Pass the IAPP Certified Information Privacy Professional CIPP-US Questions and answers with ExamsMirror

The Consumer Privacy Bill of Rights is a set of principles proposed by the Obama administration in 2012 to protect the privacy of consumers online and offline. The principles are based on the Fair Information Practice Principles, which are widely accepted as the foundation of privacy protection. One of the principles is the right to reasonable limits on the personal data that a company retains, which means that companies should collect and keep only the personal data they need for legitimate purposes, and dispose of it securely when it is no longer needed. This principle would best reform the company’s privacy program in the scenario, as it would address the major concerns that Roberta identified in her report, such as the lack of rules and procedures for purging and destroying outdated data, and the excessive access to customer information by low-level employees. By implementing reasonable limits on the personal data that the company retains, the company would reduce the risk of data breaches, enhance customer trust, and comply with state breach notification laws. References:

Fact Sheet: Plan to Protect Privacy in the Internet Age by Adopting a Consumer Privacy Bill of Rights

IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 1: Introduction to U.S. Privacy Law, Section 1.2: The Consumer Privacy Bill of Rights

Based on the incident, the FTC’s enforcement actions against the marketer would most likely include the violation of collecting information from a child under the age of thirteen without obtaining verifiable parental consent, as required by the Children’s Online Privacy Protection Act (COPPA) Rule. The COPPA Rule applies to operators of commercial websites and online services (including mobile apps) that collect, use, or disclose personal information from children under 13, and operators of general audience websites or online services that have actual knowledge that they are collecting, using, or disclosing personal information from children under 13. The COPPA Rule also applies to websites or online services that are directed to children under 13 and that collect personal information from users of any age. The COPPA Rule defines personal information to include full name, address, phone number, email address, date of birth, and other identifiers that permit the physical or online contacting of a specific individual. The COPPA Rule requires operators to post a clear and comprehensive online privacy policy describing their information practices for personal information collected online from children; provide direct notice to parents and obtain verifiable parental consent, with limited exceptions, before collecting personal information online from children; give parents the choice of consenting to the operator’s collection and internal use of a child’s information, but prohibiting the operator from disclosing that information to third parties (unless disclosure is integral to the site or service, in which case, this must be made clear to parents); provide parents access to their child’s personal information to review and/or have the information deleted; give parents the opportunity to prevent further use or online collection of a child’s personal information; maintain the confidentiality, security, and integrity of information they collect from children, including by taking reasonable steps to release such information only to parties capable of maintaining its confidentiality and security; and retain personal information collected online from a child for only as long as is necessary to fulfill the purpose for which it was collected and delete the information using reasonable measures to protect against its unauthorized access or use. The FTC has the authority to seek civil penalties and injunctive relief for violations of the COPPA Rule. The FTC has brought numerous enforcement actions against operators for violating the COPPA Rule, resulting in millions of dollars in penalties and orders to delete illegally collected data. References:

Children’s Privacy | Federal Trade Commission

Kids’ Privacy (COPPA) | Federal Trade Commission

FTC Is Escalating Scrutiny of Dark Patterns, Children’s Privacy

FTC to Crack Down on Companies that Illegally Surveil Children Learning Online

FTC Takes Action Against Company for Collecting Children’s Personal Information Without Parental Permission

[IAPP CIPP/US Certified Information Privacy Professional Study Guide], Chapter 5, pages 165-168.

Title VII of the Civil Rights Act of 1964 is a federal law that prohibits employment discrimination based on race, color, religion, sex, and national origin1 It also prohibits retaliation against individuals who assert their rights under the law or participate in an EEOC investigation1 Title VII applies to employers with 15 or more employees, as well as to employment agencies, labor organizations, and joint labor-management committees1

Title VII prohibits employers from making pre-employment inquiries that express a preference, limitation, or specification based on any of the protected characteristics, unless they are bona fide occupational qualifications (BFOQs)2 BFOQs are rare and narrowly construed exceptions that allow employers to consider a protected characteristic when it is reasonably necessary to the normal operation of the business2 For example, a religious organization may require its employees to share its faith, or a women’s shelter may hire only female counselors2

Option A is incorrect because questions about age are not prohibited by Title VII, but by the Age Discrimination in Employment Act of 1967 (ADEA), which protects individuals who are 40 years of age or older from employment discrimination based on age3 The ADEA generally prohibits employers from asking applicants about their age or date of birth, unless age is a BFOQ or the inquiry is part of a lawful affirmative action plan3

Option B is incorrect because questions about a disability are not prohibited by Title VII, but by the Americans with Disabilities Act of 1990 (ADA), which protects qualified individuals with disabilities from employment discrimination based on disability4 The ADA generally prohibits employers from asking applicants about whether they have a disability or the nature or severity of a disability, unless the inquiry is related to the ability to perform the essential functions of the job with or without reasonable accommodation4

Option C is incorrect because questions about a national origin are prohibited by Title VII, but not in all circumstances. Title VII prohibits employers from asking applicants about their national origin, ancestry, birthplace, native language, or accent, unless they are BFOQs or the inquiry is related to a legitimate business purpose, such as verifying eligibility to work in the United States or assessing language proficiency for a job that requires communication skills25

Option D is correct because questions about intended pregnancy are prohibited by Title VII, as amended by the Pregnancy Discrimination Act of 1978 (PDA), which protects women from employment discrimination based on pregnancy, childbirth, or related medical conditions. The PDA prohibits employers from asking applicants about whether they are pregnant or intend to become pregnant, unless they are related to the ability to perform the job. Such questions may indicate an intent to discriminate based on sex or pregnancy, or may deter women from applying for certain jobs.

References: 1: Title VII of the Civil Rights Act of 1964 | U.S. Equal Employment Opportunity Commission 2: Questions and Answers about Race and Color Discrimination in Employment | U.S. Equal Employment Opportunity Commission 3: Age Discrimination | U.S. Equal Employment Opportunity Commission 4: Disability Discrimination | U.S. Equal Employment Opportunity Commission 5: National Origin Discrimination | U.S. Equal Employment Opportunity Commission : Pregnancy Discrimination | U.S. Equal Employment Opportunity Commission

The scenario describes how the company had no adequate rules about access to customer information and how low-level employees had access to all of the company’s customer data, including financial records. This indicates that the company did not implement proper access controls to limit who can access, use, or disclose customer information based on their roles and responsibilities. Access controls are one of the key elements of information security and privacy, as they help prevent unauthorized or inappropriate access to sensitive data. Without access controls, the company’s customer information was vulnerable to mishandling by employees or outsiders who could exploit the weak security measures. Therefore, the most likely cause of the breach was mishandling of information caused by lack of access controls. References:

IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 4: Information Management from a U.S. Perspective, Section 4.2: Information Security, p. 113-114

IAPP CIPP/US Body of Knowledge, Domain I: Introduction to the U.S. Privacy Environment, Objective I.C: Describe the role of information security in privacy, Subobjective I.C.1: Identify the key elements of information security, p. 8

HIPAA requires covered entities to provide a notice of privacy practices (NPP) to individuals who receive health care services from the covered entity. The NPP must describe how the covered entity may use and disclose protected health information (PHI), the individual’s rights with respect to their PHI, and the covered entity’s obligations to protect the privacy of PHI. The NPP must be provided to the individual no later than the date of the first service delivery, either in person or electronically. The covered entity must also make the NPP available on request and post it on its website if it has one. The covered entity must also make a good faith effort to obtain a written acknowledgment from the individual that they received the NPP. If the individual refuses to sign the acknowledgment, the covered entity must document the attempt and the reason for the refusal.

The other options are not sufficient to comply with HIPAA. Stating the privacy policy verbally (option A) does not provide the individual with a written or electronic copy of the NPP that they can keep for future reference. Posting the privacy notice in a prominent location (option B) does not ensure that the individual receives the NPP or has an opportunity to review it before receiving services. Directing patients to the correct area of the hospital website (option C) does not provide the individual with the NPP at the time of service delivery, unless the individual agrees to receive the NPP electronically and has access to the website at that time. References:

Notice of Privacy Practices for Protected Health Information

Model Notices of Privacy Practices

Sample Notice: Availability of Notice of Privacy Practices

Notice of Privacy Practices

Notice of Privacy Practices (NPP) Distribution and Acknowledgement

 The HIPAA privacy rule establishes national standards to protect individuals’ medical records and other individually identifiable health information (collectively defined as “protected health information”) and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically (collectively defined as “covered entities”)1 The rule requires appropriate safeguards to protect the privacy of protected health information and sets limits and conditions on the uses and disclosures that may be made of such information without an individual’s authorization1 The rule also gives individuals rights over their protected health information, including rights to examine and obtain a copy of their health records, to direct a covered entity to transmit to a third party an electronic copy of their protected health information in an electronic health record, and to request corrections1

The HIPAA privacy rule permits a covered entity to disclose protected health information for the litigation in response to a court order, subpoena, discovery request, or other lawful process, provided the applicable requirements of 45 CFR 164.512 (e) for disclosures for judicial and administrative proceedings are met2 These requirements include:

In response to a court order or administrative tribunal order, the covered entity may disclose only the protected health information expressly authorized by such order2

In response to a subpoena, discovery request, or other lawful process that is not accompanied by a court order or administrative tribunal order, the covered entity must receive satisfactory assurances that the party seeking the information has made reasonable efforts to ensure that the individual who is the subject of the information has been given notice of the request, or that the party seeking the information has made reasonable efforts to secure a qualified protective order2

A qualified protective order is an order of a court or administrative tribunal or a stipulation by the parties to the litigation or administrative proceeding that prohibits the parties from using or disclosing the protected health information for any purpose other than the litigation or proceeding for which such information was requested and requires the return to the covered entity or destruction of the protected health information (including all copies made) at the end of the litigation or proceeding2

Option A is incorrect because the HIPAA privacy rule does not only permit disclosure for payment, treatment or healthcare operations. The rule also allows disclosure for other purposes, such as public health, research, law enforcement, judicial and administrative proceedings, as long as the applicable conditions and limitations are met1

Option B is correct because it is consistent with the HIPAA privacy rule’s requirement for disclosures for judicial and administrative proceedings. By responding with a request for satisfactory assurances such as a qualified protective order, HealthCo is ensuring that the protected health information will be used only for the litigation and will be returned or destroyed afterwards2

Option C is incorrect because it is not consistent with the HIPAA privacy rule’s requirement for disclosures for judicial and administrative proceedings. By turning over all of the compromised patient records to the plaintiff’s attorney, HealthCo is disclosing more information than necessary and may violate the privacy rights of other individuals who are not parties to the lawsuit2

Option D is incorrect because it is not consistent with the HIPAA privacy rule’s requirement for disclosures for judicial and administrative proceedings. By responding with a redacted document only relative to the plaintiff, HealthCo is not providing satisfactory assurances that the protected health information will be used only for the litigation and will be returned or destroyed afterwards2

References: 1: Summary of the HIPAA Privacy Rule | HHS.gov 2: May a covered entity use or disclose protected health information for litigation? | HHS.gov

The California Privacy Rights Act (CPRA), which amends the California Consumer Privacy Act (CCPA), created the California Privacy Protection Agency (CPPA). This agency has been granted significant authority to regulate and enforce California privacy laws, but it does not have the authority to override decisions made by the California Attorney General regarding CCPA enforcement.

Powers Granted to the CPPA by the CPRA:

Adopting and Updating CCPA Regulations:

The CPPA has rulemaking authority, meaning it can adopt, amend, and update CCPA regulations to clarify obligations under the law.

This is explicitly stated in the CPRA.

Investigating Violations:

The CPPA can independently investigate potential violations of the CCPA, even without a complaint from a consumer.

Imposing Administrative Fines:

The CPPA has the authority to impose administrative fines for violations of the CCPA, which is critical for enforcing compliance.

Explanation of Option C:

While the CPPA has broad regulatory and enforcement powers, it cannot override decisions made by the Attorney General. The Attorney General retains certain oversight functions, particularly in transitioning enforcement authority to the CPPA. The CPPA's role is independent and complementary to that of the Attorney General, not one of supremacy.

References from CIPP/US Materials:

California Privacy Rights Act (CPRA): Specifies the creation, powers, and responsibilities of the CPPA.

IAPP CIPP/US Certification Textbook: Discusses the CPPA's rulemaking and enforcement authority.

 The most important step for the HR department to take when implementing this new software is to provide notice to employees that their emails will be scanned by the software and creating automated profiles. This is because the software involves the collection and use of personal information from employees, which may implicate their privacy rights and expectations. By providing notice, the HR department can inform employees about the purpose, scope, and consequences of the software, as well as their choices and rights regarding their data. Notice is also a key element of transparency and accountability, which are essential principles of privacy management. Providing notice can also help the HR department comply with various privacy laws and regulations that may apply to the software, such as the Electronic Communications Privacy Act (ECPA), the Stored Communications Act (SCA), the Fair Credit Reporting Act (FCRA), and state privacy laws. Notice can also help the HR department avoid potential legal risks and liabilities that may arise from the software, such as claims of invasion of privacy, breach of contract, or violation of employee rights. References:

U.S. Private-Sector Privacy, Third Edition by Peter P. Swire, DeBrae Kennedy-Mayo, Chapter 4, Section 4.2.1, pp. 97-98.

U.S. Private-Sector Privacy, Third Edition by Peter P. Swire, DeBrae Kennedy-Mayo, Chapter 5, Section 5.2.1, pp. 125-126.

U.S. Private-Sector Privacy, Third Edition by Peter P. Swire, DeBrae Kennedy-Mayo, Chapter 6, Section 6.2.1, pp. 153-154.

IAPP CIPP/US Certified Information Privacy Professional Study Guide by Mike Chapple and Joe Shelley, Chapter 4, Section 4.1, pp. 113-114.

The Consumer Privacy Bill of Rights is a set of principles that the Obama administration proposed in 2012 to guide the development of privacy legislation and policies in the United States. The report that introduced the bill of rights stated that it was "generally based on the widely accepted Fair Information Practice Principles (FIPPs)"1, which are a set of standards that originated in the 1970s and have influenced many privacy laws and frameworks around the world. The FIPPs include concepts such as individual control, transparency, security, accountability, and data minimization2. The Consumer Privacy Bill of Rights adapted and expanded these principles to address the challenges and opportunities of the digital economy1. References: 1: Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy2, page 92: IAPP CIPP/US Certified Information Privacy Professional Study Guide3, page 17.