Pass the IAPP Certified Information Privacy Professional CIPP-US Questions and answers with ExamsMirror

The Illinois Biometric Information Privacy Act (BIPA) regulates the collection, storage, and use of biometric identifiers and biometric information, such as fingerprints, retina scans, and facial recognition data. However, BIPA does not regulate photographs, as they are explicitly excluded from the definition of "biometric identifiers" under the law.

Key Definitions Under BIPA:

Biometric Identifier:Includes fingerprints, retina or iris scans, voiceprints, and scans of hand or face geometry.

Biometric Information:Refers to any information derived from biometric identifiers.

Exclusions:BIPA explicitly excludes certain types of data from regulation, such as photographs, writing samples, and physical descriptions.

Explanation of Options:

A. Photographs of local convicted felons uploaded to a news website:This is correct because photographs are explicitly excluded from BIPA's definition of biometric identifiers.

B. Fingerprint scans of elementary school students used to open their lockers:This would be regulated under BIPA, as fingerprints are considered biometric identifiers.

C. Security software designed to identify local convicted felons in retail stores via facial recognition:This would also be regulated under BIPA, as facial recognition involves scans of face geometry, which qualify as biometric identifiers.

D. Retina scans of elementary school students used to verify their identities for attendance purposes:Retina scans are biometric identifiers under BIPA and would therefore be regulated.

References from CIPP/US Materials:

Illinois BIPA (740 ILCS 14/10): Defines biometric identifiers and excludes photographs from regulation.

IAPP CIPP/US Certification Textbook: Discusses the scope and application of BIPA.

According to the FTC report, the most important directive for businesses is to adopt a “privacy by design” approach, which means integrating privacy protections throughout the entire product lifecycle, from initial design to disposal. This includes implementing reasonable security measures, collecting only the data needed for a specific purpose, retaining data only as long as necessary, and safely disposing of data that is no longer needed. The FTC report also recommends that businesses provide clear and transparent privacy notices, offer consumers meaningful choices about how their data is used, and increase their accountability for data practices. References: FTC Report, IAPP CIPP/US Study Guide (p. 32-33)

The Federal Trade Commission (FTC) issued its 2012 report, “Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers”1, which outlined a framework for privacy protection based on three main principles: privacy by design, simplified consumer choice, and greater transparency. The report also identified five priority areas for the FTC’s privacy enforcement and policy efforts, which were:

Data brokers

Large platform providers

Mobile

Promoting enforceable self-regulatory codes

International data transfers

Do Not Track was not one of the five priority areas, but rather a specific mechanism for implementing the principle of simplified consumer choice. The report endorsed the development of a Do Not Track system that would allow consumers to opt out of online behavioral advertising across websites and platforms1. The report also noted the progress made by various stakeholders, such as the World Wide Web Consortium (W3C), the Digital Advertising Alliance (DAA), and browser companies, in advancing the Do Not Track initiative1. References: 1: Federal Trade Commission, Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers (March 2012), available at 1.

Unlike many other countries, the United States does not have a comprehensive federal law that regulates the privacy of private-sector employees. Instead, the privacy protection of employees depends largely on state law, contract law, and tort law. State law may provide specific rights and remedies for employees regarding issues such as drug testing, background checks, electronic monitoring, social media access, and genetic information. Contract law may create obligations and expectations for employers and employees based on written or implied agreements, such as employment contracts, employee handbooks, or collective bargaining agreements. Tort law may allow employees to sue their employers for invasion of privacy, such as intrusion upon seclusion, public disclosure of private facts, false light, or appropriation of name or likeness. The other options are less likely to provide privacy protection to private-sector employees in the United States. The FTC Act primarily regulates the privacy practices of businesses that collect and use consumer data, not employee data. The U.S. Constitution only protects individuals from unreasonable searches and seizures by the government, not by private employers. The HHS only enforces the HIPAA Privacy Rule, which applies to covered entities and business associates that handle protected health information, not to all private-sector employers. References:

IAPP CIPP/US Study Guide, Chapter 6: Workplace Privacy

Privacy Rights of Employees Using Workplace Computers in the United States

Employee Privacy Laws

 Under state breach notification laws, personal information is typically defined as an individual’s first name or first initial and last name plus one or more other data elements, such as Social Security number, state identification number, account number, medical information, etc. However, first and last name alone are not usually considered personal information, unless they are combined with other data elements that could identify the individual or compromise their security or privacy. Therefore, option B is the correct answer, as it is not typically included in the definition of personal information under state breach notification laws. References:  https://www.ncsl.org/technology-and-communication/security-breach-notification-laws https://iapp.org/resources/article/state-data-breach-notification-chart/

The best way for Otto to minimize the privacy risks involved in using a cloud provider for the HR data is to ensure that the cloud provider abides by the contractual requirements by conducting an on-site audit. This would allow Otto to verify that the cloud provider has implemented adequate security measures, such as encryption, access controls, and backup systems, to protect the HR data from unauthorized access, use, or disclosure. It would also allow Otto to check that the cloud provider is complying with the applicable privacy laws and regulations, such as the CCPA, the APEC Privacy Framework, and the breach notification requirements. By conducting an on-site audit, Otto can identify any gaps or weaknesses in the cloud provider’s privacy practices and address them promptly. This would also demonstrate due diligence and accountability on the part of Filtration Station, which could mitigate the legal and reputational consequences of a data breach. References:

[IAPP CIPP/US Study Guide], Chapter 3: Data Assessments, pp. 77-78.

IAPP CIPP/US Body of Knowledge, Section III: Government and Court Access to Private-sector Information, Subsection B: Cross-Border Data Transfer, Topic 2: APEC Privacy Framework.

IAPP CIPP/US Practice Questions, Question 125.

A cure provision in state data privacy laws gives businesses an opportunity to remediate violations of the law within a specified timeframe after receiving notice of the alleged violation. This provision is intended to promote compliance rather than immediately imposing penalties or enforcement actions.

Key Aspects of Cure Provisions:

Notice and Cure Period:

Businesses are given a timeframe (e.g., 30 days) to address the alleged violation before formal enforcement actions are taken by state authorities.

Encouraging Compliance:

Cure provisions incentivize businesses to implement corrective actions and ensure compliance without incurring fines or penalties for minor or first-time violations.

State-Specific Examples:

The California Consumer Privacy Act (CCPA) initially included a 30-day cure provision, though it was later limited under the California Privacy Rights Act (CPRA).

Other state laws, such as Virginia’s Consumer Data Protection Act (VCDPA), also include cure provisions.

Explanation of Options:

A. To allow a business a limited timeframe to fix alleged violations before facing enforcement:This is correct. Cure provisions are specifically designed to give businesses an opportunity to address violations before facing enforcement actions.

B. To allow consumers a period of time to discover their data has been mishandled:This describes consumer rights related to data breach notifications, not cure provisions.

C. To allow a state to initiate formal enforcement actions for a fixed time period:Cure provisions delay enforcement actions rather than initiate them.

D. To allow certain provisions of a law to expire after a defined time period:This describes sunset provisions, not cure provisions.

References from CIPP/US Materials:

CCPA and CPRA: Discuss the cure provisions and their role in enforcement.

IAPP CIPP/US Certification Textbook: Highlights the purpose and impact of cure provisions in state privacy laws.

Most state breach notification laws require entities to notify affected individuals and/or regulators when there is unauthorized access to or acquisition of personal information that compromises its security, confidentiality, or integrity. However, some states provide exceptions to this requirement under certain conditions, such as:

If the data involved was encrypted or otherwise rendered unreadable or unusable, and the encryption key or other means of access was not compromised. This is based on the assumption that encrypted data is not accessible to unauthorized parties, even if they obtain the data.

If the entity was subject to and complied with another federal or state law that provides similar or greater protection and notification requirements, such as the GLBA Safeguards Rule or the HIPAA Breach Notification Rule. This is to avoid duplication or inconsistency of obligations for entities that are already regulated by other laws.

If the entity conducted a risk assessment and determined that there is no reasonable likelihood of harm to the affected individuals, based on factors such as the nature and extent of the data, the circumstances of the breach, the evidence of misuse, and the ability to mitigate the risk. This is to allow entities to exercise some discretion and judgment in evaluating the potential impact of the breach.

However, none of the state laws provide an exception for the mere access of data without exportation. Access alone is considered a breach that triggers the notification requirement, unless one of the other conditions applies. Therefore, option B is not a sufficient excuse for not providing breach notification under state law.

References:

[IAPP CIPP/US Study Guide], Chapter 9: State Data Security Laws, pp. 209-211.

CIPP/US Practice Questions (Sample Questions), Question 29.

The Telemarketing Sales Rule (TSR) is a federal regulation that applies to telemarketing calls, which are defined as "a plan, program, or campaign which is conducted to induce the purchase of goods or services or a charitable contribution, by use of one or more telephones and which involves more than one interstate telephone call."1 The TSR requires telemarketers to make specific disclosures, prohibit misrepresentations, limit the times and number of calls, and set payment restrictions for the sale of certain goods and services. The TSR also gives consumers the right to opt out of receiving telemarketing calls by registering their phone numbers on the National Do Not Call Registry.2

The TSR applies to both for-profit and not-for-profit organizations, but there are some exemptions and partial exemptions for certain types of entities, calls, and transactions. For example, the TSR does not apply to nonprofit organizations calling on their own behalf, as they are not considered to be engaged in telemarketing. However, if a nonprofit organization hires a for-profit telemarketer or telefunder to solicit charitable contributions on its behalf, the for-profit entity must comply with the TSR, as it is engaged in telemarketing. Similarly, the TSR does not apply to for-profit organizations calling businesses when a binding contract exists between them, as they are not considered to be inducing the purchase of goods or services. However, if a for-profit organization calls businesses to sell additional services to established customers, the TSR applies, as it is considered to be inducing the purchase of goods or services.3

Therefore, among the four options, only for-profit organizations and for-profit telefunders regarding charitable solicitations must comply with the TSR, as they are engaged in telemarketing and do not fall under any of the exemptions or partial exemptions. References: 1: eCFR :: 16 CFR Part 310 – Telemarketing Sales Rule3, Section 310.22: Telemarketing Sales Rule | Federal Trade Commission1, Rule Summary3: Complying with the Telemarketing Sales Rule - Federal Trade Commission2, Exemptions to the TSR.

In the United States, pandemic contact-tracing apps are regulated under a patchwork of federal and state privacy laws, rather than a single, comprehensive framework. Contact-tracing initiatives often involve the collection and processing of sensitive data, including location and health information, which may fall under different legal regimes depending on the jurisdiction and type of data.

Key Regulations Affecting Contact-Tracing Apps:

State Privacy Laws:

States such as California (via the California Consumer Privacy Act - CCPA) and others have privacy laws that may apply to contact-tracing apps, particularly when personal data is collected or shared.

State-level health privacy laws may also govern how health-related data is collected and used.

HIPAA:

HIPAA (Health Insurance Portability and Accountability Act) applies only if the app is used by or on behalf of a covered entity (e.g., healthcare providers or health plans). If the app is operated by a private company without a connection to a HIPAA-covered entity, HIPAA likely does not apply.

Federal Guidance:

The Federal Trade Commission (FTC) enforces general privacy protections under Section 5 of the FTC Act, which prohibits unfair or deceptive practices.

The FTC has also issued guidance on privacy considerations for health-related apps.

Other Federal and Sector-Specific Laws:

If the app collects health-related data, it could also trigger obligations under laws like the Americans with Disabilities Act (ADA) or sector-specific rules.

Explanation of Options:

A. Contact tracing is covered exclusively under the Health Insurance Portability and Accountability Act (HIPAA):This is incorrect. HIPAA applies only to covered entities and their business associates, not broadly to all contact-tracing apps or initiatives.

B. Contact tracing is regulated by the U.S. Centers for Disease Control and Prevention (CDC):This is incorrect. While the CDC provides guidance and recommendations for public health, it does not have regulatory authority over contact-tracing apps.

C. Contact tracing is subject to a patchwork of federal and state privacy laws:This is correct. Contact-tracing apps in the U.S. are governed by various federal, state, and sector-specific laws, creating a patchwork regulatory framework.

D. Contact tracing is not regulated in the United States:This is incorrect. While there is no single regulatory framework for contact tracing, the practice is subject to multiple federal and state laws.

References from CIPP/US Materials:

IAPP CIPP/US Certification Textbook: Discusses the application of HIPAA, state privacy laws, and federal regulations to health-related technologies, including contact-tracing apps.

FTC Guidance on Health Apps: Details privacy considerations for app developers handling health-related data.