Brainscape's Knowledge GenomeTM

Browse over 1 million classes created by top students, professors, publishers, and experts.


See full index

CIPP-US > Data Privacy and Security Laws > Flashcards

Data Privacy and Security Laws Flashcards

6-8 questions

1
Q

What states have state comprehensive privacy laws?

A

California, Colorado, Connecticut, Utah and Virginia

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

What are distinctions of CA’s comprehensive state privacy law?

A
  • defines several terms using a broad brushstroke, similar to EU approach
  • automatically regulates companies that do business in its state that meet a threshold for annual gross revenue
  • alone to include employees in definition of consumer
  • only state to take expansive view of regulated behavior of businesses by including both selling and sharing PI
  • provides consumer rights and imposes business obligations structured in manner similar to GDPR
  • lacks certain rights found in CO, CT and VA, including explicit right of appealing to the decision to reconsider its decision of denying a request
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

How do CO, CT, VA and UT’s comprehensive state privacy laws compare?

A

CO, CT and VA have numerous similarities

  • similar key terms, consumer rights and business obligations
  • provides rights not explicitly provided by CA, including right to opt in to sale of sensitive PI and right to appeal

UT similar framework but its definition of business is narrower, and it provides fewer rights to consumers and puts fewer obligations on businesses

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

What are the types of exemption under state privacy laws?

A

entity-level exemption: exempt entities subject to specific federal law

data-based exemption: exempt only data that is protected by federal law

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

What are the entity-level exemptions under state privacy laws?

A
  • HIPAA entities → CT, UT, VA
  • GLBA entities → CO, CT, UT, VA
  • FCRA entities → all 5 states
  • governments and nonprofits → all 5 states
  • institutions of higher ed → CT, UT, VA
  • registered national security associations → CO, CT
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

What are the data-level exemptions under state privacy laws?

A
  • HIPAA data → CA, CO, UT, VA
  • GLBA data → all 5 states
  • FCRA data → all 5 states
  • deidentified data → all 5 states
  • publicly available data → all 5 states
  • aggregate data → CA, UT, VA
  • employee data → CO, CT, UT, VA
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

How do the definitions of “business” compare under state privacy laws?

A
  • annual revenue threshold: CA ($25m)
  • # of customers in state whose data is processed: CA, CO, CT, VA (10k customers)
  • gross revenues from selling or sharing data threshold: CA, CO, CT and VA
  • combination of above: UT
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

What is the threshold that includes gross revenues from selling or sharing data for each state?

A
  • CA: if company derives at least 50% of gross revenues from selling or sharing data
  • CO: if company processes data of at least 25k consumers and derives any revenue or receives any discount on goods or services from selling personal data
  • CT: if company processes data of at least 25k consumers and derives at least 25% of gross revenues from selling data
  • VA: if company processes data of at least 25k consumers and derives at least 50% of gross revenues from selling data
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

How does Utah define a “business” under its state privacy law?

A

if company has at least $25 million in annual gross revenue and meets one of following: (1) processes data of at least 100k Utah consumers or (2) processes data of at least 25k Utah consumers and derives at least 50% of gross revenues from selling data

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

How do the state privacy laws define “consumer”?

A
  • all 5 states define their own residents to be protected by their respective laws
  • CA includes employees in definition of consumer
  • CO, CT, UT, VA exclude individuals “acting in a commercial or employment context”
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

Define:

personal information

under state privacy laws

A

any data that can be associated or linked with a particular individual

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

How is CA’s definition of “personal information” different?

A

CA extends definition to include information of consumer and consumer’s household, and is the only state to include employment data

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

What does “personal information” typically exclude?

under state privacy law

A
  • deidentified data: data that cannot reasonably fall within definition of personal data
  • data that is publicly available: info that is lawfully made available by federal, state or local governments
  • aggregate data: info relating to a group of consumers where the identities of individual consumers have been removed (CA, UT, VA)
  • employee data: records kept by businesses related to applicants, employees and contractors (CT, UT, VA, CO limited to employment records)
  • data subject to specific federal privacy requirements
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

Define:

sensitive personal information

under state privacy law

A
  • citizenship; genetic and/or biometric info; physical or mental health conditions; race or ethnicity; religion; sexual orientation → all 5 states
  • children’s data → CO, CT, VA
  • geolocation data → CA, CT, UT, VA
  • union membership, philosophical beliefs, content of mail, email and text messages → CA
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

What kinds of business activities are regulated under state privacy laws?

A

sale of personal data + sharing of data (only for CA)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

How do states define “sale”?

under state privacy law

A
  • UT, VA restrict regulation of sale to transactions involving monetary compensation
  • CA, CO, CT also include bartering for the data (any exchange for value)
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

What is typically excluded from the definition of “sale”?

under state privacy law

A
  • disclosures of personal data to processor for purpose of processing data for business
  • disclosures of personal data to a 3P for purposes of providing services or products that are requested by the consumer
  • disclosures of personal data where consumer directs the business to disclose the personal data or intentionally uses business to interact with 3P
  • disclosures or transfer of personal data, considered to be an asset, for purposes of M&A or bankruptcy, where 3P assumes control of business’s stake in the asset
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

What is defined as “sharing” under CA privacy law?

A

sharing or otherwise communicating … a consumer’s personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration

19
Q

What are the nine consumer rights under state privacy laws?

A
  • right to access
  • right to correction (not UT)
  • right to delete
  • right to data portability
  • right to opt out of sales
  • right to opt out of targeting/cross-contextual behavioral advertising
  • right against automated decision-making (not UT)
  • right concerning sensitive personal information
  • right to nondiscrimination
20
Q

How do consumers exercise their rights under state privacy laws?

A
  • by making request of business
  • business has defined period of time of time for a timely response (typically 45 days to respond and addt’l 45 days for response when “reasonably necessary” but in CA, 15 days if consumer asks to opt out)
21
Q

Define:

the right to access

under state privacy laws

A

consumers have right to access specific pieces of PI collected or held by the business

22
Q

Define:

right to correction

under state privacy laws

A

consumers have right to correct inaccuracies in PI collected or held by business (except in UT)

23
Q

Define:

the right to delete

under state privacy laws

A

consumers have the right to delete PI held by a business, unless an exception applies

  • in CA, must also notify 3Ps to delete PI
24
Q

Define:

right to data portability

under state privacy law

A

data, which is in a “readily useable format,” should be made available to the consumer to facilitate the consumer’s ability to provide the info to another entity

25
Q

Define:

right to opt out of sales

under state privacy law

A

consumer can choose to opt out of the sale of PI held by the business

  • in CA, can also opt out of sharing of PI
26
Q

Define:

right to opt out of targeting/cross-context behavioral advertising

under state privacy law

A

consumer can choose to opt out of advertising selected based on personal information collected about the consumer over time from a variety of online sources

27
Q

Define:

right against automated decision-making

under state privacy law

A

consumer can choose to opt out of automated processing of PI that results in decisions about the consumer and/or profiling of the consumer (not in UT)

28
Q

Define:

right concerning sensitive personal information

under state privacy law

A

consumer has a right related to how their sensitive PI is handled by businesses

  • CO, CT, VA → business needs consent to process this data (opt-in) and sensitive PI includes children’s data
  • UT → business must provide notice to process data and opportunity for consumers to opt out
  • CA → complex approach, businesses can self-restrict to certain uses of sensitive PI or provide consumers notice and opportunity to opt out
29
Q

Define:

right to nondiscrimination

under state privacy law

A

businesses cannot discriminate against consumers for exercising their rights under these laws

30
Q

What are core business obligations under state privacy laws?

A
  • notice/transparency
  • notice or right to opt out and conspicuous method to exercise
  • opt-in by default of children’s data
  • security measures
  • purpose/processing limitation (not UT)
  • risk assessments (not UT)
31
Q

Define:

notice/transparency obligation

under state privacy law

A

business required to provide consumers with notice of certain data practices, privacy programs and/or privacy operations via privacy notice

32
Q

What should a privacy notice explain?

under state privacy laws

A
  • categories of data
  • purpose for processing each category of data
  • any sale and how to opt out
  • categories of data shared with third parties
  • how to exercise consumer rights
  • for CA, duration and retention of each cateogry of personal data and categories of sensitive personal data
33
Q

Define:

notice of right to opt out

under state privacy laws

A

all 5 states require that businesses provide consumers with notice of the right to opt out and a conspicuous method to allow consumers to exercise these rights

  • in CA, businesses that sell or share PI must provide a link on the business’s web pages that says “Do Not Sell or Share My Personal Information”
  • for businesses that use or disclose sensitive PI, CA requires business to have a “Limit the Use of My Personal Information” link on websites
34
Q

Define:

notice at point of collection

under state privacy law

A

CA requires consumers be informed “at or before the point of collection” about the categories of personal data collected and the purposes of their use

35
Q

What are the specific opt-in by default of children’s data rules in each state?

A
  • CA requires businesses obtain opt-in consent to sell or share PI of consumers under age of 16
  • CT requires businesses obtain opt-in consent from consumers under age of 16 (but at least 13) to sell their PI or process their PI for targeted advertising
  • CT, CO, VA treat PI of consumers under age of 13 as sensitive PI and require opt-in consent from these consumers to process their data
  • UT requires opt-in consent for processing of personal information of consumers under age of 13
36
Q

Define:

purpose/processing limitations

under state privacy law

A

business is prohibited from collecting and/or processing personal information except for a specific purpose (except in UT)

37
Q

Define:

risk assessments obligation

under state privacy law

A

business is obligated to conduct a formal risk assessment related to privacy and/or cybersecurity (except in UT)

processing activities that can trigger need for a risk assessment include:

  • processing PI for purpose of targeting ad
  • selling personal data
  • processing sensitive data
  • processing personal data for profiling under certain circumstances
38
Q

Define:

security requirements

under state privacy law

A

business is obligated to ensure security measures are in place related to data, including “reasonable administrative, technical and physical data security practices” that are designed to protect the confidentiality and integrity of that data

39
Q

What does enforcement look like under state privacy laws?

A
  • all five states can impose penalties for noncompliance but amount per violation varies
  • state AG has either sole or joint enforcement power in each of these states
  • CA also provides limited private right of action related to security breaches that compromise personal information, as well as usernames and passwords that permit access to accounts
40
Q

What are civil penalties under each state law?

A
  • CA → civil penalties can be up to $2500 for typical violations and up to $7500 for intentional violations
  • UT, VA → civil penalties can reach $7500 per violation
  • CO → violations are treated as “deceptive trade practices” under CO’s Consumer Protection Act, where fines can be up to $20k per violation
  • CT → violations also treated as “unfair trade practices” under CT’s Unfair Protection Act, where fines can be up to $5k per willful violation
41
Q

Who does the state AG share enforcement power with in each state?

A
  • VA, UT → state AG solely responsible
  • CT → state AG works in conjunction with Division of Consumer Protection to enforce law
  • CO → both state AG and local DAs have power to enforce law
  • CA → both state AG and CPPA have power to enforce
42
Q

Define:

cure period

under state privacy law

A

specified number of days to address a violation without being subject to sanction

  • UT, VA: 30 days
  • CO, CT: cure period will sunset end of this year
43
Q

state data security laws

A
  • 2/3 of states have laws requiring companies to take data security measures to protect citizens’ personal information
  • ~20 states have laws that impose a reasonableness standard for security but don’t provide specific cybersecurity requirements (e.g., CA)
  • 10 states impose extensive cybersecurity requirements (MA strictest)
  • four states (CT, IA, OH, UT) have “safe harbor” laws for cybersecurity instead of obligations
44
Q

Define:

state data destruction laws

A
  • ~2/3 of states have these
  • typically require that companies destroy or dispose of PI in such a way that it is no longer readable or decipherable
  • common elements of (1) to whom law applies; (2) required notice; (3) exemptions; (4) covered media; (5) penalties

CIPP-US (17 decks)

Brainscape helps you reach your goals faster, through stronger study habits.
© 2025 Bold Learning Solutions. Terms and Conditions