Module 1: Introduction to Privacy Flashcards
What are the 4 Fair Information Practices (FIP)
1) Rights of individuals: Notice, choice and consent, data subject access
2) Controls on the information: Information security, information quality
3) Information life cycle: Collection, use and retention, disclosure, destruction
4) Management: Management and administration, monitoring, and enforcement
Name 5 major components of milestone legislations re: FIPs
1) US Health, Education and Welfare FIPs (1973): created in response to secret government dossiers on individuals. Also led to the Privacy Act of 1974.
2) OECD guidelines (1980): created as a set of guidelines across economies (The Organisation for Economic Co-operation and Development)
3) Council of Europe Convention (1981): the first legally binding international data protection convention
4) APEC Privacy Framework (2004): Non-binding data protection guidelines for Asia-Pacific countries.
5) Madrid Resolution (2009): Looked at creating guiding privacy practices for Europe
Name 4 types of information
1) Personal Information includes name, gender, address, etc.
2) Sensitive information is information whose exposure is more likely to cause harm (e.g. SSN, medical records, etc.).
3) Non-personal information is anonymized data and aggregated data.
4) Pseudonymized data is the replacement of personal information with pseudonyms, or artificial replacements.
Name 3 sources of personal information
1) Public records: information that government agencies publish for public consumption
2) Publicly available information: newspapers, phonebooks, etc.
3) Nonpublic information: information we want protected from public disclosure
Name 4 data protection roles
1) Data Subject: Who the information is about
2) Data Controller: Who controls access to the information and determines what is done with it.
3) Data Processor: Processes data on behalf of the controller.
4) Regulator or data protection authority (DPA)
Name 4 sources of privacy protection
1) Markets: they want to create trust in their services, so they make sure they build in privacy controls.
2) Technology
3) Law: a good privacy law benefits us all, but quickly written laws only cause confusion
4) Self-regulation: two types, self-regulatory and co-regulatory (laws + industry regulating itself). Establishes enforceable codes.
Legislation: who writes the rules
Adjudication: who is breaking the rules
Enforcement: who acts on non-compliance
Name 4 types of privacy protection models
1) Few or no general laws (e.g. Cuba)
2) Co-regulatory: enforceable by industry body OR government (e.g. Australia). COPPA is an example of this – the government can enforce but lets industry-specific bodies do work too.
3) Sectoral: Industry-specific laws (e.g. U.S.)
4) Comprehensive: Omnibus laws (e.g. EU)
Name the 3 branches of government
1) Executive: enforces laws
2) Legislative: makes laws
3) Judicial: interprets laws
Name 8 sources of US law.
1) Constitutions
2) Legislation
3) Regulations and rules
4) Contract law
5) Case law
6) Common law
7) Consent decree
8) Tort law
What 3 things must be necessary for a contract to be binding?
1) Offer
2) Acceptance
3) Consideration
What is consideration in contract law?
Each party must change its position. Usually one of two things: 1) a promise to do something one is not legally obligated to do, or 2) a promise not to do something one has the right to do.
What is common law?
Used synonymously with case law in the US. A system where courts can set precedent (as opposed to systems that cannot function without statutes in place). Generally, legal precedent and social customs set the law.
What is a consent decree?
An agreement or settlement that resolves a dispute without admission of guilt or liability. It describes actions the defendant will take. Same effect as a court decision. Often used by SEC and FTC, since it’s easier for all.
What are torts?
Civil wrongs recognized by law as grounds for a lawsuit. Tort law provides relief to the injured party and deters others from committing the same wrongs.
What are the three general tort categories?
Intentional: defendant knew or should have known action would cause harm
Negligent: defendant’s actions were unreasonably unsafe
Strict liability: defendant has legal responsibility for damages even if not negligent or at fault.
What is a person (in legal terms)?
Any entity with legal rights. Can be a human being or corporation.
What are the two types of legal authority?
General: blanket authority to regulate a field of activity
Specific: Targeted at singular activities outlined by legislation
Does CAN-SPAM preempt state laws?
Yes
What are the 3 data subject rights?
1) Notice: What’s collected and why. Generally a Privacy Policy
2) Choice: opt-in or opt-out
3) Access: view personal information held by an org
Name 6 federal agencies that regulate privacy
1) FTC
2) Federal banking agencies such as the CFPB, Federal Reserve Board, or Office of the Comptroller of the Currency
3) FCC
4) DOT
5) HHS (through Office of Civil Rights)
6) Department of Commerce
Who regulates privacy at the state level?
Attorneys general (except California Privacy Protection Authority)
Name the three conditions that can trigger GDPR application
1) Processing of personal data when a controller or processor is established in EU
2) Processing of personal data of EU subjects relating to offering goods or services or monitoring behavior
3) Processing of personal data by a controller not established in the EU but in a place where member state law applies
Name 2 ways to transfer data from GDPR areas to the US aside from adequacy decisions
1) Binding Corporate Rules (BCRs): multinational company can transfer data between countries after certification of their practices by an EU privacy supervisory agency
2) Standard Contractual Clauses (SCCs): A company contractually promises to comply with EU law and submit to the supervision of an EU privacy supervisory agency
Name 4 accountability requirements GDPR controllers have that processors don’t
1) Privacy by design
2) Privacy by default
3) Data Protection Impact Assessments (DPIAs)
4) Data breach reporting (to data subject; processor must notify controller)
When is a DPO required under GDPR?
When the core activities are:
• Processing activities that require “regular and systematic monitoring” of data subjects on a “large scale”
• Processing sensitive data (or personal data relating to criminal convictions/offences) on a “large scale”
• Processing by public bodies, other than courts acting in judicial capacity
Name 6 responsibilities of a DPO under GDPR
- To monitor compliance with the GDPR
- Advise controller and processors
- Manage risk
- Cooperate with supervisory authorities
- Communicate with data subjects and supervisory authorities
- Exercise professional secrecy
Who must a Processor notify when there is a data breach under GDPR?
The Controller
Who must a Controller inform when there is a data breach under GDPR?
1) The supervisory authority
2) The data subject
What is an adequacy decision?
A finding by the European Commission that a third country, territory, specific sector in a third country or an international organization offers levels of data protection that are essentially equivalent to that within the EU.
What are the 3 triggers for CCPA?
Any for-profit entity doing business in California that either:
1) Does more than $25 million USD in annual revenue
2) Holds PI of 50k+ people, households or devices
3) Makes at least half of its revenue from sale of PI
Who is protected under CCPA?
“Consumers:” aka “natural person who is a California resident.” Those who are in the state for other than temporary/transitory purpose, or those domiciled in the State but outside of the State for a temporary/transitory purpose.
Name 3 consumer rights under CCPA:
1) Request records
2) Right to erasure (with some exceptions)
3) Opt-out of sale
Name 8 obligations for businesses under the scope of CCPA
1) Provide certain disclosure to consumers
2) Provide at least two methods for receiving consumer requests (e.g. toll-free number [not needed if only e-commerce], link on website)
3) Have a verification process
4) Provide the information free of charge, within 45 days and in a portable format
5) Disclose to consumers the third parties to whom the business sells the PI
6) Include a “Do Not Sell My Personal Information” button on website
7) Do not “discriminate against a consumer”
8) Train employees on consumer rights pursuant to the law
What are the fees for violating CCPA (enforced by AG)?
$2,500 fine per violation (record) not addressed within 30 days
$7,500 per record for intentional violations within 30 days
What are fees for violating CCPA (private right of action)
Consumers can sue for $100-750 per violation, or further actual damages.
Name 6 categories of legal liability
1) Negligence
2) Breach of warranty (failure of seller to fulfill promise, claim or representation)
3) Misrepresentation (false security about safety of a product or service)
4) Defamation (written = libel, oral = slander)
5) Strict tort liability (imposition of liability on a party without a finding of fault [such as negligence or tortious intent])
6) Statutory action (enacted by statute)
Describe the FTC/GeoCities consent decree
In 1999, the FTC said GeoCities didn’t disclose how they would use data. The FTC said GeoCities sold the data by creating a database for selling ads. GeoCities agreed to disclose its information practices and require parental permission for children 12 and younger.
What two remedies can the FTC seek through federal courts?
Injunctions and civil penalties
What law/section gives broad powers to the FTC to protect consumers from deceptive acts and practices?
Section 5(b) of the FTC Act of 1913
What is the FTC division for investigating privacy cases?
Division of Privacy and Identity Protection, or DPIP
Describe the FTC/Snapchat consent decree
In 2014, the FTC argued that Snapchat’s “disappearing” messages could be saved, that the “find friends” feature was presented as the only option, that data was collected, and that it was insecure, allowing hackers to create a database of millions of users. The consent decree said Snapchat would not engage in these practices for 20 years.
Describe the FTC/LifeLock consent decree
In 2010, the FTC argued LifeLock failed to encrypt customer data or restrict access, putting data at risk. LifeLock paid fines, agreed to maintain a comprehensive security program, be assessed every two years and cease deceptive advertising until 2026. In 2015, the FTC filed a contempt action, and a court ordered them to pay millions as repayment, plus a fine to either the state AG or the federal government.
Describe the FTC/Wyndham administrative action
FTC argued Wyndham did not protect sensitive data. Wyndham did not settle. Courts found in favor of FTC, then Wyndham entered a consent order.
How does the DOT enforce privacy laws?
Responsible for transportation companies under its jurisdiction, incl. enforcing violations of the Privacy Shield (no longer the case). The Federal Aviation Administration (FAA) manages drones; the National Highway Traffic Safety Administration (NHTSA) manages internet-connected cars.
What role does the Department of Commerce play in privacy law?
Plays a role in federal privacy policy development, administers the EU/US Privacy Shield
What does the Office of Management and Budget do re: privacy?
Lead agency for interpreting Privacy Act of 1974, issues guidance to agencies and their contractors
What is the Privacy Act of 1974?
Establishes FIPs for federal agencies and their contractors
What does the IRS do re: privacy?
Subject to privacy rules concerning tax records
What does the DHS do re: privacy?
Runs the E-Verify program, rules for air traveler records (through TSA), immigration and other border issues (ICE)
What does the Office of Civil Rights (HHS) do re: privacy?
Plays a role in enforcing HIPAA (investigates complaints, conducts compliance reviews for covered entities, education and outreach) and works with the DOJ to refer criminal violations of HIPAA.
What were privacy priorities of the FTC in the late 90s?
Providing notice of policies, allowing choice on how data is shared, and taking action against entities that were lying about or not complying with their privacy notices
What were the privacy priorities of the FTC from 2001-2009?
Emphasized “injury” under the FTC unfairness authority. E.g. 2004 Gateway/Hooked on Phonics (rented customer information it promised to keep private), 2005 BJ’s Wholesale (security flaws allowed unauthorized access and identity theft)
What were the privacy priorities of the FTC in 2009+?
Developing privacy program requirements (e.g. what are FIPs for orgs), reaching beyond tangible financial harm
What were the privacy priorities of the FTC in 2012+?
White House Report “Consumer Privacy Bill of Rights,” emphasizing privacy by design and simplified consumer choice and control.
What were the FTC’s principles in the 2015 Privacy and Security Update?
- Know what data you have and who has a legitimate right or need to access it
- Limit data retained based on legitimate need
- Implement safeguards to protect data
- Dispose of data when no longer needed
- Have a plan for responding to security incidents
What are 4 risks related to the proper use of personal information that an organization should balance?
1) Legal risks
2) Reputational risks
3) Operational risks (efficiency, etc.)
4) Investment risks
What type of privacy/data accountability considerations should an organization consider? Name 7.
1) Length of storage
2) Sensitivity
3) Encryption
4) International data transfer laws
5) Who determines rules?
6) Processes
7) Dependence on other systems
What steps should a company take when developing privacy policies?
1) Discover (define the privacy program)
2) Build
3) Communicate
4) Evolve
What steps should an org take to manage incidents (e.g. security breaches, cyberattacks)?
1) Preparation (prepare users/IT staff to handle potential incidents)
2) Identification
3) Containment
4) Eradication (removing root cause of incident)
5) Recovery (permit systems back into the environment)
6) Lessons learned
Name 4 examples of US laws/guidelines with Opt-In preferences
COPPA
HIPAA
Fair Credit Reporting Act (FCRA)
Some email marketing
Name 4 examples of US laws/guidelines with Opt-Out preferences
Gramm-Leach-Bliley Act (GLBA)
CAN-Spam
Do Not Call Rules
CCPA DNS Provision
What amendment gives power to the states to make law?
10th: “[t]he powers not delegated to the United States by the Constitution, nor prohibited by it to the States, are reserved to the States respectively, or to the people.”
Does FCRA/FACTA preempt state law?
Yes, but states retain right to enact identity theft laws