Privacy Flashcards

1
Q

The CCPA is most similar to what set of laws?

A

Europe’s General Data Protection Regulation (GDPR).

2
Q

The CCPA applies to what?

A

Any statutorily defined business that processes consumers’ personal information, provided that the entity does business in California and either has annual gross revenues exceeding $25 million; buys, receives, sells, or shares the personal information of 50,000 or more consumers, households, or devices; or derives 50 percent or more of its annual revenue from sales of consumers’ personal information.

3
Q

Who does the CCPA protect?

A

Any “natural person who is a California resident.”

4
Q

What kind of information does the CCPA protect?

A

Personal information, which includes any “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

5
Q

What is de-identified information?

A

Information that can be used by a business without restriction, but it cannot “reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer.”

6
Q

Under the CCPA, what are a business’ notice obligations?

A

A business must provide two types of notice: an initial notice (“at or before the point of collection,” describing the nature and purpose of the collection) and a website notice (a full description of the rights that a consumer may exercise).

7
Q

What are a consumer’s rights under the CCPA?

A

A consumer has: 1) the right to request certain disclosures of information, and 2) the right to opt out of data sales via a “clear and conspicuous” link.

8
Q

Under what circumstances is a private individual permitted to bring an action under the CCPA?

A

Data breach incidents.

9
Q

Who enforces the CCPA?

A

The California attorney general, except where a data breach has occurred.

10
Q

What are the four steps of dealing with a data breach?

A

The steps are 1) determining whether a breach has happened, 2) containing the breach, 3) notifying impacted parties, and 4) post-incident evaluations and training.

11
Q

State data breach laws have what basic elements in common?

A

The elements are 1) The definition of personal information, 2) The definition of a “security breach,” 3) The level of harm requiring notification, 4) Whom to notify, 5) When to notify affected parties, 6) What to include in the notification letter, 7) How to notify affected parties, 8) Notice requirements to state attorney general or state agency, 9) When notice is required to credit reporting agencies, 10) Exceptions, and 11) Penalties and rights of action.

12
Q

Under data breach statutes, what is personal information?

A

First and last name combined with any one of: 1) Social Security number, 2) driver’s license or ID card number, or 3) financial account information.

13
Q

Who is subject to state data breach notification laws?

A

Any person/business who conducts business in this state, and who, in the ordinary course of such person’s business, owns, licenses, or maintains computerized data that includes personal information.

14
Q

What is a data breach?

A

Unauthorized access to or acquisition of unprotected/unsecured electronic files, media, databases, or computerized data containing personal information.

15
Q

Under HIPAA, what is Protected health information (PHI)?

A

Any individually identifiable health information, held by a covered entity or its business associate, that identifies the individual or offers a reasonable basis for identification and relates to a past, present or future physical or mental condition, provision of health care, or payment for healthcare to that individual.

16
Q

What are covered entities under HIPAA?

A

Healthcare providers that conduct certain transactions in electronic form, health plans, or healthcare clearinghouses.

17
Q

What is a business associate under HIPAA?

A

Any person or organization that performs services and activities for, or on behalf of, a covered entity, if such services or activities involve the use or disclosure of PHI.

18
Q

What is the Security Rule under HIPAA and how was it modified under HITECH?

A

The Security Rule required covered entities to ensure the confidentiality of PHI against reasonably anticipated threats, have agreements with business associates to protect the information, designate a person to oversee compliance, and conduct ongoing evaluations of protection measures and training. HITECH imposed the same requirements on business associates.

19
Q

The Privacy Rule under HIPAA requires what?

A

A covered entity must provide a detailed notice of privacy rights at the date of first service, including the right to obtain a copy of the information. Entities must also require authorization for use of info outside of HIPAA guidelines and implement appropriate safeguards to protect the information.

20
Q

What entities are regulated by the FCRA?

A

Any “consumer reporting agency” (CRA) that furnishes a “consumer report.”

21
Q

What is a CRA under FCRA?

A

Any person or entity that compiles or evaluates personal information for the purpose of furnishing consumer reports to third parties for a fee.

22
Q

What is a consumer report under the FCRA?

A

A consumer report is any communication by a CRA related to an individual that pertains to the person’s creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living.

23
Q

How does the FCRA regulate users of consumer reports?

A

Consumer reports must be appropriately accurate, current, and complete. Consumers must receive notice when a consumer report is used to make adverse decisions about them. Consumer reports may be used only for permissible purposes. Consumers must have access to their consumer reports and an opportunity to dispute them or correct any errors.

24
Q

Under the FCRA, what must a CRA do?

A

Provide consumers with access to the information contained in their consumer reports as well as the opportunity to dispute any inaccurate information. Take reasonable steps to ensure the maximum possible accuracy of the information in the consumer report. Not report negative information that is outdated. Provide consumer reports only to entities that have a permissible purpose under the FCRA. Maintain records regarding entities that received consumer reports. Provide consumer assistance as required by FTC rules.

25
Q

Where is enforcement of the FCRA available?

A

Enforcement of the FCRA is available through dispute resolution, private litigation, and government actions.

26
Q

What is FACTA?

A

The Fair and Accurate Credit Transactions Act. FACTA required truncation of card numbers, gave consumers the right to request a free credit report, and imposed the Disposal Rule and the Red Flags Rule.

27
Q

Does FACTA preempt state laws?

A

Yes.

28
Q

What is the Disposal Rule under FACTA?

A

The Disposal Rule requires any individual or entity that uses a consumer report, or information derived from a consumer report, for a business purpose to dispose of that consumer information in a way that prevents unauthorized access and misuse of the data.

29
Q

What is the Red Flags Rule under FACTA?

A

The rule requires certain financial entities to develop and implement written identity theft detection programs that can identify and respond to the “red flags” that signal identity theft. Specifically, the rule applies to financial institutions and creditors.

30
Q

What is GLBA and what does it require?

A

The Gramm-Leach-Bliley Act. The Act requires financial institutions to: 1) store personal financial information in a secure manner, 2) provide notice of their policies regarding the sharing of personal financial information, and 3) provide consumers with the choice to opt out of sharing some personal financial information.

31
Q

What is the GLBA’s Privacy Rule?

A

The GLBA Privacy Rule requires that financial institutions: 1) prepare and provide to customers clear and conspicuous notice of the financial institution’s information-sharing policies and practices, 2) clearly provide customers the right to opt out of having their nonpublic personal information shared with nonaffiliated third parties, 3) refrain from disclosing an account number to any nonaffiliated third party, and 4) comply with regulatory standards established by certain government authorities to protect the security and confidentiality of customer records.

32
Q

What is the GLBA’s Safeguards Rule?

A

The GLBA Safeguards Rule requires that covered entities implement physical, technological, and administrative safeguards, designate an employee to oversee the program, and regularly reevaluate security.

33
Q

What does FERPA do?

A

FERPA generally prevents schools from divulging education record information, such as grades and behavior, to parties other than the student without that student’s consent.

34
Q

What entities are regulated by FERPA?

A

FERPA applies to all educational institutions that receive federal funding—elementary schools, secondary schools, and postsecondary schools.

35
Q

FERPA provides what rights to students?

A

Students over the age of 18 have the following rights: 1) Control the disclosure of their education records to others, 2) Review and seek amendment of their own education records, 3) Receive annual notice of their rights under FERPA, and 4) File complaints with the U.S. Department of Education.

36
Q

Under what circumstances is disclosure under FERPA permitted?

A

Disclosure of information is permitted if one of the following is satisfied: 1) The information is not “personally identifiable,” 2) The information is considered “directory information” whose release the student has not blocked, 3) Consent has been provided by the holder of the rights under FERPA, 4) The disclosure is made to the holder of the rights, 5) A statutory exception applies, such as for health or safety purposes.

37
Q

What types of campus-related information are not considered to be an education record?

A

Some examples of campus-related information include directory information, campus police records, employment records for non-students, and medical information.

38
Q

Is medical information about a student at a privately-operated school governed by FERPA?

A

No. Medical information generally would be controlled by HIPAA instead. For public schools, FERPA applies instead of HIPAA.

39
Q

The Telemarketing Sales Rule regulates covered entities in what manner?

A

The TSR (which implements the Telephone Consumer Protection Act) requires covered organizations to: 1) Call only between 8 a.m. and 9 p.m., 2) Screen and scrub names against the national DNC list, 3) Display caller ID information, 4) Identify themselves and what they are selling, 5) Disclose all material information and terms, 6) Comply with special rules for prizes and promotions, 7) Respect requests to call back, 8) Retain records for at least 24 hours, and 9) Comply with special rules for automated dialers.

40
Q

What must a telemarketer disclose at the beginning of a call?

A

Required disclosures include: 1) The identity of the seller, 2) That the purpose of the call is to sell goods or services, 3) The nature of those goods or services, and 4) In the case of a prize promotion, that no purchase or payment is necessary to participate or win.

41
Q

What categories of information should be disclosed in a sales call?

A

1) Cost and quantity, 2) material restrictions, limitations, or conditions, 3) performance, efficacy, or central characteristics, 4) refund, repurchase, or cancellation policies, 5) material aspects of prize promotions, 6) material aspects of investment opportunities, 7) affiliations, endorsements, or sponsorships, 8) credit card loss protection, 9) negative-option features, and 10) debt relief services.

42
Q

Do text messages have the same protections as phone calls?

A

Yes, based on an FCC order.

43
Q

What is the Safe Harbor rule under the TSR?

A

A company can avoid prosecution under the TSR if it, or someone acting on its behalf, relied on procedures put in place to avoid violating the TSR and has records of its compliance. This covers, for example, violations of the DNC rules (it checked the DNC registry and has a list updated within the last 31 days) or of the hang-up/dead-air rules (it has a protocol that ensures fewer than 3% of calls end that way).

44
Q

Who can enforce the TSR and what is the limit of the civil fine?

A

State attorneys general, private citizens, or the FTC. Civil penalties can exceed $40,000.

45
Q

When does the DNC not apply?

A

Non-profits calling on their own behalf; inbound calls to persons with a recent existing relationship (provided no additional sales calls are made); and business-to-business calls.

46
Q

What rules govern robocalls?

A

Prior consent must be obtained for residential lines.
Consumers must be able to opt out of calls.

47
Q

What records must be retained under the TSR?

A

In general, the following records must be maintained for two years from the date the record is produced: 1) advertising and promotional materials, 2) information about prize recipients, 3) sales records, 4) employee records, and 5) all verifiable authorizations or records of express informed consent or express agreement.

48
Q

Covered entities are prohibited from doing what under the CAN-SPAM Act?

A

Prohibits false or misleading headers
Prohibits deceptive subject lines
Requires commercial emails to contain a functioning, clearly and conspicuously displayed return email address that allows the recipient to contact the sender
Requires all commercial emails to include clear and conspicuous notice of the opportunity to opt-out along with a cost-free mechanism for exercising the opt-out, such as by return email or by clicking on an opt-out link
Prohibits sending a commercial email (following a grace period of 10 business days) to an individual who has asked not to receive future email
Requires all commercial email to include (1) clear and conspicuous identification that the message is a commercial message (unless the recipient has provided prior affirmative consent to receive the email) and (2) a valid physical postal address of the sender (which can be a post office box)
Prohibits “aggravated violations” relating to commercial emails, such as (1) address-harvesting and dictionary attacks, (2) the automated creation of multiple email accounts, and (3) the retransmission of commercial email through unauthorized accounts
Requires all commercial email containing sexually oriented material to include a warning label (unless the recipient has provided prior authorization)

49
Q

Does the CAN-SPAM Act preempt most laws?

A

Yes.

50
Q

What is CPNI?

A

CPNI is information collected by telecommunications carriers related to their subscribers. CPNI includes subscription information, services used, and network and billing information as well as phone features and capabilities. It also includes call log data such as time, date, destination, and duration of calls.

51
Q

What is the VPPA and what triggered it?

A

The Video Privacy Protection Act. The Act was passed in response to the disclosure and publication of then-Supreme Court nominee Robert Bork’s video rental records.

52
Q

What does the VPPA control?

A

Use of video rental records. With the advent of streaming and social media, consumers can opt out of certain protections by giving consent.

53
Q

What are the Digital Advertising Alliance (DAA) Self-Regulatory Principles for Online Behavioral Advertising and the Network Advertising Initiative (NAI) Code of Conduct examples of?

A

Self-regulation by industry groups.

54
Q

What groups are subject to employee background screening by law?

A

Typically, anyone who works with the elderly, children, or the disabled must now undergo background screening.

55
Q

What are the exceptions to the general rule that lie detectors may not be used in an employment setting (a/k/a the EPPA)?

A

The Employee Privacy Protection Act excludes certain occupations (including government employees, employees in certain security services, those engaged in the manufacture of controlled substances, certain defense contractors, and those in certain national security functions) and also excludes investigations of certain types of misconduct (such as theft or embezzlement).

56
Q

Under what circumstances is drug testing permitted?

A

Federal law permits drug testing in the following circumstances: 1) employees of U.S. Customs and Border Protection, and 2) employees in the aviation, railroad, and trucking industries; in these areas federal law preempts state law.

57
Q

When is drug testing permitted?

A

Pre-employment testing
Reasonable suspicion of use based on specific facts
Routine testing, if the employee was notified at hiring
Post-accident testing, where there is a suspicion that the accident was caused by drugs or alcohol
Random testing

58
Q

What does the Stored Communications Act prohibit?

A

It imposes a general prohibition against the unauthorized acquisition, alteration, or blocking of electronic communications while they are in electronic storage in a facility through which an electronic communications service is provided.

59
Q

What are a business’ obligations under the CCPA?

A

A business must: 1) respond to consumer requests within 45 days, 2) make certain disclosures, 3) provide options for consumers to interact, 4) include a vehicle to prohibit the sale of information, 5) train employees, and 6) not discriminate against consumers.

60
Q

What does CPRA do?

A

The California Privacy Rights Act expands the CCPA and creates a new agency to enforce the Act. Additional changes include expanded breach liability, ongoing auditing obligations for high-risk entities, a prohibition against profiling, required opt-in for use of children’s data, and data retention requirements based on necessity.

61
Q

Does HIPAA preempt state law?

A

No.

62
Q

What is GINA?

A

The Genetic Information Nondiscrimination Act prohibits employers from making decisions against people or families based on genetic testing, including as it relates to healthcare coverage.

63
Q

What is the Comprehensive Alcohol Abuse and Alcoholism Prevention, Treatment and Rehabilitation Act?

A

One of the first privacy protections; it limits the ability of healthcare professionals to disclose addiction-related disorders to the government, and obligates the entity to put protocols in place to protect patient information.

64
Q

What is the 21st Century Cures Act?

A

The Act allows easier access to health information where it is used for research purposes under certain conditions, and obligates healthcare professionals to ensure the confidentiality of the information used.

65
Q

What is COPPA?

A

COPPA is the Children’s Online Privacy Protection Act, which protects a child’s use of the internet and materials marketed to children. The Act prohibits collecting information from children under 13 without parental consent. Websites must provide clear notice of data collection.

66
Q

What role does Dodd-Frank provide in online banking?

A

Dodd-Frank created the Consumer Financial Protection Bureau. The CFPB holds the authority to make rules and enforce those rules against abusive acts and practices by companies in the financial products sector. These rules require financial products companies to have adequate technological protections on their systems.

67
Q

What is the CAN-SPAM Act?

A

The Controlling the Assault of Non-Solicited Pornography and Marketing Act. Its rules cover email marketing and have been extended to mobile devices.

68
Q

What does the Telecommunications Act control?

A

The Telecommunications Act of 1996 restricts the access, use and disclosure of customer proprietary network information (or CPNI).

69
Q

What is the GDPR?

A

GDPR, or General Data Protection Regulation, provides the EU’s rules on disclosure of private information.

70
Q

Who does the GDPR apply to?

A

It applies to the personal data of EU or European Economic Area residents in connection with goods or services, regardless of where the business is located. Controllers and processors in the EU are regulated, and controllers outside the EU are also governed where member state law applies.

71
Q

What are the consumer’s rights under GDPR?

A

The rights are to: 1) withdraw consent, 2) request a copy of their data, and 3) halt use and object to automated decisions.

72
Q

What must regulated companies do under the GDPR?

A

Regulated companies must: 1) provide notice, 2) ensure data transfers, 3) protect data and take responsibility for vendors, and 4) demonstrate compliance.