CIPP-US Exam Dumps - Certified Information Privacy Professional/United States (CIPP/US)

Based on the incident, the FTC’s enforcement actions against the marketer would most likely include the violation of collecting information from a childunder the age of thirteen without obtaining verifiable parental consent, as required by the Children’s Online Privacy Protection Act (COPPA) Rule. The COPPA Rule applies to operators of commercial websites and online services (including mobile apps) that collect, use, or disclose personal information from children under 13, and operators of general audience websites or online services that have actual knowledge that they are collecting, using, or disclosing personal information from children under 13. The COPPA Rule also applies to websites or online services that are directed to children under 13 and that collect personal information from users of any age. The COPPA Rule defines personal information to include full name, address, phone number, email address, date of birth, and other identifiers that permit the physical or online contacting of a specific individual. The COPPA Rule requires operators to post a clear and comprehensive online privacy policy describing their information practices for personal information collected online from children; provide direct notice to parents and obtain verifiable parental consent, with limited exceptions, before collecting personal information online from children; give parents the choice of consenting to the operator’s collection and internal use of a child’s information, but prohibiting the operator from disclosing that information to third parties (unless disclosure is integral to the site or service, in which case, this must be made clear to parents); provide parents access to their child’s personal information to review and/or have the information deleted; give parents the opportunity to prevent further use or online collection of a child’s personal information; maintain the confidentiality, security, and integrity of information they collect from children, including by taking reasonable steps to release such information only to parties capable of maintaining its confidentiality and security; and retain personal information collected online from a child for only as long as is necessary to fulfill the purpose for which it was collected and delete the information using reasonable measures to protect against its unauthorized access or use. The FTC has the authority to seek civil penalties and injunctive relief for violations of the COPPA Rule. The FTC has brought numerous enforcement actions against operators for violating the COPPA Rule, resulting in millions of dollars in penalties and orders to delete illegally collected data. References:

• Children’s Privacy | Federal Trade Commission
• Kids’ Privacy (COPPA) | Federal Trade Commission
• FTC Is Escalating Scrutiny of Dark Patterns, Children’s Privacy
• FTC to Crack Down on Companies that Illegally Surveil Children Learning Online
• FTC Takes Action Against Company for Collecting Children’s Personal Information Without Parental Permission
• [IAPP CIPP/US Certified Information Privacy Professional Study Guide], Chapter 5, pages 165-168.

The strongest example of excessive monitoring by the employer is C. An employer who installs video monitors in physical locations, such as a changing room, to reduce the risk of sexual harassment. This would be considered an unreasonable invasion of employees’ privacy, as it would violate their legitimate expectation of privacy in a place where they change their clothes. Such monitoring would also likely violate the Electronic Communications Privacy Act (ECPA), which prohibits the interception of oral communications without consent or authorization. Moreover, such monitoring would not be justified by a legitimate business interest, as there are less intrusive ways to prevent or address sexual harassment, such as policies, training, and reporting mechanisms. References:

• [IAPP CIPP/US Study Guide], Chapter 4: Workplace Privacy, pp. 109-110.
• IAPP CIPP/US Body of Knowledge, Section IV: Workplace Privacy, Subsection A: Employee Privacy Expectations, Topic 1: Employee Monitoring.
• IAPP CIPP/US Practice Questions, Question 134.

The annual privacy notice requirement under the Gramm-Leach-Bliley Act (GLBA) applies to financial institutions that collect nonpublic personal information from customers and disclose it to nonaffiliated third parties, unless they qualify for an exception. A financial institution is any entity that engages in activities that are financial in nature or incidental to such activities, as defined by section 4(k) of the Bank Holding Company Act of 1956. The King County Savings and Loan is a financial institution under this definition, as it engages in lending money and accepting deposits. Therefore, it is required to provide its customers with an annual privacy notice, unless it meets the conditions for an exception. The Four Winds Tribal College, the Golden Gavel Auction House, and the Breezy City Housing Commission are not financial institutions under the GLBA, as they do not engage in activities that are financial in nature or incidental to such activities. Therefore, they are not required to provide their customers with an annual privacy notice under the GLBA. References:

• Amendment to the Annual Privacy Notice Requirement Under the Gramm-Leach-Bliley Act, section I. Background, paragraph 2.
• 17 CFR § 248.5 - Annual privacy notice to customers required., paragraph (a) (1).
• IAPP CIPP/US Study Guide, page 65.

According to the Family Educational Rights and Privacy Act (FERPA), a policy of “no consumer choice” or “no option” means that an educational agency or institution may disclose personally identifiable information (PII) from education records without the prior written consent of the parent or eligible student, subject to certain conditions and exceptions1. One of the exceptions is when the disclosure is to comply with a judicial order or lawfully issued subpoena, or to respond to an ex parte order from the Attorney General of the United States or his designee in connection with the investigation or prosecution of terrorism crimes12. In such cases, the educational agency or institution must make a reasonable effort to notify the parent or eligible student of the order or subpoena in advance of compliance, unless the order or subpoena specifies not to do so12. Therefore, when a customer’s financial information, which may be part of the education records, is requested by the government under a valid legal authority, the customer does not have the option to prevent the disclosure and the educational agency or institution does not need to obtain the customer’s consent. References: 1: FERPA, 34 CFR Part 99, Subpart D, 2. 2: The Family Educational Rights and Privacy Act Guidance for Parents, Student Privacy Policy Office, U.S. Department of Education, 1.

 The law that ACME violated by designing the service to prevent access to the information by a law enforcement agency is the Communications Assistance for Law Enforcement Act (CALEA)1. CALEA is a federal law that requires telecommunications carriers and manufacturers of telecommunications equipment to design their equipment, facilities, and services to ensure that they have the necessarysurveillance capabilities to comply with legal requests for interception of communications2. CALEA applies to all commercial messages, including text messages, and gives law enforcement agencies the authority to subpoena the records of such communications from the service providers3. By encrypting its text message records so that only the suspect could access this data, ACME violated CALEA’s duty to cooperate in the interception of communications for law enforcement purposes. References: 1: Communications Assistance for Law Enforcement Act - Wikipedia2: Home | CALEA® | The Commission on Accreditation for Law Enforcement Agencies, Inc.3: Communications Assistance for Law Enforcement Act : IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 6: Law Enforcement and National Security Access, p. 177

The HIPAA Privacy Rule requires covered entities to obtain an individual’s written authorization for any use or disclosure of protected health information (PHI) that is not for treatment, payment, or health care operations or otherwise permitted or required by the Privacy Rule. However, there are some exceptions to the authorization requirement for certain public interest-related activities, such as disclosing health information for public health activities, reporting child abuse, or treating a medical emergency. These exceptions are intended to balance the privacy interests of individuals with the public interest in protecting health and safety, promoting quality health care, and ensuring compliance with the law. Disclosing health information needed to pay a third party billing administrator is not one of the exceptions to the authorization requirement, as it is considered a payment activity that falls under the general rule of requiring authorization. Therefore, it is the correct answer to the question. References: Summary of the HIPAA Privacy Rule, HIPAA Exceptions, Exceptions to HIPAA Privacy Rule, Waiver of Authorization, IAPP CIPP/US Study Guide, Chapter 5.

The Electronic Communications Privacy Act of 1986 (ECPA) is a federal law that regulates the privacy of wire, oral, and electronic communications. The ECPA prohibits the intentional interception, use, or disclosure of such communications, unless authorized by law or by the consent of one of the parties to the communication12. The ECPA also provides exceptions for certain types of communications, such as those made in the normal course of business, those made for law enforcement purposes, or those made for foreign intelligence purposes12.

One of the exceptions to the ECPA ban on interception is where one of the parties has given consent. This means that if a person who is a party to a communication agrees to have it intercepted, the interception is lawful under the ECPA. Consent can be express or implied, depending on the circumstances and the expectations of the parties3. For example, if a person calls a customer service line and hears a recorded message that the call may be monitored or recorded, the person has impliedly consented to the interception of the call. However, if a person calls a friend and does not know that the friend has a third party listening in on the call, the person has not consented to the interception of the call.

References: 1: Electronic Communications Privacy Act of 1986, 18 U.S.C. §§ 2510-2523 2: [IAPP CIPP/US Study Guide], Chapter 8, Section 8.2.1. 3: [Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations], pp. 77-78.

• The Privacy Act of 1974 is a federal law that regulates the collection, use, and disclosure of personal information by federal agencies.
• The Privacy Act of 1974 applies to records that are maintained in a system of records, which is defined as a group of records under the control of an agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifier assigned to the individual.
• The Privacy Act of 1974 grants individuals the right to access and amend their records, and requires agencies to provide notice of their systems of records, establish safeguards for the protection of the records, and limit the disclosure of the records to certain authorized purposes.
• The Privacy Act of 1974 also establishes civil and criminal penalties for violations of the law, such as unauthorized disclosure, failure to publish a notice, or refusal to grant access or amendment.
• The Privacy Act of 1974 does NOT require agencies to obtain the consent of the individual before collecting their personal information. However, the Privacy Act of 1974 does require agencies to inform the individual of the authority for the collection, the purpose and use of the collection, and the effects of not providing the information.

References: : [Overview of the Privacy Act of 1974]

 According to the web search results from my predefined tool, Vermont became the first state to pass a law specifically regulating the practices of data brokers in 2018. The law defines a data broker as “a business, or unit or units of a business, separately or together, that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship.” The law requires data brokers to register with the Secretary of State, pay a registration fee, provide information about their data collection and opt-out practices, and implement security measures to protect the personal information they collect and sell. The law also imposes additional obligations on data brokers that possess the personal information of minors. The law aims to increase the transparency and accountability of the data broker industry and to protect the privacy rights of consumers12. References:

• Registered Data Brokers in the United States: 2021 | Privacy Rights …
• Am I A Data Broker?: A Quick Primer on State Laws Regulating a … - Taft

• The Disposal Rule under the Fair and Accurate Credit Transactions Act (FACTA) is a federal regulation that requires any person or entity that maintains or possesses consumer information derived from consumer reports to dispose of such information in a secure and proper manner1.
• The Disposal Rule aims to protect consumers from identity theft and fraud by preventing unauthorized access to or use of their personal information1.
• The Disposal Rule is enforced by several federal agencies, depending on the type and sector of the entity that is subject to the rule1. These agencies include:
• The Department of Health and Human Services (HHS) is NOT one of the federal agencies that enforces the Disposal Rule under FACTA. HHS has authority over health information privacy and security under the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH), but not under FACTA.

References: 1: Disposing of Consumer Report Information? Rule Tells How 2: FTC Enforcement 3: CFPB Enforcement 4: OCC Enforcement 5: FDIC Enforcement : [FRB Enforcement] : [NCUA Enforcement] : [SEC Enforcement] : [CFTC Enforcement] : [HHS Enforcement]

Data brokers are companies that collect, analyze, and share personal information about consumers for various purposes, such as marketing, risk mitigation, and research. The U.S. Federal Trade Commission (FTC) conducted a study of nine data brokers in 2012 and published a report in 2014, titled “Data Brokers: A Call for Transparency and Accountability”. In the report, the FTC identified three broad categories of products offered by data brokers, based on the primary purposes for which the products are used by their customers. The three categories are: 12

• Marketing products: These products help customers target potential customers, tailor marketing offers, measure the effectiveness of marketing campaigns, and improve customer relationships. Marketing products include data elements, segments, scores, lists, and analytics that are derived from consumer data. Data brokers may provide marketing products through direct marketing (such as postal mail, e-mail, or phone), online marketing (such as online display ads, social media, or mobile apps), or marketing analytics (such as measuring consumer behavior, preferences, and trends)12
• Risk mitigation products: These products help customers verify and authenticate consumers’ identities, prevent fraud, and comply with legal obligations. Risk mitigation products include identity verification, identity authentication, fraud prevention, and compliance products that are based on consumer data. Data brokers may provide risk mitigation products through various methods, such as matching consumer-providedinformation with data broker records, generating questions or challenges based on consumer data, or providing scores or indicators of fraud risk or compliance status12
• Research products: These products help customers understand consumer behavior, preferences, and trends, as well as market conditions, industry developments, and economic factors. Research products include reports, studies, statistics, and insights that are derived from consumer data. Data brokers may provide research products through various formats, such as online portals, dashboards, newsletters, or custom reports12

The FTC report did not include location of individuals as one of the three broad categories of products offered by data brokers. Location of individuals may be a specific type of product or service that some data brokers provide, but it is not a primary purpose for which data brokers use consumer data. Therefore, the correct answer is C. Location of individuals (such as identifying an individual from partial information).

References:

• Data Brokers: A Call For Transparency and Accountability: A Report of the Federal Trade Commission (May 2014)
• IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 5: State Privacy Laws, Section 5.3: Data Broker Laws

The GLBA prohibits financial institutions from disclosing a consumer’s account number or similar form of access number or access code to any nonaffiliated third party for use in telemarketing, direct mail marketing, or other marketing through electronic mail to the consumer. This restriction is intended to prevent unauthorized access to a person’s bank account by third parties who may use the account number to initiate fraudulent transactions or identity theft. The GLBA also requires financial institutions to implement safeguards to protect the security, confidentiality, and integrity of customer information, and to notify customers and regulators in the event of a security breach involving such information. References:

• IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 2: Limits on Private-sector Collection and Use of Data, Section 2.3: Financial Privacy, p. 49-50
• IAPP CIPP/US Body of Knowledge, Domain II: Limits on Private-sector Collection and Use of Data, Objective II.C: Identify the privacy requirements for financial institutions, Subobjective II.C.2: Identify the restrictions on disclosure of account numbers, p. 14
• IAPP CIPP/US Exam Blueprint, Domain II: Limits on Private-sector Collection and Use of Data, Objective II.C: Identify the privacy requirements for financialinstitutions, Subobjective II.C.2: Identify the restrictions on disclosure of account numbers, p. 5

The HIPAA Security Rule requires covered entities and their business associates to implement three types of safeguards to protect the confidentiality, integrity, and availability of electronic protected health information (ePHI): administrative, physical, and technical1. Security safeguards is not a separate category of safeguards, but rather a general term that encompasses all three types. Therefore, it is not a correct answer to the question.

• Administrative safeguards are the policies and procedures that govern the conduct of the workforce and the security measures put in place to protect ePHI. They include risk analysis and management, training, contingency planning, incident response, and evaluation12.
• Physical safeguards are the locks, doors, cameras, and other physical measures that prevent unauthorized access to ePHI. They include workstation and device security, locks and keys, and disposal of media12.
• Technical safeguards are the software and hardware tools that protect ePHI from unauthorized access, alteration, or destruction. They include access control, encryption, audit controls, integrity controls, and transmission security12.

In the scenario, HealthCo’s actions have potentially violated all three types of safeguards. For example:

• HealthCo did not perform due diligence on CloudHealth before entering the contract, and has not conducted audits of CloudHealth’s security measures. This could be a breach of the administrative safeguard of risk analysis and management12.
• HealthCo discovers that CloudHealth has not encrypted the PHI in accordance with the terms of its contract. This could be a breach of the technical safeguard of encryption12.
• HealthCo provides its investigative report of the breach and a copy of the PHI of the individuals affected to law enforcement. This could be a breach of the physical safeguard of disposal of media, if HealthCo did not ensure that the media was properly erased or destroyed after the transfer12.

References: 1: Summary of the HIPAA Security Rule, HHS.gov. 2: What is the HIPAA Security Rule? Safeguards … - Secureframe, Secureframe.com.

The “Discover” phase of building an information management program is the first step in the process of creating a privacy framework. It involves identifying the types, sources, and flows of personal information within an organization, as well as the legal, regulatory, and contractual obligations that apply to it. The tasks in this phase include:

• Conducting a data inventory and mapping exercise to document what personal information is collected, used, shared, and stored by the organization, and how it is protected.
• Assessing the current state of privacy compliance and risk by reviewing existing policies, procedures, and practices, and identifying any gaps or weaknesses.
• Understanding the laws that regulate a company’s collection of information, such as the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), and the California Consumer Privacy Act (CCPA).
• Facilitating participation across departments and levels to ensure that all stakeholders are involved and informed of the privacy goals and objectives, and to foster a culture of privacy awareness and accountability.

Developing a process for review and update of privacy policies is not a task in the “Discover” phase, but rather in the “Implement” phase, which is the third step in the process of creating a privacy framework. It involves putting the privacy policies and procedures into action, and ensuring that they are effective and compliant. The tasks in this phase include:

• Developing a process for review and update of privacy policies to reflect changes in the business environment, legal requirements, and best practices, and to incorporate feedback from internal and external audits and assessments.
• Implementing privacy training and awareness programs to educate employees and other relevant parties on their roles and responsibilities regarding privacy, and to promote a privacy-by-design approach.
• Establishing privacy governance and oversight mechanisms to monitor and measure the performance and outcomes of the privacy program, and to ensure accountability and transparency.
• Developing a process for responding to privacy incidents and requests from data subjects, regulators, and other parties, and to mitigate and remediate any privacy risks or harms.

References:

• IAPP CIPP/US Body of Knowledge, Domain I: Information Management from a U.S. Perspective, Section A: Building a Privacy Program
• IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 1: Information Management from a U.S. Perspective, Section 1.1: Building a Privacy Program
• Practice Exam - International Association of Privacy Professionals

The Consumer Privacy Bill of Rights is a set of principles proposed by the Obama administration in 2012 to protect the privacy of consumers online and offline. The principles are based on the Fair Information Practice Principles, which are widely accepted as the foundation of privacy protection. One of the principles is the right to reasonable limits on the personal data that a company retains, which means that companies should collect and keep only the personal data they need for legitimate purposes, and dispose of it securely when it is no longer needed. This principle would best reform the company’s privacy program in the scenario, as it would address the major concerns that Roberta identified in her report, such as the lack of rules and procedures for purging and destroying outdated data, and the excessive access to customer information by low-level employees. By implementing reasonable limits on the personal data that the company retains, the company would reduce the risk of data breaches, enhance customer trust, and comply with state breach notification laws. References:

• Fact Sheet: Plan to Protect Privacy in the Internet Age by Adopting a Consumer Privacy Bill of Rights
• IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 1: Introduction to U.S. Privacy Law, Section 1.2: The Consumer Privacy Bill of Rights

The lawsuit, filed in 2014, claimed that Google violated the federal and state wiretap and privacy laws by scanning and indexing the emails of millions of students who used its Apps for Education suite, which included Gmail as a key feature12. The plaintiffs alleged that Google used the information from the scans to build profiles of students that could be used for targeted advertising or other commercial purposes, without their consent or knowledge12. The lawsuit also challenged Google’s argument that the students consented to the scans when they first logged in to their accounts, saying that such consent was not valid under FERPA, which requires written consent for any disclosure of education records12. Google denied the allegations and argued that the scans were necessary for providing security, spam protection, and other functionality to the users12. The case was settled in 2016, with Google agreeing to change some of its practices and policies regarding the scanning of student emails3. References: 1: Lawsuit Alleges That Google Has Crossed A ‘Creepy Line’ With Student Data, Huffington Post, 1. 2: Google faces lawsuit over email scanning and student data, The Guardian, 2. 3: Google data case to be heard in Supreme Court, BBC, 3.

A consent decree is a settlement agreement between the FTC and a company that has engaged in unfair or deceptive privacy practices. A consent decreetypically requires the company to stop the unlawful conduct, implement remedial measures, pay a civil penalty, and submit to ongoing monitoring and reporting. A consent decree benefits both parties involved because it spares the expense of going to trial, which can be costly, time-consuming, and uncertain. A consent decree also allows the parties to negotiate the terms of the settlement, rather than having a court impose a judgment. A consent decree does not admit liability or wrongdoing by the company, but it has the force of law and can be enforced by the FTC or the courts if the company violates its terms. References:

• IAPP CIPP/US Body of Knowledge, Section I.A.1.a
• IAPP CIPP/US Textbook, Chapter 1, pp. 10-11
• FTC Consent Decrees

 A data ethics framework is a set of principles and guidelines that help organizations ensure that their data practices are ethical, responsible, and trustworthy. According to the IAPP CIPP/US Study Guide, some of the key components of a data ethics framework are1:

• Data governance: the policies, processes, and standards that govern how data is collected, used, stored, and shared within an organization.
• Preferability testing: the process of assessing the potential impacts and risks of data-driven solutions on stakeholders, such as customers, employees, and society.
• Auditing: the process of monitoring, reviewing, and verifying the compliance and performance of data practices against the established ethical standards and legal requirements. Automated decision-making, on the other hand, is not a key component of a data ethics framework, but rather a data practice that may raise ethical issues and challenges. Automated decision-making refers to the use of algorithms, artificial intelligence, or machine learning to make decisions or recommendations without human intervention2. While automated decision-making can offer benefits such as efficiency, accuracy, and consistency, it can also pose risks such as bias, discrimination, lack of transparency, and accountability3. Therefore, automated decision-making should be subject to ethical evaluation and oversight, but it is not itself a part of a data ethics framework. References:
• [IAPP CIPP/US Study Guide], Chapter 10, Section 10.4, page 287
• [IAPP Glossary], Automated Decision-Making
• IAPP Resources, Ethical Data Use and Automated Decision-Making: A Practical Guide

 The Red Flags Rule is a regulation that requires financial institutions and creditors to implement a written identity theft prevention program that is designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account1. A creditor is any person who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew, or continue credit2. A covered account is an account that a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, such as a credit card account, mortgage loan, automobile loan, margin account, cell phone account, utility account, checking account, or savings account2. A money wire service is a service that allows customers to send or receive money electronically3. The owner of a grocery store who uses a money wire service is not a creditor because he or she does not regularly extend, renew, or continue credit to customers. Therefore, the Red Flags Rule does not apply to the owner of a grocery store who uses a money wire service. References:

• 1: FTC, Red Flags Rule, https://www.ftc.gov/business-guidance/privacy-security/red-flags-rule
• 2: FTC, Fighting Identity Theft with the Red Flags Rule: A How-To Guide for Business, https://www.ftc.gov/tips-advice/business-center/guidance/fighting-identity-theft-red-flags-rule-how-guide-business
• 3: Alessa, Wire Transfer Red Flags: Understanding Money Laundering and Fraud Risks, https://alessa.com/webinars/wire-transfer-red-flags-and-fraud-risks/

 The Federal Trade Commission (FTC) is the primary federal agency that enforces consumer privacy and data security laws in the United States. The FTC has the authority to bring enforcement actions against businesses that engage in unfair or deceptive acts or practices that affect commerce, under Section 5 of the FTC Act. Unfair acts or practices are those that cause or are likely to cause substantial injury to consumers that is not reasonably avoidable by consumers and is not outweighed by countervailing benefits to consumers or competition. Deceptive acts or practices are those that involve a material representation, omission, or practice that is likely to mislead consumers acting reasonably under the circumstances.

The FTC’s action against B.J.'s Wholesale Club in 2005 was unique because it was based on matters of fairness rather than deception. The FTC alleged that B.J.'s Wholesale Club, a retailer that operates warehouse stores and gas stations, failed to provide reasonable security for the sensitive information of its customers, such as name, card number, and expiration date, that it collected from the magnetic stripes of credit and debit cards. The FTC claimed that this information was used by unauthorized persons to make millions of dollars of fraudulent purchases. The FTC did not allege that B.J.'s Wholesale Club made any false or misleading statements or omissions about its data security practices, but rather that its failure to take appropriate security measures was an unfair practice that violated Section 5 of the FTC Act. The FTC argued that B.J.'s Wholesale Club’s lax security caused or was likely to cause substantial injury to consumers that was not reasonably avoidable by consumers and was not outweighed by any benefits to consumers or competition.

The FTC’s action against B.J.'s Wholesale Club was one of the first cases in which the FTC used its unfairness authority to address data security issues,and it set a precedent for future enforcement actions against businesses that fail to protect consumer data. The settlement required B.J.'s Wholesale Club to implement a comprehensive information security program and obtain audits by an independent third-party security professional every other year for 20 years. References:

• FTC Complaint, Paragraphs 1-23
• FTC Agreement Containing Consent Order, Paragraphs 1-9
• FTC Analysis of Proposed Consent Order to Aid Public Comment, Pages 1-3
• [IAPP CIPP/US Study Guide], Pages 69-70

The scenario suggests that the company lacked adequate rules about access to customer information, which increased the risk of unauthorized access and data breach. Implementing a comprehensive policy for accessing customer information would have helped the company to limit the access to only those who need it for legitimate purposes, and to protect the confidentiality, integrity, and availability of the data. This is also one of the recommendations that Roberta made in her report. References:

• CIPP/US Practice Questions (Sample Questions), Question 116, Answer A, Explanation A.
• IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 5, Section 5.2, p. 143.

The Federal Trade Commission (FTC) is the primary federal agency that regulates advertising and marketing practices in the United States, including those targeting children via the Internet. The FTC enforces the Children’s Online Privacy Protection Act (COPPA), which requires operators of websites and online services directed to children under 13 to obtain verifiable parental consent before collecting, using, or disclosing personal information from children. The FTC also enforces the FTC Act, which prohibits unfair or deceptive acts or practices in commerce, such as making false or misleading claims in advertising. The FTC has issued guidelines and reports on various aspects of digital advertising to children, such as sponsored content, influencers, data collection, persuasive design, and behavioral marketing. The FTC also hosts workshops and events to examine the impact of digital advertising on children and their ability to distinguish ads from entertainment. References:

• FTC website
• Digital Advertising to Children
• IAPP CIPP/US Study Guide, Chapter 5: Marketing and Privacy, pp. 169-170

 Employers have a duty to protect the personal information of their current and former employees, as well as applicants, from unauthorized access, use, or disclosure. This duty may arise from federal or state laws, such as the Fair Credit Reporting Act (FCRA), the Health Insurance Portability and Accountability Act (HIPAA), or the California Consumer Privacy Act (CCPA), or from contractual obligations, such as non-disclosure agreements or privacy policies. Employers may retain sensitive employment records, such as performance evaluations, disciplinary actions, medical records, or background checks, for a legitimate business purpose, such as complying with legal requirements, defending against lawsuits, or conducting audits. However, employers must ensure that these records are stored securely, accessed only by authorized personnel, and disposed of properly when no longer needed. References: IAPP CIPP/US Study Guide, Chapter 4, Section 4.1.1, IAPP CIPP/US Body of Knowledge, Domain IV, Objective B

The Cable Communications Policy Act of 1984 (CCPA) is a federal law that regulates the cable television industry and protects the privacy of cable subscribers. One of the provisions of the CCPA is that cable operators must providetheir subscribers with an annual notice that clearly and conspicuously informs them of the following information12:

• The nature of personally identifiable information collected or to be collected with respect to the subscriber and the nature of the use of such information
• The nature, frequency, and purpose of any disclosure of such information, including an identification of the types of persons to whom the disclosure may be made
• The period during which such information will be maintained by the cable operator
• The times and place at which the subscriber may have access to such information
• The limitations provided by the CCPA with respect to the collection and disclosure of information by a cable operator and the right of the subscriber under the CCPA to enforce such limitations

The annual notice must also state that the subscriber has the right to prevent disclosure of personally identifiable information to third parties, except as required by law or court order, and that the subscriber may sue for damages, attorney’s fees, and other relief for violations of the CCPA12.

References: 1: Cable Communications Policy Act of 1984, Section 631 2: [IAPP CIPP/US Study Guide], Chapter 8, Section 8.3.2

The FTC’s privacy report, titled “Protecting Consumer Privacy in an Era of Rapid Change”, proposed a framework for companies that collect and use consumer data. The framework consisted of three core principles: privacy by design, simplified consumer choice, and greater transparency. Privacy by design means that companies should incorporate privacy protections into their everyday business practices, such as data security, reasonable collection limits, sound retention practices, and data accuracy. Simplified consumer choice means that companies should provide consumers with clear and easy-to-understand choices about the collection and use of their data, and respect their preferences. Greater transparency means that companies should increase the visibility and accessibility of their data practices, such as providing clear and concise privacy notices, educating consumers about the commercial datapractices, and providing consumers with access to their data. Enhancing security measures is not one of the core principles of the FTC’s privacy framework, although it is a component of the privacy by design principle. References:

• IAPP CIPP/US Body of Knowledge, Section I.A.1.a
• IAPP CIPP/US Textbook, Chapter 1, pp. 13-15
• FTC Privacy Report, Executive Summary, pp. i-vii

 The U.S. Constitution plays a limited role in the area of workplace privacy, because it mainly applies to the actions of the government, not private employers. The Fourth Amendment protects the right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures1. The Supreme Court has interpreted this right to include a reasonable expectation of privacy in certain situations, such as in one’s home, car, or personal belongings2. However, this right does not extend to private-sector employees, who are not protected by the Constitution from the actions of their employers, unless the employer is acting as an agent of the government3. Private-sector employees may have some privacy rights under state laws, common law, or contractual agreements, but these vary depending on the jurisdiction and the circumstances4.

Public-sector employees, on the other hand, are protected by the Constitution from unreasonable searches and seizures by their employers, who are considered part of the government. Public-sector employees have a reasonable expectation of privacy in their workplace, unless there is a legitimate work-related reason for the search or seizure, such as to ensure safety, security, or efficiency. Public-sector employers must also comply with the due process and equal protection clauses of the Fifth and Fourteenth Amendments, which prohibit the government from depriving any person of life, liberty, or property without due process of law, or from denying any person the equal protection of the laws. These clauses protect public-sector employees from arbitrary or discriminatory actions by their employers that affect their employment status or benefits.

Therefore, the U.S. Constitution plays a significant role in the area of workplace privacy for federal and state governments, but not for private-sector employment, because it only regulates the actions of the government, not private actors. References:

• 1: Cornell Law School, Fourth Amendment, https://www.law.cornell.edu/constitution/fourth_amendment
• 2: FindLaw, What Is a Reasonable Expectation of Privacy?, https://www.findlaw.com/criminal/criminal-rights/what-is-a-reasonable-expectation-of-privacy.html
• 3: FindLaw, Workplace Privacy, https://www.findlaw.com/smallbusiness/employment-law-and-human-resources/workplace-privacy.html
• 4: Nolo, Privacy Rights of Employees, https://www.nolo.com/legal-encyclopedia/privacy-rights-employees-29849.html
• : OPM, Employee Relations, https://www.opm.gov/policy-data-oversight/employee-relations/reference-materials/employee-privacy/
• : Cornell Law School, Fifth Amendment, https://www.law.cornell.edu/constitution/fifth_amendment
• : FindLaw, Public Employees and the Constitution, https://www.findlaw.com/employment/employment-rights/public-employees-and-the-constitution.html

According to the Privacy Shield Principles, an organization that self-certifies under the Privacy Shield Framework must provide individuals with the choice to opt out of the disclosure of their personal information to a third party or the use of their personal information for a purpose that is materially different from the purpose for which it was originally collected or subsequently authorized by the individual. To facilitate this choice, the organization must inform the individual of the type or identity of the third parties to which it discloses personal information and the purposes for which it does so. The organization must also provide a readily available and affordable independent recourse mechanism to investigate and resolve complaints and disputes regarding its compliance with the Privacy Shield Principles. If the organization transfers personal information to a third party acting as an agent, it must ensure that the agent provides at least the same level of privacy protection as is required by the Privacy Shield Principles and that it takes reasonable and appropriate steps to ensure that the agent effectively processes the personal information transferred in a manner consistent with the organization’s obligations under the Privacy Shield Principles. References:

• Privacy Shield Principles, section II. Choice Principle and section III. Accountability for Onward Transfer Principle
• [IAPP CIPP/US Study Guide], p. 67-68, section 3.2.1 and p. 69-70, section 3.2.2
• [IAPP CIPP/US Body of Knowledge], p. 15-16, section C.1.b and p. 16-17, section C.1.c

In 2012, the White House released a report titled “Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy”, which proposed a Consumer Privacy Bill of Rights based on the Fair Information Practice Principles (FIPPs). The report called for a comprehensive privacy framework that would apply to all commercial sectors and all personal data, regardless of the technology or business model involved. The report also urged Congress to enact legislation to implement the framework and empower the FTC to enforce it. Similarly, the FTC released a report titled “Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers”, which outlined a set of best practices for businesses to protect consumer privacy and foster innovation. The report also advocated for a comprehensive privacy framework that would cover both online and offline data, and apply to all entities that collect or use consumer data that can be reasonably linked to a specific consumer, computer, or device. The report also recommended that Congress consider enacting baseline privacy legislation and giving the FTC rulemaking authority to implement it. Therefore, both reports can be described as advocating a comprehensive approach to privacy enforcement, rather than a harm-based, self-regulatory, or notice and choice approach. References: White House Report, FTC Report, IAPP CIPP/US Study Guide (p. 31-32)

Under the California Consumer Privacy Act (CCPA), a business that collects personal information of California residents must notify them of a data breach if their personal information is subject to unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices. However, the CCPA excludes encrypted or redacted personal information from the definition of personal information, unless the encryption key or security credential is also compromised. Therefore, Privacy Is Hiring Inc. would need to notify the affected individuals only if the encryption keys were also taken along with the credit card information, as this would render the encryption ineffective and expose the personal information to unauthorized access. The other options are not relevant to the CCPA notification requirement, although they may be relevant to other laws or best practices. References: CCPA (Section 1798.150), IAPP CIPP/US Study Guide (p. 63-64)

The marketer could be prosecuted for violating the Unfair and Deceptive Acts and Practices (UDAP) laws, which are enforced by the Federal Trade Commission (FTC) and state attorneys general. UDAP laws prohibit businesses from engaging in unfair or deceptive practices that harm consumers, such as false advertising, misleading claims, or hidden fees. In this scenario, the marketer could be accused of deceiving children into providing personal information and preferences under the guise of a survey and a contest, without obtaining verifiable parental consent or disclosing how the information will be used or shared. This could also violate the Children’s Online Privacy Protection Act (COPPA), which is a federal law that regulates the online collection and use of personal information from children under 13 years of age. References:

• [IAPP CIPP/US Study Guide], Chapter 5: Enforcement of Privacy and Security, pp. 177-178.
• IAPP CIPP/US Body of Knowledge, Section II: Limits on Private-sector Collection and Use of Data, Subsection A: Government and Court Access to Private-sector Information, Topic 2: Unfair and Deceptive Trade Practices.
• IAPP CIPP/US Practice Questions, Question 27.

The Dodd-Frank Act was established to prevent the risky financial practices that led to the 2007–2008 financial crisis, which included issues similar to Noah’s experience with buying stocks without understanding the risks. The act includes provisions forconsumer protection in financial services and aims to prevent abusive practices in the financial industry

 E-discovery is the process by which parties share, review, and collect electronically stored information (ESI) to use as evidence in a legal matter1. The rules for e-discovery mainly prevent a conflict between business practice and technological safeguards, because they establish the standards and procedures for preserving, collecting, reviewing, and producing ESI in a way that balances the needs of litigation with the realities of technology2. For example, the Federal Rules of Civil Procedure (FRCP) provide guidance on the scope, timing, format, and methods of e-discovery, as well as the sanctions for failing to comply withe-discovery obligations3. The rules also encourage cooperation and communication among parties and courts to resolve e-discovery issues efficiently and effectively4. By following the rules for e-discovery, parties can avoid disputes, delays, and costs that may arise from incompatible or inconsistent business and technological practices.

The other options are not the main purpose of the rules for e-discovery, although they may be related or affected by them. The rules for e-discovery do not directly prevent the loss of information due to poor data retention practices, although they do impose a duty to preserve relevant ESI when litigation is reasonably anticipated5. The rules for e-discovery do not directly prevent the practice of employees using personal devices for work, although they do require parties to identify and disclose the sources of ESI that may be subject to discovery, including personal devices6. The rules for e-discovery do not directly prevent a breach of an organization’s data retention program, although they do require parties to produce ESI in a reasonably usable form and to protect privileged or confidential information7.

References: 1: Everything You Need to Know About E-Discovery, The National Law Review. 2: E-Discovery: The Basics of E-Discovery Guide - Exterro, Exterro.com. 3: Federal Court and Government Agency E-Discovery Rules and Guidelines, Crowell & Moring LLP. 4: FRCP Rule 1, Cornell Law School. 5: FRCP Rule 37, Cornell Law School. 6: FRCP Rule 26, Cornell Law School. 7: FRCP Rule 34, Cornell Law School.

Mega Corp. is a U.S.-based business with employees in California, Virginia, and Colorado. Therefore, it must comply with the privacy laws of these three states in regard to its human resources data, unless it qualifies for an exemption under each law.

The California Privacy Rights Act (CPRA) is an amendment to the California Consumer Privacy Act (CCPA) that was approved by voters in November 2020 and will take effect on January 1, 2023. The CPRA expands the rights and protections of California residents with respect to their personal information and creates a new category of sensitive personal information that includes certain employment-related data, such as Social Security numbers, driver’s license numbers, passport numbers, financial account information, biometric information, and geolocation data. The CPRA also establishes a new enforcement agency, the California Privacy Protection Agency, to oversee and enforce the law.

The Virginia Consumer Data Protection Act (VCDPA) is a comprehensive privacy law that was enacted in March 2021 and will take effect on January 1, 2023. The VCDPA grants Virginia residents several rights with respect to their personal data, such as the right to access, correct, delete, port, and opt out of certain processing activities. The VCDPA also imposes various obligations on businesses that control or process personal data of Virginiaresidents, such as conducting data protection assessments, entering into contracts with processors, and providing privacy notices.

The Colorado Privacy Act (CPA) is another comprehensive privacy law that was enacted in July 2021 and will take effect on July 1, 2023. The CPA grants Colorado residents similar rights as the VCDPA, with some variations, such as the right to appeal a business’s response to a request and the right to opt out of targeted advertising, the sale of personal data, and certain profiling activities. The CPA also imposes similar obligations as the VCDPA, with some differences, such as requiring opt-in consent for the processing of sensitive data and allowing businesses to join a universal opt-out mechanism.

All three laws apply to businesses that conduct business in or target consumers in the respective states and meet certain thresholds of revenue or data processing volume. However, all three laws also provide exemptions for certain types of data or entities that are subject to other federal or state laws, such as the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), the Fair Credit Reporting Act (FCRA), and the Family Educational Rights and Privacy Act (FERPA).

One of the exemptions that may be relevant for Mega Corp. is the employee data exemption, which excludes personal data that is collected and used by an employer within the context of an employment relationship or for emergency contact or benefits administration purposes. However, this exemption is not permanent or uniform across the three laws. The CPRA’s employee data exemption is set to expire on January 1, 2023, unless extended by the legislature. The VCDPA’s employee data exemption is set to expire on January 1, 2023, unless repealed by the legislature. The CPA’s employee data exemption does not have an expiration date, but it does not apply to the right to opt out of the sale of personal data or the right to appeal a business’s response to a request.

Therefore, depending on the type and scope of the human resources data that Mega Corp. collects and processes, it may have to comply with the California Privacy Rights Act, the Virginia Consumer Data Protection Act, and the Colorado Privacy Act, unless it qualifies for another exemption under each law.

References:

• [IAPP CIPP/US Study Guide], Chapter 10: State Data Security Laws, pp. 227-229.
• CIPP/US Practice Questions (Sample Questions), Question 32.

 The most likely reason that states have adopted their own data breach notification laws is that many types of organizations are not currently subject to federal laws regarding breaches. As explained in the Data Breach Response: A Guide for Business from the Federal Trade Commission (FTC), certain federal laws govern obligations to report data breaches in particular industries, such as health care, financial services, or telecommunications. However, these laws do not cover all types of businesses or all types of personal information that may be compromised in a data breach. Therefore, states have enacted their own data breach notification laws to fill the gaps and protect the privacy andsecurity of their residents. According to the National Conference of State Legislatures, as of January 2022, all 50 states, the District of Columbia, Puerto Rico, and the Virgin Islands have enacted legislation requiring notification of security breaches involving personal information. These state laws vary in terms of the definitions of personal information, the triggers for notification, the methods and timing of notification, the exemptions and exceptions, and the penalties and enforcement mechanisms.

References: 1: Data Breach Response: A Guide for Business, Section 2 2: 2022 Security Breach Legislation

Celeste has a misconception regarding the consent requirements for conducting credit checks of potential employees in California. She thinks that verbal consent from the applicants is sufficient, and that they only need to be offeredaccess to the results. However, under the California Consumer Credit Reporting Agencies Act (CCRAA), employers who want to obtain a consumer credit report for employment purposes must comply with the following consent and disclosure requirements12:

• Before requesting a consumer credit report, the employer must provide the applicant with a clear and conspicuous written disclosure that informs them of the following:
• The employer must also obtain the applicant’s written authorization to obtain the report.
• If the employer intends to take an adverse action based on the report, such as denying employment, the employer must provide the applicant with a copy of the report and a summary of their rights under the CCRAA before taking the action.
• After taking the adverse action, the employer must provide the applicant with a notice that includes the following:

Therefore, Celeste is wrong to assume that verbal consent and optional access to the results are enough to comply with the CCRAA. She should follow the written consent and disclosure requirements to avoid violating the law and potentially facing civil penalties or lawsuits. References:

• California Consumer Credit Reporting Agencies Act
• Employment Credit Checks: What You Need to Know | Nolo

The Telemarketing Sales Rule (TSR) is a federal regulation that applies to telemarketing calls, which are defined as "a plan, program, or campaign which is conducted to induce the purchase of goods or services or a charitable contribution, by use of one or more telephones and which involves more than one interstate telephone call."1 The TSR requires telemarketers to make specific disclosures, prohibit misrepresentations, limit the times and number of calls, and set payment restrictions for the sale of certain goods and services. The TSR also gives consumers the right to opt out of receiving telemarketing calls by registering their phone numbers on the National Do Not Call Registry.2

The TSR applies to both for-profit and not-for-profit organizations, but there are some exemptions and partial exemptions for certain types of entities, calls, and transactions. For example, the TSR does not apply to nonprofit organizations calling on their own behalf, as they are not considered to be engaged intelemarketing. However, if a nonprofit organization hires a for-profit telemarketer or telefunder to solicit charitable contributions on its behalf, the for-profit entity must comply with the TSR, as it is engaged in telemarketing. Similarly, the TSR does not apply to for-profit organizations calling businesses when a binding contract exists between them, as they are not considered to be inducing the purchase of goods or services. However, if a for-profit organization calls businesses to sell additional services to established customers, the TSR applies, as it is considered to be inducing the purchase of goods or services.3

Therefore, among the four options, only for-profit organizations and for-profit telefunders regarding charitable solicitations must comply with the TSR, as they are engaged in telemarketing and do not fall under any of the exemptions or partial exemptions. References: 1: eCFR :: 16 CFR Part 310 – Telemarketing Sales Rule3, Section 310.22: Telemarketing Sales Rule | Federal Trade Commission1, Rule Summary3: Complying with the Telemarketing Sales Rule - Federal Trade Commission2, Exemptions to the TSR.

The Department of Commerce (DOC) plays a role in privacy policy by promoting the development and adoption of voluntary codes of conduct, standards, and best practices for the private sector, as well as facilitating cross-border data transfers through mechanisms such as the EU-U.S. Privacy Shield and the APEC Cross-Border Privacy Rules. However, the DOC does not have regulatory authority to enforce privacy laws or impose sanctions for privacy violations. The other agencies listed have some degree of regulatory authority over privacy issues within their respective domains. For example, the Office of the Comptroller of the Currency (OCC) supervises national banks and federal savings associations and enforces the GLBA privacy and security rules for these institutions. The Federal Communications Commission (FCC) regulates interstate and international communications and enforces the privacy and security rules for telecommunications carriers, broadband providers, and voice over internet protocol (VoIP) services. The Department of Transportation (DOT) oversees the transportation sector and enforces the privacy and security rules for airlines, travel agents, and other covered entities under the Aviation and Transportation Security Act (ATSA). References:

• IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 1: Introduction to the U.S. Privacy Environment, Section 1.3: Federal Agencies with a Role in Privacy, p. 18-19
• IAPP CIPP/US Body of Knowledge, Domain I: Introduction to the U.S. Privacy Environment, Objective I.B: Identify the major federal agencies with a role inprivacy, Subobjective I.B.4: Identify the role of the Department of Commerce, p. 7
• IAPP CIPP/US Exam Blueprint, Domain I: Introduction to the U.S. Privacy Environment, Objective I.B: Identify the major federal agencies with a role in privacy, Subobjective I.B.4: Identify the role of the Department of Commerce, p. 3

Under the GDPR, the complainant’s request regarding her personal information is known as the right to be forgotten, also known as the right to erasure. This right allows individuals to ask organizations to delete their personal data in certain circumstances, such as when the data is no longer necessary, the consent is withdrawn, or the processing is unlawful. The right to be forgotten is not absolute and may not apply if the processing is necessary for legal, public interest, or legitimate purposes. The right to be forgotten also requires organizations to inform any recipients of the data about the erasure request, unless it is impossible or involves disproportionate effort. References:

• Everything you need to know about the “Right to be forgotten”
• Right to erasure | ICO
• Art. 17 GDPR – Right to erasure (‘right to be forgotten’) - General …
• [IAPP CIPP/US Certified Information Privacy Professional Study Guide], Chapter 6, page 213.

According to the CAN-SPAM Act of 2003, a federal law that regulates commercial email messages, a commercial message sender must honor a recipient’s opt-out request within 10 business days. The sender must provide a clear and conspicuous way for the recipient to opt out of receiving future emails, such as a link or an email address. The sender must not charge a fee, require the recipient to provide any personal information, or make the recipient take any steps other than sending a reply email or visiting a single web page to opt out. The sender must also not sell, exchange, or transfer the email address of the recipient who has opted out, unless it is necessary to comply with the law or prevent fraud.

References:

• IAPP CIPP/US Body of Knowledge, Domain II: Limits on Private-sector Collection and Use of Data, Section B: Communications and Marketing
• IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 2: Limits on Private-sector Collection and Use of Data, Section 2.2: Communications and Marketing
• Practice Exam - International Association of Privacy Professionals

The correct answer is C because the California Consumer Privacy Act (CCPA) is a state privacy law that grants California residents the right to request the deletion of their personal information that a business has collected from them. The CCPA applies to any business that collects personal information from California residents, regardless of where the business is located, as long as the business meets certain thresholds of revenue, data volume, or data sharing. Therefore, the social media platform that Sarah uses is subject to the CCPA and must honor Sarah’s deletion request, unless an exception applies. The CCPA also requires businesses to provide notice and choice to consumersabout their data collection and use practices, and to respond to consumer requests within 45 days.

The other answers are incorrect because:

• A is incorrect because the General Data Protection Regulation (GDPR) is a European Union privacy law that applies to the processing of personal data of individuals who are in the EU, regardless of where the data controller or processor is located. However, the GDPR does not apply to the processing of personal data of individuals who are outside the EU, unless the processing relates to the offering of goods or services to such individuals or the monitoring of their behavior within the EU. Therefore, the GDPR does not apply to Sarah’s personal data, since she is not in the EU and the social media platform is not targeting or tracking her in the EU.
• B is incorrect because Section 5 of the FTC Act is a federal law that prohibits unfair or deceptive acts or practices in or affecting commerce. The FTC has used its Section 5 authority to enforce privacy and data security standards against businesses that violate their own privacy policies, misrepresent their data practices, or fail to protect consumer data from unauthorized access or disclosure. However, the FTC has not held that refusing to delete an individual’s personal information upon request constitutes an unfair practice per se, unless the refusal is inconsistent with the business’s privacy policy or representations, or causes substantial injury to consumers that is not reasonably avoidable or outweighed by countervailing benefits.
• D is incorrect because the New York SHIELD Act is a state law that imposes data breach notification and data security requirements on any person or business that owns or licenses computerized data that includes the private information of a New York resident. The SHIELD Act does not grant New York residents the right to request the deletion of their personal information, nor does it apply to businesses that do not collect or hold the private information of New York residents. Therefore, the SHIELD Act does not apply to Sarah’s personal data, since she is not a New York resident and the social media platform may not have her private information as defined by the SHIELD Act. References:
• U.S. Private-Sector Privacy, Third Edition by Peter P. Swire, DeBrae Kennedy-Mayo, Chapter 7, Section 7.2.1, pp. 183-186.
• IAPP CIPP/US Certified Information Privacy Professional Study Guide by Mike Chapple and Joe Shelley, Chapter 7, Section 7.2, pp. 217-219.

The Gramm-Leach-Bliley Act (GLBA) is a federal law that regulates the privacy and security of consumer financial information collected, used, and disclosed by financial institutions, such as banks, credit unions, securities firms, insurance companies, and others12. Under the GLBA, financial institutions must comply with two main rules: the Privacy Rule and the Safeguards Rule12. The Privacy Rule requires financial institutions to provide notice to their customers about their information-sharing practices and to obtain verifiable parental consent before collecting, using, or disclosing personal information from children12. The Privacy Rule also gives customers the right to opt out of having their personal information shared with certain nonaffiliated third parties, unless an exception applies12. The Safeguards Rule requires financial institutions to develop, implement, and maintain a comprehensive information security program that protects the confidentiality, security, and integrity of customer information12.

Therefore, banks and other financial institutions are required to offer an opt-out before transferring personal information (PI) to an unaffiliated third party for the latter’s own use, unless an exception applies, such as when the disclosure is necessary to complete a transaction requested or authorized by the customer, or when the disclosure is to a service provider or joint marketer that agrees to protect the information and use it only for the purposes for which it was disclosed12. This requirement is intended to give customers more controlover how their personal information is used and shared by financial institutions and to protect their privacy rights12.

References: 1: Gramm-Leach-Bliley Act | Federal Trade Commission, 1. 2: How To Comply with the Privacy of Consumer Financial Information Rule of the Gramm-Leach-Bliley Act | Federal Trade Commission, 2.

 According to the IAPP CIPP/US study guide, the first priority after a breach has been confirmed is to notify the affected individuals, regulators, and other stakeholders as required by law or contract. This is to allow them to take steps to protect themselves from potential harm, such as identity theft, fraud, or reputational damage. Providing timely and accurate notice also helps to mitigate legal liability, preserve customer trust, and comply with applicable laws and regulations. The other tasks are also important, but they are not the immediate priority after a breach has been established. References: IAPP CIPP/US study guide, Chapter 6, Section 6.4.2, page 211.

When developing a company privacy program, a privacy professional needs to understand the business objectives, processes, and risks of the organization, as well as the legal and regulatory requirements and best practices for privacy. To achieve this, a privacy professional should establish and maintain relationships with individuals across company departments and at different levels in the organization’s hierarchy, such as IT, marketing, human resources, legal, compliance, security, and senior management. These relationships will help the privacy professional to gather relevant information, identify privacy issues and gaps, communicate privacy policies and procedures, provide training and awareness, monitor compliance, and resolve conflicts. The other relationshipslisted are also important, but not as essential as the internal relationships for developing a company privacy program. References:

• IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 5: Developing a Privacy Program, Section 5.1: Privacy Program Framework, p. 145-146
• IAPP CIPP/US Body of Knowledge, Domain V: Developing a Privacy Program, Objective V.A: Identify the components of a privacy program framework, Subobjective V.A.1: Identify the roles and responsibilities of individuals within the organization, p. 23
• IAPP CIPP/US Exam Blueprint, Domain V: Developing a Privacy Program, Objective V.A: Identify the components of a privacy program framework, Subobjective V.A.1: Identify the roles and responsibilities of individuals within the organization, p. 7

BYOD is a practice that allows employees to use their own personal devices, such as smartphones, tablets, or laptops, for work-related purposes. BYOD can offer some benefits for both employers and employees, such as increased flexibility, convenience, and productivity. However, BYOD also poses significant privacy and security risks, such as data breaches, unauthorized access, loss or theft of devices, malware infections, and compliance challenges. Therefore, the business consultant will most likely advise Felicia and Celeste to weigh any productivity benefits of the plan against the risk of privacy issues, and to implement a comprehensive BYOD policy that addresses the following aspects:

• The scope and purpose of the BYOD program, including the types of devices, data, and applications that are allowed or prohibited.
• The roles and responsibilities of the employer and the employees, including the ownership, control, and access rights of the devices and the data.
• The security measures and controls that are required to protect the devices and the data, such as encryption, passwords, remote wipe, antivirus software, firewalls, and VPNs.
• The privacy expectations and obligations of the employer and the employees, such as the notice, consent, and disclosure requirements, the limits on data collection and monitoring, the retention and deletion policies, and the rights of access and correction.
• The legal and regulatory compliance requirements that apply to the BYOD program, such as the FTC Act, the GLBA, the HIPAA, the COPPA, the CCPA, and the GDPR.
• The incident response and reporting procedures that are followed in the event of a data breach, loss, or theft of a device, or any other privacy or security issue.
• The training and education programs that are provided to the employees to raise awareness and understanding of the BYOD policy and the best practices.
• The enforcement and audit mechanisms that are used to ensure compliance and accountability of the BYOD policy, such as sanctions, penalties, reviews, and audits. References:
• IAPP CIPP/US Body of Knowledge, Section III.C.2
• IAPP CIPP/US Textbook, Chapter 3, pp. 113-115
• FTC Mobile Device Security

An injunction is a court order that requires a party to stop or refrain from doing something. In a case of civil litigation, a defendant who is being sued for distributing an employee’s private information might face an injunction that prohibits them from further disclosing or using the employee’s private information. An injunction is a form of equitable relief that aims to prevent or remedy harm that cannot be adequately compensated by monetary damages. Probation, criminal fines, and jail sentences are forms of criminal sanctions that are not applicable in civil litigation, unless the defendant is also charged with a criminal offense related to the distribution of the employee’s private information. References: Standing issues in U.S. privacy class actions, US Private-Sector Privacy (CIPP/US Exam Prep), IAPP CIPP/US

 Declan might directly violate the HIPAA Privacy Rule by using John’s name and personal health information (PHI) in his paper without his written authorization. The Privacy Rule protects the confidentiality of PHI that is created, received, maintained, or transmitted by a covered entity or its business associate. PHI includes any information that relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and that identifies the individual or for which there is a reasonable basis to believe can be used to identify the individual1. Declan, as a nursing assistant, is part of the covered entity’s workforce and must comply with the Privacy Rule. He cannot disclose John’s PHI to anyone, including his classmates or instructors, without John’s authorization or a valid exception under the Privacy Rule. Even if he does not use John’s full name, hemay still reveal enough information to make John identifiable, such as his diagnosis, his father’s condition, or his location. This would be an impermissible use and disclosure of PHI, and a potential HIPAA violation. Declan should either obtain John’s written authorization to use his PHI in his paper, or de-identify the information according to the Privacy Rule’s standards2. References:

• Summary of the HIPAA Privacy Rule
• Guidance Regarding Methods for De-identification of Protected Health Information in Accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule

A private right of action is a legal provision that grants individuals the ability to bring a lawsuit against a party that has wronged them and to seek redress for the harm that they have suffered. A private right of action is a fundamental component of the U.S. judicial system and an essential element of enforcingprivacy rights. Privacy advocates argue that a private right of action is necessary to hold perpetrators of privacy violations accountable and to address the limitations of the FTC’s enforcement authority. However, businesses are concerned that a private right of action would lead to a proliferation of frivolous lawsuits that would burden responsible data processors and impede innovation. References:

• U.S. Private-Sector Privacy, Third Edition by Peter P. Swire, DeBrae Kennedy-Mayo, Chapter 2, Section 2.3.3, pp. 35-36.
• How to end the deadlock on the private right of action by Paula Bruening, IAPP Privacy Perspectives, Jan 20, 2022.
• Private Right of Action (Legal Definition & Examples) by Lawrina, accessed on Jan 25, 2022.