CIPP/US Practice Questions and Answers (Latest Update 2023) Verified Answers
The U.S. Constitution establishes what three branches of government? - Correct Answer ✅Legislative, Executive, Judicial
What establishes the three branches of the U.S. Government? - Correct Answer ✅The U.S. Constitution
What is the purpose of the three-branch government design? - Correct Answer ✅To provide a separation of powers with a system of checks and balances among the branches.
What similarities are found between state and federal government? - Correct Answer ✅The three branches are also often found at the state and often the local levels.
What is the legislative branch's make-up? - Correct Answer ✅The legislative branch is made up of elected representatives who write and pass laws. It includes the Congress (House and Senate).
What does the legislative branch do? - Correct Answer ✅Congress confirms presidential appointees, and can override vetoes.
What are the duties of the executive branch? - Correct Answer ✅The executive branch's duties are to enforce and administer the law.
Who makes up the executive branch? - Correct Answer ✅The President, Vice President, cabinet, and federal agencies (such as the FTC).
What can the executive branch do? - Correct Answer ✅President appoints federal judges. It can veto laws passed by Congress.
What can the judicial branch do? - Correct Answer ✅The Judicial branch determines whether the laws are constitutional. It also interprets laws, the meaning of a law, and how it is applied. It can also examine the intent behind a law's creation.
What is the judicial branch? - Correct Answer ✅The Federal Courts.
What two parts make up the U.S. Congress?
- Correct Answer ✅The Senate and the House of Representatives (legislative branch)
What can Congress do when enacting legislation? - Correct Answer ✅Congress can delegate the power to promulgate regulations to federal agencies (such as the FTC).
What laws has Congress enacted involving the FTC? - Correct Answer ✅Congress has enacted several laws that give the
Who drafted the Constitution and when? - Correct Answer ✅The Constitutional Convention drafted the Constitution in 1787.
True/False: The U.S. Constitution does not contain the word "Privacy". - Correct Answer ✅True.
Which parts of the Constitution directly affect privacy? - Correct Answer ✅The Fourth Amendment limits on government searches.
Which Supreme Court decisions affect privacy? - Correct Answer ✅The S.C. has held that a person has a right to privacy over personal issues such as contraception and abortion, arising from more general protections of due process of law.
What are other sources of law affecting privacy? - Correct Answer ✅State constitutions may create stronger rights than are provided in the U.S. Constitution.
Which state expressly recognizes a right to privacy in its constitution? - Correct Answer ✅California.
What areas are regulated by laws enacted by federal Congress and state legislatures? - Correct Answer ✅applications of information (use of information for marketing or pre-employment screening), certain industries (such as financial institutions or healthcare providers), certain data elements (SSNs or driver's license info), or specific harms (identity theft or children's online privacy)
How is law-making power distributed in the U.S.? - Correct Answer ✅Law-making power is shared between the national and state governments.
What does the U.S. Constitution say about laws under the Constitution?
- Correct Answer ✅It states that the Constitution, and the laws passed pursuant to it, are "the supreme law of the land."
When do states have the power to make laws? - Correct Answer ✅Where federal law does not prevent it, states have the power to make law.
Which Amendment to the Constitution states "the powers not delegated to the United States by the Constitution, nor prohibited by it to the States, are reserved to the States respectively, or to the people."? - Correct Answer ✅The Tenth Amendment to the Constitution.
What is one area of law where states may pass privacy/other laws with stricter requirements than federal law? - Correct Answer ✅HIPAA medical privacy rule.
In which areas do federal laws pre-empt state laws, preventing states from passing stricter provisions? - Correct Answer ✅Limits on commercial e-mails in the CAN-SPAM Act.
What is the CAN-SPAM Act? - Correct Answer ✅Controlling the Assault of Non-Solicited Pornography and Marketing Act.
Aside from the ability to make and enforce laws and regs, what does the U.S. legal system rely on? - Correct Answer ✅"1. Legal precedent based on court decisions 2. Doctrines implicit in legal precedent 3. Customs and uses of legal precedent"
What are two key areas of the common law? - Correct Answer ✅Contracts and torts.
What regulatory agencies are required by law to issue regulations and rules? - Correct Answer ✅FTC (Federal Trade Commission) or the FCC (Federal Communications Commission).
What do rules and regulations passed by regulatory agencies do? - Correct Answer ✅These rules and regulations place specific compliance expectations on the marketplace.
Does a consent decree typically admit guilt or wrongdoing? - Correct Answer ✅No.
How are the courts involved in a consent decree?
- Correct Answer ✅The document is approved by a judge.
What does a consent decree accomplish? - Correct Answer ✅It formalizes an agreement reached between a federal or state agency and an adverse party.
What are the contents of the consent decree? - Correct Answer ✅It describes the actions that the defendant will take and the decree may be subject to a public comment period.
How much power does a consent decree hold? - Correct Answer ✅Once approved, the consent decree has the effect of a court decision.
In what area has the FTC entered into numerous consent decrees with companies as a result of alleged violations of privacy laws? - Correct Answer ✅COPPA has allowed for several consent decrees, which require violators to pay money to the government and agree not to violate the relevant law in the future.
What services do federal agencies provide? - Correct Answer ✅"1. promulgate rules and enforce them; 2. provide guidance in the form of opinions."
How are agency opinions interpreted and used? - Correct Answer ✅They do not carry the weight of law, but do give specific guidance to interested parties trying to interpret agency rules and regulations.
What is a legally binding agreement enforceable in a court of law? - Correct Answer ✅Contract
What provisions might a privacy contract contain? - Correct Answer ✅data usage, data security, breach notification, jurisdiction, and damages. (A contract b/w an EU company and a US data processor might include provision requiring US co to be safe harbor certified/abide by framework)
True/false: Every agreement is a legally binding contract. - Correct Answer ✅False. There are three fundamental requirements for forming a binding contract.
What are the three factors required to form a contract? - Correct Answer ✅Offer, Acceptance, Consideration.
What is the proposed language to enter into a bargain?
- Correct Answer ✅Offer
Which terms of the offer must be specific and definite? - Correct Answer ✅Price, quantity, and description.
What ends the original offer? - Correct Answer ✅A counteroffer.
What actions must be taken with an offer for it to qualify to form a contract? - Correct Answer ✅The offer must be communicated to another person and remain open until it is accepted, rejected, retracted or has expired.
What is acceptance? - Correct Answer ✅The assent or agreement by the person to whom the offer was made that the offer is accepted.
What requirements must the acceptance meet? - Correct Answer ✅The acceptance must comply with the terms of the offer and must be communicated to the person who proposed the deal.
What is the bargained-for exchange? - Correct Answer ✅Consideration.
What is consideration? - Correct Answer ✅The legal benefit received by one person and the legal detriment imposed on the other person.
What are some current privacy torts? - Correct Answer ✅"a. intrusion on seclusion; b. public revelation of private facts; c. interfering with a person's right to publicity; d. casting a person in a false light."
What is a defense to some of the traditional privacy torts? - Correct Answer ✅The speaker is exercising free speech rights under the First Amendment.
What are some other, more recent, privacy-related torts considered by courts? - Correct Answer ✅Allegations that a company was negligent for failing to provide adequate safeguards for PI, thus causing harm due to disclosure of the data. Lack of adequate safeguards therefore may expose a company to damages under tort law.
Define "person".
- Correct Answer ✅An entity with legal rights, including an individual ("natural person") or a corporation ("legal person")
Define "jurisdiction" - Correct Answer ✅authority of a court to hear a particular case
What two areas of the case must the court have jurisdiction over? - Correct Answer ✅"1. subject matter jurisdiction 2. personal jurisdiction"
What is subject matter jurisdiction? - Correct Answer ✅Jurisdiction over the type of dispute / cause of action.
What is personal jurisdiction? - Correct Answer ✅Jurisdiction over the parties (often based on their location)
True/false: Government agencies do not have jurisdictional limits. - Correct Answer ✅FALSE
Define "Preemption" - Correct Answer ✅A superior government's ability to have its laws supersede those of an inferior government
Give an example of pre-emption. - Correct Answer ✅the U.S. federal government has mandated that state governments cannot regulate e-mail marketing; the federal CAN-SPAM Act preempts state laws that might impose greater obligations on senders of commercial electronic messages.
Define "private right of action" - Correct Answer ✅Ability of an individual harmed by a violation of a law to file a lawsuit against the violator.
Define "Notice" - Correct Answer ✅description of an organization's information management practices.
What are the two purposes of a notice? - Correct Answer ✅"1. consumer education 2. corporate accountability"
What does the typical notice contain? - Correct Answer ✅It tells the individual what information is collected, how the information is used and disclosed, how to exercise any choices about uses or disclosures, and whether the individual can access or update the information.
True/false: U.S. privacy laws have additional notice requirements. - Correct Answer ✅True.
Who can legally enforce the promises made in a company's privacy notice? - Correct Answer ✅Federal Trade Commission and states.
What are two other names for privacy notices? - Correct Answer ✅"a. privacy statements
Financial Protection Bureau, Federal Reserve, Office of the Comptroller of the Currency), the FCC, DOT, Dept. of Health and Human Services through its Office for Civil Rights.
What role does the Department of Commerce play in privacy? - Correct Answer ✅The DOC doesn't have regulatory authority for privacy, but often plays a role in privacy policy for the executive branch.
What authority does the FTC have re: privacy in the private sector? - Correct Answer ✅General authority to enforce against "unfair and deceptive trade practices."
In which areas does the FTC have specific regulatory authority? - Correct Answer ✅"1. marketing communications; 2. children's privacy"
Who brings privacy-related enforcement actions at the state level? - Correct Answer ✅State Attorneys General
On what basis are state privacy enforcement actions brought? - Correct Answer ✅pursuant to state laws prohibiting unfair and deceptive practices.
What role does the State Attorney General serve? - Correct Answer ✅Serves as the chief legal advisor to the state government and as the state's chief law enforcement officer
Which states have successfully pursued privacy actions related to unfair and deceptive practices? - Correct Answer ✅Minnesota and Washington.
Give examples of self-regulatory regimes. - Correct Answer ✅Network Advertising Initiative, Direct Marketing Association, Children's Advertising Review Unit.
True/false: some trade associations issue rules or codes of conduct for members. - Correct Answer ✅True.
Give an example of a regulatory setting where government-created rules expect companies to sign up for self-regulatory oversight. - Correct Answer ✅The Safe Harbor for companies that transfer personal information from the EU to the US.
What six questions are necessary to understand a law, statute, or regulation? - Correct Answer ✅"1. Who is covered by this law? 2. What types of information (and what uses of information) are covered? 3. What exactly is required or prohibited? 4. Who enforces the law? 5. What happens if I don't comply? 6. Why does this law exist?"
What are some reasons for knowing a law's scope when you don't have to follow it? - Correct Answer ✅"1. the law may suggest good practices that you want to emulate 2. it may provide an indication of legal trends 3. it may provide a proven way to achieve a particular result (i.e. protecting individuals in a given situation)"
Give an example of a time when the costs of compliance with a law might exceed the risks of noncompliance for a period of time. - Correct Answer ✅If a system is not appropriately compliant with a new law, but is going to be replaced in a few months, a company may decide that the risks of noncompliance outweigh the costs and risk of trying to accelerate the system transition.
What is the exception to the CA law? - Correct Answer ✅There is an exception for the good faith acquisition of PI by an employee or agent of the business, provided the PI is not used or subject to further unauthorized disclosure.
When is a delay in providing notice permissible? - Correct Answer ✅When a delay is requested by law enforcement.
Who enforces the CA law? - Correct Answer ✅The CA Attorney General enforces the law.
True/false: the law provides for a private cause of action. - Correct Answer ✅True.
What happens if one doesn't comply with the CA law? - Correct Answer ✅The CA attorney general or any citizen can file a civil lawsuit against you, seeking damages and forcing you to comply.
Why does the CA data notification law exist? - Correct Answer ✅SB 1386 was enacted because there is a fear that security breaches of computerized databases cause identity theft and individuals should be notified about the breach so that they can take steps to protect themselves. If you have a security breach that puts people at real risk of identity theft, you should consider notifying them even if you are not subject to this law.
What is the FTC? - Correct Answer ✅The Federal Trade Commission is an independent agency governed by a chairman and four other commissioners.
True/False: The FTC's decisions are under the president's control. - Correct Answer ✅FALSE
What authority does the FTC have? - Correct Answer ✅Authority to enforce against "unfair and deceptive trade practices", as well as specific statutory responsibility for issues such as (a) children's privacy online and (b) commercial e-mail marketing.
What are some of the ways that the FTC has played a prominent role in the development of US privacy standards? - Correct Answer ✅The FTC conducts public workshops on privacy issues, and reports on privacy policy and enforcement.
Are there other federal agencies involved in privacy enforcement? - Correct Answer ✅Yes, although the FTC plays a leading role.
What is civil litigation? - Correct Answer ✅Civil litigation occurs in the courts, when one person (plaintiff) sues another person (defendant) to redress a wrong. Plaintiff often seeks monetary judgment from defendant. Plaintiff may also seek an injunction.
What is an injunction?
- Correct Answer ✅A court order mandating the defendant to stop engaging in certain behaviors. May be awarded to plaintiff in civil litigation.
What are important categories of civil litigation? - Correct Answer ✅Contracts and torts.
Describe a possible civil litigation scenario involving contracts. - Correct Answer ✅A plaintiff might sue for breach of a contract that promised confidential treatment of personal information.
Describe a possible civil litigation scenario involving torts. - Correct Answer ✅A plaintiff might sue for invasion of privacy where defendant surreptitiously took pictures in a changing room and broadcast the pictures to the public.
Do privacy rights ever create private rights of action? - Correct Answer ✅Yes, and this allows an individual plaintiff to sue based on violations of the statute.
What does the Fair Credit Reporting Act allow? - Correct Answer ✅It has a private right of action, which allows a person to sue a company if his consumer reports have been used inappropriately.
Which agencies are responsible for workplace privacy? - Correct Answer ✅Equal Employment Opportunity Commission for the Americans with Disabilities Act and other anti-discrimination statutes.
Which agency plays a leading role in federal privacy policy development and administers the Safe Harbor agreement between the US and EU? - Correct Answer ✅Department of Commerce.
Which federal department has been increasingly active in privacy, negotiating internationally on privacy issues with other countries/multinational groups such as the UN and OECD? - Correct Answer ✅State Department.
Which agency is responsible for transportation companies under its jurisdiction and for enforcing violations of Safe Harbor agreement between US and EU? - Correct Answer ✅Department of Transportation.
What is the name of the lead agency for interpreting the Privacy Act of 1974?
- Correct Answer ✅US Office of Management and Budget (OMB)
What are some of the other functions of the OMB? - Correct Answer ✅OMB also issues guidance to agencies and contractors on privacy and information security issues, such as data breach disclosure and privacy impact assessments.
To which agencies does the Privacy Act of 1974 apply? - Correct Answer ✅federal agencies and private sector contractors to those agencies.
Which Department is subject to privacy rules concerning tax records, including disclosures of such records in the private sector? - Correct Answer ✅Internal Revenue Service (IRS)
Describe one way in which other parts of the Department of Treasury are also involved with financial records issues. - Correct Answer ✅They are involved in money-laundering rules at the Financial Crimes Enforcement Network.
What are some of the privacy issues faced by the Department of Homeland Security? - Correct Answer ✅E-Verify program for new employees, rules for air traveler records (Transportation Security Administration), and immigration and other border issues (Immigration and Customs Enforcement)
What agencies are affected by the increasing development of smart grid? - Correct Answer ✅Smart grid development is making privacy an important issue for the electric utility system, involving the Department of Energy.
Which agency is affected by the increasing use of Unmanned Aerial Vehicles (drones)? - Correct Answer ✅The surveillance implications have raised issues for the Federal Aviation Administration (FAA).
True/false: Almost every agency in the federal government is or may soon become involved with privacy in some manner within that agency's jurisdiction. - Correct Answer ✅True.
What is the sole federal agency to bring criminal enforcement actions which can result in imprisonment or criminal fines?
- Correct Answer ✅Department of Justice.
Name one statute that provides for both civil and criminal enforcement - Correct Answer ✅HIPAA.
Where a statute provides for both civil and criminal enforcement, how is jurisdiction apportioned? - Correct Answer ✅Procedures exist for the roles of both HHS and the Department of Justice (in HIPAA's case).
When was the FTC founded? - Correct Answer ✅1914
For what purpose was the FTC founded? - Correct Answer ✅FTC was founded to enforce antitrust laws.
What changes to the FTC mission were effected in 1938? - Correct Answer ✅a statutory change caused the FTC mission to shift to a consumer protection focus.
True/False: today, the FTC focuses on both antitrust law enforcement, and consumer protection - Correct Answer ✅True.
Until the creation of which agency did the FTC issue rules and guidance for the Fair Credit Reporting Act and Gramm-Leach-Bliley Act? - Correct Answer ✅Consumer Financial Protection Bureau (CFPB)
What amended the Fair Credit Reporting Act? - Correct Answer ✅The Fair and Accurate Credit Transactions Act of 2003.
What authorities does the CFPB hold? - Correct Answer ✅Authority to issue rules and guidance for the FCRA and GLBA, and shares enforcement authority with the FTC for financial institutions that are not covered by a separate financial regulator.
Who is the rule-making and enforcement agency for COPPA? - Correct Answer ✅FTC.
With which agency does the FTC share rule-making and enforcement power under the Telemarketing Sales Rule and the CAN-SPAM Act? - Correct Answer ✅The FCC.
With which agency does the FTC share rule-making and enforcement power for data breaches related to medical records under the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009? - Correct Answer ✅HHS.
Describe the FTC's regulation-issuing authority.
- Correct Answer ✅The FTC has general authority to issue regulations to implement protections against unfair and deceptive acts and practices.
Because the FTC's regulations re: unfair and deceptive acts are not promulgated under the usual procedures of the Administrative Procedure Act, describe how they are handled? - Correct Answer ✅Any such regulation must comply with the more complex and lengthy procedures under the Magnuson-Moss Warranty Federal Trade Commission Improvement Act of 1975.
True/false: as of recently, the FTC has not put forth any privacy or information security regulation under its Magnuson-Moss authority. - Correct Answer ✅True.
Describe the situation surrounding FTC and the APA rule-making authority. - Correct Answer ✅FTC has supported congressional proposals to provide the FTC with APA rule-making authority; such proposals have not been successful to date, in part due to opposition from companies that are against increased regulation.
What begins the typical FTC enforcement action? - Correct Answer ✅A claim that a company has committed an unfair or deceptive practice OR has violated a specific consumer protection law.
In what ways can the enforcement action be brought to the FTC's attention? - Correct Answer ✅"1. press reports covering the questionable practices 2. complaints from consumer groups or competitors"
What options might the FTC exercise if the complaint is minor? - Correct Answer ✅FTC may work with the company to resolve the problem without launching a formal investigation.
In what situations will the FTC proceed to full enforcement? - Correct Answer ✅Where the violation is significant or there is a pattern of noncompliance.
What are some actions allowed under the FTC's broad investigative authority? - Correct Answer ✅"1. subpoenas of witnesses 2. civil investigative demands 3.
requirements for businesses to submit written reports under oath"
What may the commission do after an investigation? - Correct Answer ✅The commission may initiate an
guidance about what practices the FTC considers inappropriate.
Once an individual or company has agreed to a consent decree, what can violations of that decree lead to? - Correct Answer ✅Following an FTC investigation, it can lead to enforcement in the federal district court, including civil penalties as discussed above.
What can the federal court grant? - Correct Answer ✅It can grant injunctions and other forms of relief.
Which FTC division monitors and litigates violations of consent decrees in cooperation with the Department of Justice? - Correct Answer ✅The FTC's Enforcement Division within the Bureau of Consumer Protection.
True/false: Consent decree terms vary depending on the violation. - Correct Answer ✅TRUE
What does the consent decree usually state? - Correct Answer ✅What affirmative actions the respondent needs to take and which practices the respondent must refrain from engaging in.
What does the consent decree require of the respondent? - Correct Answer ✅To maintain proof of compliance with the decree; inform all related individuals of the consent decree obligations; provide the FTC with confirmation of its compliance with the decree; inform the FTC if company changes will affect the respondent's ability to adhere to its terms.
Can FTC respondents face civil penalties for noncompliance with a consent decree? - Correct Answer ✅Yes.
What are companies increasingly subjected to or required to do re: privacy cases? - Correct Answer ✅Companies are subject to periodic outside audits or reviews of their practices, or they may be required to adopt and implement a comprehensive privacy program.
True/False: Over time, consent decrees have become more specific in nature. - Correct Answer ✅True.
What do the company and FTC have incentive to do? - Correct Answer ✅Both have incentives to negotiate a consent decree rather than proceed with a full adjudication process.
Why would the company have incentives to negotiate? - Correct Answer ✅The company avoids a prolonged trial, as well as negative, ongoing publicity; it also avoids the details of its business practices being exposed to the public.
Why would the FTC have incentives to negotiate? - Correct Answer ✅It (1) achieves a consent decree that incorporates good privacy and security practices, (2) avoids the expense and delay of a trial, and (3) gains an enforcement advantage, due to the fact that monetary fines are much easier to assess in federal court if a company violates a consent decree.
What methods were used before the FTC began to use consent decrees in privacy cases? - Correct Answer ✅the FTC's Bureau of Consumer Protection negotiated such decrees for other consumer protection issues under Section 5 of the FTC Act.
True/false: Review of nonprivacy decrees can be instructive for lawyers or others who seek to understand the FTC's approach to and priorities for consumer protection consent decrees. - Correct Answer ✅True.
What motivated the FTC and Commerce Department to begin convening public workshops and conducting other activities to highlight the importance of privacy protection on websites? - Correct Answer ✅An increase in commercial activity on the Internet that became significant in the mid-1990s.
When did organizations begin to post public privacy notices on their websites? - Correct Answer ✅Mid-1990s.
parental or guardian consent before collecting information from children 12 years of age or under.
When did FTC bring an action against Eli Lilly & Co? - Correct Answer ✅2004
What are the facts of Eli Lilly & Co case? - Correct Answer ✅Eli Lilly is a pharmaceutical manufacturer that maintained a website where users would provide PI for messages and updates reminding them to take their medication. The website included a privacy notice that made promises about the security and privacy of the info provided. When Eli Lilly ended the program, it sent subscribers an e-mail announcement, inadvertently addressed to and revealing the e-mail addresses of all subscribers.
What was the basis of the enforcement action against Eli Lilly by the FTC? - Correct Answer ✅It resulted in settlement terms, which required Eli Lilly to adhere to representations about how it collects, uses and protects user information. It also required, for the first time in an online privacy and security case, that Eli Lilly develop and maintain an information privacy and security program.
Before the Eli Lilly case, what had the FTC required of companies? - Correct Answer ✅Only that they stop the current unfair and deceptive practices; after the settlement, it became clear that the scope of settlement terms had expanded to include implementation and evaluation of security programs.
When did the FTC bring an enforcement action against Microsoft Corp? - Correct Answer ✅In 2002.
What was the basis of the FTC action against Microsoft? - Correct Answer ✅The action concerned MS's security representations about info collected through its "passport" website service. FTC alleged that representations of high level online security were misleading because the security of the PI was within the control, not of MS, but of MS's vendors and biz partners.
FTC also asserted that the Passport service collected and shared more info than disclosed in its privacy notice and claimed that the access controls for the children's website were inadequate.
What are the facts of the Microsoft action? - Correct Answer ✅MS Passport was an online service that allowed customers to use single sign-in to access multiple web services. MS made claims about the high level of security used to protect users' personal and financial information, as well as Passport's parental controls for its children's services.
How did the Microsoft action resolve? - Correct Answer ✅MS settled the action with the FTC. MS was prohibited from making future misrepresentations about the security and privacy of its products and was required to adopt and implement a comprehensive info sec program. MS was required to undergo a biannual third-party audit to ensure compliance with its program terms.
What is the focus of early privacy and security enforcement actions? - Correct Answer ✅Deceptive practices
What did the FTC add to its enforcement scope in 2004? - Correct Answer ✅Unfair practices, as well as the previously enforced deceptive practices.
Where is the scope of the term "unfairness" clarified? - Correct Answer ✅In a 1980 policy statement and in 1994 amendments to the FTC Act.
What three things are required for an injury to be considered "unfair"? - Correct Answer ✅The injury caused must be (1) substantial, (2) without offsetting benefits, and (3) one that consumers cannot reasonably avoid.
What was the first instance of the FTC basing an enforcement action on a company's material change to its PI-handling practices, as well as the first privacy case based on unfairness? - Correct Answer ✅In the matter of Gateway Learning Corp, in 2004.
What are the facts of Gateway?
- Correct Answer ✅Gateway Learning Corporation marketed and sold popular educational aids under the "Hooked on Phonics" product line. Its website privacy notice stated that Gateway Learning would not sell, rent or loan any PI without explicit customer consent. It also stated that Gateway would provide consumers with an opportunity to opt out of having their info shared in this
privacy policies with the launch of its Google Buzz social networking service.
What are the facts of the Google case? - Correct Answer ✅Google Buzz was a social networking service integrated with Google's e-mail service, Gmail. When it launched, consumers were automatically enrolled in Buzz services without having to provide consent. Buzz also exposed PI harvested from Gmail to the public without making this clear to users. These actions conflicted with Google's privacy notice on its site.
What were the FTC assertions in their charges? - Correct Answer ✅FTC alleged that automatic enrollment without prior notice and explicit consent was a deceptive trade practice. It also asserted that Google was in violation of the US-EU Safe Harbor Framework, which provides a method for US companies to transfer personal data from the EU to the US in compliance with EU data protection requirements.
Name one reason the Google settlement was noteworthy. - Correct Answer ✅This consent decree was the first in which a company agreed to implement a "comprehensive privacy program." As of 2012, it was not clear what exact elements a "comprehensive" program should contain. However, the term "comprehensive" seems to signal that the FTC believes privacy should be thoroughly integrated with product development and implementation. To enforce, Google agreed to undergo independent third-party privacy audits on a biannual basis.
Name a second reason the Google settlement was noteworthy. - Correct Answer ✅The Google consent decree was the first substantial US-EU Safe Harbor enforcement by the FTC. Complaint stated that Google had represented it would use PI only for the purposes for which it was initially collected or consented to by users. The complaint stated that Google violated Section 5 and failed to live up to its promise to comply with the notice and choice principles of Safe Harbor.
When did the FTC settle an enforcement action for deceptive practices with Facebook? - Correct Answer ✅2011
What did the FTC's 8-count complaint allege, among other things, against Facebook? - Correct Answer ✅FB deceived consumers by repeatedly making changes to services so that information designated as private was made public. This violated promises FB made in its privacy notice.
What did the FB settlement require? - Correct Answer ✅Required FB to provide users with clear notice and obtain user consent before making retroactive changes to material privacy terms, and barred FB from making any further deceptive privacy claims. FB was also required to establish and maintain a comprehensive privacy program. FB must obtain biannual independent third-party audits of its privacy program for the next 20 years.
What does the FB case indicate? - Correct Answer ✅Broader government efforts to hold companies accountable for information handling practices.
In what year did the Obama administration issue a report titled "Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy" - Correct Answer ✅Early 2012.
What report did the FTC issue that, together with the Obama framework, illustrates the evolution from earlier methods of privacy enforcement to current approaches?
- Correct Answer ✅"Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers."
What was the FTC's primary method of enforcement used in the late 1990s? - Correct Answer ✅"notice and choice approach" - emphasis was placed on having companies provide privacy notices on their websites and offering choice to consumers about whether info would be shared with third parties. Enforcement actions were based on deception and the failure to comply with a privacy promise rather than specific, tangible harm to consumers.
What enforcement method was adopted by Chairmen Muris and Majoras in the mid-2000s? - Correct Answer ✅"harm-based model" - used in the Gateway and BJ's cases; placed new emphasis on addressing substantial injury, as required under the FTC's unfairness authority.
What does the Obama report recommend re: these 7 rights? - Correct Answer ✅That they be included in federal legislation with the use of multistakeholder processes to develop enforceable codes of conduct until legislation is passed, emphasizing achieving international interoperability, including with trans-border cooperation on privacy enforcement (utilizing FTC).
What 3 areas does the FTC emphasize as themes? - Correct Answer ✅1. Privacy by Design; 2. Simplified consumer choice; 3. Transparency.
Privacy by Design is what? - Correct Answer ✅Companies should promote consumer privacy throughout their org and at every stage in the development of their products and services. Companies should incorporate substantive privacy protections into their practices, such as data security, reasonable collection limits, sound retention and disposal practices, and data accuracy.
What is Simplified Consumer Choice?
- Correct Answer ✅Companies should simplify consumer choices; they don't need to provide choice before collecting and using consumer data for practices that are consistent with the context of the transaction or the company's relationship with the consumer, or are required or specifically authorized by law. Where appropriate, companies should offer the choice at a time and in a context in which the consumer is making a decision about his/her data.
When should companies obtain affirmative express consent? - Correct Answer ✅Before (1) using consumer data in a materially different manner than claimed when the data was collected, or (2) collecting sensitive data for certain purposes.
What is Transparency? - Correct Answer ✅Privacy notices should be clearer, shorter and more standardized to enable better comprehension and comparison of privacy practices. Companies should provide reasonable access to the consumer data they maintain; the extent of access should be proportionate to the sensitivity of the data and the nature of its use.
What are the FTC's five priority areas for attention? - Correct Answer ✅1. Do Not Track; 2. Mobile; 3. Data Brokers; 4. Large platform providers; 5. Promoting enforceable self-regulatory codes.
What does "do not track" encompass? - Correct Answer ✅The FTC has encouraged industry to create a mechanism for consumers to signal if they do not wish to be tracked for online behavioral advertising purposes.
True/false: the FTC encourages greater self-regulation around location and other mobile-related services. - Correct Answer ✅True.
What is the FTC's priority around Data brokers?
- Correct Answer ✅The FTC supports targeted legislation to provide consumers with access to info held about them by data brokers who are not already covered by the Fair Credit Reporting Act.
Explain the FTC's prioritization of large platform providers. - Correct Answer ✅The FTC is examining special issues raised by very large online companies that may do what the FTC calls "comprehensive" tracking.
What provisions do most states have in place? - Correct Answer ✅Each state has a law roughly similar to Section 5 of the FTC Act, commonly known as Unfair and Deceptive Acts and Practices (or UDAP) statutes.
In addition to covering unfair and deceptive practices, what do some state statutes allow? - Correct Answer
What are three ways that self-regulation can occur? - Correct Answer ✅It can occur through the 3 traditional separation of powers components: legislation, enforcement and adjudication.
To what does legislation in self-regulation refer? - Correct Answer ✅Legislation refers to the question of who should define appropriate rules for protecting privacy.
To what does enforcement in self-regulation refer? - Correct Answer ✅Enforcement refers to the question of who should initiate enforcement actions.
To what does adjudication in self-regulation refer? - Correct Answer ✅Adjudication refers to the question of who should decide whether a company has violated the privacy rules and with what penalties.
True/False: For enforcement under Section 5 of the FTC Act or state UDAP laws, self-regulation only occurs at the legislation stage. - Correct Answer ✅True.
Describe how self-regulation occurs under Section 5 of the FTC Act. - Correct Answer ✅A company writes its own privacy policy or an industry group drafts a code of conduct that companies agree to follow.
Under Sec 5, the FTC can then decide whether to bring an enforcement action, and adjudication can occur in front of an administrative law judge, with appeal to federal court. Although it's called "self-regulation", a government agency is involved at the enforcement and adjudication stage.
Give an example of a self-regulatory system that goes through all 3 stages without government agency involvement. - Correct Answer ✅The PCI DSS provides an enforceable security standard for PCI; the rules were drafted by the Payment Card Industry Security Standards Council, which built on previous rules written by the various credit card companies. Compliance with the standard requires hiring a third party to conduct security assessments and detect violations; failure to comply can lead to exclusion from Visa, MasterCard or other major payment card systems, as well as penalties of $5,000 to $100,000 per month.
Give examples of third-party privacy seal and certification programs that provide assurances that companies are complying with self-regulatory programs. - Correct Answer ✅TRUSTe, Better Business Bureau.
True/false: The US - EU Safe Harbor Framework requires participating companies to name a compliance third party. - Correct Answer ✅TRUE
COPPA authorizes the FTC to confirm what? - Correct Answer ✅That certification programs are in compliance with the law.
What is the DAA and how does its icon program serve as a self-regulatory effort? - Correct Answer ✅Digital Advertising Alliance is a coalition of media and advertising organizations; it developed an icon program to inform consumers about how they can exercise choice with respect to online behavioral advertising.
True/false: The future of the DAA's self-regulatory program is closely linked to ongoing policy debates about whether and how a Do Not Track program will be instituted. - Correct Answer ✅True.
Is the US moving closer to the EU model of external regulation or closer to the self-regulatory model? - Correct Answer ✅self-regulatory model, which allows the industry with greater expertise about their systems to create, establish and enforce the rules. The White House emphasizes a multistakeholder approach, including the consumer groups and other stakeholders outside the industry.
Name one trend and one example of cross-border enforcement. - Correct Answer ✅Trend: enforcement agencies in different countries must engage in closer cooperation. Example: In 2007, the OECD adopted the Recommendation on Cross Border Co-operation in the Enforcement of Laws Protecting Privacy.
compliance requirements conflict with data protection and privacy commitments, provides analysis of these issues, and recommendations for law enforcement bodies facing these challenges.
True/false: there is uncertainty about the extent to which the EU and other jurisdictions will bring enforcement actions against companies that operate only in the US. - Correct Answer ✅True.
Which companies are subject to the EU data laws? - Correct Answer ✅Companies with assets and employees in the EU, who also operate in the EU, are subject to the EU data protection laws.
What does the 1998 Data Protection Directive say about whether a non-EU company is subject to enforcement there? - Correct Answer ✅It is ambiguous. Companies wishing to transfer data from the EU to the US have various lawful options. They - and other multinational corporate entities with a presence in Europe - may draft binding corporate rules (BCR), subject to review and authorization by member states.
What are other options for multinational corporations with an EU presence? - Correct Answer ✅Participation in the US - EU Safe Harbor program; using contracts for data export that have been approved by a data protection authority.
Where are the limits on trans-border data flows found? - Correct Answer ✅In Articles 25 and 26 of the Data Protection Directive.
What did the EU Council introduce in early 2012? - Correct Answer ✅A draft Data Protection Regulation with provisions that would replace the Data Protection Directive.
What does Article 3 of the draft Data Protection Regulation suggest? - Correct Answer ✅It has language suggesting that EU law applies to online sellers who operate only in the US: "The Regulation applies where processing activities are related to (a) the offering of goods or services to such data subjects in the Union, or (b) the monitoring of their behavior; this Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where the national law of a Member State applies by virtue of public international law."