CIPP-US Sample Questions Answers

 Matt’s decision to report the marketer’s activities is based on his suspicion that the marketer violated the Children’s Online Privacy Protection Act (COPPA), which is a federal law that regulates the online collection, use, and disclosure of personal information from children under 13 years of age1. According to COPPA, operators of websites or online services that are directed to children or knowingly collect personal information from children must:

• Provide notice to parents about their information practices and obtain verifiable parental consent before collecting, using, or disclosing personal information from children12.
• Give parents the choice of consenting to the operator’s collection and internal use of a child’s information, but prohibiting the operator from disclosing that information to third parties (unless disclosure is integral to the site or service, in which case, this must be made clear to parents)12.
• Provide parents access to their child’s personal information to review and/or have the information deleted and give parents the opportunity to prevent further use or online collection of a child’s personal information12.
• Maintain the confidentiality, security, and integrity of information they collect from children, including by taking reasonable steps to release such information only to parties capable of maintaining its confidentiality and security12.
• Retain personal information collected online from a child for only as long as is necessary to fulfill the purpose for which it was collected and delete the information using reasonable measures to protect against its unauthorized access or use12.
• Establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children12.

In Matt’s case, he did not receive any notice from the marketer about the survey or the contest, nor did he give his consent for the collection or disclosure of his son’s personal information. He also did not have any access or control over his son’s information or the ability to prevent further use or collection. Moreover, he noticed that his son’s information seemed to have been shared with other marketers, as evidenced by the commercial emails in his son’s inbox. These actions indicate that the marketer did not comply with COPPA’s requirements and may have exposed his son’s information to unauthorized or inappropriate parties. Therefore, Matt decided to report the marketer’s activities to the proper authorities, such as the Federal Trade Commission (FTC), which enforces COPPA and can impose civil penalties for violations13. References: 1: Children’s Online Privacy Protection Act | Federal Trade Commission, 1. 2: 16 CFR Part 312 – Children’s Online Privacy Protection Rule, 3. 3: Children’s Online Privacy Protection Act - Wikipedia, 2.

Data classification is the process of categorizing data based on its sensitivity and importance to determine its level of confidentiality and protection. Data classification helps organizations apply appropriate security and compliance measures to ensure each category receives proper protection1. Data classification also helps organizations identify which data is subject to specific privacylaws and regulations, such as the GDPR, HIPAA, or CCPA, and how to handle data subject requests, data breaches, or legal discovery2. If an organization maintains data classified as high sensitivity, such as personal information, financial information, or health information, in the same system as data classified as low sensitivity, such as public information or internal information, it increases the risk of exposing the high sensitivity data in the event of a data breach. A data breach can result in legal consequences, reputational damage, and loss of trust from customers and stakeholders. Therefore, it is advisable to segregate data based on its classification and apply different levels of encryption, access control, and monitoring to each category3. This way, the organization can minimize the impact of a data breach and protect the privacy and security of its data assets. References:

• Why Is Data Classification Important?
• Data Classification for GDPR Explained
• Data classification and privacy considerations

The California Consumer Privacy Act (CCPA) defines a ‘sale’ of personal information as any transfer or disclosure of personal information to another business or third party for monetary or other valuable consideration. However, the CCPA also provides some exceptions to this definition, such as:

• If the consumer has directed the business to intentionally disclose the personal information or use the personal information to interact with a third party, provided the third party does not also sell the personal information.
• If the business transfers the personal information to a service provider that is contractually prohibited from retaining, using, or disclosing the personal information for any purpose other than performing the services specified in the contract with the business.
• If the business transfers the personal information to a third party as part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the business, provided the information is used or shared consistently with the CCPA.

The use of cookies on a website by a service provider is generally not deemed a sale of personal information by the CCPA, as long as the information collected by the service provider is necessary to perform the services specified in the contract with the business,and the service provider does not further collect, sell, or use the personal information of the consumer except as necessary to perform the business purpose. One of the examples of a valid business purpose is to perform debugging to identify and repair errors that impair existing intended functionality.

Therefore, option D is the correct answer, as it describes a scenario where the use of cookies by a service provider is not a sale of personal information under the CCPA, assuming the service provider complies with the contractual obligations and does not further use or disclose the information.

Option A is incorrect, as it does not describe a valid exception to the definition of a sale. The third party that stores personal information to trigger a response to a consumer’s request to opt in is not acting as a service provider, but as a separate entity that may have its own interest in the personal information. The consumer’s request to opt in does not necessarily imply that the consumer has directed the business to disclose the personal information to the third party.

Option B is incorrect, as it does not describe a valid exception to the definition of a sale. The analytics cookies placed by the service provider may still constitute a sale of personal information, even if they cannot be linked to a particular consumer of that business. The CCPA defines personal information broadly to include any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Therefore, the analytics cookies may still fall within the scope of personal information, and their use by the service provider may still be a sale, unless one of the exceptions applies.

Option C is incorrect, as it does not describe a valid exception to the definition of a sale. The service provider that retains personal information obtained in the course of providing the services specified in the agreement with the subcontractors is not acting as a service provider to the business, but as a separate entity that may have its own interest in the personal information. The agreement with the subcontractors does not necessarily imply that the business has authorized the service provider to retain, use, or disclose the personal information for any purpose other than performing the services specified in the contract with the business.

References:

• [IAPP CIPP/US Study Guide], Chapter 10: California Consumer Privacy Act, pp. 223-226.
• CIPP/US Practice Questions (Sample Questions), Question 30.

The HITECH Act was enacted as part of the American Recovery and Reinvestment Act of 2009 to promote the adoption and use of health information technology, especially electronic health records (EHRs), in the United States. The HITECH Act established the Medicare and Medicaid EHR Incentive Programs, which provide financial incentives to eligible health care providers who demonstrate meaningful use of certified EHR technology. Meaningful use is defined as using EHRs to improve quality, safety, efficiency, and coordination of care, as well as to engage patients and protect their privacy and security. To qualify for the incentive payments, health care providers must meet certain objectives and measures that demonstrate meaningful use of EHRs as part of their regular care. Some of these objectives and measures include:

• Protect electronic protected health information (ePHI)
• Generate prescriptions electronically
• Implement clinical decision support (CDS)
• Use computerized provider order entry (CPOE) for medication, laboratory, and diagnostic imaging orders
• Timely patient access to electronic files
• Exchange health information with other providers and public health agencies
• Report clinical quality measures and public health data

Therefore, the correct answer is A. Making EHRs part of regular care is an important action that a health care provider must take if she wants to qualify for funds under the HITECH Act. References:

• What is the HITECH Act? 2024 Update, section “The Meaningful Use Program”
• The HITECH Act explained: Definition, compliance, and violations, section “HITECH Act definition and summary” and “Why was the HITECH Act created and why is it important?”
• Proposed Rulemaking to Implement HITECH Act Modifications, section “The Health Information Technology for Economic and Clinical Health (HITECH) Act”
• Health Information Technology for Economic and Clinical Health (HITECH) Audits, section “The American Recovery & Reinvestment Act of 2009 (ARRA, or Recovery Act)”
• What is HITECH Compliance? Understanding and Meeting HITECH Requirements, section “HITECH Compliance Requirements”

When developing a company privacy program, a privacy professional needs to understand the business objectives, processes, and risks of the organization, as well as the legal and regulatory requirements and best practices for privacy. To achieve this, a privacy professional should establish and maintain relationships with individuals across company departments and at different levels in the organization’s hierarchy, such as IT, marketing, human resources, legal, compliance, security, and senior management. These relationships will help the privacy professional to gather relevant information, identify privacy issues and gaps, communicate privacy policies and procedures, provide training and awareness, monitor compliance, and resolve conflicts. The other relationshipslisted are also important, but not as essential as the internal relationships for developing a company privacy program. References:

• IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 5: Developing a Privacy Program, Section 5.1: Privacy Program Framework, p. 145-146
• IAPP CIPP/US Body of Knowledge, Domain V: Developing a Privacy Program, Objective V.A: Identify the components of a privacy program framework, Subobjective V.A.1: Identify the roles and responsibilities of individuals within the organization, p. 23
• IAPP CIPP/US Exam Blueprint, Domain V: Developing a Privacy Program, Objective V.A: Identify the components of a privacy program framework, Subobjective V.A.1: Identify the roles and responsibilities of individuals within the organization, p. 7

The “Discover” phase of building an information management program is the first step in the process of creating a privacy framework. It involves identifying the types, sources, and flows of personal information within an organization, as well as the legal, regulatory, and contractual obligations that apply to it. The tasks in this phase include:

• Conducting a data inventory and mapping exercise to document what personal information is collected, used, shared, and stored by the organization, and how it is protected.
• Assessing the current state of privacy compliance and risk by reviewing existing policies, procedures, and practices, and identifying any gaps or weaknesses.
• Understanding the laws that regulate a company’s collection of information, such as the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), and the California Consumer Privacy Act (CCPA).
• Facilitating participation across departments and levels to ensure that all stakeholders are involved and informed of the privacy goals and objectives, and to foster a culture of privacy awareness and accountability.

Developing a process for review and update of privacy policies is not a task in the “Discover” phase, but rather in the “Implement” phase, which is the third step in the process of creating a privacy framework. It involves putting the privacy policies and procedures into action, and ensuring that they are effective and compliant. The tasks in this phase include:

• Developing a process for review and update of privacy policies to reflect changes in the business environment, legal requirements, and best practices, and to incorporate feedback from internal and external audits and assessments.
• Implementing privacy training and awareness programs to educate employees and other relevant parties on their roles and responsibilities regarding privacy, and to promote a privacy-by-design approach.
• Establishing privacy governance and oversight mechanisms to monitor and measure the performance and outcomes of the privacy program, and to ensure accountability and transparency.
• Developing a process for responding to privacy incidents and requests from data subjects, regulators, and other parties, and to mitigate and remediate any privacy risks or harms.

References:

• IAPP CIPP/US Body of Knowledge, Domain I: Information Management from a U.S. Perspective, Section A: Building a Privacy Program
• IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 1: Information Management from a U.S. Perspective, Section 1.1: Building a Privacy Program
• Practice Exam - International Association of Privacy Professionals

 The most important step for the HR department to take when implementing this new software is to provide notice to employees that their emails will be scanned by the software and creating automated profiles. This is because the software involves the collection and use of personal information from employees, which may implicate their privacy rights and expectations. By providing notice, the HR department can inform employees about the purpose, scope, and consequences of the software, as well as their choices and rights regarding their data. Notice is also a key element of transparency and accountability, which are essential principles of privacy management. Providing notice can also help the HR department comply with various privacy laws and regulations that may apply to the software, such as the Electronic Communications Privacy Act (ECPA), the Stored Communications Act (SCA), the Fair Credit Reporting Act (FCRA), and state privacy laws. Notice can also help the HR department avoid potential legal risks and liabilities that may arise from the software, such as claims of invasion of privacy, breach of contract, or violation of employee rights. References:

• U.S. Private-Sector Privacy, Third Edition by Peter P. Swire, DeBrae Kennedy-Mayo, Chapter 4, Section 4.2.1, pp. 97-98.
• U.S. Private-Sector Privacy, Third Edition by Peter P. Swire, DeBrae Kennedy-Mayo, Chapter 5, Section 5.2.1, pp. 125-126.
• U.S. Private-Sector Privacy, Third Edition by Peter P. Swire, DeBrae Kennedy-Mayo, Chapter 6, Section 6.2.1, pp. 153-154.
• IAPP CIPP/US Certified Information Privacy Professional Study Guide by Mike Chapple and Joe Shelley, Chapter 4, Section 4.1, pp. 113-114.

According to the HIPAA Security Rule, covered entities are responsible for ensuring that their business associates comply with the security standards and safeguards required by the rule. This includes conducting due diligence to assess the business associate’s security capabilities and practices, and monitoring their performance and compliance. Failure to do so may result in a violation of the rule and a penalty by the HHS. In this scenario, HealthCo did not perform due diligence on CloudHealth before entering the contract, and did not conduct audits of CloudHealth’s security measures. This is the most significant reason why HHS might impose a penalty on HealthCo, as it indicates a lack of oversight and accountability for the protection of ePHI. References:

• HIPAA Security Rule
• HIPAA Business Associate Contracts
• HIPAA Enforcement and Penalties

Access is the privacy concept that grants a consumer the right to view and correct errors on his or her credit report. The Fair Credit Reporting Act (FCRA) gives consumers the right to access their credit reports from the three nationwide credit reporting agencies (Equifax, Experian, and TransUnion) once every 12 months for free. Consumers also have the right to dispute any inaccurate or incomplete information in their credit reports and request that the credit reporting agencies investigate and correct the errors. The FCRA also requires the credit reporting agencies to provide consumers with a notice of their rights and a summary of the dispute process. References:

• IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 2: Limits on Private-sector Collection and Use of Data, Section 2.2: Consumer Privacy, p. 38-39
• IAPP CIPP/US Body of Knowledge, Domain II: Limits on Private-sector Collection and Use of Data, Objective II.B: Identify the privacy requirements for consumer data, Subobjective II.B.1: Identify the consumer rights under the Fair Credit Reporting Act, p. 13
• IAPP CIPP/US Exam Blueprint, Domain II: Limits on Private-sector Collection and Use of Data, Objective II.B: Identify the privacy requirements for consumer data, Subobjective II.B.1: Identify the consumer rights under the Fair Credit Reporting Act, p. 4

 The U.S. Constitution plays a limited role in the area of workplace privacy, because it mainly applies to the actions of the government, not private employers. The Fourth Amendment protects the right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures1. The Supreme Court has interpreted this right to include a reasonable expectation of privacy in certain situations, such as in one’s home, car, or personal belongings2. However, this right does not extend to private-sector employees, who are not protected by the Constitution from the actions of their employers, unless the employer is acting as an agent of the government3. Private-sector employees may have some privacy rights under state laws, common law, or contractual agreements, but these vary depending on the jurisdiction and the circumstances4.

Public-sector employees, on the other hand, are protected by the Constitution from unreasonable searches and seizures by their employers, who are considered part of the government. Public-sector employees have a reasonable expectation of privacy in their workplace, unless there is a legitimate work-related reason for the search or seizure, such as to ensure safety, security, or efficiency. Public-sector employers must also comply with the due process and equal protection clauses of the Fifth and Fourteenth Amendments, which prohibit the government from depriving any person of life, liberty, or property without due process of law, or from denying any person the equal protection of the laws. These clauses protect public-sector employees from arbitrary or discriminatory actions by their employers that affect their employment status or benefits.

Therefore, the U.S. Constitution plays a significant role in the area of workplace privacy for federal and state governments, but not for private-sector employment, because it only regulates the actions of the government, not private actors. References:

• 1: Cornell Law School, Fourth Amendment, https://www.law.cornell.edu/constitution/fourth_amendment
• 2: FindLaw, What Is a Reasonable Expectation of Privacy?, https://www.findlaw.com/criminal/criminal-rights/what-is-a-reasonable-expectation-of-privacy.html
• 3: FindLaw, Workplace Privacy, https://www.findlaw.com/smallbusiness/employment-law-and-human-resources/workplace-privacy.html
• 4: Nolo, Privacy Rights of Employees, https://www.nolo.com/legal-encyclopedia/privacy-rights-employees-29849.html
• : OPM, Employee Relations, https://www.opm.gov/policy-data-oversight/employee-relations/reference-materials/employee-privacy/
• : Cornell Law School, Fifth Amendment, https://www.law.cornell.edu/constitution/fifth_amendment
• : FindLaw, Public Employees and the Constitution, https://www.findlaw.com/employment/employment-rights/public-employees-and-the-constitution.html

The Federal Trade Commission (FTC) is the primary federal agency that regulates advertising and marketing practices in the United States, including those targeting children via the Internet. The FTC enforces the Children’s Online Privacy Protection Act (COPPA), which requires operators of websites and online services directed to children under 13 to obtain verifiable parental consent before collecting, using, or disclosing personal information from children. The FTC also enforces the FTC Act, which prohibits unfair or deceptive acts or practices in commerce, such as making false or misleading claims in advertising. The FTC has issued guidelines and reports on various aspects of digital advertising to children, such as sponsored content, influencers, data collection, persuasive design, and behavioral marketing. The FTC also hosts workshops and events to examine the impact of digital advertising on children and their ability to distinguish ads from entertainment. References:

• FTC website
• Digital Advertising to Children
• IAPP CIPP/US Study Guide, Chapter 5: Marketing and Privacy, pp. 169-170

In 2012, the White House released a report titled “Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy”, which proposed a Consumer Privacy Bill of Rights based on the Fair Information Practice Principles (FIPPs). The report called for a comprehensive privacy framework that would apply to all commercial sectors and all personal data, regardless of the technology or business model involved. The report also urged Congress to enact legislation to implement the framework and empower the FTC to enforce it. Similarly, the FTC released a report titled “Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers”, which outlined a set of best practices for businesses to protect consumer privacy and foster innovation. The report also advocated for a comprehensive privacy framework that would cover both online and offline data, and apply to all entities that collect or use consumer data that can be reasonably linked to a specific consumer, computer, or device. The report also recommended that Congress consider enacting baseline privacy legislation and giving the FTC rulemaking authority to implement it. Therefore, both reports can be described as advocating a comprehensive approach to privacy enforcement, rather than a harm-based, self-regulatory, or notice and choice approach. References: White House Report, FTC Report, IAPP CIPP/US Study Guide (p. 31-32)

California’s SB 1386, also known as the California Security Breach Information Act, was enacted in 2002 and became effective in 2003. It was the first law of its kind in the United States to require commercial entities that own or license personal information of California residents to notify them in the event of a security breach that compromises their unencrypted data. The law aims to protect the privacy and security of personal information and to enable individuals to take preventive measures against identity theft and fraud. The law applies to any business or person that conducts business in California and that owns or licenses computerized data that includes personal information, as defined by the law. Personal information includes an individual’s first name or first initial and last name in combination with any one or more of the following data elements: Social Security number, driver’s license number or California identification card number, account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account, or medical information or health insurance information. The law does not apply to encrypted information, publicly available information, or information that is lawfully obtained from federal, state, or local government records. The law requires the disclosure of a breach of the security of the system to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system. The disclosure may be made by written notice, electronic notice, or substitute notice, as specified by the law. The law also requires any person or business that maintains computerized data that includes personal information that the person or business does not own to notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The law also authorizes a civil action for damages by a customer injured by a violation of the law and provides that the rights and remedies available under the law are cumulative to each other and to any other rights and remedies available under law. References:

• California Senate Bill 1386 (2002)
• California SB 1386: For the Love of Privacy
• What Is the California Security Breach Information Act?
• California Raises the Bar on Data Security and Privacy

 The Office for Civil Rights (OCR) within the HHS is the primary enforcer of the HIPAA Privacy Rule, which establishes national standards for the protection of individually identifiable health information by covered entities and business associates. The OCR investigates complaints, conducts compliance reviews, and provides technical assistance and guidance to ensure compliance with the Privacy Rule. The OCR can also impose civil monetary penalties for violations of the Privacy Rule, ranging from $100 to $50,000 per violation, up to a maximum of $1.5 million per year for the same violation. References: HIPAA Enforcement, IAPP CIPP/US Study Guide, Chapter 3, Section 3.1.1

The Fair and Accurate Credit Transactions Act (FACTA) is an amendment to the Fair Credit Reporting Act (FCRA) that was enacted in 2003. FACTA aims to enhance consumer protection against identity theft and fraud by requiring various measures, such as free annual credit reports, fraud alerts, and identity theft prevention programs. One of the consumer protections that FACTA requires is the truncation of account numbers on credit card receipts. This means that only the last four or five digits of the account number can be printed on the receipt, while the rest must be masked or deleted. This reduces the risk of unauthorized access or use of the account number by third parties who may obtain the receipt. References:

• IAPP CIPP/US Body of Knowledge, Section III, B, 1
• [IAPP CIPP/US Study Guide, Chapter 3, Section 3.2]
• [FACTA, Section 113]

 FACTA added a new section to the FCRA that requires any person who maintains or otherwise possesses consumer information, or any compilation of consumer information, derived from consumer reports for a business purpose, to properly dispose of any such information or compilation. The purpose of this provision is to reduce the risk of identity theft and other consumer harm resulting from improper disposal of consumer information. The FTC and other federal agencies have issued rules implementing this provision, which specify the reasonable measures that covered entities must take to ensure secure disposal of consumer information, such as burning, pulverizing, shredding, erasing, or otherwise modifying the information to make it unreadable or indecipherable (16 CFR § 682.3). References: 1, 2, 3

According to the web search results from my predefined tool, Florida is the only state among the four options that currently imposes a definite limit for notification to affected individuals in case of a data breach. Florida’s law requires that notice be provided within 30 days after determination of the breach or reason to believe a breach occurred, unless delayed by law enforcement or measures to determine the scope of the breach and restore the integrity of the system1. The other states have more flexible or vague terms for the notification timeframe, such as “as soon as practicable” (Maine), “in the most expedient time possible and without unreasonable delay” (New York), or “in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement” (California)2. References:

• Security Breach Notification Chart | Perkins Coie
• State Data Breach Notification Chart - International Association of …

Section 5 of the Federal Trade Commission Act (FTC Act) prohibits “unfair or deceptive acts or practices in or affecting commerce.”1 This prohibition applies to all persons engaged in commerce, including banks, but also exempts some entities, such as nonprofit organizations and common carriers, from FTC jurisdiction.2 Therefore, among the four options, only an online merchant’s free shipping offer would be subject to the requirements of Section 5, as it involves a commercial activity thatcould potentially mislead or harm consumers. For example, if the online merchant fails to disclose the terms and conditions of the offer, or charges hidden fees, or delivers the products late or damaged, it could violate Section 5 by engaging in a deceptive practice.3 References: 1: Section 5 | Federal Trade Commission 2: Federal Trade Commission Act Section 5: Unfair or Deceptive Acts or Practices, page 13: IAPP CIPP/US Certified Information Privacy Professional Study Guide, page 23.

According to the CAN-SPAM Act of 2003, a federal law that regulates commercial email messages, a commercial message sender must honor a recipient’s opt-out request within 10 business days. The sender must provide a clear and conspicuous way for the recipient to opt out of receiving future emails, such as a link or an email address. The sender must not charge a fee, require the recipient to provide any personal information, or make the recipient take any steps other than sending a reply email or visiting a single web page to opt out. The sender must also not sell, exchange, or transfer the email address of the recipient who has opted out, unless it is necessary to comply with the law or prevent fraud.

References:

• IAPP CIPP/US Body of Knowledge, Domain II: Limits on Private-sector Collection and Use of Data, Section B: Communications and Marketing
• IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 2: Limits on Private-sector Collection and Use of Data, Section 2.2: Communications and Marketing
• Practice Exam - International Association of Privacy Professionals

According to the Wiley study guide, one of the steps in developing a privacy policy is to conduct a privacy assessment, which involves identifying the organization’s information goals and needs, as well as the legal and regulatory requirements that apply to its data collection and use practices3. By spending more time understanding the company’s information goals, Janice would have been able to tailor the privacy policy to fit the company’s business model and customer expectations, while still complying with the relevant privacy laws and standards. This would have also helped Janice to address Cheryl’s concerns about the impact of the policy on the company’s operations and customer relationships, and to propose solutions that balance privacy protection and service delivery.

References:

1: https://iapp.org/certify/cippus/

2: https://iapp.org/certify/get-certified/cippus/

3: https://www.wiley.com/en-be/IAPP+CIPP+US+Certified+Information+Privacy+Professional+Study+Guide-p-9781119755517

4: https://www.techtarget.com/searchsecurity/quiz/10-CIPP-US-practice-questions-to-test-your-privacy-knowledge

5: https://www.study4exam.com/iapp/free-cipp-us-questions

https://www.passitcertify.com/iapp/cipp-us-questions.html

The Disposal Rule is a provision of the Fair and Accurate Credit Transactions Act (FACTA) that requires businesses and individuals to take appropriate measures to dispose of sensitive information about consumers, such as credit reports, that are derived from consumer reports. The Disposal Rule is intended to reduce the risk of identity theft and fraud by preventing unauthorized access to or use of the information. According to the Disposal Rule, reasonable steps for disposal include burning, pulverizing, or shredding papers that contain consumer report information so that they cannot be read or reconstructed.

In this scenario, the most appropriate action for a car dealer holding a paper folder of customer credit reports is to follow the Disposal Rule by having the reports shredded. This would ensure that the car dealer complies with the FACTA and protects the privacy and security of the customers’ personal data. The other options are not correct, because:

• The Red Flags Rule is another provision of the FACTA that requires financial institutions and creditors to implement a written identity theft prevention program that identifies and responds to the warning signs or red flags of identity theft in their operations. The Red Flags Rule does not apply to the disposal of consumer report information, nor does it require mailing the reports to customers, which could expose the information to interception or theft.
• The Privacy Rule is a provision of the Gramm-Leach-Bliley Act (GLBA) that requires financial institutions to provide notice to customers about their privacy policies and practices, and to allow customers to opt out of sharing their personal information with certain third parties. The Privacy Rule does not apply to the disposal of consumer report information, nor does it require notifying customers that the reports are being stored, which could alert potential identity thieves to the existence of the information.
• The Safeguards Rule is another provision of the GLBA that requires financial institutions to develop, implement, and maintain a comprehensive information security program that protects the security, confidentiality, and integrity of customer information. The Safeguards Rule does not apply to the disposal of consumer report information, nor does it require transferring the reports to a secure electronic file, which could still be vulnerable to hacking or unauthorized access.

References:

• FTC website, FACTA Disposal Rule Goes into Effect June 1
• Shred Nations website, What Is the FACTA Disposal Rule?
• Seam Services website, The FACTA Disposal Rule: What Does It Mean for Your Business?
• IAPP CIPP/US Study Guide, Chapter 2: Limits on Private-sector Collection and Use of Data, pp. 49-50
• IAPP website, Red Flags Rule
• IAPP website, Fair and Accurate Credit Transactions Act (FACTA)

Redaction is the permanent removal of sensitive data—the digital equivalent of “blacking out” text in printed material. Redaction can be accomplished by simply deleting characters from a file or database record, or by replacing characters with asterisks or other placeholders. Redaction is often used to protect personal information, such as names, addresses, social security numbers, or financial data, on documents that are disclosed in litigation, such as pleadings, exhibits, or discovery responses. Redaction is required by courts to comply with privacy laws and rules, such as the Federal Rules of Civil Procedure (FRCP), which mandate that parties must redact certain types of personal information from documents filed with the court or produced to the other party. Redaction is also a best practice to minimize the risk of unauthorized access, identity theft, or reputational harm that may result from exposing personal information in litigation. References:

• When to redact, or not, disclosable documents in litigation - Stewarts
• The approach to redaction – High Court guidance - Lexology
• IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 3: Federal Privacy Laws and Regulations, Section 3.2: Federal Rules of Civil Procedure (FRCP).

According to the Health Insurance Portability and Accountability Act (HIPAA), a covered entity is a health plan, a health care clearinghouse, or a health care provider that transmits any health information in electronic form in connection with a transaction covered by HIPAA. A covered entity must report a breach of unsecured protected health information (PHI) to the following parties:

• The Department of Health and Human Services (HHS), which is the federal agency responsible for enforcing HIPAA and issuing regulations and guidance on privacy and security issues. A covered entity must notify HHS of a breach affecting 500 or more individuals without unreasonable delay and in no case later than 60 days after discovery of the breach. A covered entity must also notify HHS of breaches affecting fewer than 500 individuals within 60 days of the end of the calendar year in which the breaches occurred.
• The affected individuals, who are the individuals whose PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed as a result of the breach. A covered entity must notify the affected individuals without unreasonable delay and in no case later than 60 days after discovery of the breach. The notification must be in writing by first-class mail or, if the individual agrees, by electronic mail. The notification must include a brief description of the breach, the types of information involved, the steps the individual should take to protect themselves, the steps the covered entity is taking to investigate and mitigate the breach, and the contact information of the covered entity.
• The local media, if the breach affects more than 500 residents of a state or jurisdiction. A covered entity must notify prominent media outlets serving the state or jurisdiction without unreasonable delay and in no case later than 60 days after discovery of the breach. The notification must include the same information as the notification to the affected individuals.

A covered entity does not have to report the breach to medical providers, unless they are also affected individuals or business associates of the covered entity. A business associate is a person or entity that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of PHI. A covered entity must have a writtencontract or agreement with its business associates that requires them to protect the privacy and security of PHI and report any breaches to the covered entity.

References:

• IAPP CIPP/US Body of Knowledge, Domain II: Limits on Private-sector Collection and Use of Data, Section C: Sector-specific Requirements for Health Information
• IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 2: Limits on Private-sector Collection and Use of Data, Section 2.3: Sector-specific Requirements for Health Information
• Practice Exam - International Association of Privacy Professionals

The Red Flag Program Clarification Act of 2010 amended the original Red Flags rule, which required certain financial institutions and creditors to develop and implement a written identity theft prevention program. The Clarification Act narrowed the definition of creditor to include only those who regularly and in the ordinary course of business advance funds to or on behalf of aperson, based on an obligation of the person to repay the funds or repayable from specific property pledged by or on behalf of the person12. This excludes creditors who advance funds for expenses incidental to a service provided by the creditor to that person3. References:

• CIPP/US Practice Questions (Sample Questions), Question 133, Answer B, Explanation B.
• IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 4, Section 4.3, p. 108-109.
• Red Flag Program Clarification Act of 2010, Section 2, Subsection (b).

The Telemarketing Sales Rule (TSR) is a federal regulation that applies to telemarketing calls, which are defined as "a plan, program, or campaign which is conducted to induce the purchase of goods or services or a charitable contribution, by use of one or more telephones and which involves more than one interstate telephone call."1 The TSR requires telemarketers to make specific disclosures, prohibit misrepresentations, limit the times and number of calls, and set payment restrictions for the sale of certain goods and services. TheTSR also gives consumers the right to opt out of receiving telemarketing calls by registering their phone numbers on the National Do Not Call Registry.2

The TSR applies to both for-profit and not-for-profit organizations, but there are some exemptions and partial exemptions for certain types of entities, calls, and transactions. For example, the TSR does not apply to nonprofit organizations calling on their own behalf, as they are not considered to be engaged in telemarketing. However, if a nonprofit organization hires a for-profit telemarketer or telefunder to solicit charitable contributions on its behalf, the for-profit entity must comply with the TSR, as it is engaged in telemarketing. Similarly, the TSR does not apply to for-profit organizations calling businesses when a binding contract exists between them, as they are not considered to be inducing the purchase of goods or services. However, if a for-profit organization calls businesses to sell additional services to established customers, the TSR applies, as it is considered to be inducing the purchase of goods or services.3

Therefore, among the four options, only for-profit organizations and for-profit telefunders regarding charitable solicitations must comply with the TSR, as they are engaged in telemarketing and do not fall under any of the exemptions or partial exemptions. References: 1: eCFR :: 16 CFR Part 310 – Telemarketing Sales Rule3, Section 310.22: Telemarketing Sales Rule | Federal Trade Commission1, Rule Summary3: Complying with the Telemarketing Sales Rule - Federal Trade Commission2, Exemptions to the TSR.

 According to the Gramm-Leach-Bliley Act (GLBA) and its implementing Regulation P, a financial institution may share consumer information with non-affiliated third parties for marketing purposes only after disclosing its information-sharing practices to customers and after giving them an opportunity to opt out of such sharing. The GLBA defines a customer as a consumer who has a continuing relationship with a financial institution that provides one or more financial products or services to be used primarily for personal, family, or household purposes. A consumer is an individual who obtains or has obtained a financial product or service from a financial institution that is to be used primarily for personal, family, or household purposes, or that individual’s legal representative. A non-affiliated third party is any person except a financial institution’s affiliate or a person employed jointly by a financial institution and a company that is not the financial institution’s affiliate. An affiliate is any company that controls, is controlled by, or is under common control with another company.

The GLBA requires that a financial institution provide a privacy notice to customers: (i) at the time of establishing the customer relationship; (ii) annually during the continuation of the customer relationship; and (iii) before disclosing any nonpublic personal information (NPI) about the customer to any non-affiliated third party, unless an exception applies. The privacy notice must describe the categories of NPI that the financial institution collects and discloses; the categories of affiliates and non-affiliated third parties to whom the financial institution discloses NPI; the categories of NPI disclosed to service providers and joint marketers; the policies and practices with respect to protecting the confidentiality and security of NPI; and the disclosures of NPI to which the customer has a right to opt out. The financial institution must also provide a reasonable means for the customer to opt out of the disclosure of NPI to non-affiliated third parties, such as a check-off box, a reply form, or a toll-free telephone number. The opt-out notice must be clear and conspicuous, and must state that the customer can opt out at any time. The opt-out notice must also explain how the customer can opt out, and the effect of opting out. The financial institution must honor the customer’s opt-out direction as soon as reasonably practicable after receiving it, and must not disclose any NPI to which the opt-out applies, unless an exception applies.

The GLBA provides several exceptions to the opt-out requirement, such as when the disclosure of NPI is necessary to effect, administer, or enforce a transaction requested or authorized by the customer; when the disclosure of NPI is required or permitted by law; when the disclosure of NPI is to a consumer reporting agency in accordance with the Fair Credit Reporting Act; or when the disclosure of NPI is to a person that performs marketing services on behalf of the financial institution or on behalf of the financial institution and another financial institution under a joint marketing agreement. A joint marketing agreement is a formal written contract between a financial institution and any other person under which the parties agree to offer, endorse, or sponsor a financial product or service. The joint marketing agreement must prohibit the other person from using or disclosing the NPI for any purpose other than offering, endorsing, or sponsoring the financial product or service covered by the agreement.

The GLBA also requires that a financial institution provide a privacy notice to consumers who are not customers before disclosing any NPI about the consumer to any non-affiliated third party, unless an exception applies. The financial institution does not need to provide an opt-out notice to consumers who are not customers, unless it has a customer relationship with them. However, if the financial institution establishes a customer relationship with a consumer who was previously not a customer, it must provide a privacy notice and an opt-out notice to the customer as described above.

References:

• Guide to the Gramm–Leach–Bliley Act
• GLBA or FCRA? Data Sharing Between Affiliates and Non-Affiliates
• Existing Privacy Laws Already Regulate Information Sharing
• Why Do Banks Share Your Financial Information and Are They Allowed To?
• [IAPP CIPP/US Certified Information Privacy Professional Study Guide], Chapter 5, pages 161-165.

According to the Family Educational Rights and Privacy Act (FERPA), a policy of “no consumer choice” or “no option” means that an educational agency or institution may disclose personally identifiable information (PII) from education records without the prior written consent of the parent or eligible student, subject to certain conditions and exceptions1. One of the exceptions is when the disclosure is to comply with a judicial order or lawfully issued subpoena, or to respond to an ex parte order from the Attorney General of the United States or his designee in connection with the investigation or prosecution of terrorism crimes12. In such cases, the educational agency or institution must make a reasonable effort to notify the parent or eligible student of the order or subpoena in advance of compliance, unless the order or subpoena specifies not to do so12. Therefore, when a customer’s financial information, which may be part of the education records, is requested by the government under a valid legal authority, the customer does not have the option to prevent the disclosure and the educational agency or institution does not need to obtain the customer’s consent. References: 1: FERPA, 34 CFR Part 99, Subpart D, 2. 2: The Family Educational Rights and Privacy Act Guidance for Parents, Student Privacy Policy Office, U.S. Department of Education, 1.

The Foreign Intelligence Surveillance Act (FISA) was enacted in 1978 in response to revelations of widespread privacy violations by the federal government under President Nixon. It established procedures for requesting judicial authorization for electronic surveillance and physical search of persons engaged in espionage or international terrorism against the United States on behalf of a foreign power1 The original purpose of FISA was to further define a framework for authorizing wiretaps by the executive branch for national security purposes under Article II of the Constitution, which grants the president the power to conduct foreign affairs and defend the nation23 FISA was intended to balance the need for collecting foreign intelligence information with the protection of privacy and civil liberties of U.S. persons4 References: https://www.intelligence.gov/foreign-intelligence-surveillance-act

https://www.intelligence.gov/foreign-intelligence-surveillance-act/1234-categories-of-fisa

The federal act that does NOT contain provisions for preempting stricter state laws is the Telemarketing Consumer Protection and Fraud Prevention Act1. This act authorizes the Federal Trade Commission (FTC) to establish and enforce rules for telemarketing practices, such as the Do Not Call Registry, the prohibition of robocalls, and the disclosure of material information2. However, the act also explicitly states that it does not "annul, alter, or affect, or exempt any person subject to the provisions of this section from complying with, the laws of any State with respect to telemarketing practices, except to the extent that those laws are inconsistent with any provision of this section, and then only to the extent of the inconsistency"1. This means that states can enact and enforce their own laws regarding telemarketing, as long as they are not less protective than the federal law. In contrast, the other three acts listed in the question do contain preemption clauses that limit or override the authority of states to regulate certain aspects of electronic communications, online privacy, and credit transactions345. References: 1: Telemarketing Consumer Protection and Fraud Prevention Act2: Telemarketing Sales Rule | Federal Trade Commission3: CAN-SPAM Act: A Compliance Guide for Business4: Children’s Online Privacy Protection Rule (“COPPA”) | Federal Trade Commission5: Fair and Accurate Credit Transactions Act of 2003 - Wikipedia : IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 5: Federal Trade Commission and Consumer Privacy, p. 144-145, 149-150, 154-155

According to Section 5 of the FTC Act, self-regulation primarily involves a company’s right to adhere to its industry’s code of conduct. Self-regulation is a process by which an industry or a group of companies voluntarily adopts and enforces standards or guidelines to protect consumers and promote fair competition. The FTC encourages self-regulation as a way to complement its enforcement efforts and address emerging issues in the marketplace. The FTC also monitors self-regulatory programs and may take action against companies that fail to comply with their own codes of conduct or misrepresent their participation in such programs. References:

• Federal Trade Commission Act, Section 5 of
• Self-Regulation | Federal Trade Commission
• [IAPP CIPP/US Certified Information Privacy Professional Study Guide], Chapter 3, page 79

 The U.S. Supreme Court has recognized an individual’s right to privacy over personal issues, such as contraception, by acknowledging a “penumbra” of unenumerated constitutional rights as well as more general protections of due process of law. This means that the right to privacy is not explicitly stated in the Constitution, but it is implied from other rights that are explicitly stated, such as the First Amendment rights of speech and assembly, the Third Amendment right to be free from quartering of soldiers, the Fourth Amendment right to be secure from unreasonable searches and seizures, the Fifth Amendment right to be free from self-incrimination, and the Ninth Amendment right to retain other rights not enumerated in the Constitution. These rights create a “zone of privacy” that protects individuals from undue government interference in their personal affairs. The Supreme Court first articulated this concept of privacy in Griswold v. Connecticut (1965), where it struck down a state law that prohibited the use of contraceptives by married couples. The Court also relied on the due process clause of the Fourteenth Amendment, which prohibits states from depriving any person of life, liberty, or property without due process of law. The Court interpreted this clause to include a substantive component that protects certain fundamental rights from state regulation, unless there is a compelling state interest and the regulation is narrowly tailored to achieve that interest. The Court has applied this due process analysis to other privacy issues, such as abortion, marriage, and sexual orientation. References:

• Privacy | Wex | US Law | LII / Legal Information Institute
• Privacy isn’t in the Constitution – but it’s everywhere in constitutional law
• Privacy Rights and Personal Autonomy Legally Protected by the … - Justia
• Right to privacy | Wex | US Law | LII / Legal Information Institute

 According to the Privacy Shield Framework, an organization that transfers personal data to a third party acting as an agent must ensure that the agent does all of the following1:

• Uses the transferred data only for limited and specified purposes;
• Provides the same level of privacy protection as is required by the Privacy Shield Principles;
• Takes reasonable and appropriate steps to ensure that the agent effectively processes the personal information transferred in a manner consistent with the organization’s obligations under the Principles;
• Requires the agent to notify the organization if it makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the Principles;
• Upon notice, takes reasonable and appropriate steps to stop and remediate unauthorized processing; and
• Provides a summary or a representative copy of the relevant privacy provisions of its contract with that agent to the Department of Commerce upon request.

Therefore, the only option that is not required by the Privacy Shield Framework is D. Enters a contract with the organization that states the third party will process data according to the consent agreement. While the organization must obtain the individual’s consent for certain types of data transfers, such as those involving sensitive data or onward transfers to controllers, the organization does not have to include the consent agreement in the contract with the agent. The contract must, however, ensure that the agent will process the data in accordance with the individual’s choices and expectations, as well as the Privacy Shield Principles2.

References: 1: Privacy Shield Framework3, Section 3 (b); 2: Privacy Shield Framework3, Section 2 (b) and ©; 3: Privacy Shield Framework.

 According to the IAPP CIPP/US study guide, the first priority after a breach has been confirmed is to notify the affected individuals, regulators, and other stakeholders as required by law or contract. This is to allow them to take steps to protect themselves from potential harm, such as identity theft, fraud, or reputational damage. Providing timely and accurate notice also helps to mitigate legal liability, preserve customer trust, and comply with applicable laws and regulations. The other tasks are also important, but they are not the immediate priority after a breach has been established. References: IAPP CIPP/US study guide, Chapter 6, Section 6.4.2, page 211.

The CCPA provides consumers with a private right of action to pursue statutory damages following data security breaches that impact certain sensitive categories of personal information and are caused by a business’s failure to institute reasonable and appropriate security. The CCPA defines personal information for this purpose as an individual’s name in combination with any of the following: social security number, driver’s license number, account number, credit or debit card number, medical information, or health insurance information. The CCPA allows consumers to seek damages between $100 and $750 per consumer per incident, or actual damages, whichever is greater. The CCPA also requires consumers to provide the business with 30 days’ written notice and an opportunity to cure the violation before initiating an action. Additionally, the CCPA requires consumers to notify the Attorney General within 30 days of filing the action and obtain the Attorney General’s approval or nonobjection before proceeding with the action. Therefore, John can sue the corporation for the data breach to recover monetary damages suffered as a result of the data breach, and in some circumstances seek statutory damages irrespective of whether he suffered any financial harm, as long as he meets the requirements of the CCPA. References:

• CCPA Provides Private Right of Action for Data Security Breaches
• CCPA Private Right of Action – Data Breach Security Requirement
• CCPA Fines & Penalties for Data Protection Violations | MatrixPoint

Data classification systematically categorizes information based on sensitivity and importance to determine its level of confidentiality. This process helps apply appropriate security and compliance measures to ensure each category receives proper protection1. This process also helps to identify which personal data is subject to specific GDPR requirements, such as obtaining explicit consent from data subjects, or notifying data subjects in the event of a data breach2. By classifying data, Cheryl can also make more informed decisions about where to store the information on her computer system and the nature of controls that are required based on classification3. This way, she can protect her customers’ privacy while maintaining the highest level of service. References:

• Data Classification for GDPR Explained
• A guide to data classification: confidential data vs. sensitive data vs. public information
• Why Is Data Classification Important?

The Consumer Financial Protection Bureau (CFPB) has rulemaking authority for the Fair Credit Reporting Act (FCRA) and the Fair and Accurate Credit Transactions Act (FACTA), as well as other consumer financial laws. The Dodd-Frank Act, enacted in 2010, transferred most of the rulemaking responsibilities added to the FCRA by the FACTA and the Credit CARD Act from the Federal Trade Commission (FTC) to the CFPB. However, the FTC retains its enforcement authority for the FCRA and the FACTA, along with other federal and state agencies1. The CFPB also shares rulemaking authority for some provisions of the FACTA with the FTC, such as the identity theft red flags and address discrepancy rules2. The Department of Commerce and the State Attorneys General do not have rulemaking authority for the FCRA or the FACTA. References: 1: FTC3, Fair Credit Reporting Act; 2: CFPB4, Fair Credit Reporting Act; 3: FTC; 4: CFPB.

The annual privacy notice requirement under the Gramm-Leach-Bliley Act (GLBA) applies to financial institutions that collect nonpublic personal information from customers and disclose it to nonaffiliated third parties, unless they qualify for an exception. A financial institution is any entity that engages in activities that are financial in nature or incidental to such activities, as defined by section 4(k) of the Bank Holding Company Act of 1956. The King County Savings and Loan is a financial institution under this definition, as it engages in lending money and accepting deposits. Therefore, it is required to provide its customers with an annual privacy notice, unless it meets the conditions for an exception. The Four Winds Tribal College, the Golden Gavel Auction House, and the Breezy City Housing Commission are not financial institutions under the GLBA, as they do not engage in activities that are financial in nature or incidental to such activities. Therefore, they are not required to provide their customers with an annual privacy notice under the GLBA. References:

• Amendment to the Annual Privacy Notice Requirement Under the Gramm-Leach-Bliley Act, section I. Background, paragraph 2.
• 17 CFR § 248.5 - Annual privacy notice to customers required., paragraph (a) (1).
• IAPP CIPP/US Study Guide, page 65.

A consent decree is a legal document that resolves a dispute between a governmental agency and an adverse party without admission of guilt or liability by either side. It is approved by a judge and has the force of a court order. A consent decree may include terms such as compliance, monitoring, reporting, or remediation. A consent decree is often used to settle civil enforcement actions brought by federal agencies such as the Federal Trade Commission (FTC), the Environmental Protection Agency (EPA), or the Department of Justice (DOJ). References:

• IAPP Glossary, entry for “consent decree”
• [IAPP CIPP/US Study Guide], p. 39, section 2.1.3
• [IAPP CIPP/US Body of Knowledge], p. 9, section B.1.a

Privacy by Design is a concept that the FTC endorsed in its 2012 report on protecting consumer privacy1. It seeks to deliver the maximum degree of privacy by ensuring that personal data are automatically protected in any given IT system or business practice2. It asserts that data held by an organization ultimately belongs to the consumer and organizations should ensure that data subjects are properly informed about how their data is collected and used3. Privacy by Design requires companies to build in consumers’ privacy protections at every stage in developing their products, including reasonable security for consumer data, limited collection and retention of such data, and reasonable procedures to promote data accuracy1. References: 1: FTC Report of 2012, p. 22-23; 2: Global Data Review3; 3: Termly4.

 The Family Educational Rights and Privacy Act of 1974 (FERPA) is a federal law that protects the privacy of student education records. FERPA grants parents or eligible students the right to access, amend, and control the disclosure of their education records, with some exceptions. Schools must obtain written consent from the parent or eligible student before disclosing any personally identifiable information from the education records, unless an exception applies123

Option A violates FERPA because it involves the disclosure of a student’s personally identifiable information (PII) from the education records without consent. A student’s signed essay about her hometown is considered an education record under FERPA, as it is directly related to the student and maintained by the school12 A K-12 assessment vendor is not a school official with a legitimate educational interest, nor does it fall under any of the exceptions that allow disclosure without consent12 Therefore, the school must obtain the student’s (or the parent’s, if the student is a minor) written consent before providing the essay to the vendor for public release.

Option B does not violate FERPA because it involves the disclosure of directory information, which is not considered PII under FERPA. Directory information is information that would not generally be considered harmful or an invasion of privacy if disclosed, such as name, address, phone number, e-mail address, major, etc12 Schools may disclose directory information without consent, unless the parent or eligible student has opted out of such disclosure12 However, schools must notify parents and eligible students of the types of directory information they designate and their right to opt out annually12

Option C does not violate FERPA because it involves the disclosure of information that is not part of the education records. FERPA only applies to education records that are directly related to a student and maintained by theschool or a party acting for the school12 A newspaper’s publication of the names, grade levels, and hometowns of students who made the quarterly honor roll is not based on the education records, but on the newspaper’s own sources and reporting. Therefore, FERPA does not prohibit such disclosure.

Option D does not violate FERPA because it involves the disclosure of information under an exception that allows disclosure without consent. FERPA permits schools to disclose education records, or PII from education records, without consent to comply with a judicial order or lawfully issued subpoena, or to appropriate officials in connection with a health or safety emergency123 If the university police provide an arrest report to the student’s hometown police in response to a subpoena or to prevent a serious threat to the student or others, they are not violating FERPA.

References: 1: Family Educational Rights and Privacy Act - Wikipedia 2: Family Educational Rights and Privacy Act (FERPA) | CDC 3: What is FERPA? | Protecting Student Privacy - ed

The correct answer is C. If SMH must make a notification in any other state in which it operates, it must also make a notification to individuals in New York. Under the Health Insurance Portability and Accountability Act (HIPAA), SMH is required to notify the Office of Civil Rights (OCR) and the affected individuals of a data breach involving unsecured protected health information (PHI) within 60 days of discovery1. However, HIPAA does not preempt state laws that provide greater protection to individuals or impose additional obligations on covered entities2. Therefore, SMH must also comply with the state breach notification laws of the states where it operates, including New York.

According to the New York State Information Security Breach and Notification Act, any person or business that owns or licenses computerized data that includes private information of a resident of New York must disclose any breach of the security of the system to such resident in the most expedient time possible and without unreasonable delay, unless the exposure of the private information was inadvertent and unlikely to result in misuse or financial harm3. Private information includes personal information (such as name, number, or other identifier) plus one or more of the following data elements: social security number; driver’s license number or non-driver identification card number; account number, credit or debit card number, in combination with any required security code, access code, password or other information that would permit access to an individual’s financial account; biometric information; or a user name or e-mail address in combination with a password or security question and answer that would permit access to an online account3.

Therefore, if SMH’s data breach involved any of these data elements of New York residents, SMH must notify them of the breach, regardless of whether SMH is compliant with HIPAA, has more than 500 patients in New York, or offers credit monitoring services. SMH must also notify the New York Attorney General, the Department of State, and the Division of State Police within 10 days of notifying the affected individuals3. Additionally, SMH must notify the New York Department of Health if the breach involved electronic health records4.

References: https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Other-Guides/Guide-on-Managing-and-Notifying-Data-Breaches-under-the-PDPA-15-Mar-2021.pdf?la=en

https://www.pcpd.org.hk/english/resources_centre/publications/files/guidance_note_dbn_e.pdf

The Fair Credit Reporting Act (FCRA) was originally intended to provide consumers with the ability to correct inaccurate credit information that could affect their access to credit, employment, insurance, and other benefits. The FCRA gives consumers the right to access their credit reports from the three major credit reporting agencies (Equifax, Experian, and TransUnion) for free once every 12 months, and to dispute any errors or inaccuracies with the credit reporting agencies or the information furnishers (such as lenders, creditors, or debt collectors). The FCRA also requires the credit reporting agencies and the information furnishers to investigate and resolve the disputes within 30 days, and to delete or correct any information that is found to be inaccurate, incomplete, or outdated. The FCRA also provides consumers with the right to place fraud alerts or security freezes on their credit reports if they are victims or potential victims of identity theft, and to receive notifications from users of their credit reports (such as employers or insurers) if any adverse action is taken based on their credit information. References:

• Fair Credit Reporting Act - Wikipedia
• What is the Fair Credit Reporting Act (FCRA)? | Money
• The Fair Credit Reporting Act of 1970 - The Balance
• How the Fair Credit Reporting Act (FCRA) Protects Consumer Rights

The Family Educational Rights and Privacy Act (FERPA) is a federal law that protects the privacy of student education records and gives parents or eligible students the right to access, amend, and control the disclosure of their records. FERPA applies to all educational agencies and institutions that receive funds under any program administered by the U.S. Department of Education12

FERPA requires schools to do all of the following:

• Verify the identity of students who make requests for access to their records. Schools must use reasonable methods to identify and authenticate the identity of parents, students, school officials, and any other parties to whom they disclose education records12
• Provide students with access to their records within a specified amount of time. Schools must provide parents or eligible students with an opportunity to inspect and review the student’s education records within 45 days of receiving a request. Schoolsare not required to provide copies of records unless it is impossible for parents or eligible students to review the records at the school12
• Respond to all reasonable student requests regarding explanation of their records. Schools must provide parents or eligible students with an opportunity to request the amendment of the student’s education records that they believe are inaccurate, misleading, or otherwise in violation of the student’s privacy rights. Schools must consider the request and decide whether to amend the records within a reasonable time. If the school decides not to amend the records, it must inform the parent or eligible student of their right to a hearing on the matter12

FERPA does not require schools to do the following:

• Obtain student authorization before releasing directory information in their records. Directory information is information contained in a student’s education record that would not generally be considered harmful or an invasion of privacy if disclosed. Examples of directory information include the student’s name, address, phone number, e-mail address, date and place of birth, major field of study, participation in sports and activities, dates of attendance, degrees and awards received, and most recent school attended. Schools may disclose directory information without consent unless the parent or eligible student has opted out of such disclosure. Schools must notify parents and eligible students of the types of information they designate as directory information and of their right to opt out of directory information disclosure12

Therefore, the correct answer is D. Obtain student authorization before releasing directory information in their records.

References:

• Family Educational Rights and Privacy Act (FERPA)
• IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 4: Federal Privacy Laws, Section 4.3: The Family Educational Rights and Privacy Act (FERPA)

The Consumer Privacy Bill of Rights is a set of principles proposed by the Obama administration in 2012 to protect the privacy of consumers online and offline. The principles are based on the Fair Information Practice Principles, which are widely accepted as the foundation of privacy protection. One of the principles is the right to reasonable limits on the personal data that a company retains, which means that companies should collect and keep only the personal data they need for legitimate purposes, and dispose of it securely when it is no longer needed. This principle would best reform the company’s privacy program in the scenario, as it would address the major concerns that Roberta identified in her report, such as the lack of rules and procedures for purging and destroying outdated data, and the excessive access to customer information by low-level employees. By implementing reasonable limits on the personal data that the company retains, the company would reduce the risk of data breaches, enhance customer trust, and comply with state breach notification laws. References:

• Fact Sheet: Plan to Protect Privacy in the Internet Age by Adopting a Consumer Privacy Bill of Rights
• IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 1: Introduction to U.S. Privacy Law, Section 1.2: The Consumer Privacy Bill of Rights

According to the FTC report, the most important directive for businesses is to adopt a “privacy by design” approach, which means integrating privacy protections throughout the entire product lifecycle, from initial design to disposal. This includes implementing reasonable security measures, collecting only the data needed for a specific purpose, retaining data only as long as necessary, and safely disposing of data that is no longer needed. The FTC report also recommends that businesses provide clear and transparent privacy notices, offer consumers meaningful choices about how their data is used, and increase their accountability for data practices. References: FTC Report, IAPP CIPP/US Study Guide (p. 32-33)

The Dodd-Frank Act created the Consumer Financial Protection Bureau (CFPB) as an independent agency within the Federal Reserve System. The CFPB has the authority to regulate consumer financial products and services, such as mortgages, credit cards, student loans, and payday loans. One of the main objectives of the CFPB is to promote transparency, fairness, and consumer choice in the financial marketplace. The CFPB has issued rules and guidance to require financial institutions to provide clear and accurate information to consumers about the costs, risks, and benefits of their products and services. The CFPB also has the power to enforce consumer protection laws and prohibit unfair, deceptive, or abusive acts or practices by financial institutions123 References: 1: Dodd-Frank Wall Street Reform and Consumer Protection Act, Title X, Subtitle A, Section 1011. 2: Consumer Financial Protection Bureau, Wikipedia. 3: Dodd-Frank Act: What It Does, Major Components, and Criticisms, Investopedia.

The APEC Privacy Framework is a set of non-binding principles adopted by the Asia-Pacific Economic Cooperation (APEC) that aim to promote electronic commerce and protect information privacy in the region. The Framework is consistent with the core values of the OECD Guidelines on the Protection of Privacy and Trans-Border Flows of Personal Data, and reaffirms the value of privacy to individuals and to the information society. The Framework consists of nine principles: Preventing Harm, Notice, Collection Limitation, Use of Personal Information, Choice, Integrity of Personal Information, Security Safeguards, Access and Correction, and Accountability. Privacy by Design is not one of the principles in the APEC Privacy Framework, although it is a concept that is endorsed by the OECD Guidelines and other privacyframeworks. References: APEC Privacy Framework (2015), APEC Privacy Principles, IAPP CIPP/US Study Guide, Chapter 4.