Chapter 8: State Laws

Question 1

T/F: If a job seeker doesn’t consent to a credit report, it is illegal to reject them based on FCRA?

Answer 1

False

Question 2

How many states banned using credit reports in hiring decisions?

Answer 2

11 plus DC

Question 3

CFIPA aka

Answer 3

SB-1

Question 4

CFIPA

Answer 4

California Financial Information Privacy Act

Question 5

CFIPA purpose…

Answer 5

Controls sharing of consumer financial information

Question 6

CFIPA requirement for sharing with affiliate

Answer 6

Provide notification and allow customers to opt out before sharing data.

Question 7

CFIPA requirement for sharing with non-affiliate 3rd party

Answer 7

Express written consent

Question 8

CFIPA discrimination provision

Answer 8

May not discriminate against those not providing consent

Question 9

CFIPA penalties

Answer 9

Up to $2,500 per violation
$500,000 max per incident
No cap for willful violations

Question 10

CalECPA requirements

Answer 10

Warrant to access “electronic communication information”

Question 11

CalECPA Exemptions (2)

Answer 11

Access with permission, if recovering stolen property
Emergencies

Question 12

CCPA Personal information categories

Answer 12

Name
SSN
Address
IP Address
Email Address
Biometric info
Web browsing history
Geolocation data
Retail transactions
Inferences drawn from such information

Question 13

CCPA preemption exception

Answer 13

CCPA doesn’t apply when it is preempted by other laws (CFIPA, HIPAA, GLBA)

Question 14

CCPA Rights (5)

Answer 14

Right to Know
Right to Access
Right to Delete
Right to opt-out
Nondiscrimination

Question 15

CCPA Right to know

Answer 15

Businesses must notify customers about what they collect and how it is used when it is collected. Also, purpose limitation

Question 16

CCPA Right to Access

Answer 16

Consumers have a right to know what information companies have and be able to receive a copy in a portable format

Question 17

CCPA Right to delete

Answer 17

Businesses must delete any PI that is collected.
Exceptions: Info needed to complete transactions, detect fraud, legal requirements, and a few others

Question 18

CCPA Right to opt out

Answer 18

Businesses that intend to sell PI must give consumers the right to opt out

Question 19

CCPA nondiscrimination

Answer 19

People exercising rights must not be treated differently

Question 20

CCPA Private right of action requirements

Answer 20

Unauthorized disclosure of unencrypted data.
Must include combo of name and another identifier

Question 21

CCPA Private right of action fines

Answer 21

$100-$750 per incident. Actual damages if greater

Question 22

CPRA

Answer 22

Passed by voters
Introduces “Sensitive Personal Information”

Question 23

New CPRA rights

Answer 23

Correction
Opt-out of automated decision making
Know about automated decision making
Restrict Sensitive personal information

Question 24

CPPA

Answer 24

California Consumer Privacy Protection Agency

Question 25

CPPA purpose

Answer 25

Enforce CPRA and CCPA

Question 26

CPRA targeted advertising

Answer 26

Must regulate the use of PI

Question 27

CPRA Audits and Risk Assessments

Answer 27

Required if processing consumer PI poses a significant risk to privacy or security

Question 28

Delware Online Privacy and Protection Act (DOPPA)

Answer 28

Applies to websites accessible to people in Delaware.
Excludes hosting providers.

Question 29

DOPPA requirements

Answer 29

Privacy policy
Process to review and update PI
Info about how Do Not Track is handled
Infor about 3rd parties collecting PI

Question 30

DOPPA childrens protections apply to

Answer 30

Anyone under 18

Question 31

DOPPA prohibits advertising ______ to children?

Answer 31

Adult products including tanning beds

Question 32

DOPPA rules for book service providers

Answer 32

May not share reading habits with the gov’t without a court order

Question 33

Nevada SB 538

Answer 33

Website must have privacy policies covering the basics (collection, use, sharing, 3rd parties).
Applies to websites with 20K plus visits

Question 34

Nevada SB 538

Answer 34

30 day cure period
Up to $5,000 fine

Question 35

NJ Personal Information and Privacy Protection Act

Answer 35

Limits when and how companies scan ID cards.
Also, storage, retention, and destruction

Question 36

NJ PIPA fines

Answer 36

$2,500 first offense
Up to $5.000 for the rest

Question 37

Washington Biometric Privacy Law

Answer 37

Covers biometric identifiers for Washington residents
Excludes photo and video

Question 38

Washington biometric law use limitations

Answer 38

Notice of collection
Consent required to store biometric data

Question 39

Washington Biometric Privacy Law opt-out scenarios

Answer 39

People can opt-out of having data disclosed

Question 40

Facebook BIPA fine (2021)

Answer 40

$650 million

Question 41

NYDFS

Answer 41

Requires financial institutions to implement security controls

Question 42

NYDFS aligned with what standard?

Answer 42

NIST CSF

Question 43

NYDFS NIST CSF requirements

Answer 43

Hire a CISO
Risk assessments
Pentest
Annual reports on the security program
Annual compliance certification

Question 44

NYDFS breach reporting

Answer 44

Required to report to state officials or agencies

Question 45

Washington HB 1149 Bank Card law

Answer 45

Businesses that mismanage bank cards causing a breach must pay for replacement

Question 46

TN SB 2005 Breach Notification avoidance

Answer 46

If data is encrypted up to federal standards and they can show the keys were not compromised

Question 47

IL Breach notification

Answer 47

Must notify if Usernames or emails and passwords are taken

Question 48

CA AB 2828 breach notification

Answer 48

Must notify if encrypted data and keys are compromised

Question 49

NM HB 15 Breach notification

Answer 49

Encrypted data with keys.
Biometric data

Question 50

MA HB 4806 Breach notification

Answer 50

Instructions on how to place credit freeze
Timelines for notification
Must offer credit monitoring

Question 51

Utah Consumer Privacy Act Scope

Answer 51

Businesses exceeding $5 Million or processing data of over 100K Utah residents, or 25K residents if data is sold.