CIPP/US Practice Questions and Answers 2024, Exams of Nursing

Practice questions and answers related to the US Constitution, the three branches of government, sources of law, privacy laws, and torts. It covers topics such as the purpose of the three-branch government design, similarities between state and federal government, the duties of the executive branch, and the sources of law in the US. It also discusses privacy-related torts, such as intrusion on seclusion and public revelation of private facts.

Typology: Exams

2023/2024

Available from 02/08/2024

ellanor-anderson

CIPP/US Practice Questions and Answers 2024
The U.S. Constitution establishes what three branches of government? - Legislative, Executive, Judicial
What establishes the three branches of the U.S. Government? - The U.S. Constitution
What is the purpose of the three-branch government design? - To provide a separation of powers with a system of checks and balances among the branches.
What similarities are found between state and federal government? - The three branches are also often found at the state and often the local levels.
What is the legislative branch's make-up? - The legislative branch is made up of elected representatives who write and pass laws. It includes the Congress (House and Senate).
What does the legislative branch do? - Congress confirms presidential appointees, and can override vetoes.
What are the duties of the executive branch? - The executive branch's duties are to enforce and administer the law.
Who makes up the executive branch? - The President, Vice President, cabinet, and federal agencies (such as the FTC).
What can the executive branch do? - President appoints federal judges. It can veto laws passed by Congress.
What can the judicial branch do? - The Judicial branch determines whether the laws are constitutional. It also interprets laws, the meaning of a law, and how it is applied. It can also examine the intent behind a law's creation.
What is the judicial branch? - The Federal Courts.
What two parts make up the U.S. Congress? - The Senate and the House of Representatives (legislative branch)
What can Congress do when enacting legislation? - Congress can delegate the power to promulgate regulations to federal agencies (such as the FTC).
What are the sources of law in the U.S.?
- Federal and state constitutions, legislation, case law (contracts and torts), and agency-issued regulations.
What is the supreme law in the U.S.? - The Constitution.
Who drafted the Constitution and when? - The Constitutional Convention drafted the Constitution in 1787.
True/False: The U.S. Constitution does not contain the word "Privacy". - True.
Which parts of the Constitution directly affect privacy? - The Fourth Amendment limits on government searches.
Which Supreme Court decisions affect privacy? - The S.C. has held that a person has a right to privacy over personal issues such as contraception and abortion, arising from more general protections of due process of law.
What are other sources of law affecting privacy? - State constitutions may create stronger rights than are provided in the U.S. Constitution.
Which state expressly recognizes a right to privacy in its constitution? - California.
What areas are regulated by laws enacted by federal Congress and state legislatures? - Applications of information (use of information for marketing or pre-employment screening), certain industries (such as financial institutions or healthcare providers), certain data elements (SSNs or driver's license info), or specific harms (identity theft or children's online privacy).
How is law-making power distributed in the U.S.? - Law-making power is shared between the national and state governments.
What does the U.S. Constitution say about laws under the Constitution? - It states that the Constitution, and the laws passed pursuant to it, are "the supreme law of the land."
When do states have the power to make laws? - Where federal law does not prevent it, states have the power to make law.
Which Amendment to the Constitution states "the powers not delegated to the United States by the Constitution, nor prohibited by it to the States, are reserved to the States respectively, or to the people."? - The Tenth Amendment to the Constitution.
What is one area of law where states may pass privacy/other laws with stricter requirements than federal law? - HIPAA medical privacy rule.
In which areas do federal laws pre-empt state laws, preventing states from passing stricter provisions? - Limits on commercial e-mails in the CAN-SPAM Act.
What is the CAN-SPAM Act? - Controlling the Assault of Non-Solicited Pornography and Marketing Act.
Aside from the ability to make and enforce laws and regs, what does the U.S. legal system rely on? - 1. Legal precedent based on court decisions; 2. Doctrines implicit in legal precedent; 3. Customs and uses of legal precedent.
How do precedents handle the passing of time? - As time passes, precedents often change to reflect technological and societal changes in values and laws.
What are common law's rules in regards to privacy? - Common law upholds special privilege rules, even in the absence of statutes protecting that confidentiality.
Name two special privilege rules. - 1. Doctor-patient privilege; 2. Attorney-client confidentiality.
What is a judgment entered by consent of the parties whereby the defendant agrees to stop alleged illegal activity? - Consent Decree.
Does a consent decree typically admit guilt or wrongdoing? - No.
How are the courts involved in a consent decree? - The document is approved by a judge.
What does a consent decree accomplish? - It formalizes an agreement reached between a federal or state agency and an adverse party.
What are the contents of the consent decree?
- It describes the actions that the defendant will take and the decree may be subject to a public comment period.
How much power does a consent decree hold? - Once approved, the consent decree has the effect of a court decision.
In what area has the FTC entered into numerous consent decrees with companies as a result of alleged violations of privacy laws? - COPPA has allowed for several consent decrees, which require violators to pay money to the government and agree not to violate the relevant law in the future.
What services do federal agencies provide? - 1. Promulgate rules and enforce them; 2. Provide guidance in the form of opinions.
How are agency opinions interpreted and used? - They do not carry the weight of law, but do give specific guidance to interested parties trying to interpret agency rules and regulations.
What is a legally binding agreement enforceable in a court of law? - Contract
What provisions might a privacy contract contain? - Data usage, data security, breach notification, jurisdiction, and damages. (A contract between an EU company and a US data processor might include a provision requiring the US company to be Safe Harbor certified or abide by the framework.)
True/false: Every agreement is a legally binding contract. - False. There are three fundamental requirements for forming a binding contract.
What are the three factors required to form a contract? - Offer, Acceptance, Consideration.
What is the proposed language to enter into a bargain? - Offer
What is an Intentional tort? - These are wrongs that the defendant knew / should have known would occur through their actions or inactions.
Give an example of an intentional tort. - Intentionally hitting a person or stealing personal information.
What is a negligent tort? - These occur when the defendant's actions were unreasonably unsafe.
Give an example of a negligent tort.
- Causing a car accident by not obeying traffic rules or not having appropriate security controls.
What is a strict liability tort? - These are wrongs that don't depend on the degree of carelessness by the defendant, but are established when a particular action causes damage.
What are some examples of strict liability torts? - Product liability torts (concern potential liability for making and selling defective products without the need for the plaintiff to show negligence by the defendant).
When did the concept of a personal privacy tort enter U.S. jurisprudence? - The late 1890s.
What are some current privacy torts? - a. intrusion on seclusion; b. public revelation of private facts; c. interfering with a person's right to publicity; d. casting a person in a false light.
What is a defense to some of the traditional privacy torts? - The speaker is exercising free speech rights under the First Amendment.
What are some other, more recent, privacy-related torts considered by courts? - Allegations that a company was negligent for failing to provide adequate safeguards for PI, thus causing harm due to disclosure of the data. Lack of adequate safeguards therefore may expose a company to damages under tort law.
Define "person". - An entity with legal rights, including an individual ("natural person") or a corporation ("legal person")
Define "jurisdiction" - authority of a court to hear a particular case
What two areas of the case must the court have jurisdiction over? - 1. subject matter jurisdiction; 2. personal jurisdiction
What is subject matter jurisdiction? - Jurisdiction over the type of dispute / cause of action.
What is personal jurisdiction? - Jurisdiction over the parties (often based on their location)
True/false: Government agencies do not have jurisdictional limits. - FALSE
Define Choice.
- The ability to specify whether personal information will be collected and/or how it will be used or disclosed.
In what two forms is choice recognized? - express or implied.
Define "opt-in" - an affirmative indication of choice based on an express act of the person giving the consent.
Give an example of "opt-in" behavior. - A person opts in if he says yes when asked, "May we share your information?" Failure to answer would result in the information not being shared.
Define "opt-out" - a choice can be implied by the failure of the person to object to the use or disclosure.
Give an example of "opt-out" behavior - A company says "Unless you tell us not to, we may share your information." The person then has the ability to opt out of the sharing by saying no. Failure to answer would result in the information being shared.
What defines "meaningful" choice? - Where choice is offered, it should be meaningful, which is that it should be based on a real understanding of the implication of the decision.
Define "access." - Access is the ability to view personal information held by an organization.
What can be used to supplement access? - Updates or corrections to the information may be allowed.
What do U.S. laws often require around access? - They often provide for access and correction when the information is used for any type of substantive decision making, such as for credit reports.
At the federal level, which agencies engage in regulatory activities concerning the private sector? - FTC, federal banking regulatory agencies (Consumer Financial Protection Bureau, Federal Reserve, Office of the Comptroller of the Currency), the FCC, DOT, Dept. of Health and Human Services through its Office for Civil Rights.
What role does the Department of Commerce play in privacy?
- The DOC doesn't have regulatory authority for privacy, but often plays a role in privacy policy for the executive branch.
What authority does the FTC have re: privacy in the private sector? - General authority to enforce against "unfair and deceptive trade practices."
In which areas does the FTC have specific regulatory authority? - 1. marketing communications; 2. children's privacy
Who brings privacy-related enforcement actions at the state level? - State Attorneys General
On what basis are state privacy enforcement actions brought? - pursuant to state laws prohibiting unfair and deceptive practices.
What role does the State Attorney General serve? - Serves as the chief legal advisor to the state government and as the state's chief law enforcement officer
In which state was the first security breach notification law enacted? - California.
What does the CA law regulate? - The CA Data Breach Notification Law regulates entities that do business in CA and that own or license computerized data, including PI.
To whom does the CA law apply? - It applies to natural persons, legal persons, and government agencies.
True/false: if you do business only in Montana or NY, you are still subject to this CA law. - FALSE
Even if you do business in CA, what is required for this law to apply to you? - You must have computerized data.
What does the CA data breach law cover? - It regulates computerized PI of CA residents.
What is PI? - Personal information - an individual's name in combination with any one or more of (1) SSN, (2) CA identification card number, (3) Driver's License number, (4) financial account number or credit or debit card number in combination with any required security code, access code or password that would permit access to an individual's financial account, when either the name or the data elements are not encrypted.
True/False: If your databases contain only names and addresses, you are not subject to the CA law. - True.
True/False: If your database contains only encrypted information, you are not subject to the CA law. - True.
What does the CA Data Breach Notification law require or prohibit? - It requires you to disclose any breach of system security to any resident of CA whose unencrypted personal information was or is reasonably believed to have been acquired by an unauthorized person.
Define "breach of the security of the system". - Unauthorized acquisition of computerized data that compromises the security, confidentiality or integrity of personal information maintained by the person.
How must disclosure be carried out? - The disclosure must be made "in as expedient a manner as possible."
What is the exception to the CA law? - There is an exception for the good faith acquisition of PI by an employee or agent of the business, provided the PI is not used or subject to further unauthorized disclosure.
When is a delay in providing notice permissible? - When a delay is requested by law enforcement.
Who enforces the CA law? - The CA Attorney General enforces the law.
True/false: the law provides for a private cause of action. - True.
What happens if one doesn't comply with the CA law? - The CA attorney general or any citizen can file a civil lawsuit against you, seeking damages and forcing you to comply.
Do privacy rights ever create private rights of action? - Yes, and this allows an individual plaintiff to sue based on violations of the statute.
What does the Fair Credit Reporting Act allow? - It has a private right of action, which allows a person to sue a company if his consumer reports have been used inappropriately.
What is criminal litigation? - Criminal lit involves lawsuits brought by the government for violations of criminal laws.
How is criminal litigation different from civil litigation? - Civil lit involves an effort by a private party to correct specific harms. Criminal prosecution, brought by gov, can lead to imprisonment and criminal fines.
Who prosecutes criminal laws? - Department of Justice in the federal government. For states, the state attorney general and local officials (district attorney) usually have criminal prosecutorial power.
What are administrative enforcement actions? - These are carried out pursuant to the statutes that create and empower an agency, such as the FTC.
Where are the rules found for agency enforcement actions in the federal government? - the Administrative Procedure Act (APA).
What does the APA contain? - The APA sets forth basic rules for adjudication within an agency, where court-like hearings may take place before an administrative law judge.
What is the appeals process for agency enforcement actions? - Federal agency adjudications can generally be appealed to federal court.
True/false: A federal agency may sue a party in federal court, with the agency as the plaintiff in a civil action. - True.
Which agencies are responsible for medical privacy? - Office for Civil Rights in the Department of Health and Human Services (HHS), for the Health Insurance Portability and Accountability Act (HIPAA)
Which agencies oversee financial privacy? - Consumer Financial Protection Bureau for financial consumer protection issues generally; federal financial regulators such as the Federal Reserve and the Office of Comptroller of the Currency, for institutions under their jurisdiction under the Gramm-Leach-Bliley Act (GLBA)
Which agencies are responsible for educational privacy? - Department of Education for the Family Educational Rights and Privacy Act.
Which agencies oversee telemarketing and marketing privacy?
- Federal Communications Commission (along with the FTC) under the Telephone Consumer Protection Act and other statutes.
Which agencies are responsible for workplace privacy? - Equal Employment Opportunity Commission for the Americans with Disabilities Act and other anti-discrimination statutes.
Which agency plays a leading role in federal privacy policy development and administers the Safe Harbor agreement between the US and EU? - Department of Commerce.
Which federal department has been increasingly active in privacy, negotiating internationally on privacy issues with other countries/multinational groups such as the UN and OECD? - State Department.
What is the sole federal agency to bring criminal enforcement actions which can result in imprisonment or criminal fines? - Department of Justice.
Name one statute that provides for both civil and criminal enforcement - HIPAA.
Where a statute provides for both civil and criminal enforcement, how is jurisdiction apportioned? - Procedures exist for the roles of both HHS and the Department of Justice (in HIPAA's case).
When was the FTC founded? - 1914
For what purpose was the FTC founded? - FTC was founded to enforce antitrust laws.
What changes to the FTC mission were effected in 1938? - a statutory change caused the FTC mission to shift to a consumer protection focus.
True/False: today, the FTC focuses on both antitrust law enforcement, and consumer protection - True.
True/false: Today's FTC does not include privacy and computer security issues as an important part of its work. - FALSE
What does it mean that the FTC is an "independent" agency? - It is governed by the decisions of its chairman and four other commissioners, instead of falling under the direct control of the president.
What is the single most important piece of US privacy law? - Section 5 of the FTC Act.
What does Section 5 of the FTC Act state? - "Unfair or deceptive acts or practices in or affecting commerce are hereby declared unlawful."
Does FTC Act Section 5 say anything specifically about privacy or information security? - No.
True/false: The application of Section 5 to privacy and information security is clearly established today - True.
What marks the beginning of the FTC's enforcement of privacy violations? - The Fair Credit Reporting Act of 1970.
When did the FTC begin bringing privacy enforcement cases under its powers to address unfair and deceptive practices? - During the 1990s.
Name the ways in which Congress added privacy-related responsibilities to the FTC over time. - The Children's Online Privacy Protection Act (COPPA) of 1998 and the Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act of 2003.
What does Section 6 of the FTC Act do? - It vests the commission with the authority to conduct investigations and to require businesses to submit investigatory reports under oath.
To what does the FTC Act Section 5 apply and not apply? - It applies to "unfair and deceptive practices in commerce" and does not apply to nonprofit organizations. Its powers also do not extend to certain industries, such as banks and other federally regulated financial institutions, as well as common carriers such as transportation and communications industries.
What begins the typical FTC enforcement action? - A claim that a company has committed an unfair or deceptive practice OR has violated a specific consumer protection law.
In what ways can the enforcement action be brought to the FTC's attention? - 1. press reports covering the questionable practices; 2. complaints from consumer groups or competitors
What options might the FTC exercise if the complaint is minor?
- FTC may work with the company to resolve the problem without launching a formal investigation.
In what situations will the FTC proceed to full enforcement? - Where the violation is significant or there is a pattern of noncompliance.
What are some actions allowed under the FTC's broad investigative authority? - 1. subpoenas of witnesses; 2. civil investigative demands; 3. requirements for businesses to submit written reports under oath
What may the commission do after an investigation? - The commission may initiate an enforcement action if it has reason to believe a law is being or has been violated. It issues a complaint.
What happens after the commission issues a complaint? - An administrative trial can proceed before an administrative law judge (ALJ).
Can the Administrative Law Judge's opinion be appealed? - Yes, it can be appealed to the five commissioners.
Can the decision of the five commissioners on appeal be appealed? - Yes, it can be appealed to the federal district court.
When does an order by the commission become final? - 60 days after it is served on the company.
True/False: The FTC can assess civil penalties. - False, the FTC lacks authority to assess civil penalties.
What can the FTC do if its ruling is ignored? - It can seek civil penalties in federal court of up to $16,000 per violation and can seek compensation for those harmed by the unfair or deceptive practices.
True/False: Each violation of such an order is treated as a separate offense. - True.
True/False: Each day the violator fails to comply with the order is considered a separate offense. - True.
What can the court do if consumers are harmed by the act or practice? - The court can order "redress" or mandate an injunction against a violator.
Can additional penalties be assessed if a company does not respond to a complaint or order? - Yes.
How have FTC privacy enforcement actions been settled in practice? - Through consent decrees and accompanying consent orders.
What are companies increasingly subjected to or required to do re: privacy cases? - Companies are subject to periodic outside audits or reviews of their practices, or they may be required to adopt and implement a comprehensive privacy program.
True/False: Over time, consent decrees have become more specific in nature. - True.
What do the company and FTC have incentive to do? - Both have incentives to negotiate a consent decree rather than proceed with a full adjudication process.
Why would the company have incentives to negotiate? - The company avoids a prolonged trial, as well as negative, ongoing publicity; it also avoids the details of its business practices being exposed to the public.
Why would the FTC have incentives to negotiate? - It (1) achieves a consent decree that incorporates good privacy and security practices, (2) avoids the expense and delay of a trial, and (3) gains an enforcement advantage, due to the fact that monetary fines are much easier to assess in federal court if a company violates a consent decree.
What methods were used before the FTC began to use consent decrees in privacy cases? - the FTC's Bureau of Consumer Protection negotiated such decrees for other consumer protection issues under Section 5 of the FTC Act.
True/false: Review of nonprivacy decrees can be instructive for lawyers or others who seek to understand the FTC's approach to and priorities for consumer protection consent decrees. - True.
What motivated the FTC and Commerce Department to begin convening public workshops and conducting other activities to highlight the importance of privacy protection on websites? - An increase in commercial activity on the Internet that became significant in the mid-1990s.
When did organizations begin to post public privacy notices on their websites? - Mid-1990s.
What purpose do privacy notices serve? - Help inform customers about how their PI was being collected and used, as well as helping with enforcement purposes.
How do privacy notices help with enforcement? - If a company promised a certain level of privacy or security on a company website or elsewhere, and the company did not fulfill its promise, then the FTC considered that breach of promise a "deceptive" practice under Section 5 of the FTC Act.
Is there an omnibus federal law requiring companies to have public privacy notices? - No. Sector-specific statutes such as HIPAA, GLBA, and COPPA impose notice requirements.
What does California require of companies and organizations doing in-state business? - To post privacy policies on their websites.
Where there is no legal requirement to do so, do the vast majority of commercial websites post privacy notices? - Yes, according to an FTC survey conducted in 2000.
What does the FTC investigate when a company posts a privacy notice? - Whether they adhere to their own policies; if not, the FTC will bring an enforcement action for deceptive trade practices.
What was the first FTC Internet privacy enforcement action? - In the Matter of GeoCities, Inc.
What was the basis of the FTC action against Microsoft? - The action concerned MS's security representations about info collected through its "Passport" website service. FTC alleged that representations of high level online security were misleading because the security of the PI was within the control, not of MS, but of MS's vendors and biz partners. FTC also asserted that the Passport service collected and shared more info than disclosed in its privacy notice and claimed that the access controls for the children's website were inadequate.
What are the facts of the Microsoft action?
- MS Passport was an online service that allowed customers to use single sign-in to access multiple web services. MS made claims about the high level of security used to protect users' personal and financial information, as well as Passport's parental controls for its children's services.
How did the Microsoft action resolve? - MS settled the action with the FTC. MS was prohibited from making future misrepresentations about the security and privacy of its products and was required to adopt and implement a comprehensive info sec program. MS was required to undergo a biannual third-party audit to ensure compliance with its program terms.
What is the focus of early privacy and security enforcement actions? - Deceptive practices
What did the FTC add to its enforcement scope in 2004? - Unfair practices, as well as the previously-enforced deceptive practices.
Where is the scope of the term "unfairness" clarified? - In a 1980 policy statement and in 1994 amendments to the FTC Act.
What three things are required for an injury to be considered "unfair"? - The injury caused must be (1) substantial, (2) without offsetting benefits, and (3) one that consumers cannot reasonably avoid.
What was the first instance of the FTC basing an enforcement action on a company's material change to its PI-handling practices, as well as the first privacy case based on unfairness? - In the matter of Gateway Learning Corp, in 2004.
What are the facts of Gateway? - Gateway Learning Corporation marketed and sold popular educational aids under the "Hooked on Phonics" product line. Its website privacy notice stated that Gateway Learning would not sell, rent, loan any PI without explicit customer consent. It also stated that Gateway would provide consumers with an opportunity to opt out of having their info shared if this practice changed.
Gateway then began renting personal customer info to third-party marketers and advertisers without providing the opt-out. It later revised its website privacy notice to allow for disclosing to third-party advertisers and continued to rent consumer information without providing notice to customers about the change in policy.
What was the outcome of the Gateway case? - The consent decree stated that the retroactive application of material changes to the company's data sharing policy was an unfair trade practice. The settlement prohibited Gateway from sharing any PI collected from users under its initial privacy notice unless it obtained an affirmative opt-in from users. It also required Gateway to relinquish the money earned from renting consumer info.
In what 2005 enforcement action did the FTC allege that a company did not engage in reasonable security practices to protect the personal and financial information of its consumers? - In the Matter of BJ's Wholesale Club, Inc.
What security flaws caused the enforcement action against BJ's? - The complaint stated that BJ's failed to encrypt the information and failed to secure wireless networks to prevent unauthorized access, among other security lapses.
the FTC believes privacy should be thoroughly integrated with product development and implementation. To enforce, Google agreed to undergo independent third-party privacy audits on a biannual basis.
Name a second reason the Google settlement was noteworthy. - The Google consent decree was the first substantial US-EU Safe Harbor enforcement by the FTC. Complaint stated that Google had represented it would use PI only for the purposes for which it was initially collected or consented to by users. The complaint stated that Google violated Section 5 and failed to live up to its promise to comply with the notice and choice principles of Safe Harbor.
When did the FTC settle an enforcement action for deceptive practices with Facebook? - 2011
What did the FTC's 8-count complaint allege, among other things, against Facebook? - FB deceived consumers by repeatedly making changes to services so that information designated as private was made public. This violated promises FB made in its privacy notice.
What did the FB settlement require? - Required FB to provide users with clear notice and obtain user consent before making retroactive changes to material privacy terms, and barred FB from making any further deceptive privacy claims. FB was also required to establish and maintain a comprehensive privacy program. FB must obtain biannual independent third-party audits of its privacy program for the next 20 years.
What does the FB case indicate? - Broader government efforts to hold companies accountable for information handling practices.
In what year did the Obama administration issue a report titled "Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy"? - Early 2012.
What report did the FTC issue that, together with the Obama framework, illustrates the evolution from earlier methods of privacy enforcement to current approaches? - "Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers."
What was the FTC's primary method of enforcement used in the late 1990s? - "notice and choice approach" - emphasis was placed on having companies provide privacy notices on their websites and offering choice to consumers about whether info would be shared with third parties. Enforcement actions were based on deception and the failure to comply with a privacy promise rather than specific, tangible harm to consumers.
What enforcement method was adopted by Chairmen Muris and Majoras in the mid-2000s?
- "harm-based model" - used in the Gateway and BJ's cases; placed new emphasis on addressing substantial injury, as required under the FTC's unfiarness authority. When did the FTC begin to include the requirement of a comprehensive privacy program in consent decrees? - Under Chairman Leibowitz in 2009, as referenced in the Obama and FTC reports of 2012. The Obama report defines the "Consumer Privacy Bill of Rights for commercial uses of Personal Data as encompassing what 7 rights? - "1. individual control; 2. transparency; - 3. respect for context; - 4. security; - CIPP/US Practice Questions and answers 2024 2. Simplified consumer choice; - 3. Transparency." - Privacy by Design is what? - Companies should promote consumer privacy throughout their org and at every stage in the development of their products and services. Companies should incorporate substantive privacy protections into their practices, such as data security, reasonable collection limits, sound retention and disposal practices, and data accuracy. What is Simplified Consumer Choice? - Companies should simplify consumer choices; they don't need to provide choice before collecting and using consumer data for practices that are consistent with the context of the transaction or the company's relationship with the consumer, or are required or specifically authorized by law. Where appropriate, companies should offer the choice at a time and in a context in which the consumer is making a decision about his/her data. When should companies obtain affirmative express consent? - Before (1) using consumer data in a materially different manner than claimed when the data was collected, or (2) collecting sensitive data for certain purposes. CIPP/US Practice Questions and answers 2024 What is Transparency? - Privacy notices should be clearer, shorter and more standardized to enable better comprehension and comparison of privacy practices. 
Companies should provide reasonable access to the consumer data they maintain; the extent of access should be proportionate to the sensitivity of the data and the nature of its use. What are the FTC's five priority areas for attention? - "1. Do No Track; 2. Mobile; - 3. Data Brokers; - 4. Large platform providers; - 5. Promoting enforceable self-regulatory codes." - What does "do not track" encompass? - The FTC has encouraged industry to create a mechanism for consumers to signal if they do not wish to be tracked for online behavioral advertising purposes. CIPP/US Practice Questions and answers 2024 True/false: the FTC encourages greater self-regulation around location and other mobile-related services. - True. What is the FTC's priority around Data brokers? - The FTC supports targeted legislation to provide consumers with access to info held about them by data brokers who are not already covered by the Fair Credit Reporting Act. Explain the FTC's prioritization of large platform providers. - The FTC is examining special issues raised by very large online companies that may do what the FTC calls "comprehensive" tracking. What provisions do most states have in place? - Each state has a law roughly similar to Section 5 of the FTC Act, commonly known as Unfair and Deceptive Acts and Practices (or UDAP) statutes. In addition to covering unfair and deceptive practices, what do some state statutes allow? - Enforcement against "unconscionable" practices, a contract law term for a range of harsh seller practices. CIPP/US Practice Questions and answers 2024 What are three ways that self-regulation can occur? - It can occur through the 3 traditional separation of powers components: legislation, enforcement and adjudication. To what does legislation in self-regulation refer? - Legislation refers to the question of who should define appropriate rules for protecting privacy. To what does enforcement in self-regulation refer? 
- Enforcement refers to the question of who should initiate enforcement actions. To what does adjudication in self-regulation refer? - Adjudication refers to the question of who should decide whether a company has violated the privacy rules and with what penalties. True/False: For enforcement under Section 5 of the FTC Act or state UDAP laws, self-regulation only occurs at the legislation stage. - True. Describe how self-regulation occurs under Section 5 of the FTC Act. - A company writes its own privacy policy or an industry group drafts a code of conduct that companies agree to follow. Under Sec 5, the FTC can then decide whether to bring an enforcement action, and adjudication can occur in front of an administrative CIPP/US Practice Questions and answers 2024 law judge, with appeal to federal court. Although it's called "self-regulation", a government agency is involved at the enforcement and adjudication stage. Give an example of a self-regulatory system that goes through all 3 stages without government agency involvement. - The PCI DSS provides an enforceable security standard for PCI; the rules were drafted by the Payment Card Industry Security Standards Council, which built on previous rules written by the various credit ard companies. Compliance with the standard requires hiring a third party to conduct security assessments and detect violations; failure to comply can lead to exclusion from Visa, MasterCard or other major payment card systems, as well as penalties of $5,000 to $100,000 per month. Give examples of third-party privacy seal and certification programs that provide assurances that companies are complying with self-regulatory programs. - TRUSTe, Better Business Bureau. True/false: The US - EU Safe Harbor Framework requires participating companies to name a compliance third party. - TRUE COPPA authorizes the FTC to confirm what? - That certification programs are in compliance with the law. 
What is the DAA and how does its icon program serve as a self-regulatory effort? - The Digital Advertising Alliance is a coalition of media and advertising organizations; it developed an icon program to inform consumers about how they can exercise choice with respect to online behavioral advertising.

True/false: The future of the DAA's self-regulatory program is closely linked to ongoing policy debates about whether and how a Do Not Track program will be instituted. - True.

Is the US moving closer to the EU model of external regulation or closer to the self-regulatory model? - Self-regulatory model, which allows the industry with greater expertise about their systems to create, establish and enforce the rules. The White House emphasizes a multistakeholder approach, including the consumer groups and other stakeholders outside the industry.

Name one trend and one example of cross-border enforcement. - Trend: enforcement agencies in different countries must engage in closer cooperation. Example: In 2007, the OECD adopted the Recommendation on Cross Border Co-operation in the Enforcement of Laws Protecting Privacy.

contrast, the EU Data Protection Directive and laws of EU member states may prohibit disclosure of the same records.

What did the International Chamber of Commerce release in early 2012? - A policy statement entitled "Cross-border Law Enforcement access to Company Data - Current Issues Under Data Protection and Privacy Law." It highlights problems that may arise when law enforcement compliance requirements conflict with data protection and privacy commitments, provides analysis of these issues, and recommendations for law enforcement bodies facing these challenges.

True/false: there is uncertainty about the extent to which the EU and other jurisdictions will bring enforcement actions against companies that operate only in the US. - True.
Which companies are subject to the EU data laws? - Companies with assets and employees in the EU, who also operate in the EU, are subject to the EU data protection laws.

What does the 1998 Data Protection Directive say about whether a non-EU company is subject to enforcement there? - It is ambiguous. Companies wishing to transfer data from the EU to the US have various lawful options. They - and other multinational corporate entities with a presence in Europe - may draft binding corporate rules (BCR), subject to review and authorization by member states.

What are other options for multinational corporations with an EU presence? - Participation in the US-EU Safe Harbor program; using contracts for data export that have been approved by a data protection authority.

Where are the limits on trans-border data flows found? - In Articles 25 and 26 of the Data Protection Directive.

What did the EU Council introduce in early 2012? - A draft Data Protection Regulation with provisions that would replace the Data Protection Directive.

What does Article 3 of the draft Data Protection Regulation suggest? - It has language suggesting that EU law applies to online sellers who operate only in the US: "The Regulation applies where processing activities are related to (a) the offering of goods or services to such data subjects in the Union, or (b) the monitoring of their behavior; this Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where the national law of a Member State applies by virtue of public international law."