When selecting a vendor to manage personal information, the company should consider various criteria, such as the vendor’s reputation, financial health, employee training program, privacy policies, security practices, compliance record, contractual terms, and service quality. However, the vendor’s employee retention rates may not be as important as the other factors, as they do not directly affect the vendor’s ability to protect and process the personal information entrusted to them. While high employee turnover may indicate some issues with the vendor’s management or culture, it may not necessarily impact the vendor’s performance or reliability, as long as the vendor has adequate measures to ensure continuity, accountability, and confidentiality of the personal information they handle. References:

Vendor Selection Process: a Step-by-Step Guide, section “Step 2: Define the vendor selection criteria”

[IAPP CIPP/US Study Guide], p. 81-82, section 3.4.1

[IAPP CIPP/US Body of Knowledge], p. 18-19, section C.2.a

According to the Privacy Shield Principles, an organization that self-certifies under the Privacy Shield Framework must provide individuals with the choice to opt out of the disclosure of their personal information to a third party or the use of their personal information for a purpose that is materially different from the purpose for which it was originally collected or subsequently authorized by the individual. To facilitate this choice, the organization must inform the individual of the type or identity of the third parties to which it discloses personal information and the purposes for which it does so. The organization must also provide a readily available and affordable independent recourse mechanism to investigate and resolve complaints and disputes regarding its compliance with the Privacy Shield Principles. If the organization transfers personal information to a third party acting as an agent, it must ensure that the agent provides at least the same level of privacy protection as is required by the Privacy Shield Principles and that it takes reasonable and appropriate steps to ensure that the agent effectively processes the personal information transferred in a manner consistent with the organization’s obligations under the Privacy Shield Principles. References:

Privacy Shield Principles, section II. Choice Principle and section III. Accountability for Onward Transfer Principle

[IAPP CIPP/US Study Guide], p. 67-68, section 3.2.1 and p. 69-70, section 3.2.2

[IAPP CIPP/US Body of Knowledge], p. 15-16, section C.1.b and p. 16-17, section C.1.c

HIPAA requires covered entities, such as hospitals, to enter into contracts with their business associates, such as billing companies, that access, use, or disclose protected health information (PHI). These contracts, known as business associate agreements (BAAs), must specify the permitted and required uses and disclosures of PHI by the business associate, as well as the safeguards, reporting, and termination procedures that the business associate must follow to protect the privacy and security of PHI. By having these contracts in place, the hospital can ensure that the billing company is complying with HIPAA and observing the minimum security standards required by law. References:

HIPAA Rules for Medical Billing - Compliancy Group

HIPAA Compliance for Billing Companies: Easy Guide - iFax

 An intrusion upon seclusion tort occurs when someone intentionally intrudes, physically or otherwise, upon the solitude or seclusion of another or his private affairs or concerns, if the intrusion would be highly offensive to a reasonable person12. The intrusion does not need to involve a physical trespass, but can also be an electronic or optical intrusion, such as using a webcam to record a person who has a reasonable expectation of privacy2. The intrusion must also cause mental anguish or suffering to the plaintiff2.

In this case, option A would best support an employee claim for an intrusion upon seclusion tort, because the webcam is enabled to record video any time the computer is turned on, regardless of whether the employee is working or not, or whether the employee is in a private or public place. This would be an intentional and highly offensive intrusion into the employee’s seclusion or private affairs, and would likely cause the employee distress or anxiety.

Option B would not support an intrusion upon seclusion tort, because the creation and saving of a biometric template based on keystroke dynamics is not an intrusion into the employee’s seclusion or private affairs, but rather a data collection and processing activity that may implicate other privacy laws or principles, such as notice, consent, and security3.

Option C would not support an intrusion upon seclusion tort, because the software sending a notification to a supervisor when the employee’s mouse is dormant for more than five minutes is not an intrusion into the employee’s seclusion or private affairs, but rather a performance monitoring activity that may be justified by the employer’s legitimate business interests4.

Option D would not support an intrusion upon seclusion tort, because the webcam recording video of an employee using a company laptop to perform personal business while at a coffee shop during work hours is not an intrusion into the employee’s seclusion or private affairs, but rather a misuse of company property and time that may be subject to the employer’s policies and disciplinary actions5. Moreover, the employee may not have a reasonable expectation of privacy in a public place like a coffee shop. References: 1: Intrusion on seclusion - Wikipedia 2: Elements of an Intrusion Claim | Digital Media Law Project 3: Biometrics - IAPP 4: Employee Monitoring - IAPP 5: Employee Privacy - IAPP : Privacy in Public Places - IAPP

 The Red Flags Rule is a regulation that requires financial institutions and creditors to implement a written identity theft prevention program that is designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account1. A creditor is any person who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew, or continue credit2. A covered account is an account that a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, such as a credit card account, mortgage loan, automobile loan, margin account, cell phone account, utility account, checking account, or savings account2. A money wire service is a service that allows customers to send or receive money electronically3. The owner of a grocery store who uses a money wire service is not a creditor because he or she does not regularly extend, renew, or continue credit to customers. Therefore, the Red Flags Rule does not apply to the owner of a grocery store who uses a money wire service. References:

1: FTC, Red Flags Rule, https://www.ftc.gov/business-guidance/privacy-security/red-flags-rule

2: FTC, Fighting Identity Theft with the Red Flags Rule: A How-To Guide for Business, https://www.ftc.gov/tips-advice/business-center/guidance/fighting-identity-theft-red-flags-rule-how-guide-business

3: Alessa, Wire Transfer Red Flags: Understanding Money Laundering and Fraud Risks, https://alessa.com/webinars/wire-transfer-red-flags-and-fraud-risks/

The biggest potential privacy concern related to Chanel’s use of this new software is scanning a client’s social media accounts to use in a client profile without notice to the client. This could violate the client’s reasonable expectation of privacy and consent, as well as the privacy policies of the social media platforms. The client may not be aware that their social media posts are being used for this purpose, and may not have given their permission or opt-in consent for such data collection and processing. This could also expose the client to potential discrimination or harm based on their social media activity, such as losing their appointment or being charged a cancellation fee. Furthermore, this practice could conflict with the Fair Information Practice Principles (FIPPs), such as transparency, purpose specification, and data minimization12. References:

CIPP/US Practice Questions (Sample Questions), Question 149, Answer A, Explanation A.

IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 1, Section 1.1, p. 9-10.

The FTC’s privacy report, titled “Protecting Consumer Privacy in an Era of Rapid Change”, proposed a framework for companies that collect and use consumer data. The framework consisted of three core principles: privacy by design, simplified consumer choice, and greater transparency. Privacy by design means that companies should incorporate privacy protections into their everyday business practices, such as data security, reasonable collection limits, sound retention practices, and data accuracy. Simplified consumer choice means that companies should provide consumers with clear and easy-to-understand choices about the collection and use of their data, and respect their preferences. Greater transparency means that companies should increase the visibility and accessibility of their data practices, such as providing clear and concise privacy notices, educating consumers about the commercial datapractices, and providing consumers with access to their data. Enhancing security measures is not one of the core principles of the FTC’s privacy framework, although it is a component of the privacy by design principle. References:

IAPP CIPP/US Body of Knowledge, Section I.A.1.a

IAPP CIPP/US Textbook, Chapter 1, pp. 13-15

FTC Privacy Report, Executive Summary, pp. i-vii

In 2012, the White House released a report titled “Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy”, which proposed a Consumer Privacy Bill of Rights based on the Fair Information Practice Principles (FIPPs). The report called for a comprehensive privacy framework that would apply to all commercial sectors and all personal data, regardless of the technology or business model involved. The report also urged Congress to enact legislation to implement the framework and empower the FTC to enforce it. Similarly, the FTC released a report titled “Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers”, which outlined a set of best practices for businesses to protect consumer privacy and foster innovation. The report also advocated for a comprehensive privacy framework that would cover both online and offline data, and apply to all entities that collect or use consumer data that can be reasonably linked to a specific consumer, computer, or device. The report also recommended that Congress consider enacting baseline privacy legislation and giving the FTC rulemaking authority to implement it. Therefore, both reports can be described as advocating a comprehensive approach to privacy enforcement, rather than a harm-based, self-regulatory, or notice and choice approach. References: White House Report, FTC Report, IAPP CIPP/US Study Guide (p. 31-32)

The Electronic Communications Privacy Act of 1986 (ECPA) is a federal law that regulates the privacy of wire, oral, and electronic communications. The ECPA prohibits the intentional interception, use, or disclosure of such communications, unless authorized by law or by the consent of one of the parties to the communication12. The ECPA also provides exceptions for certain types of communications, such as those made in the normal course of business, those made for law enforcement purposes, or those made for foreign intelligence purposes12.

One of the exceptions to the ECPA ban on interception is where one of the parties has given consent. This means that if a person who is a party to a communication agrees to have it intercepted, the interception is lawful under the ECPA. Consent can be express or implied, depending on the circumstances and the expectations of the parties3. For example, if a person calls a customer service line and hears a recorded message that the call may be monitored or recorded, the person has impliedly consented to the interception of the call. However, if a person calls a friend and does not know that the friend has a third party listening in on the call, the person has not consented to the interception of the call.

References: 1: Electronic Communications Privacy Act of 1986, 18 U.S.C. §§ 2510-2523 2: [IAPP CIPP/US Study Guide], Chapter 8, Section 8.2.1. 3: [Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations], pp. 77-78.

 The Family Educational Rights and Privacy Act of 1974 (FERPA) is a federal law that protects the privacy of student education records. FERPA grants parents or eligible students the right to access, amend, and control the disclosure of their education records, with some exceptions. Schools must obtain written consent from the parent or eligible student before disclosing any personally identifiable information from the education records, unless an exception applies123

Option A violates FERPA because it involves the disclosure of a student’s personally identifiable information (PII) from the education records without consent. A student’s signed essay about her hometown is considered an education record under FERPA, as it is directly related to the student and maintained by the school12 A K-12 assessment vendor is not a school official with a legitimate educational interest, nor does it fall under any of the exceptions that allow disclosure without consent12 Therefore, the school must obtain the student’s (or the parent’s, if the student is a minor) written consent before providing the essay to the vendor for public release.

Option B does not violate FERPA because it involves the disclosure of directory information, which is not considered PII under FERPA. Directory information is information that would not generally be considered harmful or an invasion of privacy if disclosed, such as name, address, phone number, e-mail address, major, etc12 Schools may disclose directory information without consent, unless the parent or eligible student has opted out of such disclosure12 However, schools must notify parents and eligible students of the types of directory information they designate and their right to opt out annually12

Option C does not violate FERPA because it involves the disclosure of information that is not part of the education records. FERPA only applies to education records that are directly related to a student and maintained by theschool or a party acting for the school12 A newspaper’s publication of the names, grade levels, and hometowns of students who made the quarterly honor roll is not based on the education records, but on the newspaper’s own sources and reporting. Therefore, FERPA does not prohibit such disclosure.

Option D does not violate FERPA because it involves the disclosure of information under an exception that allows disclosure without consent. FERPA permits schools to disclose education records, or PII from education records, without consent to comply with a judicial order or lawfully issued subpoena, or to appropriate officials in connection with a health or safety emergency123 If the university police provide an arrest report to the student’s hometown police in response to a subpoena or to prevent a serious threat to the student or others, they are not violating FERPA.

References: 1: Family Educational Rights and Privacy Act - Wikipedia 2: Family Educational Rights and Privacy Act (FERPA) | CDC 3: What is FERPA? | Protecting Student Privacy - ed

 According to the Privacy Shield Framework, an organization that transfers personal data to a third party acting as an agent must ensure that the agent does all of the following1:

Uses the transferred data only for limited and specified purposes;

Provides the same level of privacy protection as is required by the Privacy Shield Principles;

Takes reasonable and appropriate steps to ensure that the agent effectively processes the personal information transferred in a manner consistent with the organization’s obligations under the Principles;

Requires the agent to notify the organization if it makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the Principles;

Upon notice, takes reasonable and appropriate steps to stop and remediate unauthorized processing; and

Provides a summary or a representative copy of the relevant privacy provisions of its contract with that agent to the Department of Commerce upon request.

Therefore, the only option that is not required by the Privacy Shield Framework is D. Enters a contract with the organization that states the third party will process data according to the consent agreement. While the organization must obtain the individual’s consent for certain types of data transfers, such as those involving sensitive data or onward transfers to controllers, the organization does not have to include the consent agreement in the contract with the agent. The contract must, however, ensure that the agent will process the data in accordance with the individual’s choices and expectations, as well as the Privacy Shield Principles2.

References: 1: Privacy Shield Framework3, Section 3 (b); 2: Privacy Shield Framework3, Section 2 (b) and ©; 3: Privacy Shield Framework.

 Discrimination is the unfair or prejudicial treatment of people based on certain characteristics, such as race, gender, age, religion, or political affiliation. Discrimination can occur in various contexts, such as employment, education, housing, or public accommodations. Discrimination can violate federal, state, or local laws that prohibit discrimination on the basis of protected categories. In the scenario, Evan is susceptible to a lawsuit based on discrimination because he uses social media to favor employees who share his political views and deny promotions to those who do not. This could constitute political discrimination, which is prohibited by some state and local laws, such as the District of Columbia Human Rights Act and the New York City Human Rights Law. Additionally, Evan’s use of social media could reveal other protected characteristics of his employees, such as their race, gender, age, religion, or sexual orientation, and expose him to claims of discrimination based on those grounds as well. For example, if Evan posts derogatory comments about a certain race or religion, and then denies a promotion to an employee of that race or religion, that employee could sue Evan for discrimination under federal laws, such as Title VII of the Civil Rights Act of 1964 or the Civil Rights Act of 1991. References:

Political Discrimination in the Workplace | Nolo

Social Media and Employment Law Summary of Key Cases and Legal Issues

IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 4: State Privacy Laws and Regulations, Section 4.1: State Anti-Discrimination Laws.

The CAN-SPAM Act is a federal law that sets the rules for commercial email, establishes requirements for commercial messages, gives recipients the right to have you stop emailing them, and spells out tough penalties for violations1. The main purpose of the act is to protect consumers from unwanted and deceptive email messages and to give them more control over their online privacy2. The act applies to all commercial messages, which are defined as "any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service"1. The act does not apply to transactional or relationship messages, which are messages that facilitate an agreed-upon transaction or update a customer about an existing business relationship1. The act also does not apply to non-commercial messages, such as political or charitable solicitations3. References: 1: CAN-SPAM Act: A Compliance Guide for Business2: What is the CAN-SPAM Act? | Proton3: What is the CAN-SPAM Act? | Cloudflare

The strongest example of excessive monitoring by the employer is C. An employer who installs video monitors in physical locations, such as a changing room, to reduce the risk of sexual harassment. This would be considered an unreasonable invasion of employees’ privacy, as it would violate their legitimate expectation of privacy in a place where they change their clothes. Such monitoring would also likely violate the Electronic Communications Privacy Act (ECPA), which prohibits the interception of oral communications without consent or authorization. Moreover, such monitoring would not be justified by a legitimate business interest, as there are less intrusive ways to prevent or address sexual harassment, such as policies, training, and reporting mechanisms. References:

[IAPP CIPP/US Study Guide], Chapter 4: Workplace Privacy, pp. 109-110.

IAPP CIPP/US Body of Knowledge, Section IV: Workplace Privacy, Subsection A: Employee Privacy Expectations, Topic 1: Employee Monitoring.

IAPP CIPP/US Practice Questions, Question 134.

Data flow diagrams are graphical representations of how data moves within an organization or between different entities. They can help identify the sources, destinations, and processing of personal data, as well as the legal basis, retention periods, and security measures for each data flow. Reviewing the available data flow diagrams can help the data privacy leader to quickly and accurately respond to the urgent request from the EU-based retail partner, as well as to assess the potential risks and compliance gaps in the data transfer process. Data flow diagrams are also a key component of data protection impact assessments (DPIAs), which are required by the GDPR for high-risk processing activities. References:

IAPP CIPP/US Body of Knowledge, Section II, A, 2

[IAPP CIPP/US Study Guide, Chapter 2, Section 2.3]

[GDPR, Article 35]

Access is the privacy concept that grants a consumer the right to view and correct errors on his or her credit report. The Fair Credit Reporting Act (FCRA) gives consumers the right to access their credit reports from the three nationwide credit reporting agencies (Equifax, Experian, and TransUnion) once every 12 months for free. Consumers also have the right to dispute any inaccurate or incomplete information in their credit reports and request that the credit reporting agencies investigate and correct the errors. The FCRA also requires the credit reporting agencies to provide consumers with a notice of their rights and a summary of the dispute process. References:

IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 2: Limits on Private-sector Collection and Use of Data, Section 2.2: Consumer Privacy, p. 38-39

IAPP CIPP/US Body of Knowledge, Domain II: Limits on Private-sector Collection and Use of Data, Objective II.B: Identify the privacy requirements for consumer data, Subobjective II.B.1: Identify the consumer rights under the Fair Credit Reporting Act, p. 13

IAPP CIPP/US Exam Blueprint, Domain II: Limits on Private-sector Collection and Use of Data, Objective II.B: Identify the privacy requirements for consumer data, Subobjective II.B.1: Identify the consumer rights under the Fair Credit Reporting Act, p. 4

 The design technique that would most effectively inform users of their data privacy rights and privileges when using the app is to offer information about data collection and uses at key data entry points. This technique is also known as “just-in-time” or “layered” notice, and it is recommended by the U.S. Federal Trade Commission (FTC) as a best practice for mobile app developers12

The idea behind this technique is to provide users with relevant and timely information about how their data is collected and used by the app, and what choices they have to control their data, at the moment when they are asked to provide or access their data. For example, if the app collects location data from the user’s device, it should display a pop-up notice explaining why it needs the location data, how it will use it, and how the user can opt-out or change the settings. This way, the user can make an informed decision about whether to allow or deny the app’s access to their data, and understand the consequences of their choice12

The advantage of this technique is that it avoids overwhelming the user with too much information at once, and instead provides concise and contextual information that is easy to understand and act upon. It also increases the user’s trust and confidence in the app, as they feel more in control of their data and privacy12

The other design techniques are less effective because they do not provide the user with sufficient or timely information about their data privacy rights and privileges when using the app. Publishing a privacy policy written in clear, concise, and understandable language is a good practice, but it is not enough to inform the user of their data privacy rights and privileges, as many users may not read or understand the policy, or may not be aware of where to find it. Presenting a privacy policy to users during the wellness program registration process is also a good practice, but it may not capture all the data collection and uses that the app may perform, and it may not give the user enough opportunity to review and consent to the policy. Providing a link to the wellness program privacy policy at the bottom of each screen is also a good practice, but it may not be noticeable or accessible to the user, and it may not provide the user with the specific information they need at the point of data entry or access12

References:

Mobile Privacy Disclosures: Building Trust Through Transparency: A Federal Trade Commission Staff Report (February 2013)

IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 6: Privacy Program Management, Section 6.4: Privacy by Design

The lawsuit, filed in 2014, claimed that Google violated the federal and state wiretap and privacy laws by scanning and indexing the emails of millions of students who used its Apps for Education suite, which included Gmail as a key feature12. The plaintiffs alleged that Google used the information from the scans to build profiles of students that could be used for targeted advertising or other commercial purposes, without their consent or knowledge12. The lawsuit also challenged Google’s argument that the students consented to the scans when they first logged in to their accounts, saying that such consent was not valid under FERPA, which requires written consent for any disclosure of education records12. Google denied the allegations and argued that the scans were necessary for providing security, spam protection, and other functionality to the users12. The case was settled in 2016, with Google agreeing to change some of its practices and policies regarding the scanning of student emails3. References: 1: Lawsuit Alleges That Google Has Crossed A ‘Creepy Line’ With Student Data, Huffington Post, 1. 2: Google faces lawsuit over email scanning and student data, The Guardian, 2. 3: Google data case to be heard in Supreme Court, BBC, 3.

 Under state breach notification laws, personal information is typically defined as an individual’s first name or first initial and last name plus one or more other data elements, such as Social Security number, state identification number, account number, medical information, etc. However, first and last name alone are not usually considered personal information, unless they are combined with other data elements that could identify the individual or compromise their security or privacy. Therefore, option B is the correct answer, as it is not typically included in the definition of personal information under state breach notification laws. References: https://www.ncsl.org/technology-and-communication/security-breach-notification-laws https://iapp.org/resources/article/state-data-breach-notification-chart/

 According to the Gramm-Leach-Bliley Act (GLBA) and its implementing Regulation P, a financial institution may share consumer information with non-affiliated third parties for marketing purposes only after disclosing its information-sharing practices to customers and after giving them an opportunity to opt out of such sharing. The GLBA defines a customer as a consumer who has a continuing relationship with a financial institution that provides one or more financial products or services to be used primarily for personal, family, or household purposes. A consumer is an individual who obtains or has obtained a financial product or service from a financial institution that is to be used primarily for personal, family, or household purposes, or that individual’s legal representative. A non-affiliated third party is any person except a financial institution’s affiliate or a person employed jointly by a financial institution and a company that is not the financial institution’s affiliate. An affiliate is any company that controls, is controlled by, or is under common control with another company.

The GLBA requires that a financial institution provide a privacy notice to customers: (i) at the time of establishing the customer relationship; (ii) annually during the continuation of the customer relationship; and (iii) before disclosing any nonpublic personal information (NPI) about the customer to any non-affiliated third party, unless an exception applies. The privacy notice must describe the categories of NPI that the financial institution collects and discloses; the categories of affiliates and non-affiliated third parties to whom the financial institution discloses NPI; the categories of NPI disclosed to service providers and joint marketers; the policies and practices with respect to protecting the confidentiality and security of NPI; and the disclosures of NPI to which the customer has a right to opt out. The financial institution must also provide a reasonable means for the customer to opt out of the disclosure of NPI to non-affiliated third parties, such as a check-off box, a reply form, or a toll-free telephone number. The opt-out notice must be clear and conspicuous, and must state that the customer can opt out at any time. The opt-out notice must also explain how the customer can opt out, and the effect of opting out. The financial institution must honor the customer’s opt-out direction as soon as reasonably practicable after receiving it, and must not disclose any NPI to which the opt-out applies, unless an exception applies.

The GLBA provides several exceptions to the opt-out requirement, such as when the disclosure of NPI is necessary to effect, administer, or enforce a transaction requested or authorized by the customer; when the disclosure of NPI is required or permitted by law; when the disclosure of NPI is to a consumer reporting agency in accordance with the Fair Credit Reporting Act; or when the disclosure of NPI is to a person that performs marketing services on behalf of the financial institution or on behalf of the financial institution and another financial institution under a joint marketing agreement. A joint marketing agreement is a formal written contract between a financial institution and any other person under which the parties agree to offer, endorse, or sponsor a financial product or service. The joint marketing agreement must prohibit the other person from using or disclosing the NPI for any purpose other than offering, endorsing, or sponsoring the financial product or service covered by the agreement.

The GLBA also requires that a financial institution provide a privacy notice to consumers who are not customers before disclosing any NPI about the consumer to any non-affiliated third party, unless an exception applies. The financial institution does not need to provide an opt-out notice to consumers who are not customers, unless it has a customer relationship with them. However, if the financial institution establishes a customer relationship with a consumer who was previously not a customer, it must provide a privacy notice and an opt-out notice to the customer as described above.

References:

Guide to the Gramm–Leach–Bliley Act

GLBA or FCRA? Data Sharing Between Affiliates and Non-Affiliates

Existing Privacy Laws Already Regulate Information Sharing

Why Do Banks Share Your Financial Information and Are They Allowed To?

[IAPP CIPP/US Certified Information Privacy Professional Study Guide], Chapter 5, pages 161-165.

The Massachusetts Personal Information Security Regulation (201 CMR 17.00) requires that any person or entity that owns or licenses personal information of Massachusetts residents must implement and maintain a comprehensive written information security program that includes administrative, technical, and physical safeguards to protect such information. One of the technical requirements of the regulation is to encrypt all personal information of Massachusetts residents that is stored on laptops or other portable devices, regardless of where the equipment is located12. The regulation defines personal information as a person’s first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such person: (a) Social Security number; (b) driver’s license number or state-issued identification card number; or © financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account1. The regulation also requires encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly1. References:

Regulation 201 CMR 17.00: Standards for the Protection of Personal Information of MA Residents

Massachusetts Law Raises the Bar for Data Security

A consent decree is a legal document that resolves a dispute between a governmental agency and an adverse party without admission of guilt or liability by either side. It is approved by a judge and has the force of a court order. A consent decree may include terms such as compliance, monitoring, reporting, or remediation. A consent decree is often used to settle civil enforcement actions brought by federal agencies such as the Federal Trade Commission (FTC), the Environmental Protection Agency (EPA), or the Department of Justice (DOJ). References:

IAPP Glossary, entry for “consent decree”

[IAPP CIPP/US Study Guide], p. 39, section 2.1.3

[IAPP CIPP/US Body of Knowledge], p. 9, section B.1.a

According to HIPAA, a business associate is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information (PHI) on behalf of, or provides services to, a covered entity. A business associate agreement (BAA) is a written contract between a covered entity and a business associate that establishes the permitted and required uses and disclosures of PHI by the business associate, as well as the safeguards that the business associate must implement to protect the PHI. In this scenario, MedApps is a business associate of Miraculous, since it provides a telehealth app that involves the use or disclosure of PHI on behalf of Miraculous. Therefore, HIPAA would require Miraculous and MedApps to enter into a BAA before using the telehealth app. The other options are incorrect because HIPAA does not prohibit the use of cloud hosting services or the hosting of in-person appointment data in the cloud, as long as the appropriate safeguards and agreements are in place. HIPAA also does not require patient consent for the sharing of PHI with third parties for treatment, payment, or health care operations purposes, which would include the use of the telehealth app. References:

HIPAA and Telehealth - Office for Civil Rights

HIPAA Rules for telehealth technology - Telehealth.HHS.gov

Notification of Enforcement Discretion for Telehealth - Office for Civil Rights

Guidance: How the HIPAA Rules Permit Covered Health Care Providers and Health Plans to Provide Audio-Only Telehealth - Office for Civil Rights

HIPAA Compliant App - Telehealth.org

IAPP CIPP/US Certified Information Privacy Professional Study Guide - Chapter 3: HIPAA and HITECH, pages 75-76, 81-82, 86-87.

The CCPA provides consumers with a private right of action to pursue statutory damages following data security breaches that impact certain sensitive categories of personal information and are caused by a business’s failure to institute reasonable and appropriate security. The CCPA defines personal information for this purpose as an individual’s name in combination with any of the following: social security number, driver’s license number, account number, credit or debit card number, medical information, or health insurance information. The CCPA allows consumers to seek damages between $100 and $750 per consumer per incident, or actual damages, whichever is greater. The CCPA also requires consumers to provide the business with 30 days’ written notice and an opportunity to cure the violation before initiating an action. Additionally, the CCPA requires consumers to notify the Attorney General within 30 days of filing the action and obtain the Attorney General’s approval or nonobjection before proceeding with the action. Therefore, John can sue the corporation for the data breach to recover monetary damages suffered as a result of the data breach, and in some circumstances seek statutory damages irrespective of whether he suffered any financial harm, as long as he meets the requirements of the CCPA. References:

CCPA Provides Private Right of Action for Data Security Breaches

CCPA Private Right of Action – Data Breach Security Requirement

CCPA Fines & Penalties for Data Protection Violations | MatrixPoint

The Telemarketing Sales Rule (TSR) is a federal regulation that applies to telemarketing calls, which are defined as "a plan, program, or campaign which is conducted to induce the purchase of goods or services or a charitable contribution, by use of one or more telephones and which involves more than one interstate telephone call."1 The TSR requires telemarketers to make specific disclosures, prohibit misrepresentations, limit the times and number of calls, and set payment restrictions for the sale of certain goods and services. The TSR also gives consumers the right to opt out of receiving telemarketing calls by registering their phone numbers on the National Do Not Call Registry.2

The TSR applies to both for-profit and not-for-profit organizations, but there are some exemptions and partial exemptions for certain types of entities, calls, and transactions. For example, the TSR does not apply to nonprofit organizations calling on their own behalf, as they are not considered to be engaged intelemarketing. However, if a nonprofit organization hires a for-profit telemarketer or telefunder to solicit charitable contributions on its behalf, the for-profit entity must comply with the TSR, as it is engaged in telemarketing. Similarly, the TSR does not apply to for-profit organizations calling businesses when a binding contract exists between them, as they are not considered to be inducing the purchase of goods or services. However, if a for-profit organization calls businesses to sell additional services to established customers, the TSR applies, as it is considered to be inducing the purchase of goods or services.3

Therefore, among the four options, only for-profit organizations and for-profit telefunders regarding charitable solicitations must comply with the TSR, as they are engaged in telemarketing and do not fall under any of the exemptions or partial exemptions. References: 1: eCFR :: 16 CFR Part 310 – Telemarketing Sales Rule3, Section 310.22: Telemarketing Sales Rule | Federal Trade Commission1, Rule Summary3: Complying with the Telemarketing Sales Rule - Federal Trade Commission2, Exemptions to the TSR.

The Department of Commerce (DOC) plays a role in privacy policy by promoting the development and adoption of voluntary codes of conduct, standards, and best practices for the private sector, as well as facilitating cross-border data transfers through mechanisms such as the EU-U.S. Privacy Shield and the APEC Cross-Border Privacy Rules. However, the DOC does not have regulatory authority to enforce privacy laws or impose sanctions for privacy violations. The other agencies listed have some degree of regulatory authority over privacy issues within their respective domains. For example, the Office of the Comptroller of the Currency (OCC) supervises national banks and federal savings associations and enforces the GLBA privacy and security rules for these institutions. The Federal Communications Commission (FCC) regulates interstate and international communications and enforces the privacy and security rules for telecommunications carriers, broadband providers, and voice over internet protocol (VoIP) services. The Department of Transportation (DOT) oversees the transportation sector and enforces the privacy and security rules for airlines, travel agents, and other covered entities under the Aviation and Transportation Security Act (ATSA). References:

IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 1: Introduction to the U.S. Privacy Environment, Section 1.3: Federal Agencies with a Role in Privacy, p. 18-19

IAPP CIPP/US Body of Knowledge, Domain I: Introduction to the U.S. Privacy Environment, Objective I.B: Identify the major federal agencies with a role inprivacy, Subobjective I.B.4: Identify the role of the Department of Commerce, p. 7

IAPP CIPP/US Exam Blueprint, Domain I: Introduction to the U.S. Privacy Environment, Objective I.B: Identify the major federal agencies with a role in privacy, Subobjective I.B.4: Identify the role of the Department of Commerce, p. 3

The ADA prohibits employers from discriminating against qualified individuals with disabilities in all aspects of employment, including hiring, firing, promotion, compensation, and training. The ADA also limits the types of medical inquiries and examinations that employers can make of applicants and employees. Under the ADA, a disability is defined as a physical or mental impairment that substantially limits one or more major life activities, a record of such an impairment, or being regarded as having such an impairment. The ADA covers current, past, and perceived drug addiction as a disability, unless the individual is currently engaging in the illegal use of drugs. Therefore, Felicia’s plan to ask applicants about drug addiction may violate the ADA, unless she can show that the inquiry is job-related and consistent with business necessity. The other laws are not directly relevant to Felicia’s plan, although they may have other implications for her business. References: ADA, IAPP CIPP/US Study Guide (p. 95-96)

The false statement regarding the provisions of the EPPA is C. Employers are prohibited from administering psychological testing based on personality traits such as honesty, preferences or habits. The EPPA does not regulate psychological testing, only polygraph testing. Psychological testing is a broad term that covers various types of assessments that measure cognitive abilities, personality traits, interests, values, and skills. Employers may use psychological testing for various purposes, such as hiring, promotion, training, or development, as long as they comply with other laws and regulations, such as the Americans with Disabilities Act (ADA), the Equal Employment Opportunity Commission (EEOC) guidelines, and the Uniform Guidelines on Employee Selection Procedures. However, employers should be careful to ensure that thepsychological tests they use are valid, reliable, job-related, and nondiscriminatory, and that they respect the privacy and dignity of the test takers. References:

[IAPP CIPP/US Study Guide], Chapter 4: Workplace Privacy, pp. 115-116.

IAPP CIPP/US Body of Knowledge, Section IV: Workplace Privacy, Subsection A: Employee Privacy Expectations, Topic 2: Employee Polygraph Protection Act.

IAPP CIPP/US Practice Questions, Question 142.

The Disposal Rule under the Fair and Accurate Credit Transactions Act (FACTA) is a federal regulation that requires any person or entity that maintains or possesses consumer information derived from consumer reports to dispose of such information in a secure and proper manner1.

The Disposal Rule aims to protect consumers from identity theft and fraud by preventing unauthorized access to or use of their personal information1.

The Disposal Rule is enforced by several federal agencies, depending on the type and sector of the entity that is subject to the rule1. These agencies include:

The Federal Trade Commission (FTC), which has general authority over most entities that are not specifically regulated by other agencies2.

The Consumer Financial Protection Bureau (CFPB), which has authority over consumer financial products and services, such as banks, credit unions, lenders, debt collectors, and credit reporting agencies3.

The Office of the Comptroller of the Currency (OCC), which has authority over national banks and federal savings associations4.

The Federal Deposit Insurance Corporation (FDIC), which has authority over state-chartered banks that are not members of the Federal Reserve System and state-chartered savings associations5.

The Board of Governors of the Federal Reserve System (FRB), which has authority over state-chartered banks that are members of the Federal Reserve System, bank holding companies, and certain nonbank subsidiaries of bank holding companies.

The National Credit Union Administration (NCUA), which has authority over federally insured credit unions.

The Securities and Exchange Commission (SEC), which has authority over brokers, dealers, investment companies, and investment advisers.

The Commodity Futures Trading Commission (CFTC), which has authority over commodity futures and options markets and intermediaries.

The Department of Health and Human Services (HHS) is NOT one of the federal agencies that enforces the Disposal Rule under FACTA. HHS has authority over health information privacy and security under the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH), but not under FACTA.

References: 1: Disposing of Consumer Report Information? Rule Tells How 2: FTC Enforcement 3: CFPB Enforcement 4: OCC Enforcement 5: FDIC Enforcement : [FRB Enforcement] : [NCUA Enforcement] : [SEC Enforcement] : [CFTC Enforcement] : [HHS Enforcement]

The Consumer Financial Protection Bureau (CFPB) has rulemaking authority for the Fair Credit Reporting Act (FCRA) and the Fair and Accurate Credit Transactions Act (FACTA), as well as other consumer financial laws. The Dodd-Frank Act, enacted in 2010, transferred most of the rulemaking responsibilities added to the FCRA by the FACTA and the Credit CARD Act from the Federal Trade Commission (FTC) to the CFPB. However, the FTC retains its enforcement authority for the FCRA and the FACTA, along with other federal and state agencies1. The CFPB also shares rulemaking authority for some provisions of the FACTA with the FTC, such as the identity theft red flags and address discrepancy rules2. The Department of Commerce and the State Attorneys General do not have rulemaking authority for the FCRA or the FACTA. References: 1: FTC3, Fair Credit Reporting Act; 2: CFPB4, Fair Credit Reporting Act; 3: FTC; 4: CFPB.

 E-discovery is the process by which parties share, review, and collect electronically stored information (ESI) to use as evidence in a legal matter1. The rules for e-discovery mainly prevent a conflict between business practice and technological safeguards, because they establish the standards and procedures for preserving, collecting, reviewing, and producing ESI in a way that balances the needs of litigation with the realities of technology2. For example, the Federal Rules of Civil Procedure (FRCP) provide guidance on the scope, timing, format, and methods of e-discovery, as well as the sanctions for failing to comply withe-discovery obligations3. The rules also encourage cooperation and communication among parties and courts to resolve e-discovery issues efficiently and effectively4. By following the rules for e-discovery, parties can avoid disputes, delays, and costs that may arise from incompatible or inconsistent business and technological practices.

The other options are not the main purpose of the rules for e-discovery, although they may be related or affected by them. The rules for e-discovery do not directly prevent the loss of information due to poor data retention practices, although they do impose a duty to preserve relevant ESI when litigation is reasonably anticipated5. The rules for e-discovery do not directly prevent the practice of employees using personal devices for work, although they do require parties to identify and disclose the sources of ESI that may be subject to discovery, including personal devices6. The rules for e-discovery do not directly prevent a breach of an organization’s data retention program, although they do require parties to produce ESI in a reasonably usable form and to protect privileged or confidential information7.

References: 1: Everything You Need to Know About E-Discovery, The National Law Review. 2: E-Discovery: The Basics of E-Discovery Guide - Exterro, Exterro.com. 3: Federal Court and Government Agency E-Discovery Rules and Guidelines, Crowell & Moring LLP. 4: FRCP Rule 1, Cornell Law School. 5: FRCP Rule 37, Cornell Law School. 6: FRCP Rule 26, Cornell Law School. 7: FRCP Rule 34, Cornell Law School.

The HITECH Act was enacted as part of the American Recovery and Reinvestment Act of 2009 to promote the adoption and use of health information technology, especially electronic health records (EHRs), in the United States. The HITECH Act established the Medicare and Medicaid EHR Incentive Programs, which provide financial incentives to eligible health care providers who demonstrate meaningful use of certified EHR technology. Meaningful use is defined as using EHRs to improve quality, safety, efficiency, and coordination of care, as well as to engage patients and protect their privacy and security. To qualify for the incentive payments, health care providers must meet certain objectives and measures that demonstrate meaningful use of EHRs as part of their regular care. Some of these objectives and measures include:

Protect electronic protected health information (ePHI)

Generate prescriptions electronically

Implement clinical decision support (CDS)

Use computerized provider order entry (CPOE) for medication, laboratory, and diagnostic imaging orders

Timely patient access to electronic files

Exchange health information with other providers and public health agencies

Report clinical quality measures and public health data

Therefore, the correct answer is A. Making EHRs part of regular care is an important action that a health care provider must take if she wants to qualify for funds under the HITECH Act. References:

What is the HITECH Act? 2024 Update, section “The Meaningful Use Program”

The HITECH Act explained: Definition, compliance, and violations, section “HITECH Act definition and summary” and “Why was the HITECH Act created and why is it important?”

Proposed Rulemaking to Implement HITECH Act Modifications, section “The Health Information Technology for Economic and Clinical Health (HITECH) Act”

Health Information Technology for Economic and Clinical Health (HITECH) Audits, section “The American Recovery & Reinvestment Act of 2009 (ARRA, or Recovery Act)”

What is HITECH Compliance? Understanding and Meeting HITECH Requirements, section “HITECH Compliance Requirements”

Most state breach notification laws require entities to notify affected individuals and/or regulators when there is unauthorized access to or acquisition of personal information that compromises its security, confidentiality, or integrity. However, some states provide exceptions to this requirement under certain conditions, such as:

If the data involved was encrypted or otherwise rendered unreadable or unusable, and the encryption key or other means of access was not compromised. This is based on the assumption that encrypted data is not accessible to unauthorized parties, even if they obtain the data.

If the entity was subject to and complied with another federal or state law that provides similar or greater protection and notification requirements, such as the GLBA Safeguards Rule or the HIPAA Breach Notification Rule. This is to avoid duplication or inconsistency of obligations for entities that are already regulated by other laws.

If the entity conducted a risk assessment and determined that there is no reasonable likelihood of harm to the affected individuals, based on factors such as the nature and extent of the data, the circumstances of the breach, the evidence of misuse, and the ability to mitigate the risk. This is to allow entities to exercise some discretion and judgment in evaluating the potential impact of the breach.

However, none of the state laws provide an exception for the mere access of data without exportation. Access alone is considered a breach that triggers the notification requirement, unless one of the other conditions applies. Therefore, option B is not a sufficient excuse for not providing breach notification under state law.

References:

[IAPP CIPP/US Study Guide], Chapter 9: State Data Security Laws, pp. 209-211.

CIPP/US Practice Questions (Sample Questions), Question 29.

The marketer could be prosecuted for violating the Unfair and Deceptive Acts and Practices (UDAP) laws, which are enforced by the Federal Trade Commission (FTC) and state attorneys general. UDAP laws prohibit businesses from engaging in unfair or deceptive practices that harm consumers, such as false advertising, misleading claims, or hidden fees. In this scenario, the marketer could be accused of deceiving children into providing personal information and preferences under the guise of a survey and a contest, without obtaining verifiable parental consent or disclosing how the information will be used or shared. This could also violate the Children’s Online Privacy Protection Act (COPPA), which is a federal law that regulates the online collection and use of personal information from children under 13 years of age. References:

[IAPP CIPP/US Study Guide], Chapter 5: Enforcement of Privacy and Security, pp. 177-178.

IAPP CIPP/US Body of Knowledge, Section II: Limits on Private-sector Collection and Use of Data, Subsection A: Government and Court Access to Private-sector Information, Topic 2: Unfair and Deceptive Trade Practices.

IAPP CIPP/US Practice Questions, Question 27.

Title VII of the Civil Rights Act of 1964 is a federal law that prohibits employment discrimination based on race, color, religion, sex, and national origin1 It also prohibits retaliation against individuals who assert their rights under the law or participate in an EEOC investigation1 Title VII applies to employers with 15 or more employees, as well as to employment agencies, labor organizations, and joint labor-management committees1

Title VII prohibits employers from making pre-employment inquiries that express a preference, limitation, or specification based on any of the protected characteristics, unless they are bona fide occupational qualifications (BFOQs)2 BFOQs are rare and narrowly construed exceptions that allow employers to consider a protected characteristic when it is reasonably necessary to the normal operation of the business2 For example, a religious organization may require its employees to share its faith, or a women’s shelter may hire only female counselors2

Option A is incorrect because questions about age are not prohibited by Title VII, but by the Age Discrimination in Employment Act of 1967 (ADEA), which protects individuals who are 40 years of age or older from employment discrimination based on age3 The ADEA generally prohibits employers from asking applicants about their age or date of birth, unless age is a BFOQ or the inquiry is part of a lawful affirmative action plan3

Option B is incorrect because questions about a disability are not prohibited by Title VII, but by the Americans with Disabilities Act of 1990 (ADA), which protects qualified individuals with disabilities from employment discrimination based on disability4 The ADA generally prohibits employers from asking applicants about whether they have a disability or the nature or severity of a disability, unless the inquiry is related to the ability to perform the essential functions of the job with or without reasonable accommodation4

Option C is incorrect because questions about a national origin are prohibited by Title VII, but not in all circumstances. Title VII prohibits employers from asking applicants about their national origin, ancestry, birthplace, native language, or accent, unless they are BFOQs or the inquiry is related to a legitimate business purpose, such as verifying eligibility to work in the United States or assessing language proficiency for a job that requires communication skills25

Option D is correct because questions about intended pregnancy are prohibited by Title VII, as amended by the Pregnancy Discrimination Act of 1978 (PDA), which protects women from employment discrimination based on pregnancy, childbirth, or related medical conditions. The PDA prohibits employers from asking applicants about whether they are pregnant or intend to become pregnant, unless they are related to the ability to perform the job. Such questions may indicate an intent to discriminate based on sex or pregnancy, or may deter women from applying for certain jobs.

References: 1: Title VII of the Civil Rights Act of 1964 | U.S. Equal Employment Opportunity Commission 2: Questions and Answers about Race and Color Discrimination in Employment | U.S. Equal Employment Opportunity Commission 3: Age Discrimination | U.S. Equal Employment Opportunity Commission 4: Disability Discrimination | U.S. Equal Employment Opportunity Commission 5: National Origin Discrimination | U.S. Equal Employment Opportunity Commission : Pregnancy Discrimination | U.S. Equal Employment Opportunity Commission

The annual privacy notice requirement under the Gramm-Leach-Bliley Act (GLBA) applies to financial institutions that collect nonpublic personal information from customers and disclose it to nonaffiliated third parties, unless they qualify for an exception. A financial institution is any entity that engages in activities that are financial in nature or incidental to such activities, as defined by section 4(k) of the Bank Holding Company Act of 1956. The King County Savings and Loan is a financial institution under this definition, as it engages in lending money and accepting deposits. Therefore, it is required to provide its customers with an annual privacy notice, unless it meets the conditions for an exception. The Four Winds Tribal College, the Golden Gavel Auction House, and the Breezy City Housing Commission are not financial institutions under the GLBA, as they do not engage in activities that are financial in nature or incidental to such activities. Therefore, they are not required to provide their customers with an annual privacy notice under the GLBA. References:

Amendment to the Annual Privacy Notice Requirement Under the Gramm-Leach-Bliley Act, section I. Background, paragraph 2.

17 CFR § 248.5 - Annual privacy notice to customers required., paragraph (a) (1).

IAPP CIPP/US Study Guide, page 65.

Nevada’s privacy law, Senate Bill 260 (SB 260), is an amendment to the existing Nevada Revised Statutes (NRS) Chapter 603A that was enacted in June 2021 and will take effect on October 1, 2021. SB 260 expands the scope and definition of “covered information” under NRS 603A to include any information that identifies, relates to, describes, or is capable of being associated with a consumer, such as name, address, email, phone number, social security number, biometric data, geolocation data, and online identifiers. SB 260also grants Nevada consumers the right to opt out of the sale of their covered information by an operator of a website or online service that collects and maintains such information.

Under SB 260, an operator is defined as a person who owns or operates a website or online service for commercial purposes, collects and maintains covered information from consumers who reside in Nevada and use or visit the website or online service, and purposefully directs its activities toward Nevada. A sale is defined as the exchange of covered information for monetary consideration by the operator to a person for the person to license or sell the covered information to additional persons. However, there are some exceptions to the definition of a sale, such as:

If the consumer has consented to the sale after being provided with clear and conspicuous notice of the sale and the opportunity to opt out.

If the sale is to a person who processes the covered information on behalf of the operator.

If the sale is to a person with whom the consumer has a direct relationship for the purposes of providing a product or service requested by the consumer.

If the sale is to a person for purposes that are consistent with the reasonable expectations of the consumer considering the context in which the consumer provided the covered information to the operator.

If the sale is to a person who is an affiliate of the operator.

If the sale is to a person as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the person assumes control of all or part of the operator’s assets.

To comply with SB 260, an operator that sells covered information must provide a designated request address through which a consumer may submit a verified request to opt out of the sale. The designated request address may be an email address, a toll-free telephone number, or an Internet website. The operator must respond to the verified request within 60 days, and may extend the response period for an additional 30 days if reasonably necessary. The operator must also provide a notice to the consumer that identifies the categories of covered information that the operator collects and the categories of third parties to whom the operator may disclose the covered information.

Therefore, the best privacy compliance step for SuperMart to comply with SB 260 is to provide a mechanism for consumers to opt out of sales, as this is the core requirement of the law. Option A is the correct answer.

Option B is incorrect, as SB 260 does not grant consumers the right to access or delete their covered information, unlike other state privacy laws such as the California Consumer Privacy Act (CCPA) or the Virginia Consumer Data Protection Act (VCDPA).

Option C is incorrect, as SB 260 does not require operators to provide a notice of financial incentive for any loyalty programs offered to their customers, unlike the CCPA.

Option D is incorrect, as SB 260 does not impose service provider restrictions on the vendors of the operators, unlike the CCPA or the VCDPA.

References:

[IAPP CIPP/US Study Guide], Chapter 10: State Data Security Laws, pp. 229-230.

CIPP/US Practice Questions (Sample Questions), Question 33.

 The Virginia Consumer Data Protection Act (VCDPA) is a state law that provides comprehensive privacy rights and obligations for consumers and businesses in Virginia. The VCDPA applies to any entity that conducts business in Virginia or produces products or services that are targeted to residents of Virginia and that either: (a) controls or processes personal data of at least 100,000 consumers; or (b) controls or processes personal data of at least 25,000 consumers and derives over 50% of gross revenue from the sale of personal data. However, the VCDPA also provides several exemptions for certain types of entities and data, including an entity exemption for financial institutions or data subject to the Gramm-Leach-Bliley Act (GLBA). This means that organizations that are regulated by the GLBA are not subject to the VCDPA, regardless of the type or source of data they collect or process. The GLBA is a federal law that regulates the collection, use, and disclosure of personal financial information by financial institutions and their affiliates. The GLBA applies to any business that is significantly engaged in financial activities, such as banks, credit unions, securities firms, insurance companies, and certain fintech companies. The GLBA requires financial institutions to provide notice and choice to consumers about their privacy practices, to safeguard the security and confidentiality of consumer information, and to limit the sharing of consumer information with third parties. The GLBA also preempts state laws only to the extent that they are inconsistent with the GLBA, unless the state law provides greater protection to consumers.

The other state laws listed in the question do not have an entity exemption for organizations subject to the GLBA, but they may have partial or data exemptions for certain types of information that are regulated by the GLBA. For example, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) are state laws that provide comprehensive privacy rights and obligations for consumers and businesses in California. The CCPA and the CPRA apply to any business that collects or sells the personal information of California residents and that meets one or more of the following thresholds: (a) has annual gross revenues in excess of $25 million; (b) alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, the personal information of 50,000 or more consumers, households, or devices; or © derives 50% or more of its annual revenues from selling consumers’ personal information. However, the CCPA and the CPRA also provide several exemptions for certain types of entities and data, including a data exemption for personal information collected, processed, sold, or disclosed pursuant to the GLBA, if it is in conflict with the GLBA. This means that information that is subject to the GLBA is exempt from the privacy requirements of the CCPA and the CPRA, but not from the data breach liability provisions. The CCPA and the CPRA do not exempt financial institutions or other entities that are regulated by the GLBA from their scope, unless they only collect or process information that is subject to the GLBA.

The Nevada Privacy Law is a state law that provides privacy rights and obligations for consumers and operators of websites or online services in Nevada. The Nevada Privacy Law applies to any person who owns or operates an Internet website or online service for commercial purposes that collects and maintains covered information from consumers who reside in Nevada and use or visit the Internet website or online service. Covered information includes any one or more of the following items of personally identifiable information about a consumer collected by an operator through an Internet website or online service and maintained by the operator in an accessible form: (a) a first and last name; (b) a home or other physical address which includes the name of a street and the name of a city or town; © an electronic mail address; (d) a telephone number; (e) a social security number; (f) an identifier that allows a specific person to be contacted either physically or online; or (g) any other information concerning a person collected from the person through the Internet website or online service of the operator and maintained by the operator in combination with an identifier in a form that makes the information personally identifiable. However, the Nevada Privacy Law also provides several exemptions for certain types of entities and data, including a data exemption for any data that is subject to the GLBA. This means that information that is regulated by the GLBA is exempt from the Nevada Privacy Law, regardless of the type or source of data. The Nevada Privacy Law does not exempt financial institutions or other entities that are subject to the GLBA from its scope, unless they only collect or process information that is subject to the GLBA. References:

VCDPA, Section 59.1-572 (A) (1)

GLBA, 15 U.S.C. § 6801 et seq.

CCPA, Section 1798.145 (e)

CPRA, Section 1798.121 ©

Nevada Privacy Law, Section 603A.340 (1) (a)

The scenario suggests that the company lacked adequate rules about access to customer information, which increased the risk of unauthorized access and data breach. Implementing a comprehensive policy for accessing customer information would have helped the company to limit the access to only those who need it for legitimate purposes, and to protect the confidentiality, integrity, and availability of the data. This is also one of the recommendations that Roberta made in her report. References:

CIPP/US Practice Questions (Sample Questions), Question 116, Answer A, Explanation A.

IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 5, Section 5.2, p. 143.

The FCRA requires that an employer who takes an adverse action against an applicant or employee based on information in a consumer report must provide a notice of the adverse action to the individual. The notice must include the name, address, and phone number of the CRA that supplied the report; astatement that the CRA did not make the decision and cannot explain why the adverse action was taken; a notice of the individual’s right to dispute the accuracy or completeness of the information in the report; and a notice of the individual’s right to obtain a free copy of the report from the CRA within 60 days12. References:

CIPP/US Practice Questions (Sample Questions), Question 141, Answer A, Explanation A.

IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 4, Section 4.2, p. 101-102.

Fair Credit Reporting Act (FCRA), Section 615, Subsection (a).

Patrick should first ensure that inspecting GPS geolocation data from Jane’s corporate mobile phone is permitted under Jane’s employment contract or the company’s employee privacy policy. This is because Jane has a reasonable expectation of privacy in her location information, even if she uses a corporate-owned device for business purposes. The Fourth Amendment protects individuals from unreasonable searches and seizures by the government, and the Electronic Communications Privacy Act (ECPA) prohibits unauthorized interception or access to electronic communications by private parties. Therefore, Patrick cannot inspect Jane’s GPS data without a valid legal basis, such as consent, contract, or court order. Obtaining prior consent from Jane pursuant to the Telephone Consumer Protection Act (A) is not relevant, as this law regulates unsolicited calls and text messages, not location tracking. Revising emerging workplace privacy best practices with a reputable advocacy organization (B) is not sufficient, as Patrick still needs to comply with the existing legal obligations and contractual terms. Obtaining a subpoena from law enforcement, or a court order, directing Jones Labs to collect the GPS geolocation data © is not necessary, as Patrick is not acting on behalf of the government or in response to a legal request. However, if Patrick does obtain such a legal order, he should also comply with it and notify Jane of the disclosure, unless prohibited by law. References:

IAPP CIPP/US Study Guide, Chapter 4, Section 4.1.2, p. 115-116

IAPP CIPP/US Study Guide, Chapter 4, Section 4.2.1, p. 118-119

IAPP CIPP/US Study Guide, Chapter 4, Section 4.2.2, p. 120-121

IAPP CIPP/US Study Guide, Chapter 4, Section 4.2.3, p. 122-123

IAPP CIPP/US Study Guide, Chapter 4, Section 4.3.1, p. 124-125

IAPP CIPP/US Study Guide, Chapter 4, Section 4.3.2, p. 126-127

IAPP CIPP/US Study Guide, Chapter 4, Section 4.3.3, p. 128-129

IAPP CIPP/US Study Guide, Chapter 4, Section 4.3.4, p. 130-131

IAPP CIPP/US Study Guide, Chapter 4, Section 4.3.5, p. 132-133

IAPP CIPP/US Study Guide, Chapter 4, Section 4.3.6, p. 134-135

IAPP CIPP/US Study Guide, Chapter 4, Section 4.3.7, p. 136-137

IAPP CIPP/US Study Guide, Chapter 4, Section 4.3.8, p. 138-139

IAPP CIPP/US Study Guide, Chapter 4, Section 4.3.9, p. 140-141

IAPP CIPP/US Study Guide, Chapter 4, Section 4.3.10, p. 142-143

IAPP CIPP/US Study Guide, Chapter 4, Section 4.3.11, p. 144-145

IAPP CIPP/US Study Guide, Chapter 4, Section 4.3.12, p. 146-147

IAPP CIPP/US Study Guide, Chapter 4, Section 4.3.13, p. 148-149

IAPP CIPP/US Study Guide, Chapter 4, Section 4.3.14, p. 150-151

IAPP CIPP/US Study Guide, Chapter 4, Section 4.3.15, p. 152-153

IAPP CIPP/US Study Guide, Chapter 4, Section 4.3.16, p. 154-155

IAPP CIPP/US Study Guide, Chapter 4, Section 4.3.17, p. 156-157

The law that is not involved in the regulation of employee background checks is B. The Gramm-Leach-Bliley Act (GLBA). The GLBA is a federal law that regulates the privacy and security of financial information collected, used, or shared by financial institutions, such as banks, insurance companies, or securities firms. The GLBA does not apply to employee background checks, unless the employer is a financial institution that obtains financial information from a consumer reporting agency for employment purposes. In that case, the employer must comply with the GLBA’s notice and opt-out requirements, as well as the FCRA’s requirements for using consumer reports. References:

[IAPP CIPP/US Study Guide], Chapter 4: Workplace Privacy, pp. 113-114.

IAPP CIPP/US Body of Knowledge, Section IV: Workplace Privacy, Subsection A: Employee Privacy Expectations, Topic 3: Background Checks.

IAPP CIPP/US Practice Questions, Question 150.

The Cable Communications Policy Act of 1984 (CCPA) is a federal law that regulates the cable television industry and protects the privacy of cable subscribers. One of the provisions of the CCPA is that cable operators must providetheir subscribers with an annual notice that clearly and conspicuously informs them of the following information12:

The nature of personally identifiable information collected or to be collected with respect to the subscriber and the nature of the use of such information

The nature, frequency, and purpose of any disclosure of such information, including an identification of the types of persons to whom the disclosure may be made

The period during which such information will be maintained by the cable operator

The times and place at which the subscriber may have access to such information

The limitations provided by the CCPA with respect to the collection and disclosure of information by a cable operator and the right of the subscriber under the CCPA to enforce such limitations

The annual notice must also state that the subscriber has the right to prevent disclosure of personally identifiable information to third parties, except as required by law or court order, and that the subscriber may sue for damages, attorney’s fees, and other relief for violations of the CCPA12.

References: 1: Cable Communications Policy Act of 1984, Section 631 2: [IAPP CIPP/US Study Guide], Chapter 8, Section 8.3.2

The Dodd-Frank Act was established to prevent the risky financial practices that led to the 2007–2008 financial crisis, which included issues similar to Noah’s experience with buying stocks without understanding the risks. The act includes provisions forconsumer protection in financial services and aims to prevent abusive practices in the financial industry

Data brokers are companies that collect, analyze, and share personal information about consumers for various purposes, such as marketing, risk mitigation, and research. The U.S. Federal Trade Commission (FTC) conducted a study of nine data brokers in 2012 and published a report in 2014, titled “Data Brokers: A Call for Transparency and Accountability”. In the report, the FTC identified three broad categories of products offered by data brokers, based on the primary purposes for which the products are used by their customers. The three categories are: 12

Marketing products: These products help customers target potential customers, tailor marketing offers, measure the effectiveness of marketing campaigns, and improve customer relationships. Marketing products include data elements, segments, scores, lists, and analytics that are derived from consumer data. Data brokers may provide marketing products through direct marketing (such as postal mail, e-mail, or phone), online marketing (such as online display ads, social media, or mobile apps), or marketing analytics (such as measuring consumer behavior, preferences, and trends)12

Risk mitigation products: These products help customers verify and authenticate consumers’ identities, prevent fraud, and comply with legal obligations. Risk mitigation products include identity verification, identity authentication, fraud prevention, and compliance products that are based on consumer data. Data brokers may provide risk mitigation products through various methods, such as matching consumer-providedinformation with data broker records, generating questions or challenges based on consumer data, or providing scores or indicators of fraud risk or compliance status12

Research products: These products help customers understand consumer behavior, preferences, and trends, as well as market conditions, industry developments, and economic factors. Research products include reports, studies, statistics, and insights that are derived from consumer data. Data brokers may provide research products through various formats, such as online portals, dashboards, newsletters, or custom reports12

The FTC report did not include location of individuals as one of the three broad categories of products offered by data brokers. Location of individuals may be a specific type of product or service that some data brokers provide, but it is not a primary purpose for which data brokers use consumer data. Therefore, the correct answer is C. Location of individuals (such as identifying an individual from partial information).

References:

Data Brokers: A Call For Transparency and Accountability: A Report of the Federal Trade Commission (May 2014)

IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 5: State Privacy Laws, Section 5.3: Data Broker Laws

The Privacy Protection Act of 1980 (PPA) is a federal law that protects journalists and newsrooms from search and seizure by government officials in connection with criminal investigations or prosecutions. The PPA prohibits the government from searching for or seizing any work product materials or documentary materials possessed by a person who intends to disseminate them to the public through a newspaper, book, broadcast, or other similar form of public communication, unless certain exceptions apply. The PPA was drafted in response to the Supreme Court’s decision in Zurcher v. Stanford Daily, which upheld the constitutionality of a police search of a student newspaper’s office without a subpoena, based on probable cause that the newspaper had evidence of a crime. The PPA was intended to protect the First Amendment rights of the press and the privacy interests of journalists and their sources from unreasonable government intrusion123. References:

1: IAPP, Privacy Protection Act of 1980, https://epic.org/the-privacy-protection-act-of-1980/

2: DOJ, Privacy Protection Act of 1980, https://www.justice.gov/archives/jm/criminal-resource-manual-661-privacy-protection-act-1980

3: Wikipedia, Privacy Protection Act of 1980, https://en.wikipedia.org/wiki/Privacy_Protection_Act_of_1980

The federal act that does NOT contain provisions for preempting stricter state laws is the Telemarketing Consumer Protection and Fraud Prevention Act1. This act authorizes the Federal Trade Commission (FTC) to establish and enforce rules for telemarketing practices, such as the Do Not Call Registry, the prohibition of robocalls, and the disclosure of material information2. However, the act also explicitly states that it does not "annul, alter, or affect, or exempt any person subject to the provisions of this section from complying with, the laws of any State with respect to telemarketing practices, except to the extent that those laws are inconsistent with any provision of this section, and then only to the extent of the inconsistency"1. This means that states can enact and enforce their own laws regarding telemarketing, as long as they are not less protective than the federal law. In contrast, the other three acts listed in the question do contain preemption clauses that limit or override the authority of states to regulate certain aspects of electronic communications, online privacy, and credit transactions345. References: 1: Telemarketing Consumer Protection and Fraud Prevention Act2: Telemarketing Sales Rule | Federal Trade Commission3: CAN-SPAM Act: A Compliance Guide for Business4: Children’s Online Privacy Protection Rule (“COPPA”) | Federal Trade Commission5: Fair and Accurate Credit Transactions Act of 2003 - Wikipedia : IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 5: Federal Trade Commission and Consumer Privacy, p. 144-145, 149-150, 154-155