Privacy Program Framework - Section II.B. - Implementing a Privacy Program Framework Flashcards

1
Q

The notion that individuals should not be surprised by having their information processed in a particular way prohibited by local law is sometimes referred to as what?

A

Surprise Minimization Rule

2
Q

What type of international transfer mechanism is best described as a form of co-regulation?

A

Transfers made pursuant to codes of conduct of third-party certification authorities.

3
Q

What did the European Court of Justice hold in the case Schrems v. Data Protection Comm’r?

A

The Safe Harbor program that most companies utilized to transfer data between the U.S. and E.U. was not compliant with the GDPR.

4
Q

A determination that the information being transferred will be subject to an equivalent or greater level of protection in the transferee country is referred to as what?

A

Adequacy Decision

5
Q

What are the two most prominent examples of self-regulatory authorities in the marketing industry?

A

(1) The Digital Advertising Alliance; and
(2) The Network Advertising Initiative.

6
Q

Who is responsible for enforcing the self-regulatory principles developed by the Digital Advertising Alliance?

A

Both the Council of Better Business Bureaus and the Data & Marketing Association.

7
Q

What is the primary reason that organizations attempt to funnel privacy-related media inquiries through a single point of contact?

A

To maintain a consistent message regarding an organization’s privacy practices.

8
Q

What is the California Privacy Protection Agency (CPPA)?

A

The CPPA is an administrative agency created by the California Privacy Rights Act (CPRA), responsible for administering and enforcing the California Consumer Privacy Act (CCPA).

9
Q

What made the California Consumer Privacy Act unique when compared with state and federal laws throughout the United States?

A

It was the first attempt in the United States to regulate information privacy with a comprehensive approach that applies to all market segments.

10
Q

What types of conduct can result in a higher-level violation of the GDPR?

A

Higher-level violations include violations of data subject rights and non-compliant cross-border transfers.

11
Q

What are the ways in which information about an E.U. resident may be transferred outside of the E.U.?

A

(1) Adequacy decisions;
(2) Binding corporate rules;
(3) Standard contract clauses;
(4) Ad hoc contract clauses;
(5) Codes of conduct; and
(6) Derogations (or exceptions).

12
Q

What countries has the E.U. determined have adequate data protection laws?

A

Andorra,
Argentina,
Canada,
Faroe Islands,
Guernsey,
Israel,
Isle of Man,
Japan,
Jersey,
New Zealand,
Switzerland,
South Korea,
Uruguay, and the
United Kingdom.

13
Q

In what situation(s) does the GDPR apply to data controllers and processors that operate within the E.U.?

A

The GDPR applies to all processing activities of data controllers and processors operating in the E.U. regardless of whether the processing occurs in the E.U.

14
Q

What law requires organizations to include a “Do Not Sell My Personal Information” button on their websites?

A

California Consumer Privacy Act (CCPA)

15
Q

A well thought out and comprehensive privacy framework will be rendered useless if what happens?

A

There is a failure to effectively communicate that policy to internal and external stakeholders.

16
Q

Can a data protection authority permanently ban a data controller from engaging in processing activities under the GDPR?

A

No. Although Article 58 grants data protection regulators the authority to temporarily ban processing activities, there is no authority to permanently ban processing activities.

17
Q

What does the AdChoices program aim to achieve?

A

Providing consumers the ability to opt-out of online and internet-based advertisements.

18
Q

True or False: As long as a company’s privacy notice is accurate, it does not have to worry about the FTC initiating a “deceptive” trade practice enforcement action.

A

False. A complaint about “deceptive” trade practices can result from any misstatement about a company’s privacy practices, including statements made in an organization’s binding corporate rules or other similar representations.

19
Q

True or False: Data protection authorities are the first-line enforcement authority for organizations transferring data internationally pursuant to a code of conduct of a third-party certification authority.

A

False. Compliance monitoring is primarily carried out by the certifying authority, though a data protection authority retains the authority to bring an enforcement action.

20
Q

True or False: The GDPR applies only to organizations that operate in the European Economic Area.

A

False. The GDPR has an extra-territorial reach.

21
Q

What international transfer mechanisms under the GDPR need pre-approval by a supervisory agency?

A

Binding corporate rules and ad hoc contract clauses.

22
Q

Data that is transferred internationally with the express consent of the data subject is transferred pursuant to what type of mechanism?

A

A derogation listed under Article 49 of the GDPR.

23
Q

True or False: Binding corporate rules must be certified by a privacy supervisory agency within the E.U. before personal data can be transferred pursuant to those rules.

A

True

24
Q

What are some examples in which an organization may have to communicate its privacy practices to data protection authorities?

A

To obtain approval for certain data practices (e.g., cross-border transfers), in response to an investigation or demand, and as part of breach notification requirements.

25
Q

What are the primary concerns an organization must be aware of when transferring data across international borders?

A

(1) Transferring data into a new jurisdiction may result in an organization becoming subject to additional privacy and data security law; and
(2) Failure to implement appropriate procedures can result in legal non-compliance.

26
Q

What is an external privacy organization?

A

A non-governmental organization that advocates for privacy protections.

27
Q

What three elements must the FTC prove in order to establish an “unfair” trade practice?

A

A trade practice that results in
(1) a substantial injury
(2) with a lack of off-setting benefits and
(3) the injury is one that consumers themselves could not reasonably have avoided.

28
Q

The Payment Card Industry Data Security Standard (PCI-DSS) and the Digital Advertising Alliance (DAA) are examples of what type of privacy protection?

A

Self-regulatory protections.

29
Q

What three elements must the FTC prove in order to establish a “deceptive” trade practice?

A

(1) A material
(2) statement or omission
(3) that is likely to mislead consumers who are acting reasonably under the circumstances.

In order to establish that a party has engaged in “deceptive” trade practices in violation of Section 5 of the FTC Act, the FTC must establish that the company under investigation has made (1) a material (2) statement or omission (3) that is likely to mislead consumers who are acting reasonably under the circumstances. In order to meet this standard, the misstatement must be material. A material term is one that is likely to affect consumer decision-making. Whether information is handled in accordance with the Privacy Shield Framework is likely to meet this standard, while a misstatement about whether data is stored in New York or New Jersey is not likely to meet this standard.

30
Q

What is the Digital Advertising Alliance?

A

A consortium of advertising and marketing trade groups that has developed the self-regulatory AdChoices program.

31
Q

What are the two primary steps necessary to effectively implement a privacy framework?

A

(1) Effective communication to internal and external stakeholders; and
(2) Maintaining continuous alignment with applicable laws and regulations.

32
Q

True or False: The failure to abide by self-regulatory programs does not have any consequences because participation is voluntary.

A

False. Failure to comply with voluntarily imposed self-regulation may have significant consequences, including exclusion from a program, fines, and government investigations.