers, cloud storage providers, or social media platforms. The SCA prohibits unauthorized access to or disclosure of such communications, unless authorized by law or by the consent of the user or the service provider . The SCA also provides exceptions for certain types of access or disclosure, such as those made for law enforcement purposes, for the protection of the service provider’s rights or property, or for the consent of the subscriber or customer .

One of the exceptions to the SCA is where the service provider gives consent to the access or disclosure of the stored communications. This means that if a third-party service provider agrees to cooperate with an investigation or a request for information, the access or disclosure is lawful under the SCA. Consent can be express or implied, depending on the circumstances and the terms of service of the provider. For example, if a service provider has a policy that allows it to disclose user information to third parties for legitimate purposes, the provider has impliedly consented to the access or disclosure of the stored communications. However, if a service provider has a policy that prohibits such disclosure, the provider has not consented to the access or disclosure of the stored communications.

In the scenario, Evan’s undercover investigation may have been authorized by the SCA if he obtained the consent of the third-party service provider that stored the electronic communications of the employee who was suspected of misconduct. For instance, if the employee used a company email account or a cloud storage service that had a policy that allowed the service provider to disclose user information to the employer or to law enforcement, Evan may have been able to access or disclose the stored communications with the consent of the service provider. However, if the employee used a personal email account or a cloud storage service that had a policy that protected user privacy and prohibited such disclosure, Evan may have violated the SCA by accessing or disclosing the stored communications without the consent of the service provider.

References: : [Stored Communications Act], 18 U.S.C. §§ 2701-2712 : [IAPP CIPP/US Study Guide], Chapter 8, Section 8.2.2. : [The Stored Communications Act: An Old Statute for Modern Problems], pp. 10-11.