


















































CIPP US EXAM SCRIPT 2026 FULL EVALUATION VERIFIED A+
Typology: Exams



















































◉ Does a consent decree typically admit guilt or wrongdoing? Answer: No.
◉ How are the courts involved in a consent decree? Answer: The document is approved by a judge.
◉ What does a consent decree accomplish? Answer: It formalizes an agreement reached between a federal or state agency and an adverse party.
◉ What are the contents of the consent decree? Answer: It describes the actions that the defendant will take and the decree may be subject to a public comment period.
◉ How much power does a consent decree hold? Answer: Once approved, the consent decree has the effect of a court decision.
◉ In what area has the FTC entered into numerous consent decrees with companies as a result of alleged violations of privacy laws? Answer: COPPA has allowed for several consent decrees, which require violators to pay money to the government and agree not to violate the relevant law in the future.
◉ What services do federal agencies provide? Answer: 1. promulgate rules and enforce them; 2. provide guidance in the form of opinions.
◉ How are agency opinions interpreted and used? Answer: They do not carry the weight of law, but do give specific guidance to interested parties trying to interpret agency rules and regulations.
◉ What is a legally binding agreement enforceable in a court of law? Answer: Contract
◉ What provisions might a privacy contract contain? Answer: Data usage, data security, breach notification, jurisdiction, and damages. (A contract between an EU company and a US data processor might include a provision requiring the US company to be Safe Harbor certified/abide by the framework.)
◉ True/false: Every agreement is a legally binding contract. Answer: False. There are three fundamental requirements for forming a binding contract.
◉ What is consideration? Answer: The legal benefit received by one person and the legal detriment imposed on the other person.
◉ What forms does consideration typically take? Answer: Consideration usually takes the form of money, property or services.
◉ True/False: An agreement without consideration is not a contract. Answer: True.
◉ When may a privacy notice constitute a contract? Answer: If a consumer provides data to a company based on the company's promise to use the data in accordance with the terms of the notice.
◉ What is a tort? Answer: Torts are civil wrongs recognized by law as the grounds for lawsuits. These wrongs are those that result in an injury or harm that constitutes the basis for a claim by the injured party.
◉ What are the goals of tort law? Answer: a. provide relief for damages incurred; b. deter others from committing the same wrongs.
◉ What are the three tort categories? Answer: Intentional torts, negligent torts, and strict liability torts.
◉ What is an intentional tort? Answer: These are wrongs that the defendant knew / should have known would occur through their actions or inactions.
◉ Give an example of an intentional tort. Answer: Intentionally hitting a person or stealing personal information.
◉ What is a negligent tort? Answer: These occur when the defendant's actions were unreasonably unsafe.
◉ Give an example of a negligent tort. Answer: Causing a car accident by not obeying traffic rules or not having appropriate security controls.
◉ What is a strict liability tort? Answer: These are wrongs that don't depend on the degree of carelessness by the defendant, but are established when a particular action causes damage.
◉ What are some examples of strict liability torts? Answer: Product liability torts (concern potential liability for making and selling defective products without the need for the plaintiff to show negligence by the defendant).
◉ Define "person". Answer: An entity with legal rights, including an individual ("natural person") or a corporation ("legal person").
◉ Define "jurisdiction". Answer: Authority of a court to hear a particular case.
◉ What two areas of the case must the court have jurisdiction over? Answer: 1. subject matter jurisdiction; 2. personal jurisdiction.
◉ What is subject matter jurisdiction? Answer: Jurisdiction over the type of dispute / cause of action.
◉ What is personal jurisdiction? Answer: Jurisdiction over the parties (often based on their location).
◉ True/false: Government agencies do not have jurisdictional limits. Answer: False.
◉ Define "preemption". Answer: A superior government's ability to have its laws supersede those of an inferior government.
◉ Give an example of preemption. Answer: The U.S. federal government has mandated that state governments cannot regulate e-mail marketing; the federal CAN-SPAM Act preempts state laws that might impose greater obligations on senders of commercial electronic messages.
◉ Define "private right of action". Answer: Ability of an individual harmed by a violation of a law to file a lawsuit against the violator.
◉ Define "notice". Answer: Description of an organization's information management practices.
◉ What are the two purposes of a notice? Answer: 1. consumer education; 2. corporate accountability.
◉ What does the typical notice contain? Answer: It tells the individual what information is collected, how the information is used and disclosed, how to exercise any choices about uses or disclosures, and whether the individual can access or update the information.
◉ True/false: U.S. privacy laws have additional notice requirements. Answer: True.
◉ Give an example of "opt-in" behavior. Answer: A person opts in if he says yes when asked, "May we share your information?" Failure to answer would result in the information not being shared.
◉ Define "opt-out". Answer: A choice can be implied by the failure of the person to object to the use or disclosure.
◉ Give an example of "opt-out" behavior. Answer: A company says "Unless you tell us not to, we may share your information." The person then has the ability to opt out of the sharing by saying no. Failure to answer would result in the information being shared.
◉ What defines "meaningful" choice? Answer: Where choice is offered, it should be meaningful, which is that it should be based on a real understanding of the implication of the decision.
◉ Define "access". Answer: Access is the ability to view personal information held by an organization.
◉ What can be used to supplement access? Answer: Updates or corrections to the information may be allowed.
◉ What do U.S. laws often require around access? Answer: They often provide for access and correction when the information is used for any type of substantive decision making, such as for credit reports.
◉ At the federal level, which agencies engage in regulatory activities concerning the private sector? Answer: FTC, federal banking regulatory agencies (Consumer Financial Protection Bureau, Federal Reserve, Office of the Comptroller of the Currency), the FCC, DOT, Dept. of Health and Human Services through its Office for Civil Rights.
◉ What role does the Department of Commerce play in privacy? Answer: The DOC doesn't have regulatory authority for privacy, but often plays a role in privacy policy for the executive branch.
◉ What authority does the FTC have re: privacy in the private sector? Answer: General authority to enforce against "unfair and deceptive trade practices."
◉ In which areas does the FTC have specific regulatory authority? Answer: 1. marketing communications; 2. children's privacy.
◉ Who brings privacy-related enforcement actions at the state level? Answer: State Attorneys General
◉ What six questions are necessary to understand a law, statute, or regulation? Answer: 1. Who is covered by this law? 2. What types of information (and what uses of information) are covered? 3. What exactly is required or prohibited? 4. Who enforces the law? 5. What happens if I don't comply? 6. Why does this law exist?
◉ What are some reasons for knowing a law's scope when you don't have to follow it? Answer: 1. the law may suggest good practices that you want to emulate; 2. it may provide an indication of legal trends; 3. it may provide a proven way to achieve a particular result (i.e. protecting individuals in a given situation).
◉ Give an example of a time when the costs of compliance with a law might exceed the risks of noncompliance for a period of time. Answer: If a system is not appropriately compliant with a new law, but is going to be replaced in a few months, a company may decide that the risks of noncompliance outweigh the costs and risk of trying to accelerate the system transition.
◉ In which state was the first security breach notification law enacted? Answer: California.
◉ What does the CA law regulate? Answer: The CA Data Breach Notification Law regulates entities that do business in CA and that own or license computerized data, including PI.
◉ To whom does the CA law apply? Answer: It applies to natural persons, legal persons, and government agencies.
◉ True/false: If you do business only in Montana or NY, you are still subject to this CA law. Answer: False.
◉ Even if you do business in CA, what is required for this law to apply to you? Answer: You must have computerized data.
◉ What does the CA data breach law cover? Answer: It regulates computerized PI of CA residents.
◉ How must disclosure be carried out? Answer: The disclosure must be made "in as expedient a manner as possible."
◉ What is the exception to the CA law? Answer: There is an exception for the good faith acquisition of PI by an employee or agent of the business, provided the PI is not used or subject to further unauthorized disclosure.
◉ When is a delay in providing notice permissible? Answer: When a delay is requested by law enforcement.
◉ Who enforces the CA law? Answer: The CA Attorney General enforces the law.
◉ True/false: The law provides for a private cause of action. Answer: True.
◉ What happens if one doesn't comply with the CA law? Answer: The CA attorney general or any citizen can file a civil lawsuit against you, seeking damages and forcing you to comply.
◉ Why does the CA data notification law exist? Answer: SB 1386 was enacted because there is a fear that security breaches of computerized databases cause identity theft and individuals should be notified about the breach so that they can take steps to protect themselves. If you have a security breach that puts people at real risk of identity theft, you should consider notifying them even if you are not subject to this law.
◉ What is the FTC? Answer: The Federal Trade Commission is an independent agency governed by a chairman and four other commissioners.
◉ True/False: The FTC's decisions are under the president's control. Answer: False.
◉ What authority does the FTC have? Answer: Authority to enforce against "unfair and deceptive trade practices", as well as specific statutory responsibility for issues such as (a) children's privacy online and (b) commercial e-mail marketing.
◉ What are some of the ways that the FTC has played a prominent role in the development of US privacy standards? Answer: The FTC conducts public workshops on privacy issues, and reports on privacy policy and enforcement.
◉ Are there other federal agencies involved in privacy enforcement? Answer: Yes, although the FTC plays a leading role.
◉ What does the Fair Credit Reporting Act allow? Answer: It has a private right of action, which allows a person to sue a company if his consumer reports have been used inappropriately.
◉ What is criminal litigation? Answer: Criminal litigation involves lawsuits brought by the government for violations of criminal laws.
◉ How is criminal litigation different from civil litigation? Answer: Civil litigation involves an effort by a private party to correct specific harms. Criminal prosecution, brought by the government, can lead to imprisonment and criminal fines.
◉ Who prosecutes criminal laws? Answer: Department of Justice in the federal government. For states, the state attorney general and local officials (district attorney) usually have criminal prosecutorial power.
◉ What are administrative enforcement actions? Answer: These are carried out pursuant to the statutes that create and empower an agency, such as the FTC.
◉ Where are the rules found for agency enforcement actions in the federal government? Answer: The Administrative Procedure Act (APA).
◉ What does the APA contain? Answer: The APA sets forth basic rules for adjudication within an agency, where court-like hearings may take place before an administrative law judge.
◉ What is the appeals process for agency enforcement actions? Answer: Federal agency adjudications can generally be appealed to federal court.
◉ True/false: A federal agency may sue a party in federal court, with the agency as the plaintiff in a civil action. Answer: True.
◉ Which agencies are responsible for medical privacy? Answer: Office for Civil Rights in the Department of Health and Human Services (HHS), for the Health Insurance Portability and Accountability Act (HIPAA).
◉ Which agencies oversee financial privacy? Answer: Consumer Financial Protection Bureau for financial consumer protection issues generally; federal financial regulators such as the Federal Reserve and the Office of Comptroller of the Currency, for institutions under their jurisdiction under the Gramm-Leach-Bliley Act (GLBA).
◉ Which agencies are responsible for educational privacy? Answer: Department of Education for the Family Educational Rights and Privacy Act.