Misc Items

Question 1

Cable Communications Privacy Act of 1984

Answer 1

CCPA- regulates required notice of cable TV providers, once at start of service and annually thereafter.

You can request opt-out, but exceptions are:

• legit business activities
• court order
• Name and address only

FCC, FTC

Question 2

Communications Assistance to Law Enforcement Act of 1994

Answer 2

CALEA, Digital Telephony Bill.
- requires communications companies to design products to allow for lawful government access (wiretaps, etc)

As of 2005, includes internet.

FCC, FTC

Question 3

CAN-SPAM Consent to Share Requirements

Answer 3

“Express Prior Authorization”- must be an affirmative OK, like a checkbox or button. It can be written, oral, or digital, must there must be a record of it.

Question 4

CAN-SPAM email requirements

Answer 4

• No false or misleading headers
• clear, working return email address
• clear opt-out without cost
• don’t send to those who have unsubscribed (10 day grace period)
• no aggravated actions, like address harvesting
• pornographic content must have a warning label

Now covers texts, too

Question 5

Cybersecurity Information Sharing Act of 2015

Answer 5

CISA- federal government can share unclassified, technical data with companies about attacks/breaches, as well as how to defend against them.

No consent needed. PI must be removed.

DHS, DOJ

Question 6

Electronic Communications Privacy Act of 1986

Answer 6

Collective name of ECPA and Stored Wire Electronic Communications Act, which updates the Federal Wiretap Act.

Protects communications when made, in transit, and stored on computers.

Only one party (provider exception) needs to consent to share.

Question 7

Comprehensive Alcohol Abuse and Alcoholism Prevention, Treatment, and Rehab Act of 1970

Answer 7

Must have written patient consent to share these types of medical records. Covers any program receiving federal funding.

Exceptions:

• medical emergency
• research
• audits, evaluations
• crimes on premises
• child abuse
• court order
• for the organization to provide services

Often in parallel with HIPAA.

AG.

Question 8

FERPA vs. HIPAA

Answer 8

HIPAA doesn’t cover a school if FERPA covers them. This is generally a public-funded school with a nurse on staff.

FERPA does NOT apply to private schools, so HIPAA would cover them.

College health centers treating only students = FERPA
College health centers treating students and staff = FERPA for students, HIPAA for staff

Question 9

5th Amendment

Answer 9

No self-incrimination, which is often interpreted to mean you have a right to privacy in some situations

Question 10

GINA- what agencies enforce it?

Answer 10

EEOC - Title II (employment discrimination)

DOL, HHS, Treasury- title I (genetic info in health insurance)

Question 11

Junk Fax Prevention Act

Answer 11

Created the EBR exception in TCPA. Faxes must have a clear opt out.

FTC, FCC, TCPA

Question 12

21st Century Cures Act of 2016

Answer 12

It’s OK to give researchers health data to “expedite research.”
Provisions:
- OK to view data remotely in compliance with HIPAA
- must have certs of confidentiality
- can’t block pharma’s access to the data
- no personal info

FDA

Question 13

PATRIOT ACT, Section 215

Answer 13

“Library Records” provision and “Tangible Things” provision: allows FBI director to apply for an order to produce materials that assist in investigations against terrorism.
- things like books, papers, records

Only FISA and magistrate judges can grant it. Does NOT need to say why it was granted!

Question 14

USA FREEDOM Act of 2015

Answer 14

Modified Patriot Act:

• outs some restriction on bulk collection, following Snowden
• restored roving wiretaps for terrorist tracking

Question 15

Privacy Protection Act of 1980

Answer 15

PPA- gives the media extra protection from government searches in criminal investigations.

Based on 1978 case Zurcher v Standford Daily, where police used a warrant to look through unpublished photos of a demonstration to find a suspect. SC said this was OK as long as there was strong case that evidence would be found. Still requires warrant or subpoena

Question 16

Binging Corporate Rules (BCRs)

Answer 16

Internal rules for data transfers within multinational companies, like a code of conduct for transfer.

Question 17

Standard Contract Clauses (SCCs)

Answer 17

Established by EU to cover data transfer outside of EU:

• 2 for controller to controller
• 1 for controller to processor

Question 18

4 Types of Privacy

Answer 18

Info (PII, etc)
Communications (mail, phone, email)
Bodily (drug testing, health testing, search, etc)
Territorial (home, work, monitoring, etc)

Question 19

Data Controller vs. Processor

Answer 19

Per GDPR:

• Controller: determines the purpose and means for processing PI
• Processor: processes data on behalf of controller.

Under GDPR, the controller must make sure the processor takes appropriate security measures.

Question 20

Is an IP personal data?

Answer 20

In the EU, yes. In the US, under the Privacy Act, no, but the FTC considers it PI if breached

Question 21

Info Management: Discover, Build, Communicate, Evolve

Answer 21

Discover: ID the issue, self assess, and determine best practice

Build: Make procedures, verify, and implement

Communicate: document and educate

Evolve: affirm, monitor, and adapt

Question 22

What laws DO NOT preempt stricter state law?

Answer 22

GLBA
TSR / TCPA
VPPA (except CA)
ECPA (except in DE and CT)
PPA
RFPA
HIPAA
SAMHSA

Question 23

What laws allow for Private Right of Action?

Answer 23

CCPA
VPPA
FCRA
ECPA
CA SB 1386

Question 24

What laws do NOT allow for private right of action?

Answer 24

GLBA
COPPA
CAN-SPAM
GINA