Misc Items Flashcards
Cable Communications Privacy Act of 1984
CCPA- regulates the notice cable TV providers must give subscribers, once at the start of service and annually thereafter.
Subscribers can request opt-out, but the exceptions are:
- legit business activities
- court order
- Name and address only
FCC, FTC
Communications Assistance to Law Enforcement Act of 1994
CALEA, also known as the Digital Telephony Bill.
- requires communications companies to design products to allow for lawful government access (wiretaps, etc.)
As of 2005, also covers the internet.
FCC, FTC
CAN-SPAM Consent to Share Requirements
“Express Prior Authorization”- must be an affirmative OK, like a checkbox or button. It can be written, oral, or digital, but there must be a record of it.
CAN-SPAM email requirements
- No false or misleading headers
- clear, working return email address
- clear opt-out without cost
- don’t send to those who have unsubscribed (10-day grace period)
- no aggravated actions, like address harvesting
- pornographic content must have a warning label
Now covers texts, too.
Cybersecurity Information Sharing Act of 2015
CISA- federal government can share unclassified, technical data with companies about attacks/breaches, as well as how to defend against them.
No consent needed. PI must be removed.
DHS, DOJ
Electronic Communications Privacy Act of 1986
Collective name for the ECPA and the Stored Wire and Electronic Communications Act, which together update the Federal Wiretap Act.
Protects communications when made, in transit, and stored on computers.
Only one party (provider exception) needs to consent to share.
Comprehensive Alcohol Abuse and Alcoholism Prevention, Treatment, and Rehabilitation Act of 1970
Must have written patient consent to share these types of medical records. Covers any program receiving federal funding.
Exceptions:
- medical emergency
- research
- audits, evaluations
- crimes on premises
- child abuse
- court order
- for the organization to provide services
Often in parallel with HIPAA.
AG.
FERPA vs. HIPAA
HIPAA doesn’t cover a school if FERPA covers it. This is generally a publicly funded school with a nurse on staff.
FERPA does NOT apply to private schools, so HIPAA would cover them.
College health centers treating only students = FERPA
College health centers treating students and staff = FERPA for students, HIPAA for staff
5th Amendment
No self-incrimination, which is often interpreted to mean you have a right to privacy in some situations.
GINA- what agencies enforce it?
EEOC - Title II (employment discrimination)
DOL, HHS, Treasury- Title I (genetic info in health insurance)
Junk Fax Prevention Act
Created the EBR (established business relationship) exception in TCPA. Faxes must have a clear opt-out.
FTC, FCC, TCPA
21st Century Cures Act of 2016
It’s OK to give researchers health data to “expedite research.”
Provisions:
- OK to view data remotely in compliance with HIPAA
- must have certs of confidentiality
- can’t block pharma’s access to the data
- no personal info
FDA
PATRIOT ACT, Section 215
“Library Records” provision and “Tangible Things” provision: allows the FBI director to apply for an order to produce materials that assist in investigations against terrorism.
- things like books, papers, records
Only FISA and magistrate judges can grant it. Does NOT need to say why it was granted!
USA FREEDOM Act of 2015
Modified Patriot Act:
- puts some restrictions on bulk collection, following the Snowden disclosures
- restored roving wiretaps for terrorist tracking
Privacy Protection Act of 1980
PPA- gives the media extra protection from government searches in criminal investigations.
Based on the 1978 case Zurcher v. Stanford Daily, where police used a warrant to look through unpublished photos of a demonstration to find a suspect. The Supreme Court said this was OK as long as there was a strong case that evidence would be found. Still requires a warrant or subpoena.
Binding Corporate Rules (BCRs)
Internal rules for data transfers within multinational companies, like a code of conduct for transfer.
Standard Contract Clauses (SCCs)
Established by the EU to cover data transfers outside of the EU:
- 2 for controller to controller
- 1 for controller to processor
4 Types of Privacy
Info (PII, etc.)
Communications (mail, phone, email)
Bodily (drug testing, health testing, search, etc.)
Territorial (home, work, monitoring, etc.)
Data Controller vs. Processor
Per GDPR:
- Controller: determines the purpose and means for processing PI
- Processor: processes data on behalf of controller.
Under GDPR, the controller must make sure the processor takes appropriate security measures.
Is an IP address personal data?
In the EU, yes. In the US, under the Privacy Act, no, but the FTC considers it PI if breached.
Info Management: Discover, Build, Communicate, Evolve
Discover: ID the issue, self assess, and determine best practice
Build: Make procedures, verify, and implement
Communicate: document and educate
Evolve: affirm, monitor, and adapt
What laws DO NOT preempt stricter state law?
- GLBA
- TSR / TCPA
- VPPA (except CA)
- ECPA (except in DE and CT)
- PPA
- RFPA
- HIPAA
- SAMHSA
What laws allow for Private Right of Action?
- CCPA
- VPPA
- FCRA
- ECPA
- CA SB 1386
What laws do NOT allow for private right of action?
- GLBA
- COPPA
- CAN-SPAM
- GINA