Chapter 5 Flashcards

1
Q
  • Telecommunications operators
  • Internet firms
  • Financial institutions that provide online services (e.g., banking institutions, insurance companies, securities companies, and foundations)
  • Cybersecurity product and/or service providers
  • Enterprises that have websites and provide network services
A

Examples of network operators

2
Q

Issued warnings, confiscated illegal income, and penalties of up to RMB one million (about $152,000 USD)

A

Failure to comply with the Cybersecurity Law

3
Q

Approach to privacy protection, particularly in the private sector, is significantly different from the approach taken in Europe and in Canada

A

The United States

4
Q

The only national privacy policies to survive congressional debate have passed into law on a case-by-case basis

A

Sectorial approach to privacy law

5
Q

Requires accurate and relevant data collection by entities that compile CONSUMER REPORTS as well as persons who use consumer reports

A

Fair Credit Reporting Act (FCRA)

6
Q

It gives consumers the ability to access and correct their information and limits the use of consumer reports to permissible purposes

A

Fair Credit Reporting Act (FCRA)

7
Q

FCRA stands for:

A

Fair Credit Reporting Act

8
Q

Factors in establishing a consumer’s eligibility for credit, insurance, employment or other business purpose

A

Purpose of consumer report

9
Q

Any information that pertains to:
1. creditworthiness
2. credit standing
3. credit capacity
4. character
5. general reputation
6. personal characteristics
7. mode of living

and that is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing a consumer’s eligibility for credit, insurance, employment or other business purpose

A

Consumer report

10
Q

Any entity that routinely furnishes consumer reports to third parties for a fee

A

consumer reporting agency (CRA)

11
Q

CRA stands for:

A

consumer reporting agency

12
Q
  1. Provide consumers with access to the information contained in their consumer reports, along with the opportunity to dispute any inaccurate information.
  2. Take reasonable steps to ensure the accuracy of information in the consumer report.
  3. Not report negative information that is outdated. In most cases, this means account data more than seven years old or bankruptcies more than 10 years old.
  4. Provide consumer reports only to entities that have a permissible purpose under the FCRA.
  5. Maintain records regarding entities that received consumer reports and provide consumer assistance as required by Federal Trade Commission (FTC) rules.
A

CRA Requirements

13
Q

Account data more than 7 years old or bankruptcies more than 10 years old

A

Outdated negative report according to FCRA

14
Q
  1. Have a permissible purpose as prescribed by the law
  2. Provide certifications to the CRA that they are accessing the report for a permitted purpose
  3. Notify consumers when adverse actions are taken and limit the types of adverse actions that can be taken as a result of obtaining or reviewing the information contained within a consumer credit report
A

Users of credit report requirements

15
Q

All business, credit, and employment actions affecting consumers that can be considered to have a negative impact as defined, such as denying or canceling credit or insurance, or denying employment or promotion

A

Adverse action

16
Q

Civil and criminal penalties that include significant statutory damages

A

Noncompliance with FCRA

17
Q

FTC and state attorneys general

A

Enforce violations of FCRA

18
Q

HIPAA stands for:

A

Health Insurance Portability and Accountability Act

19
Q

U.S. law that specifically addresses health information privacy

A

HIPAA (Health Insurance Portability and Accountability Act)

20
Q

US national standards for electronic healthcare information transactions

A

HIPAA rules

21
Q
  1. privacy
  2. security
  3. transactions
A

3 subsets of HIPAA rules

22
Q

Minimum standards

A

HIPAA privacy and security rules

23
Q

Any information that identifies, or reasonably could be used to identify, an individual and that relates to the past, present, or future physical or mental health or condition of an individual; the provision of healthcare to an individual; or the past, present, or future payment for the provision of healthcare to that individual

A

personal health information (US)

24
Q
  1. Healthcare providers (e.g., a hospital)
  2. Health plans (a specific program offered by an insurer or other provider)
  3. Healthcare clearinghouses (third-party organizations that host, handle or process medical information)
A

Entities that are directly covered under HIPAA

25
Q

“Business associates” and any other entity that uses or discloses personal health information

A

Entities that are indirectly covered under HIPAA

26
Q

HHS and state attorneys general

A

Enforces HIPAA

27
Q

Both civil and criminal penalties with significant fines and potential prison sentences

A

HIPAA penalties

28
Q

GLBA stands for:

A

Gramm-Leach-Bliley Act

29
Q

To address all sorts of issues regarding mergers and to provide significant privacy and security protections for consumers

A

GLBA (Gramm-Leach-Bliley Act)

30
Q

GLBA protects this information.

It is personally identifiable financial information that is
(1) provided by a consumer to a financial institution
(2) resulting from a transaction or service performed for the consumer, or
(3) otherwise obtained by the financial institution

A

nonpublic financial information

31
Q

US domestic financial institutions, defined to include any U.S. company that is “significantly engaged” in financial activities

A

Application of GLBA

32
Q

A.K.A. Financial Services Modernization Act of 1999

A

GLBA (Gramm-Leach-Bliley Act)

33
Q

Publicly available information and any consumer list that is derived without using personally identifiable financial information

A

Excluded from nonpublic financial information

34
Q
  1. Securely store personal financial information
  2. Give notice of policies regarding the sharing of personal financial information
  3. Give consumers the alternative to opt out of some sharing of personal financial information
A

GLBA (Gramm-Leach-Bliley Act) basic requirements

35
Q
  1. Prepare and provide to customers clear and conspicuous notice of the financial institution’s information-sharing policies and practices. These notices must be given when a customer relationship is established and annually thereafter.
  2. Clearly provide consumers the right to opt out of having their nonpublic personal information shared with nonaffiliated third parties (subject to a number of significant exceptions related largely to the processing of consumer transactions)
A

Under GLBA, U.S.-based financial institutions are required to:

36
Q

FTC and state attorneys general

A

Enforce GLBA (Gramm-Leach-Bliley Act)

37
Q

COPPA stands for

A

Children’s Online Privacy Protection Act of 2000

38
Q

Operators of commercial websites and online services (especially those directed to children under the age of 13), general-audience websites and online services if they have actual knowledge that they are collecting personal information from children under the age of 13

A

COPPA applies to:

39
Q
  1. Post a privacy policy on the site’s homepage and link to the privacy policy on every page where personal information is collected
  2. Provide notice about the site’s information collection practices to parents
  3. Obtain verifiable parental consent before collecting personal information from children
  4. Give parents a choice as to whether their child’s personal information will be disclosed to third parties
  5. Provide parents access and the opportunity to delete the child’s personal information and to opt out of future collection or use of the information
  6. Not condition a child’s participation in a game, contest or other activity on the child’s disclosure of more personal information than is reasonably necessary to participate in that activity
  7. Maintain the confidentiality, security and integrity of personal information collected from children
A

COPPA requirements

40
Q

FTC and state attorneys general

A

Enforce COPPA

41
Q

These US laws relate to specific communications channels and methods such as telemarketing, electronic mail, and fax marketing

A

U.S. Marketing Communications Laws

42
Q

The major point of contrast between U.S. and international approaches to marketing communications

A

Choice

43
Q

Where do laws generally require the consumer to opt in to marketing programs?

A

EU and Canada

44
Q

Where do laws generally require the consumer to opt out of marketing programs?

A

US

45
Q

Apply to for-profit organizations and cover charitable solicitations placed by for-profit telefunders

A

U.S. Telemarketing Sales Rules (TSR)

46
Q
  • Call only between 8 a.m. and 9 p.m.
  • Screen and scrub names against the Do Not Call list (DNC)
  • Display caller ID information
  • Identify themselves and what they are selling
  • Disclose all material information and terms
  • Comply with special rules for prizes and promotions
  • Respect requests to call back
  • Retain records for at least 24 hours
  • Comply with special rules for automated dialers
A

U.S. Telemarketing Sales Rules (TSR) requirements:

47
Q

A means for U.S. citizens to register residential and wireless phone numbers that they do not wish to be called for telemarketing purposes

*** Arose from the TSR

A

National Do Not Call Registry

48
Q

The list and the rules and exceptions associated with Do Not Call list for Canadians fall under

A

Canadian Radio-television and Telecommunications Commission (CRTC)

49
Q

TCPA stands for:

A

Telephone Consumer Protection Act

50
Q

It regulates telemarketing calls, autodialed calls, prerecorded calls, text messages, unsolicited faxes, and so on

A

Telephone Consumer Protection Act (TCPA)

51
Q
  • Obtain prior express written consent from consumers before robocalling them
  • No longer use an “established business relationship” to avoid getting consent from consumers when calling their home phones
  • Provide an automated, interactive opt-out mechanism during each robocall so consumers can immediately opt out of future robocalls
A

TCPA requirements to telemarketers

52
Q

Federal Communications Commission (FCC)

A

Enforces TCPA

53
Q

CAN-SPAM stands for:

A

The Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003

54
Q

Anyone who advertises products or services by email directed to or originating from the United States

A

Application of CAN-SPAM

55
Q

The law covers the transmission of commercial email messages whose primary purpose is advertising or promoting a product or service

A

CAN-SPAM

56
Q

FTC

A

Enforces CAN-SPAM

57
Q

Monetary fines and made subject to the possibility of being responsible for paying damages

A

CAN-SPAM penalties

58
Q
  • Prohibits false or misleading headers
  • Prohibits deceptive subject lines
  • Requires commercial email to contain a functioning, clearly and conspicuously displayed return email address that allows the recipient to opt out of future email from that sender
  • Prohibits sending commercial email (following a grace period of 10 business days) to an individual who has asked not to receive future email
  • Requires all commercial email to include:
    (1) clear and conspicuous identification that the message is an advertisement or solicitation (unless the recipient has provided prior affirmative consent to receive the email),
    (2) clear and conspicuous notice of the opportunity to opt out, and
    (3) a valid physical postal address of the sender
  • Prohibits “aggravated violations” relating to commercial email such as:
    (1) address harvesting and dictionary attacks,
    (2) the automated creation of multiple email accounts, and
    (3) the retransmission of commercial email through unauthorized accounts
  • Requires all commercial email containing sexually oriented material to include a warning label (unless the recipient has provided prior affirmative consent to receive the email)
A

CAN-SPAM requirements

59
Q

The first US state to pass Security Breach Notification Law

A

California: SB 1386

60
Q

One must disclose the breach of any computer system that contains unencrypted personal information of California residents

A

California: SB 1386

61
Q

An individual’s name in combination with any one or more of the following:
(1) social security number
(2) California identification card number
(3) driver’s license number
(4) financial account number or credit or debit card number
in combination with any required security code, access code, or password that would permit access to an individual’s financial account

A

Personal information (California SB 1386)

62
Q

Once it is determined that there has been a breach, the notification must be made “in as expedient a manner as possible” unless law enforcement requests a delay to meet its investigative requirements

A

Notice for California: SB 1386

63
Q

FTC and U.S. state attorneys

A

Enforce unfair trade practices laws/rules

64
Q

States that it is illegal to conduct “unfair or deceptive acts or practices in or affecting commerce”

A

Federal Trade Commission Act

65
Q

Commercial conduct that intentionally causes substantial injury without offsetting benefits and that consumers cannot reasonably avoid; there is no intent requirement

A

Unfair trade practices

66
Q

Commercial conduct that includes false or misleading claims, or claims that omit material facts; there is no intent requirement

A

Deceptive trade practices

67
Q

The act was influenced by the EU’s GDPR and is the most expansive privacy law ever introduced at any level of U.S. governance

A

California Consumer Privacy Act (CCPA)

68
Q

Information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household

A

Personal information (CCPA)

69
Q

For-profit businesses doing business in California that meet one of three thresholds:

  1. Have over $25 million in gross annual revenue
  2. Buy, receive, sell or share for commercial purposes the personal information of more than 50,000 consumers, households or devices
  3. Derive 50% or more of their revenue from the sale of consumers’ personal information
A

Application of Personal information (CCPA)

70
Q
  1. Disclose information about how they collect and use personal information and for what purposes
  2. Refrain from selling the information of a person between the ages of 13 and 16 without their consent and refrain from selling the personal information of persons under 13 without parental consent
  3. Post a conspicuous link on their internet homepage stating “Do Not Sell My Personal Information” if sharing personal information with third parties for valuable consideration, giving consumers the power to opt out
  4. Not discriminate against any person for exercising their rights under the act by increasing fees or lowering the quality of their service
A

California Consumer Privacy Act (CCPA) requirements

71
Q
  1. The right to deletion of their personal data
  2. The right to access personal data that has been collected in the past 12 months
  3. The right to access information about categories of third parties to whom their personal data has been sold for each category of information disclosed
  4. The right to opt out of having personal data sold to third parties
A

Consumer rights under California Consumer Privacy Act (CCPA)

72
Q

2 states that followed California in making comprehensive privacy laws

A

Nevada (Bill 220 Online Privacy Law) and
Maine (Act to Protect the Privacy of Online Consumer Information)

73
Q

European privacy protection is more commonly referred to as

A

Data protection

74
Q

European privacy protection general rule

A

Do not allow any collection or use of personal data unless permitted to do so by law

75
Q

To harmonize and unify the inconsistent landscape of national data protection laws within the EU

A

General Data Protection Regulation (GDPR)

76
Q

No. of member states in the EFTA (European Free Trade Association)

A

3

77
Q

Iceland
Liechtenstein
Norway

A

Member states in the EFTA (European Free Trade Association)

78
Q

No. of member states in the EU (European Union)

A

27 (26 now)

79
Q

No. of member states in the EEA (European Economic Area)

A

30

80
Q

Extends to all member states of the EEA as well as to the UK until the end of the negotiated Brexit transition period

A

Application of GDPR

81
Q

GDPR stands for:

A

General Data Protection Regulation

82
Q

The EU had passed several directives; the most important is:

A

EU Directive or simply “the Directive”

83
Q

The EU counterparts to the roles played by the federal and provincial privacy commissioners in Canada

A

Data protection authorities (DPAs)

84
Q

Civil and criminal enforcement

A

Penalties in EU

85
Q

Data protection authorities (DPAs)

A

Enforces European laws

86
Q

The aim is to create a clearer, more certain, and trustworthy legal environment for both businesses and citizens, which will in turn increase both competition and innovation in the digital market

A

GDPR

87
Q

Any controller or processor of EU citizen data, regardless of where the controller or processor is headquartered and where the actual processing takes place (even if that is outside the EU)

A

Application of GDPR

88
Q
  • A telecommunications organization that offers its goods and services through its EU-based regional offices to EU data subjects
  • A retailer that offers its goods or services to EU data subjects via its online website
  • A marketing agency that monitors the purchasing habits and behaviors of EU data subjects using data-processing techniques to create individual profiles and predict personal preferences, behaviors and attitudes
A

Examples of organizations with headquarters in Canada that will be impacted by the GDPR

89
Q

An important core principle of the GDPR; states that personal data should only be collected for “specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes”

A

Purpose limitation

90
Q

(1) the data subject gives explicit consent

(2) it is needed to perform a contract

(3) it is needed to comply with a legal obligation

(4) it protects the vital interests of the data subject

(5) it performs a task in the public interest

(6) it is “necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.”

A

According to GDPR, processing of data is only lawful if:

91
Q

Interests pursued by the controller or by a third party are overridden by the interests or fundamental rights and freedoms of the data subject

A

Exemption to GDPR; processing of data is lawful if:

92
Q
  1. biometric data
  2. genetic data
  3. data concerning sexual orientation
A

Sensitive personal data (GDPR)

93
Q
  1. racial or ethnic origin
  2. political opinions
  3. religious or philosophical beliefs
  4. trade union membership
A

Data special categories (GDPR)

94
Q

The natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data

A

Controller (GDPR)

95
Q

Body “which processes personal data on behalf of the controller”

A

Processor (GDPR)
