CIPP/US Flashcards
Laws Requiring Opt-In
COPPA - parent consent to collect/use/disclose child PI
HIPAA - marketing (except promo gifts & face-to-face convo), psychotherapy notes (exceptions), disclosure to 3rd party (exceptions)
NOT - TPO, emergency, legal
FCRA - employment/background use of consumer report, investigative report, non-permissible purpose
VPPA - before disclose to third party
GDPR - for marketing, sensitive D
TCPA - DNC list and…(telemarket = written)…
(i) Prerecorded - wireless (telemarketing & info), residential (telemarketing, NOT info)
(ii) Robo-call/text - wireless (telemarketing & info), residential (telemarketing)
(iii) EXCEPT - politics, survey, charity, gov, emergency, package delivery
FERPA - from parent/student before disclosure to third parties (exceptions - school officials, other schools, directory info, emergency, law, fin aid, gov audit, studies)
FTC - Material change privacy notice
States - sensitive data
CCPA - selling PI of 13-16 yr old, collecting under 13 yr old
BIPA - collecting/using
Laws Requiring Opt-Out
GLBA - transfer to unaffiliated 3rd party for their use (no required opt-in to share w/ affiliates)
VPPA - if using for marketing after initial consent
CAN-SPAM - emails
Do-not-call rules allow opt-out
FCRA - opt-out for sharing among affiliates for marketing
COPPA - parents can opt-out
TCPA - opt-out required for robocalls, texts, faxes
HIPAA - opt-out for fundraising/marketing
GDPR - opt-out of activities (e.g. direct marketing)
DPPA - marketing, non-permissible purpose
CCPA - opt-out of sale/sharing (Do Not Sell/Share my PI link)
VA/CO/CT/UT - opt-out for certain processing (targeted ads, data sales)
Jurisdiction
Court (to hear issue) - subject matter J & personal J
General authority - over field of activity
Specific authority - singular activities outlined
Both - FTC general UDAP, specific COPPA
Sectoral (GLBA/FCRA/HIPAA); broad (FTC/UDAP); geographic (CPA/state UDAP)
Key Regulators
FTC, FCC, DoC, HHS, Banking (Fed Reserve Board, Comptroller of Currency/OCC), state AGs, state data protection agencies (GDPR/CA), self-regulatory systems; DOS; DOC; DOT; FAA; NHTSA; OMB; IRS; DHS; TSA; ICE; DOE; DOJ
Law Scope & Application of Laws
Who covered; what types of info; what is required; prohibitions; enforcers; penalties; purpose; preemption; etc.
Civil Liability
Contract; statutory; tort (intentional, negligent, & strict liability)
4 Privacy Torts + privacy negligence
- Intrusion on seclusion
- Public revelation of private fact
- Interfere w/ right of publicity
- False light (casting in a false light)
Negligence - failure to maintain adequate safeguards for PI, causing harm due to disclosure
FTC Jurisdiction
All areas of commerce (NOT non-profit or certain regulated industries like banks)
Cases = cybersecurity unfairness; hacks
Specific = COPPA, HITECH, FCRA, CAN-SPAM
Broad - Section 5, UDAP
NO J = common carriers engaging in common carrier duties
FTC UDAP
- Promise level of security & don’t fulfill
- Material misstatement or omission
- Fail to comply w/ representations
- Fail reasonable security measures
- Failure to monitor employee access
- Failure to secure sensitive data
- Fail to disclose breach
- Internal governance failures to notify GC/execs
FTC monetary damages
- Monetary relief if violate C&D
- SCOTUS 2001 AMG Capital - FTC no monetary relief under FTC Act/13(b), only injunctions
- Statutes providing monetary relief - COPPA, TSR
- Fed/state partnerships to get monetary relief
FTC rule making authority
- General authority for rules on UDAP (not normal APA?), must establish prevalence of acts, UDAP & economic effect
- Magnuson-Moss Warranty
FTC enforcement processes
- Investigation authority - subpoena, civil investigation, reports under oath
- Complaint - administrative trial before ALJ, appeal before 5 commissioners, appeal to fed court
- Consent orders/decrees - settlement, no admit fault, proof of compliance, audits, etc.
Data inventory
- Types, sources, uses, collection, disclosure of PI
- Lifecycle (creation, storage, sharing, use, archive, deletion)
- Customer D, employee D, B2B D?
Data classification
- Classic categories = public, confidential, proprietary, sensitive, restricted, etc.
- Considerations - level of sensitivity, protection, who has access, location, segregated from other D (as needed), etc.
Data flow mapping
General - what D, where, why, which systems connect/use, process for handling D
Top-down (GDPR) - record of processing activities, document purpose of processing, parties who PI disclosed, retention, safeguards
Bottom-up - data, inventory & classify, describe process, document lineage of data & metadata
4 Steps of info management
- Discover environment/goals/regs
- Build policies/experts/procedures
- Communicate w/ internal/external stakeholders
- Evolve to changes in law/tech/market/other
Privacy Policy (internal)
Implement company policy; inform employees; compliance; penalties; operations.
Multiple for defined divisions or lines of business
Privacy Policy (external)
Informs customers/users/employees on D collection, use, storage, sharing/disclosure, how to exercise choices
Statutory requirements - GLBA, etc.
Accessibility - online or physical biz copy; GLBA annual w/ clear opt-out notice; notice on revision; long v. short versions; notice at/before collection
Deceptive/contract to violate; dated/version
Data breach readiness assessment
Level of risk, likelihood and severity of breach, type and nature of data, technical safeguards, impact on data subject, possibility of damage, etc.
Security
Key controls - administrative, technical, physical
Established controls - firewalls, encryption, levels, etc.
NIST Cyber framework (6 key principles)
- Identify - people, systems, data, capabilities
- Protect/safeguard
- Detect/identify
- Incident/anomalies
- Respond
- Recover
Opt-out scope & mechanism
- By channel (calls, emails, etc.)
- Channel of marketing = channel for opt-out
- CAN-SPAM - requires online opt-out (no mail/call)
- GLBA - apply opt-out regardless of media used
- Third parties should honor opt-out to main party
Implied authority/opt-in
2012 FTC report - no choice needed if consistent w/ context of transaction, company relationship w/ consumer, etc.
Employee training
HIPAA requires - sensitive data; keep records of who is trained.