BC - Exam Questions

Question 1

CCPA

California Consumer Privacy Act

Answer 1

Individual data subject rights include rights to:
(1) notice;
(2) access;
(3) deletion;
(4) correct inaccurate information;
(5) opt out of data selling;
(6) limit the use or disclosure of sensitive information; and
(7) not be discriminated against for exercising rights

Significant controller obligations exist, including: (1) prohibition on selling data of anyone under 16 (parental consent may be obtained for 13-16);
(2) disclosure obligations;
(3) adoption of adequate security practices; and
(4) written data vendor contracts

Question 2

4 Risks defined under the E.U.’s Artificial Intelligence Act

Answer 2

Unacceptable risk
High risk
Limited risk and
Minimal risk.

Question 3

Privacy-Enhancing Technology

Answer 3

Privacy-Enhancing Technologies (PETs) are “technologies whose purpose is privacy.” These can take many forms. The most common example is encryption technologies.

While many PETs are software-based, hardware can also be considered a PET, such as an RFID-blocking sleeve for a bank card that prevents the card from being read without your knowledge. Other examples of PETs include the following:
mix networks,
secure multi-party computation,
differential privacy,
anonymous digital credentials,
privacy information retrieval, homomorphic encryption,
secret splitting, and
zero knowledge proofs.

Question 4

A practice or act that results in a substantial injury that could not reasonably be avoided, and
that lacks off-setting benefits, best refers to which of the following?

Answer 4

Unfair

Section 5 of the FTC Act states that “unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful.” It provides the FTC the authority to bring an enforcement action for both “deceptive” and “unfair” trade practices, which cover two separate types of conduct.

Question 5

Acts that involve material misstatements or omissions that are likely to mislead consumers who are acting reasonably under the circumstances best refere to?

Answer 5

Deceptive trade practice or act

Section 5 of the FTC Act states that “unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful.” It provides the FTC the authority to bring an enforcement action for both “deceptive” and “unfair” trade practices, which cover two separate types of conduct.

Question 6

Audit Life Cycle

Answer 6

1. Planning
2. Preparation
3. Conducting the audit
4. Reporting
5. Follow-up

Once the audit is completed in the third step, the results of the audit should be recorded and compiled into a report that identifies weaknesses and steps that can be taken to improve the organization’s privacy practices. After a report is compiled and distributed, the final phase of the audit life cycle involves planning, scheduling, and completing the remedial steps identified in the report, as well as addressing any questions and concerns about the report (e.g., questions about methodology).

Question 7

What U.S. law requires that organizations maintain a link to its privacy notice on the landing page of its website and on any page where certain information is collected?

Answer 7

Children’s Online Privacy Protection Act

The Children’s Online Privacy Protection Act of 1998 (“COPPA”) applies to operators of commercial websites in the United States that are directed toward children. Under COPPA, an operator must provide notice of what information it collects, how it uses that information, and whether that information is disclosed to third parties. Moreover, COPPA calls for operators to maintain a link to its privacy notice on the landing page of its website, as well as on each page where personal information is collected from a child.

Question 8

GCR Tools?
Government, Risk, Complinace

Answer 8

GRC tools are corporate management tools that are not privacy specific but can be relied upon by a privacy team as part of managing an organization’s data protection compliance obligations.

Governance, risk, and compliance tools help facilitate the management of an organization’s overall governance, enterprise risk management and compliance with regulations. They are not necessarily privacy-specific, but can be used as a privacy tech tool to manage an organization’s data management and privacy compliance obligations. On average, according to recent survey data, about 12% of an organization’s privacy budget is spent on purchasing privacy tools and roughly 20% of privacy professionals rely on GRC tools.

Question 9

No-option consent

Answer 9

Obtaining consumer consent may not be appropriate in every situation. The “No Option” form of consumer choice involves situations in which the authority to collect and utilize data is implied from the situation. In its 2012 report on Protecting Consumer Privacy in an Era of Rapid Change, the U.S. Federal Trade Commission adopted the principle that “[c]ompanies do not need to provide choice before collecting and using consumer data for practices that are consistent with the context of the transaction or the company’s relationship with the consumer, or are required or specifically authorized by law.” Some of these “commonly accepted” categories include product fulfillment, fraud prevention, internal operations, legal compliance and public purpose, and most first-party marketing.

Question 10

ISO 29134

Answer 10

The ISO guidelines consist of
a preparing phase,
a performing phase, and
a follow up phase.

Looking at the overall structure of the resulting report of conducting a privacy impact assessment (PIA) falls into the category of the performing phase.
It is an action based on factors discovered during the preparing phase that must be completed prior to following up with audits or other appropriate measures.