Chapter 8: State Laws Flashcards

1
Q

T/F: If a job seeker doesn’t consent to a credit report, it is illegal to reject them based on FCRA?

A

False

2
Q

How many states banned using credit reports in hiring decisions?

A

11 plus DC

3
Q

CFIPA aka

A

SB-1

4
Q

CFIPA

A

California Financial Information Privacy Act

5
Q

CFIPA purpose…

A

Controls sharing of consumer financial information

6
Q

CFIPA requirement for sharing with affiliate

A

Provide notification and allow customers to opt out before sharing data.

7
Q

CFIPA requirement for sharing with non-affiliate 3rd party

A

Express written consent

8
Q

CFIPA discrimination provision

A

May not discriminate against those not providing consent

9
Q

CFIPA penalties

A

Up to $2,500 per violation
$500,000 max per incident
No cap for willful violations

10
Q

CalECPA requirements

A

Warrant to access “electronic communication information”

11
Q

CalECPA Exemptions (2)

A

Access with permission, if recovering stolen property
Emergencies

12
Q

CCPA Personal information categories

A

Name
SSN
Address
IP Address
Email Address
Biometric info
Web browsing history
Geolocation data
Retail transactions
Inferences drawn from such information

13
Q

CCPA preemption exception

A

CCPA doesn’t apply when it is preempted by other laws (CFIPA, HIPAA, GLBA)

14
Q

CCPA Rights (5)

A

Right to Know
Right to Access
Right to Delete
Right to opt-out
Nondiscrimination

15
Q

CCPA Right to know

A

Businesses must notify customers about what they collect and how it is used when it is collected. Also, purpose limitation

16
Q

CCPA Right to Access

A

Consumers have a right to know what information companies have and be able to receive a copy in a portable format

17
Q

CCPA Right to delete

A

Businesses must delete any PI that is collected.
Exceptions: Info needed to complete transactions, detect fraud, legal requirements, and a few others

18
Q

CCPA Right to opt out

A

Businesses that intend to sell PI must give consumers the right to opt out

19
Q

CCPA nondiscrimination

A

People exercising rights must not be treated differently

20
Q

CCPA Private right of action requirements

A

Unauthorized disclosure of unencrypted data.
Must include combo of name and another identifier

21
Q

CCPA Private right of action fines

A

$100-$750 per incident. Actual damages if greater

22
Q

CPRA

A

Passed by voters
Introduces “Sensitive Personal Information”

23
Q

New CPRA rights

A

Correction
Opt-out of automated decision making
Know about automated decision making
Restrict Sensitive personal information

24
Q

CPPA

A

California Consumer Privacy Protection Agency

25
Q

CPPA purpose

A

Enforce CPRA and CCPA

26
Q

CPRA targeted advertising

A

Must regulate the use of PI

27
Q

CPRA Audits and Risk Assessments

A

Required if processing consumer PI poses a significant risk to privacy or security

28
Q

Delaware Online Privacy and Protection Act (DOPPA)

A

Applies to websites accessible to people in Delaware.
Excludes hosting providers.

29
Q

DOPPA requirements

A

Privacy policy
Process to review and update PI
Info about how Do Not Track is handled
Info about 3rd parties collecting PI

30
Q

DOPPA children's protections apply to

A

Anyone under 18

31
Q

DOPPA prohibits advertising ______ to children?

A

Adult products including tanning beds

32
Q

DOPPA rules for book service providers

A

May not share reading habits with the gov’t without a court order

33
Q

Nevada SB 538

A

Website must have privacy policies covering the basics (collection, use, sharing, 3rd parties).
Applies to websites with 20K plus visits

34
Q

Nevada SB 538

A

30 day cure period
Up to $5,000 fine

35
Q

NJ Personal Information and Privacy Protection Act

A

Limits when and how companies scan ID cards.
Also, storage, retention, and destruction

36
Q

NJ PIPA fines

A

$2,500 first offense
Up to $5,000 for the rest

37
Q

Washington Biometric Privacy Law

A

Covers biometric identifiers for Washington residents
Excludes photo and video

38
Q

Washington biometric law use limitations

A

Notice of collection
Consent required to store biometric data

39
Q

Washington Biometric Privacy Law opt-out scenarios

A

People can opt-out of having data disclosed

40
Q

Facebook BIPA fine (2021)

A

$650 million

41
Q

NYDFS

A

Requires financial institutions to implement security controls

42
Q

NYDFS aligned with what standard?

A

NIST CSF

43
Q

NYDFS NIST CSF requirements

A

Hire a CISO
Risk assessments
Pentest
Annual reports on the security program
Annual compliance certification

44
Q

NYDFS breach reporting

A

Required to report to state officials or agencies

45
Q

Washington HB 1149 Bank Card law

A

Businesses that mismanage bank cards causing a breach must pay for replacement

46
Q

TN SB 2005 Breach Notification avoidance

A

If data is encrypted up to federal standards and they can show the keys were not compromised

47
Q

IL Breach notification

A

Must notify if Usernames or emails and passwords are taken

48
Q

CA AB 2828 breach notification

A

Must notify if encrypted data and keys are compromised

49
Q

NM HB 15 Breach notification

A

Encrypted data with keys.
Biometric data

50
Q

MA HB 4806 Breach notification

A

Instructions on how to place credit freeze
Timelines for notification
Must offer credit monitoring

51
Q

Utah Consumer Privacy Act Scope

A

Businesses exceeding $5 Million or processing data of over 100K Utah residents, or 25K residents if data is sold.