CIPP/US Practice Exam Questions with 100% Correct Answers | Verified | Updated 2024
The U.S. Constitution establishes what three branches of government? - Correct Answer-Legislative, Executive, Judicial
What establishes the three branches of the U.S. Government? - Correct Answer-The U.S. Constitution
What is the purpose of the three-branch government design? - Correct Answer-To provide a separation of powers with a system of checks and balances among the branches.
What similarities are found between state and federal government? - Correct Answer-The three branches are also often found at the state and, often, the local levels.
What is the legislative branch's make-up? - Correct Answer-The legislative branch is made up of elected representatives who write and pass laws. It includes the Congress (House and Senate).
pg. 1 professoraxe l
What does the legislative branch do? - Correct Answer-Congress confirms presidential appointees, and can override vetoes.
What are the duties of the executive branch? - Correct Answer-The executive branch's duties are to enforce and administer the law.
Who makes up the executive branch? - Correct Answer-The President, Vice President, cabinet, and federal agencies (such as the FTC).
What can the executive branch do? - Correct Answer-The President appoints federal judges. It can veto laws passed by Congress.
What can the judicial branch do? - Correct Answer-The judicial branch determines whether laws are constitutional. It also interprets laws, the meaning of a law, and how it is applied. It can also examine the intent behind a law's creation.
What is the judicial branch? - Correct Answer-The federal courts.
What does the U.S. Supreme Court do? - Correct Answer-Hears appeals from the circuit courts and decides questions of federal law; also interprets the U.S. Constitution. May also hear appeals from the highest state courts or function as a trial court in rare instances.
In what circumstances do federal agencies wield power that is characteristic of all three branches of government? - Correct Answer-When they are given authority by Congress to promulgate and enforce rules pursuant to law. This means they operate under statutes that give them legislative power to issue rules, executive power to investigate and enforce violations of rules/statutes, and judicial power to settle particular disputes.
What are the sources of law in the U.S.? - Correct Answer-Federal and state constitutions, legislation, case law (contracts and torts), and agency-issued regulations.
What is the supreme law in the U.S.? - Correct Answer-The Constitution.
Who drafted the Constitution and when? - Correct Answer-The Constitutional Convention drafted the Constitution in 1787.
True/False: The U.S. Constitution does not contain the word "Privacy". - Correct Answer-True.
Which parts of the Constitution directly affect privacy? - Correct Answer-The Fourth Amendment limits on government searches.
Which Supreme Court decisions affect privacy? - Correct Answer-The S.C. has held that a person has a right to privacy over personal issues such as contraception and abortion, arising from more general protections of due process of law.
What are other sources of law affecting privacy? - Correct Answer-State constitutions may create stronger rights than are provided in the U.S. Constitution.
Which state expressly recognizes a right to privacy in its constitution? - Correct Answer-California.
What areas are regulated by laws enacted by federal Congress and state legislatures?
- Correct Answer-Applications of information (use of information for marketing or pre-employment screening), certain industries (such as financial institutions or healthcare providers), certain data elements (SSNs or driver's license info), or specific harms (identity theft or children's online privacy).
How is law-making power distributed in the U.S.? - Correct Answer-Law-making power is shared between the national and state governments.
What does the U.S. Constitution say about laws under the Constitution? - Correct Answer-It states that the Constitution, and the laws passed pursuant to it, are "the supreme law of the land."
When do states have the power to make laws? - Correct Answer-Where federal law does not prevent it, states have the power to make law.
Which Amendment to the Constitution states "the powers not delegated to the United States by the Constitution, nor prohibited by it to the States, are reserved to the States
Which agencies enforce the CAN-SPAM Act? - Correct Answer-FTC and FCC.
What does the CAN-SPAM Act allow the FTC and FCC to do? - Correct Answer-It provides the FTC and the FCC with the authority to issue regulations that set forth exactly how the opt-out mechanism must be offered and managed.
What is case law? - Correct Answer-Case law refers to the final decisions made by judges in court cases.
How is case law utilized by the courts? - Correct Answer-When similar issues arise in the future, judges look to past decisions as precedents and decide the new case in a manner consistent with past decisions.
What is common law? - Correct Answer-Common law refers to legal principles that have developed over time in judicial decisions (case law), often drawing on social customs and expectations.
True/false: common law contrasts with law created by statute. - Correct Answer-True.
What is stare decisis?
- Correct Answer-It refers to a following of past precedent; stare decisis is a Latin term meaning "to let the decision stand."
How do precedents handle the passing of time? - Correct Answer-As time passes, precedents often change to reflect technological and societal changes in values and laws.
What are common law's rules in regards to privacy? - Correct Answer-Common law upholds special privilege rules, even in the absence of statutes protecting that confidentiality.
Name two special privilege rules. - Correct Answer-1. Doctor-patient privilege 2. Attorney-client confidentiality.
What is a judgment entered by consent of the parties whereby the defendant agrees to stop alleged illegal activity? - Correct Answer-Consent Decree.
Does a consent decree typically admit guilt or wrongdoing? - Correct Answer-No.
How are the courts involved in a consent decree? - Correct Answer-The document is approved by a judge.
What does a consent decree accomplish? - Correct Answer-It formalizes an agreement reached between a federal or state agency and an adverse party.
What are the contents of the consent decree? - Correct Answer-It describes the actions that the defendant will take, and the decree may be subject to a public comment period.
How much power does a consent decree hold? - Correct Answer-Once approved, the consent decree has the effect of a court decision.
In what area has the FTC entered into numerous consent decrees with companies as a result of alleged violations of privacy laws? - Correct Answer-COPPA has allowed for several consent decrees, which require violators to pay money to the
What requirements must the acceptance meet? - Correct Answer-The acceptance must comply with the terms of the offer and must be communicated to the person who proposed the deal.
What is the bargained-for exchange? - Correct Answer-Consideration.
What is consideration?
- Correct Answer-The legal benefit received by one person and the legal detriment imposed on the other person.
What forms does consideration typically take? - Correct Answer-Consideration usually takes the form of money, property or services.
True/False: An agreement without consideration is not a contract. - Correct Answer-True.
When may a privacy notice constitute a contract? - Correct Answer-If a consumer provides data to a company based on the company's promise to use the data in accordance with the terms of the notice.
What is a tort? - Correct Answer-Torts are civil wrongs recognized by law as the grounds for lawsuits. These wrongs are those that result in an injury or harm that constitutes the basis for a claim by the injured party.
What are the goals of tort law? - Correct Answer-a. provide relief for damages incurred; b. deter others from committing the same wrongs.
What are the three tort categories? - Correct Answer-Intentional torts, negligent torts, and strict liability torts.
What is an intentional tort? - Correct Answer-These are wrongs that the defendant knew / should have known would occur through their actions or inactions.
Give an example of an intentional tort. - Correct Answer-Intentionally hitting a person or stealing personal information.
What is a negligent tort? - Correct Answer-These occur when the defendant's actions were unreasonably unsafe.
Give an example of a negligent tort. - Correct Answer-Causing a car accident by not obeying traffic rules, or not having appropriate security controls.
What is a strict liability tort? - Correct Answer-These are wrongs that don't depend on the degree of carelessness by the defendant, but are established when a particular action causes damage.
What are some examples of strict liability torts?
- Correct Answer-Product liability torts (concern potential liability for making and selling defective products without the need for the plaintiff to show negligence by the defendant).
When did the concept of a personal privacy tort enter U.S. jurisprudence? - Correct Answer-The late 1890s.
What are some current privacy torts? - Correct Answer-a. intrusion on seclusion;
Give an example of pre-emption. - Correct Answer-The U.S. federal government has mandated that state governments cannot regulate e-mail marketing; the federal CAN-SPAM Act preempts state laws that might impose greater obligations on senders of commercial electronic messages.
Define "private right of action" - Correct Answer-Ability of an individual harmed by a violation of a law to file a lawsuit against the violator.
Define "Notice" - Correct Answer-Description of an organization's information management practices.
What are the two purposes of a notice? - Correct Answer-1. consumer education 2. corporate accountability
What does the typical notice contain? - Correct Answer-It tells the individual what information is collected, how the information is used and disclosed, how to exercise any choices about uses or disclosures, and whether the individual can access or update the information.
True/false: U.S. privacy laws have additional notice requirements. - Correct Answer-True.
Who can legally enforce the promises made in a company's privacy notice? - Correct Answer-Federal Trade Commission and states.
What are two other names for privacy notices? - Correct Answer-a. privacy statements b. privacy policies (however, often internal only)
Define Privacy Policy. - Correct Answer-Often used to refer to the internal standards used within the organization.
Define Privacy Notice. - Correct Answer-Refers to an external communication, issued to consumers, customers, or users.
Define Choice.
- Correct Answer-The ability to specify whether personal information will be collected and/or how it will be used or disclosed.
In what two forms is choice recognized? - Correct Answer-Express or implied.
Define "opt-in" - Correct Answer-An affirmative indication of choice based on an express act of the person giving the consent.
Give an example of "opt-in" behavior. - Correct Answer-A person opts in if he says yes when asked, "May we share your information?" Failure to answer would result in the information not being shared.
Define "opt-out" - Correct Answer-A choice can be implied by the failure of the person to object to the use or disclosure.
Give an example of "opt-out" behavior. - Correct Answer-A company says "Unless you tell us not to, we may share your information." The person then has the ability to opt out of the
What role does the State Attorney General serve? - Correct Answer-Serves as the chief legal advisor to the state government and as the state's chief law enforcement officer.
Which states have successfully pursued privacy actions related to unfair and deceptive practices? - Correct Answer-Minnesota and Washington.
Give examples of self-regulatory regimes. - Correct Answer-Network Advertising Initiative, Direct Marketing Association, Children's Advertising Review Unit.
True/false: some trade associations issue rules or codes of conduct for members. - Correct Answer-True.
Give an example of a regulatory setting where government-created rules expect companies to sign up for self-regulatory oversight. - Correct Answer-The Safe Harbor for companies that transfer personal information from the EU to the US.
What six questions are necessary to understand a law, statute, or regulation? - Correct Answer-1. Who is covered by this law? 2. What types of information (and what uses of information) are covered? 3. What exactly is required or prohibited? 4. Who enforces the law? 5. What happens if I don't comply? 6. Why does this law exist?
What are some reasons for knowing a law's scope when you don't have to follow it? - Correct Answer-1. the law may suggest good practices that you want to emulate 2. it may provide an indication of legal trends 3. it may provide a proven way to achieve a particular result (i.e. protecting individuals in a given situation)
Give an example of a time when the costs of compliance with a law might exceed the risks of noncompliance for a period of time. - Correct Answer-If a system is not appropriately compliant with a new law, but is going to be replaced in a few months, a company may decide that the risks of noncompliance outweigh the costs and risk of trying to accelerate the system transition.
In which state was the first security breach notification law enacted? - Correct Answer-California.
What does the CA law regulate? - Correct Answer-The CA Data Breach Notification Law regulates entities that do business in CA and that own or license computerized data, including PI.
To whom does the CA law apply? - Correct Answer-It applies to natural persons, legal persons, and government agencies.
When is a delay in providing notice permissible? - Correct Answer-When a delay is requested by law enforcement.
Who enforces the CA law? - Correct Answer-The CA Attorney General enforces the law.
True/false: the law provides for a private cause of action. - Correct Answer-True.
What happens if one doesn't comply with the CA law? - Correct Answer-The CA attorney general or any citizen can file a civil lawsuit against you, seeking damages and forcing you to comply.
Why does the CA data notification law exist?
- Correct Answer-SB 1386 was enacted because there is a fear that security breaches of computerized databases cause identity theft, and individuals should be notified about the breach so that they can take steps to protect themselves. If you have a security breach that puts people at real risk of identity theft, you should consider notifying them even if you are not subject to this law.
What is the FTC? - Correct Answer-The Federal Trade Commission is an independent agency governed by a chairman and four other commissioners.
True/False: The FTC's decisions are under the president's control. - Correct Answer-FALSE
What authority does the FTC have? - Correct Answer-Authority to enforce against "unfair and deceptive trade practices", as well as specific statutory responsibility for issues such as (a) children's privacy online and (b) commercial e-mail marketing.
What are some of the ways that the FTC has played a prominent role in the development of US privacy standards? - Correct Answer-The FTC conducts public workshops on privacy issues, and reports on privacy policy and enforcement.
Are there other federal agencies involved in privacy enforcement? - Correct Answer-Yes, although the FTC plays a leading role.
What is civil litigation? - Correct Answer-Civil litigation occurs in the courts, when one person (plaintiff) sues another person (defendant) to redress a wrong. The plaintiff often seeks a monetary judgment from the defendant. The plaintiff may also seek an injunction.
What is an injunction? - Correct Answer-A court order mandating the defendant to stop engaging in certain behaviors. May be awarded to the plaintiff in civil litigation.
What are important categories of civil litigation? - Correct Answer-Contracts and torts.
Describe a possible civil litigation scenario involving contracts. - Correct Answer-A plaintiff might sue for breach of a contract that promised confidential treatment of personal information.
Describe a possible civil litigation scenario involving torts. - Correct Answer-A plaintiff might sue for invasion of privacy where the defendant surreptitiously took pictures in a changing room and broadcast the pictures to the public.
Human Services (HHS), for the Health Insurance Portability and Accountability Act (HIPAA)
Which agencies oversee financial privacy? - Correct Answer-Consumer Financial Protection Bureau for financial consumer protection issues generally; federal financial regulators such as the Federal Reserve and the Office of the Comptroller of the Currency, for institutions under their jurisdiction under the Gramm-Leach-Bliley Act (GLBA)
Which agencies are responsible for educational privacy? - Correct Answer-Department of Education for the Family Educational Rights and Privacy Act.
Which agencies oversee telemarketing and marketing privacy? - Correct Answer-Federal Communications Commission (along with the FTC) under the Telephone Consumer Protection Act and other statutes.
Which agencies are responsible for workplace privacy? - Correct Answer-Equal Employment Opportunity Commission for the Americans with Disabilities Act and other anti-discrimination statutes.
Which agency plays a leading role in federal privacy policy development and administers the Safe Harbor agreement between the US and EU? - Correct Answer-Department of Commerce.
Which federal department has been increasingly active in privacy, negotiating internationally on privacy issues with other countries/multinational groups such as the UN and OECD? - Correct Answer-State Department.
Which agency is responsible for transportation companies under its jurisdiction and for enforcing violations of the Safe Harbor agreement between the US and EU? - Correct Answer-Department of Transportation.
What is the name of the lead agency for interpreting the Privacy Act of 1974?
- Correct Answer-US Office of Management and Budget (OMB)
What are some of the other functions of the OMB? - Correct Answer-OMB also issues guidance to agencies and contractors on privacy and information security issues, such as data breach disclosure and privacy impact assessments.
To which agencies does the Privacy Act of 1974 apply? - Correct Answer-Federal agencies and private sector contractors to those agencies.
Which Department is subject to privacy rules concerning tax records, including disclosures of such records in the private sector? - Correct Answer-Internal Revenue Service (IRS)
Describe one way in which other parts of the Department of Treasury are also involved with financial records issues. - Correct Answer-They are involved in money-laundering rules at the Financial Crimes Enforcement Network.
What are some of the privacy issues faced by the Department of Homeland Security? - Correct Answer-E-Verify program for new employees, rules for air traveler records (Transportation Security Administration), and immigration and other border issues (Immigration and Customs Enforcement)
What agencies are affected by the increasing development of the smart grid? - Correct Answer-Smart grid development is making privacy an important issue for the electric utility system, involving the Department of Energy.
What does Section 5 of the FTC Act state? - Correct Answer-"Unfair or deceptive acts or practices in or affecting commerce are hereby declared unlawful."
Does FTC Act Section 5 say anything specifically about privacy or information security? - Correct Answer-No.
True/false: The application of Section 5 to privacy and information security is clearly established today. - Correct Answer-True.
What marks the beginning of the FTC's enforcement of privacy violations? - Correct Answer-The Fair Credit Reporting Act of 1970.
When did the FTC begin bringing privacy enforcement cases under its powers to address unfair and deceptive practices? - Correct Answer-During the 1990s.
Name the ways in which Congress added privacy-related responsibilities to the FTC over time. - Correct Answer-The Children's Online Privacy Protection Act (COPPA) of 1998 and the Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act of 2003.
What does Section 6 of the FTC Act do? - Correct Answer-It vests the commission with the authority to conduct investigations and to require businesses to submit investigatory reports under oath.
To what does FTC Act Section 5 apply and not apply? - Correct Answer-It applies to "unfair and deceptive practices in commerce" and does not apply to nonprofit organizations. Its powers also do not extend to certain industries, such as banks and other federally regulated financial institutions, as well as common carriers such as the transportation and communications industries.
What other issues does the FTC retain authority over? - Correct Answer-In addition to the authority granted under Section 5, the FTC retains separate and specific authority over privacy and security issues under other federal statutes.
Until the creation of which agency did the FTC issue rules and guidance for the Fair Credit Reporting Act and Gramm-Leach-Bliley Act? - Correct Answer-Consumer Financial Protection Bureau (CFPB)
What amended the Fair Credit Reporting Act? - Correct Answer-The Fair and Accurate Credit Transactions Act of 2003.
What authorities does the CFPB hold? - Correct Answer-Authority to issue rules and guidance for the FCRA and GLBA, and shares enforcement authority with the FTC for financial institutions that are not covered by a separate financial regulator.
Who is the rule-making and enforcement agency for COPPA? - Correct Answer-FTC.
With which agency does the FTC share rule-making and enforcement power under the Telemarketing Sales Rule and the CAN-SPAM Act? - Correct Answer-The FCC.
With which agency does the FTC share rule-making and enforcement power for data breaches related to medical records under the Health Information Technology for
What are some actions allowed under the FTC's broad investigative authority? - Correct Answer-1. subpoenas of witnesses 2. civil investigative demands 3. requirements for businesses to submit written reports under oath
What may the commission do after an investigation? - Correct Answer-The commission may initiate an enforcement action if it has reason to believe a law is being or has been violated. It issues a complaint.
What happens after the commission issues a complaint? - Correct Answer-An administrative trial can proceed before an administrative law judge (ALJ).
Can the Administrative Law Judge's opinion be appealed? - Correct Answer-Yes, it can be appealed to the five commissioners.
Can the decision of the five commissioners on appeal be appealed? - Correct Answer-Yes, it can be appealed to the federal district court.
When does an order by the commission become final? - Correct Answer-60 days after it is served on the company.
True/False: The FTC can assess civil penalties. - Correct Answer-False, the FTC lacks authority to assess civil penalties.
What can the FTC do if its ruling is ignored? - Correct Answer-It can seek civil penalties in federal court of up to $16,000 per violation and can seek compensation for those harmed by the unfair or deceptive practices.
True/False: Each violation of such an order is treated as a separate offense. - Correct Answer-True.
True/False: Each day the violator fails to comply with the order is considered a separate offense. - Correct Answer-True.
What can the court do if consumers are harmed by the act or practice? - Correct Answer-The court can order "redress" or mandate an injunction against a violator.
Can additional penalties be assessed if a company does not respond to a complaint or order? - Correct Answer-Yes.
How have FTC privacy enforcement actions been settled in practice? - Correct Answer-Through consent decrees and accompanying consent orders.
What is a consent decree? - Correct Answer-In a consent decree, the respondent does not admit fault, but promises to change its practices.
Where are consent decrees posted? - Correct Answer-Publicly on the FTC's website.
What can the details of these consent decrees be used to do? - Correct Answer-The details of these decrees provide guidance about what practices the FTC considers inappropriate.
Why would the company have incentives to negotiate? - Correct Answer-The company avoids a prolonged trial, as well as negative, ongoing publicity; it also avoids the details of its business practices being exposed to the public.
Why would the FTC have incentives to negotiate? - Correct Answer-It (1) achieves a consent decree that incorporates good privacy and security practices, (2) avoids the expense and delay of a trial, and (3) gains an enforcement advantage, due to the fact that monetary fines are much easier to assess in federal court if a company violates a consent decree.
What methods were used before the FTC began to use consent decrees in privacy cases? - Correct Answer-The FTC's Bureau of Consumer Protection negotiated such decrees for other consumer protection issues under Section 5 of the FTC Act.
True/false: Review of nonprivacy decrees can be instructive for lawyers or others who seek to understand the FTC's approach to and priorities for consumer protection consent decrees. - Correct Answer-True.
What motivated the FTC and Commerce Department to begin convening public workshops and conducting other activities to highlight the importance of privacy protection on websites? - Correct Answer-An increase in commercial activity on the Internet that became significant in the mid-1990s.
When did organizations begin to post public privacy notices on their websites? - Correct Answer-Mid-1990s.
What purpose do privacy notices serve? - Correct Answer-Help inform customers about how their PI was being collected and used, as well as helping with enforcement purposes.
How do privacy notices help with enforcement? - Correct Answer-If a company promised a certain level of privacy or security on a company website or elsewhere, and the company did not fulfill its promise, then the FTC considered that breach of promise a "deceptive" practice under Section 5 of the FTC Act.
Is there an omnibus federal law requiring companies to have public privacy notices? - Correct Answer-No. Sector-specific statutes such as HIPAA, GLBA, and COPPA impose notice requirements.
What does California require of companies and organizations doing in-state business? - Correct Answer-To post privacy policies on their websites.
Where there is no legal requirement to do so, do the vast majority of commercial websites post privacy notices? - Correct Answer-Yes, according to an FTC survey conducted in 2000.
What does the FTC investigate when a company posts a privacy notice? - Correct Answer-Whether they adhere to their own policies; if not, the FTC will bring an enforcement action for deceptive trade practices.
What was the first FTC Internet privacy enforcement action? - Correct Answer-In the Matter of GeoCities, Inc.
What are the facts of the GeoCities case? - Correct Answer-GeoCities operated a website that provided an online community through which users could maintain personal home pages. To register and become a member of GeoCities, users were required to fill out an online form that requested PI, with which GeoCities created an extensive info database.
When did the FTC bring an enforcement action against Microsoft Corp? - Correct Answer-In 2002.
What was the basis of the FTC action against Microsoft? - Correct Answer-The action concerned MS's security representations about info collected through its "Passport" website service. The FTC alleged that representations of a high level of online security were misleading because the security of the PI was within the control, not of MS, but of MS's vendors and business partners. The FTC also asserted that the Passport service collected and shared more info than disclosed in its privacy notice and claimed that the access controls for the children's website were inadequate.
What are the facts of the Microsoft action? - Correct Answer-MS Passport was an online service that allowed customers to use single sign-in to access multiple web services. MS made claims about the high level of security used to protect users' personal and financial information, as well as Passport's parental controls for its children's services.
How did the Microsoft action resolve? - Correct Answer-MS settled the action with the FTC. MS was prohibited from making future misrepresentations about the security and privacy of its products and was required to adopt and implement a comprehensive info sec program. MS was required to undergo a biannual third-party audit to ensure compliance with its program terms.
What is the focus of early privacy and security enforcement actions? - Correct Answer-Deceptive practices
What did the FTC add to its enforcement scope in 2004? - Correct Answer-Unfair practices, as well as the previously-enforced deceptive practices.
Where is the scope of the term "unfairness" clarified? - Correct Answer-In a 1980 policy statement and in 1994 amendments to the FTC Act.
What three things are required for an injury to be considered "unfair"? - Correct Answer-The injury caused must be (1) substantial, (2) without offsetting benefits, and (3) one that consumers cannot reasonably avoid.
What was the first instance of the FTC basing an enforcement action on a company's material change to its PI-handling practices, as well as the first privacy case based on unfairness? - Correct Answer-In the Matter of Gateway Learning Corp, in 2004.
What are the facts of Gateway? - Correct Answer-Gateway Learning Corporation marketed and sold popular educational aids under the "Hooked on Phonics" product line. Its website privacy notice stated that Gateway Learning would not sell, rent, or loan any PI without explicit customer consent. It also stated that Gateway would provide consumers with an opportunity to opt out of having their info shared if this practice changed. Gateway then began renting personal customer info to third-party marketers and advertisers without providing the opt-out. It later revised its website privacy notice to allow for disclosing to third-party advertisers and continued to rent consumer information without providing notice to customers about the change in policy.
What was the outcome of the Gateway case? - Correct Answer-The consent decree stated that the retroactive application of material changes to the company's data sharing policy was an unfair trade practice. The settlement prohibited Gateway from sharing any PI collected from users under its initial privacy notice unless it obtained an affirmative opt-in from users. It also required Gateway to relinquish the money earned from renting consumer info.
were automatically enrolled in Buzz services without having to provide consent. Buzz also exposed PI harvested from Gmail to the public without making this clear to users. These actions conflicted with Google's privacy notice on its site.
What were the FTC assertions in their charges? - Correct Answer-The FTC alleged that automatic enrollment without prior notice and explicit consent was a deceptive trade practice. It also asserted that Google was in violation of the US-EU Safe Harbor Framework, which provides a method for US companies to transfer personal data from the EU to the US in compliance with EU data protection requirements.
Name one reason the Google settlement was noteworthy. - Correct Answer-This consent decree was the first in which a company agreed to implement a "comprehensive privacy program." As of 2012, it was not clear what exact elements a "comprehensive" program should contain. However, the term "comprehensive" seems to signal that the FTC believes privacy should be thoroughly integrated with product development and implementation. To enforce this, Google agreed to undergo independent third-party privacy audits on a biannual basis.
Name a second reason the Google settlement was noteworthy. - Correct Answer-The Google consent decree was the first substantial US-EU Safe Harbor enforcement by the FTC. The complaint stated that Google had represented it would use PI only for the purposes for which it was initially collected or consented to by users. The complaint stated that Google violated Section 5 and failed to live up to its promise to comply with the notice and choice principles of Safe Harbor.
When did the FTC settle an enforcement action for deceptive practices with Facebook? - Correct Answer-2011.
What did the FTC's 8-count complaint allege, among other things, against Facebook? - Correct Answer-FB deceived consumers by repeatedly making changes to services so that information designated as private was made public. This violated promises FB made in its privacy notice.
What did the FB settlement require?
- Correct Answer-It required FB to provide users with clear notice and obtain user consent before making retroactive changes to material privacy terms, and barred FB from making any further deceptive privacy claims. FB was also required to establish and maintain a comprehensive privacy program. FB must obtain biannual independent third-party audits of its privacy program for the next 20 years.
What does the FB case indicate? - Correct Answer-Broader government efforts to hold companies accountable for information handling practices.
In what year did the Obama administration issue a report titled "Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy"? - Correct Answer-Early 2012.
What report did the FTC issue that, together with the Obama framework, illustrates the evolution from earlier methods of privacy enforcement to current approaches? - Correct Answer-"Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers."
What was the FTC's primary method of enforcement used in the late 1990s? - Correct Answer-The "notice and choice approach": emphasis was placed on having companies provide privacy notices on their websites and offer consumers a choice about whether information would be shared with third parties. Enforcement actions were based on deception and the failure to comply with a privacy promise rather than on specific, tangible harm to consumers.
Define "access and accuracy". - Correct Answer-Consumers have a right to access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data is inaccurate.
Define "focused collection". - Correct Answer-Consumers have a right to reasonable limits on the personal data that companies collect and retain.
Define "accountability". - Correct Answer-Consumers have a right to have personal data handled by companies with appropriate measures in place to assure they adhere to the Consumer Privacy Bill of Rights.
What does the Obama report recommend regarding these 7 rights? - Correct Answer-That they be included in federal legislation, with the use of multistakeholder processes to develop enforceable codes of conduct until legislation is passed, emphasizing achieving international interoperability, including trans-border cooperation on privacy enforcement (utilizing the FTC).
What 3 areas does the FTC emphasize as themes? - Correct Answer-1. Privacy by Design; 2. Simplified consumer choice; 3. Transparency.
What is Privacy by Design? - Correct Answer-Companies should promote consumer privacy throughout their organization and at every stage in the development of their products and services. Companies should incorporate substantive privacy protections into their practices, such as data security, reasonable collection limits, sound retention and disposal practices, and data accuracy.
What is Simplified Consumer Choice? - Correct Answer-Companies should simplify consumer choices; they don't need to provide choice before collecting and using consumer data for practices that are consistent with the context of the transaction or the company's relationship with the consumer, or that are required or specifically authorized by law. Where appropriate, companies should offer the choice at a time and in a context in which the consumer is making a decision about his/her data.
When should companies obtain affirmative express consent? - Correct Answer-Before (1) using consumer data in a materially different manner than claimed when the data was collected, or (2) collecting sensitive data for certain purposes.
What is Transparency?
- Correct Answer-Privacy notices should be clearer, shorter and more standardized to enable better comprehension and comparison of privacy practices. Companies should provide reasonable access to the consumer data they maintain; the extent of access should be proportionate to the sensitivity of the data and the nature of its use.
What are the FTC's five priority areas for attention? - Correct Answer-1. Do Not Track; 2. Mobile; 3. Data Brokers; 4. Large platform providers;
What has happened since CA passed the first breach notification law in 2002? - Correct Answer-Almost every state has passed a similar breach notification law, many of which require organizations to furnish the state attorney general with reports about breaches when they occur. They also impose enforcement responsibility on state attorneys general if the breach notification reveals the implementation of inadequate security controls.
States have other specialized statutes protecting privacy in what other sectors? - Correct Answer-Medical, financial, and workplace.
What is happening on a state level in relation to the smart grid? - Correct Answer-State public utilities commissions have started to set rules for PI collected in connection with the smart grid.
True/false: State common law is not a source of privacy enforcement. - Correct Answer-False. Plaintiffs can sue under the privacy torts, which traditionally have been categorized as intrusion upon seclusion, appropriation of name or likeness, publicity given to private life, and publicity placing a person in a false light. Plaintiffs may also sue under a contract theory in some situations.
Give an example of when someone could sue under state common law on a contract theory. - Correct Answer-When a physician, financial institution or other entity holding sensitive information breaches a promise of confidentiality and causes harm.
Which project helps coordinate the work of state attorneys general? - Correct Answer-The National Association of Attorneys General Consumer Protection Project, which works to improve the enforcement of state and federal consumer protection laws by state attorneys general, as well as multistate consumer protection enforcement efforts. It also promotes information exchange among the states with respect to investigations, litigation, consumer education, and both federal and state legislation.
What are three ways that self-regulation can occur? - Correct Answer-It can occur through the 3 traditional separation-of-powers components: legislation, enforcement and adjudication.
To what does legislation in self-regulation refer? - Correct Answer-Legislation refers to the question of who should define appropriate rules for protecting privacy.
To what does enforcement in self-regulation refer? - Correct Answer-Enforcement refers to the question of who should initiate enforcement actions.
To what does adjudication in self-regulation refer? - Correct Answer-Adjudication refers to the question of who should decide whether a company has violated the privacy rules and with what penalties.
True/False: For enforcement under Section 5 of the FTC Act or state UDAP laws, self-regulation only occurs at the legislation stage. - Correct Answer-True.
Describe how self-regulation occurs under Section 5 of the FTC Act. - Correct Answer-A company writes its own privacy policy or an industry group drafts a code of conduct that companies agree to follow. Under Section 5, the FTC can then decide whether to bring an enforcement action, and adjudication can occur in front of an administrative law judge, with appeal to federal court. Although it's called "self-regulation", a government agency is involved at the enforcement and adjudication stages.
Example: In 2007, the OECD adopted the "Recommendation on Cross Border Co-operation in the Enforcement of Laws Protecting Privacy."
What is the focus/content of the OECD's 2007 Recommendation? - Correct Answer-It focuses on the need to address common privacy issues on a global scale, rather than focusing on country-by-country differences in law or enforcement power.
What are member countries asked to do by the 2007 OECD Recommendation? - Correct Answer-1. Discuss the practical aspects of privacy law enforcement cooperation; 2. share best practices in addressing cross-border challenges; 3. work to develop shared enforcement priorities; 4. support joint enforcement initiatives and awareness campaigns.
In response to the OECD Recommendation, what did the FTC do? - Correct Answer-The FTC, along with enforcement authorities globally, established the Global Privacy Enforcement Network (GPEN) in 2010.
What is the purpose of the GPEN? - Correct Answer-To promote cross-border information sharing as well as investigation and enforcement cooperation among privacy authorities around the world.
Name another cross-border enforcement cooperation effort. - Correct Answer-Asia-Pacific Economic Cooperation (APEC). The APEC Cross-border Privacy Enforcement Arrangement (CPEA) aims to establish a framework for participating members to share information and evidence in cross-border investigations and enforcement actions in the APJ region; it also facilitates cooperation and communication between APEC and non-APEC members.
True/false: the FTC is not a CPEA participant. - Correct Answer-False.
When can cross-border conflicts arise? - Correct Answer-When the privacy laws in one country prohibit disclosure of information, but laws in a different country compel disclosure.
Give an example of a cross-border conflict.
- Correct Answer-The US generally permits a greater range of discovery in litigation than EU courts, with a party to the litigation in the US potentially facing fines or contempt of court if it does not produce records. In contrast, the EU Data Protection Directive and laws of EU member states may prohibit disclosure of the same records.
What did the International Chamber of Commerce release in early 2012? - Correct Answer-A policy statement entitled "Cross-border Law Enforcement Access to Company Data - Current Issues Under Data Protection and Privacy Law." It highlights problems that may arise when law enforcement compliance requirements conflict with data protection and privacy commitments, provides analysis of these issues, and offers recommendations for law enforcement bodies facing these challenges.
True/false: there is uncertainty about the extent to which the EU and other jurisdictions will bring enforcement actions