PrivacyReffFlashCards

1
Q

Accountability

A

The use of organizational and technical measures which demonstrate that personal data is handled in compliance with relevant law.

2
Q

Adequate Level of Protection

A

Under EU law, a finding (made by the European Commission) that a third country, territory or sector protects personal data to a standard essentially equivalent to the EU's, so that data may be transferred there without further safeguards. The assessment considers the rule of law and legislation, respect for human rights, data protection rules, professional rules and security measures, data subject rights, the existence of independent supervisory authorities, and the country's international commitments.

3
Q

Adverse Action

A

Any business, credit, or employment action that affects consumers negatively, such as denying or canceling credit, insurance, employment, or promotion. A credit transaction where the consumer accepts a counteroffer would not count.

4
Q

American Institute of Certified Public Accountants

A

The U.S. professional organization of certified public accountants that co-created the WebTrust seal program.

5
Q

Americans with Disabilities Act

A

A U.S. law that prohibits discrimination against qualified individuals with disabilities in employment and other areas.

6
Q

Anti-discrimination Laws

A

Indications of special classes of personal data. If these exist based on a class or status, it is likely that the personal information is subject to more prescriptive data protection regulation.

7
Q

APEC Privacy Principles

A

A set of non-binding principles adopted by the Asia-Pacific Economic Cooperation (APEC) forum that mirror the fair information practices of the OECD Guidelines. They promote electronic commerce in the Asia-Pacific region while balancing information privacy against business needs.

8
Q

Background Screening/Checks

A

Verifying an applicant's suitability for the working environment in a way that protects the safety and security of existing workers, for example by checking educational history or criminal records. In the EU, employee consent requirements may be negotiated with works councils and vary by member state.

9
Q

The Bank Secrecy Act

A

A U.S. federal law requiring U.S. financial institutions, money services businesses, or entities that sell money orders or provide cash transfer services, to report, retain, and record qualified financial transactions to the federal government. This is meant to help the government investigate instances of money laundering, tax evasion, terrorist financing and other criminal activities.

10
Q

Behavioral Advertising

A

Advertising targeted at individuals based on observations of their activity over time, most often produced by automated processing of personal data (profiling).

11
Q

Binding Corporate Rules

A

An appropriate GDPR safeguard for cross-border transfers of personal data between two or more entities of a corporate group. These ensure that the same high level of personal data protection is followed by all members of the group through a set of enforceable rules.

12
Q

Binding Safe Processor Rules

A

The processor-side variant of Binding Corporate Rules. Under the GDPR, Binding Corporate Rules are available to both controllers and processors.

13
Q

Breach Disclosure

A

An organization must notify regulators and/or victims of incidents that have impacted the confidentiality and security of personal data. This transparency mechanism brings light to operational failures, helps mitigate harm, and assists in the identification of causes of failure.

14
Q

Bring Your Own Device (BYOD)

A

Allowing employees to use their own personal computing device for work.

15
Q

California Consumer Privacy Act

A

The first comprehensive state-level privacy law in the U.S., applying to businesses that collect personal information from California consumers. It created consumer rights to access, deletion, opt-out of sale and non-discrimination, and imposed specific transparency and disclosure obligations. It was amended and expanded by the California Privacy Rights Act, which became operative on January 1, 2023.

16
Q

California Investigative Consumer Reporting Agencies Act

A

The California state law establishing that employers must notify applicants and employees of any intention to obtain and use their consumer report.

17
Q

California Online Privacy Protection Act

A

This act requires commercial websites and online services that collect personally identifiable information from California residents to post a privacy policy behind a conspicuous, easy-to-find link. Websites that collect personal data from individuals under 18 years of age must permit those minors to delete their data, and websites must disclose which Do Not Track mechanisms they honor, if any.

18
Q

California Privacy Rights Act

A

This act amended the California Consumer Privacy Act with additional consumer privacy protections and created an enforcement agency, the California Privacy Protection Agency. Its provisions became operative on January 1, 2023 and apply to personal information collected on or after January 1, 2022.

19
Q

Case Law

A

Law principles established by judges in previous decisions. When similar issues come back up, judges use the prior decisions as precedents and keep new case decisions consistent.

20
Q

CCTV

A

An acronym for "closed circuit television" that has become shorthand for any video surveillance system. These can be hosted on TCP/IP networks and accessed remotely, and the footage is very easily shared.

21
Q

Children's Online Privacy Protection Act (COPPA) of 1998

A

A U.S. federal law applying to operators of commercial websites and online services either directed to children under the age of 13 or known to collect personal information from children under the age of 13. Operators are required under this law to post a privacy notice on the website, provide notice about collection practices to parents, obtain verifiable parental consent before collecting personal information of children, give parents the choice about whether their child’s personal information will be shared with third parties, provide parents with rights to access, delete, and opt out of future collection or use of the information, and maintain the confidentiality, security and integrity of children’s personal information.

22
Q

Choice

A

The concept that consent must be freely provided and data subjects have a true choice whether to provide personal data or not, without which it is unlikely the consent would be considered valid under GDPR.

23
Q

Cloud Computing

A

Information technology services delivered over the Internet, whether by an organization for its own users or by third-party suppliers. Service models include software, infrastructure, hosting and platforms, supporting applications ranging from personal e-mail to corporate data storage.

24
Q

Collection Limitation

A

The fair information practices principle that there should be limits on the collection of personal data, and that data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.
25
Commercial Activity
This refers to any transaction, act or conduct, or any regular course of conduct that is commercial as defined by PIPEDA, which may include selling, bartering or leasing of donor, membership, or other fundraising lists. Non-profit associations, unions, and private schools may exist outside of this definition.
26
Commercial Electronic Message
Electronic messaging in any form, including e-mail, SMS text messages, and messages sent via social media, where the purpose could be deemed as encouraging participation in a commercial activity. These include messages that offer to promote, purchase, sell or lease products, goods or services.
27
Common Law
Undocumented legal principles developed over time according to societal expectations and customs.
28
Communications Privacy
The class of privacy that encompasses protection of the means of correspondence, including mail, phone conversations, and e-mail
29
Comprehensive Laws
Laws governing the collection, use, and disclosure of personal information in both the public and private sectors.
30
Computer Forensics
Assessing and inspecting an information system for evidence after it has been compromised or exploited.
31
Confidentiality
The principle that data should be protected against unauthorized or unlawful processing.
32
Confirmed Opt-In
An email consent for direct marketing where marketers send a confirmation email eliciting a response ahead of the actual marketing e-mail.
33
Consent
The confirmation of an individual’s agreement to the collection, use, and disclosure of their personal data. There are two thoughts on this: opt-in (making an affirmative action) and opt-out (implied by lack of action).
34
Affirmative / Explicit Consent
The type of consent requiring that an individual indicate agreement with a data controller through active communication.
35
Implicit Consent
The type of consent that is inferred from the action or inaction of the individual.
36
Consent Decree
A judgment into which the parties enter by consent. The defendant usually agrees to stop alleged illegal activity and pay a fine, without any admission. A judge needs to approve and formalize the agreement reached between a U.S. federal or state agency and an adverse party.
37
Consumer Financial Protection Bureau
The independent bureau within the Federal Reserve created by the Dodd-Frank Act with enforcement power to take action against abusive acts and practices as included in the law.
38
Consumer Reporting Agency
Any person or entity that assembles or evaluates personal information in order to provide consumer reports to third parties.
39
Cookie
A small text file stored on a client machine to be retrieved by a web server. Cookies keep track of the end user's browsing activities and group individual requests into sessions; they also allow users to stay signed in. Types include first-party, third-party, session, and persistent.
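The four cookie types on this card are decided by attributes on the Set-Cookie header, and a practitioner reviewing a site usually checks them together with the hardening flags. The following is an added example, not part of the deck: it parses Set-Cookie headers with the Python standard library, classifies each cookie as session or persistent and first- or third-party relative to the page that set it, and flags missing Secure, HttpOnly and SameSite attributes. The page URL and the three headers are constructed for illustration, not captured from any real site.

```python
# Added example: classify Set-Cookie headers as session vs persistent and
# first- vs third-party, and flag missing hardening attributes.
# Stdlib only; the page URL and headers below are constructed for illustration.
from http.cookies import SimpleCookie
from typing import Dict, List
from urllib.parse import urlsplit

PAGE_URL = "https://shop.example.com/checkout"  # constructed
SET_COOKIE_HEADERS = [  # constructed sample headers, not captured from a real site
    "sessionid=9f2c1; Path=/; Secure; HttpOnly; SameSite=Lax",
    "cart=abc; Path=/; Max-Age=2592000",
    "uid=42; Domain=.tracker.example; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Path=/",
]


def is_first_party(page_host: str, cookie_domain: str) -> bool:
    """No Domain attribute means host-only, i.e. first party. With a Domain
    attribute the cookie is first party only when the page host is that
    domain or one of its subdomains."""
    if not cookie_domain:
        return True
    d = cookie_domain.lstrip(".").lower()
    return page_host == d or page_host.endswith("." + d)


def classify_cookies(page_url: str, headers: List[str]) -> List[Dict]:
    parts = urlsplit(page_url)
    page_host = (parts.hostname or "").lower()
    https = parts.scheme == "https"
    results = []
    for header in headers:
        jar = SimpleCookie()
        jar.load(header)  # one Set-Cookie header per call
        for name, m in jar.items():
            # A session cookie carries neither Max-Age nor Expires and dies with
            # the browser session; either attribute makes the cookie persistent.
            persistent = bool(m["max-age"] or m["expires"])
            warnings = []
            if https and not m["secure"]:
                warnings.append("missing Secure")    # would also be sent over plain HTTP
            if not m["httponly"]:
                warnings.append("missing HttpOnly")  # readable by page scripts
            if not m["samesite"]:
                warnings.append("missing SameSite")  # sent on cross-site requests
            results.append({
                "name": name,
                "persistent": persistent,
                "third_party": not is_first_party(page_host, m["domain"]),
                "warnings": warnings,
            })
    return results


if __name__ == "__main__":
    for c in classify_cookies(PAGE_URL, SET_COOKIE_HEADERS):
        print(c)
```

Run against the sample, `sessionid` comes out as a clean first-party session cookie, `cart` as a persistent first-party cookie missing all three flags, and `uid` as a persistent third-party cookie, which is the profile of a tracking cookie.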
40
Credit Freeze
A security measure initiated by a consumer that locks their file with consumer reporting agencies to prevent identity theft.
41
Credit Reporting Agency
Any organization that regularly engages in compiling or evaluating personal information in order to provide consumer reports to third parties under the Fair Credit Reporting Act.
42
Customer Access
The customer’s ability to view, correct, or delete the personal information collected from or about them.
43
Customer Information
Data relating to private-sector clients, healthcare patients, and, for public-sector agencies that provide services, members of the public.
44
Data Breach
The unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a data collector.
45
Data Classification
A scheme organizing different categories of data with appropriate handling and access.
46
Data Controller
The natural or legal person, public authority, agency or other body that, alone or jointly with others, determines the purposes and means of the processing of personal data.
47
Data Elements
A piece of data with a distinct definition that cannot be broken down further, such as a date of birth, a numerical identifier, or location coordinates. In isolation these may not be considered personal data, but they may be once combined.
48
Data Matching
Comparing personal data compiled from a number of sources, including personal information banks, in order to make decisions about the individuals to whom the data relate.
49
Data Processing
Any operation or set of operations performed on personal data, whether or not by automated means, including collection, recording, organization, storage, alteration, retrieval, use, disclosure, dissemination, combination, restriction, erasure or destruction.
50
Data Processor
The natural or legal person, public authority, agency or other body, separate from the controller, that processes personal data on the controller's instructions.
51
Data Quality
The fair information practices principle that says personal data should be relevant, accurate, up-to-date, and complete. Four questions to consider: does it meet the business need; is it accurate; is it complete; and is it recent?
52
Data Recipient
The natural or legal person, public authority, agency, third party, or another body getting personal data by disclosure. This would not apply to public authorities getting personal data in the context of an EU or member state law inquiry.
53
Data Subject
An identified or identifiable natural person about whom the organization has personal information.
54
Deceptive Trade Practices
The actions of corporate entities that mislead consumers or misrepresent products or services, in the context of US federal law. The FTC and state attorneys general or offices of consumer protection respond to these issues. The law typically allows enforcement by the government as well as actions for damages brought by harmed consumers.
55
Defamation
The concept at the center of a common law tort: a communication intended to harm another person's reputation.
56
Digital Fingerprinting
Using log files to identify a website visitor for security and system-maintenance purposes. Log files typically record URLs, web browser, font preferences, operating system, IP address, and timestamps.
57
Digital Signature
A protective measure for the authenticity of an electronic document, such as an e-mail, text file, spreadsheet or image file. The signature is rendered invalid if anything in the document is changed after it is signed.
58
Direct Marketing
Direct contact made to an individual by the seller, in contrast to mass media marketing through radio or TV.
59
Do Not Track
A potential policy allowing consumers the right to opt out of web tracking, in the same vein as the existing US Do-Not-Call Registry.
60
Do-Not-Call Implementation Act of 2003
This act granted the FTC authority to create the National Do-Not-Call Registry. The registry is open to all consumers who wish to place their phone number on the national list to stop telemarketers (except political activities and non-profits) from calling unsolicited.
61
Do-Not-Call Improvement Act of 2007
This act amended the US Do-Not-Call Implementation Act to make registration permanent in place of the earlier requirement to re-register.
62
Dodd-Frank Wall Street Reform and Consumer Protection Act
US Congress passed this act in 2010 to restructure and enhance financial regulation. This created the Consumer Financial Protection Bureau with rule-making authority over FCRA, GLBA, and other laws.
63
Electronic Communications Privacy Act of 1986
The Electronic Communications Privacy and Stored Wire Electronic Communications Acts combined, which reformed the Federal Wiretap Act of 1968. This law protects e-mail and phone calls while being made, stored on computers, and in transit.
64
Electronic Discovery
The process of identifying, preserving, collecting and exchanging electronically stored information between parties and their attorneys in preparation for trial.
65
Electronic Health Record
An individual’s medical file that may be shared across multiple healthcare settings via computer. Examples include radiology images, medical history, medication and allergies, personal stats, immunization status, laboratory test results, vital signs, demographics, and billing information.
66
Electronic Surveillance
Monitoring that is done through electronic means, using things like video surveillance, communications, and location.
67
Employee Information
Personal information reasonably necessary for an organization to collect, use, or disclose in order to establish, maintain, or terminate employment or volunteer work.
68
Employment at Will
The understanding that the employment contract can be ended by the employee or the employer at any moment for any reason.
69
The Equal Employment Opportunity Commission
The independent US federal agency enforcing laws against discrimination in the workplace. It investigates complaints of discrimination based on race, color, religion, sex, national origin, age, disability or genetic information, as well as retaliation, and may file discrimination suits against employers on behalf of alleged victims.
70
Established Business Relationship
A prior or existing connection between the individual and a marketer that allows them to call the individual even if they are on the DNC registry. It would be formed by a voluntary two way communication between the marketer and a residential subscriber for the purpose of an inquiry, application, purchase, or transaction by the residential subscriber regarding products or services offered.
71
EU Data Protection Directive
The first EU-wide legislation protecting personal data use and privacy which was adopted in 1995 and replaced by GDPR in 2018.
72
EU-US Safe Harbor Agreement
An agreement between the EU and the United States, in place from 2000, under which US organizations that self-certified to a set of privacy principles could lawfully receive personal data from the EU. The Court of Justice of the European Union invalidated it in 2015 (Schrems I); the EU-US Privacy Shield replaced it in 2016.
73
EU-US Privacy Shield
The data transfer mechanism created in 2016 to replace the invalidated EU-US Safe Harbor agreement. It allowed transfers of personal data from the EU to participating US companies until the Court of Justice of the European Union invalidated it in July 2020 in the Schrems II case, brought by privacy activist Max Schrems.
74
European Commission
The executive body of the European Union, responsible for implementing the EU's decisions and policies. It proposes draft legislation, which is then considered by the European Parliament and the Council of the EU, and it issues data transfer adequacy decisions.
75
Fair and Accurate Credit Transactions Act of 2003
An expansion of the FCRA focusing on identity theft prevention and consumer access. It requires consumer reporting agencies to provide consumers a free credit report once every twelve months and allows consumers to place fraud alerts on their files when identity theft is suspected.
76
The Fair Credit Reporting Act
A US federal privacy law enacted in 1970 that demands relevance and accuracy in data collection, gives consumers the ability to access and correct their information, and limits the use of consumer reports to appropriate purposes, such as the extension of credit or insurance and employment.
77
The Federal Communications Commission
The United States agency regulating interstate communications by satellite, radio, cable and telecommunications. Its authority overlaps with the FTC's in privacy law through the regulation and enforcement of the Telephone Consumer Protection Act.
78
Federal Trade Commission
The primary consumer protection agency in the US, which collects complaints about companies, business practices and identity theft under the FTC Act and other laws. It brings enforcement actions under the FCRA and under Section 5 of the FTC Act, which prohibits unfair and deceptive trade practices.
79
Financial Industry Regulatory Authority
A self-regulatory organization for exchange markets and brokerage firms that works to ensure securities markets operate transparently and protect investors. It is overseen by the Securities and Exchange Commission.
80
Financial Institutions Reform, Recovery, and Enforcement Act of 1989
This act was passed after the savings and loan crisis of the 1980s and allows financial regulators to impose civil penalties of up to $5,000,000 for failure to comply with regulations, including GLBA's information privacy requirements.
81
The Freedom of Information Act
A U.S. federal law ensuring citizens' access to federal executive branch documents, subject to a limited set of exemptions.
82
GET Method
The HTTP method in which form data is appended to the requested URL as name/value pairs. Unlike the POST method, it leaves whatever the user typed, including passwords and other sensitive values, visible in the browser's address bar and history and in server and proxy logs.
83
Global Privacy Enforcement Network
The collection of data protection authorities set by an OECD recommendation for collaboration among member countries on enforcing privacy laws, developing common priorities, sharing best practices, and supporting joint enforcement and awareness activities.
84
Gramm-Leach-Bliley Act (GLBA)
The Financial Services Modernization Act of 1999, which reorganized financial services regulation for any US company "significantly engaged" in financial activities. Its privacy provisions govern the handling of non-public personal information, such as a consumer's name and address and their interactions with financial institutions.
85
Health Breach Notification Rule
A US rule under HITECH requiring vendors of personal health records and related entities to notify consumers when the security of their individually identifiable health information is breached.
86
The Health Information Technology for Economic and Clinical Health Act (HITECH)
This act focuses on privacy and security issues with PHI as defined by HIPAA. Privacy provisions specified pertain to the introduction of categories of violations based on accountability corresponding to penalty ranges.
87
The Health Insurance Portability and Accountability Act (HIPAA)
A US law passed to create national standards for electronic healthcare transactions. It requires the U.S. Department of Health and Human Services to issue regulations protecting the privacy and security of personal health information. Patients must authorize disclosures of their information to third parties beyond those permitted for treatment, payment and healthcare operations.
88
Information Life Cycle
This approach recognizes different values of data and data handling through an organization between collection and deletion. The stages involved are: collection, processing, use, disclosure, retention, and destruction.
89
Information Privacy
The class of privacy that refers to the right of individuals, groups, or institutions to determine when, how, and to what extent information about them is disclosed to others.
90
Information Security
Protecting information in order to prevent loss, unauthorized access, and misuse. This includes measuring threats and risks to information and the processes and measures to be taken to preserve the confidentiality, integrity and availability of information.
91
Junk Fax Prevention Act of 2005
This act created the Existing Business Relationship exception to the US Telephone Consumer Protection Act’s ban of fax-based marketing without consent. It required that marketing faxes include how to opt out of future unsolicited communications.
92
Jurisdiction
A court’s authority to hear a specified case. Courts must have authority over both the type of dispute (subject matter) and the parties (personal). It also refers to the geographical area or subject-matter applicable to such authority.
93
Location-Based Service
Services that use location information to deliver applications and content, including gaming, social networking and entertainment, usually relying on geolocation to identify the device's real-world geographic position.
94
Medical Information
Records or information received from licensed physicians, hospitals, clinics, or other medical facilities with the consent of the related individual.
95
Minimum Necessary Requirement
The HIPAA requirement that the amount of protected health information disclosed by healthcare providers to third parties be the smallest amount needed to fulfill the intended purpose.
96
Multi-Factor Authentication
An authentication process that combines more than one category of verification, such as a password plus a code sent to a phone, or a login plus a biometric identifier.
97
National Do-Not-Call Registry
A list on which US consumers place their phone numbers to prohibit unsolicited calls from telemarketers. Registration is permanent, and the FCC, FTC and state attorneys general enforce it with fines of up to $16,000 per violation.
98
The National Labor Relations Board
The US federal agency administering the National Labor Relations Act, which holds elections to determine whether employees want union representation and investigates unfair labor practices.
99
National Security Letter
A category of administrative subpoena whose use was expanded by the USA PATRIOT Act. Separate statutory provisions allow it to be served, without a court order, on communication providers, travel agencies, financial institutions and consumer credit agencies.
100
Negligence
An organization is liable for damages related to any breach of legal duty to protect personal information and if an individual is harmed in the process.
101
Non-Public Personal Information
Personally identifiable financial information resulting from a transaction or service made for the consumer, shared by the consumer to a financial institution, or otherwise collected by the financial institution, as defined by GLBA.
102
OECD Guidelines
A widely accepted set of international privacy principles and guidance for countries developing regulations on cross-border data flows and law-enforcement access to personal data. The eight principles are Collection Limitation, Data Quality, Purpose Specification, Use Limitation, Security Safeguards, Openness, Individual Participation, and Accountability.
103
Omnibus Laws
Laws covering a wide range of organizations or natural persons rather than a specific market sector or population.
104
Online Behavioral Advertising
Websites or online advertising services that track and analyze search terms, demographics, online activity, offline activity, browser or user profiles, location data, or preferences, to offer advertising.
105
Opt-In
One of two approaches to choice, where an individual makes an affirmative indication of agreement, like checking a box to allow the business to disclose the information to third parties.
106
Opt-Out
One of two approaches to choice, where the lack of action on the part of the individual is taken as their implication of choice, so for example, their information will be shared with third parties if they don’t uncheck a box.
107
Organization for Economic Cooperation and Development
An international organization that supports policies created to boost employment, sustainable economic growth, and the standard of living.
108
Outsourcing
Contracting a third party to complete business processes, possibly including the processing of personal information.
109
PCI Data Security Standard
A self-regulatory set of security standards for payment card data drafted by the Payment Card Industry Security Standards Council. Compliance requires companies above a certain transaction threshold to undergo third-party security assessments.
110
Perimeter Controls
Technologies and processes created to secure the whole network environment by blocking penetration from the outside.
111
Personal Data
What personal information is called in the EU, defined by GDPR as any information relating to an identified or identifiable natural person.
112
Personal Information
Also called personal data, a term defined by CCPA as information that identifies or could be linked to a particular consumer.
113
Polygraph
A device used to render a diagnostic opinion on whether an individual is being honest.
114
POST Method
The HTTP method that sends form data in the body of the request rather than in the URL, so that, unlike with the GET method, the values do not appear in the browser's address bar or history or in ordinary server access logs. The body is still readable on the network unless the connection uses TLS.
115
Preemption
A superior government making its law supersede that of an inferior government, such as the US federal government's declaration that state governments may not regulate consumer credit reporting.
116
Privacy Assessment
A measurement of an organization's compliance with its own privacy policies and procedures, applicable laws, regulations and industry standards. The organization's practices are compared with its legal obligations and stated practices using subjective information, such as employee interviews and complaints, and objective evidence, such as logs or training attendance.
117
Privacy by Design
This is an approach to privacy where privacy is embedded into technology, systems, and practices from the early design stage to include privacy requirements in the processing of personal information. It was first outlined in a framework with seven foundational principles.
118
Privacy Notice
A statement provided to the data subject explaining how an organization collects, uses, stores, and discloses personal information.
119
Privacy Officer
An individual designated as the head of privacy compliance and operations in an organization. The US federal government treats this person as the official in charge of the implementation and management of all privacy and confidentiality efforts.
120
Privacy Policy
An internal statement that explains an organization or entity’s handling of personal information to the members of the organization interacting with the personal information, informing them about the collection, use, retention, and destruction of the data and data subject rights.
121
The Privacy Rule
This HIPAA rule created national standards for the protection of individuals' medical records and other health information held by health plans, healthcare clearinghouses, and healthcare providers that conduct certain transactions electronically. It requires safeguards to protect the privacy of personal health information and sets limits on unauthorized use and disclosure.
122
Private Right of Action
The individual harmed by violation of the law may file a lawsuit against the violator unless stated otherwise in the law.
123
Protected Health Information
Any individually identifiable health information created, received, maintained or transmitted by a HIPAA-covered entity or its business associate that relates to an individual's past, present or future physical or mental health condition, the provision of healthcare to the individual, or payment for that healthcare.
124
Protective Order
A judge’s declaration of what information not to be made public and the conditions that apply for accessing the protected information.
125
Public Records
Information that a government entity maintains, obtains, and makes available to the general public.
126
Publicity Given to Private Life
A US common law tort under which an invasion of privacy gives rise to liability when a matter is made public in a manner that is highly offensive and is not of legitimate concern to the public.
127
Qualified Protective Order
This prohibits both parties from using or disclosing protected health information for any purpose beyond the litigation, with the understanding that at the end of litigation the PHI will be deleted or returned.
128
Radio-Frequency Identification
Technologies that use radio waves to identify people or objects carrying tags with encoded microchips.
129
Random Testing
Substance testing that is acceptable only in specific scenarios, including industries where employees have a reduced expectation of privacy or where it is necessary for public safety or national security. It is sometimes required by law but prohibited in certain jurisdictions.
130
Re-identification
The process of matching pseudonymized or de-identified data back to the individual it describes, typically by linking the attributes that remain (quasi-identifiers such as ZIP code, date of birth, and sex) with another dataset that still carries names. The residual risk that de-identification can be undone must be assessed before data is released.
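As an added example (not part of the original flashcard deck), the following Python script demonstrates the linkage attack the card describes: a "de-identified" medical extract with names removed is joined to a public record that still carries names, using only the quasi-identifiers ZIP code, birth year, and sex. It also measures k-anonymity before and after generalizing those fields. All records are constructed sample data; the names, ZIP codes, and diagnoses are placeholders, not real people.

```python
"""Linkage attack on a 'de-identified' dataset via quasi-identifiers.

All records below are constructed sample data, not real people.
"""
from collections import defaultdict

QUASI_IDENTIFIERS = ("zip", "birth_year", "sex")

# Constructed "de-identified" medical extract: direct identifiers (name, SSN) removed.
DEIDENTIFIED = [
    {"rec": 1, "zip": "02138", "birth_year": 1983, "sex": "F", "diagnosis": "hypertension"},
    {"rec": 2, "zip": "02138", "birth_year": 1985, "sex": "M", "diagnosis": "asthma"},
    {"rec": 3, "zip": "02139", "birth_year": 1985, "sex": "M", "diagnosis": "diabetes"},
    {"rec": 4, "zip": "02139", "birth_year": 1985, "sex": "M", "diagnosis": "migraine"},
]

# Constructed public record (e.g. a voter roll) that still carries names.
PUBLIC = [
    {"name": "A. Example", "zip": "02138", "birth_year": 1983, "sex": "F"},
    {"name": "B. Example", "zip": "02138", "birth_year": 1985, "sex": "M"},
    {"name": "C. Example", "zip": "02139", "birth_year": 1985, "sex": "M"},
    {"name": "D. Example", "zip": "02139", "birth_year": 1985, "sex": "M"},
]


def _key(row, quasi=QUASI_IDENTIFIERS):
    """Tuple of quasi-identifier values used as the join key."""
    return tuple(row[q] for q in quasi)


def link_records(deidentified, public, quasi=QUASI_IDENTIFIERS):
    """Return {rec_id: [candidate names]} for each de-identified record.

    Exactly one candidate means the record is re-identified outright.
    """
    index = defaultdict(list)
    for row in public:
        index[_key(row, quasi)].append(row["name"])
    return {row["rec"]: list(index.get(_key(row, quasi), [])) for row in deidentified}


def k_anonymity(rows, quasi=QUASI_IDENTIFIERS):
    """Size of the smallest equivalence class over the quasi-identifiers.

    k == 1 means at least one row is unique and therefore linkable.
    """
    counts = defaultdict(int)
    for row in rows:
        counts[_key(row, quasi)] += 1
    return min(counts.values()) if counts else 0


def generalize(rows):
    """Coarsen the quasi-identifiers: 3-digit ZIP prefix, 10-year birth band, sex dropped."""
    out = []
    for row in rows:
        g = dict(row)
        g["zip"] = row["zip"][:3] + "**"
        g["birth_year"] = row["birth_year"] // 10 * 10
        g["sex"] = "*"
        out.append(g)
    return out


if __name__ == "__main__":
    for rec, names in link_records(DEIDENTIFIED, PUBLIC).items():
        status = "RE-IDENTIFIED" if len(names) == 1 else f"{len(names)} candidates"
        print(f"record {rec}: {status} {names}")
    print("k-anonymity of release:", k_anonymity(DEIDENTIFIED))
    print("k-anonymity after generalization:", k_anonymity(generalize(DEIDENTIFIED)))
```

Records 1 and 2 are each unique on the three quasi-identifiers and link to a single name; records 3 and 4 share a key and can only be narrowed to two candidates. Generalizing the fields raises k from 1 to 4 for this sample, at the cost of analytic precision, which is the trade-off a data release review has to make explicitly.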
131
Reasonable Suspicion
A deciding factor for allowing substance testing as a condition of continued employment, based on facts and inferences from those facts, such as speech, smell, appearance, or behavior.
132
Rectification
An individual’s right to have the business or organization amend or correct their personal data if it is inaccurate.
133
Red Flags Rule
An FTC regulation mandating that financial institutions and creditors put measures in place to detect and prevent identity theft. It was amended to exclude from the definition of "creditor" any entity that merely advances funds on behalf of a person for incidental service expenses, which took some lawyers, doctors, and other service providers out of the regulation's scope.
134
Redaction
The act of finding and removing or masking information in documents provided in response to a discovery request or submitted as evidence in court proceedings.
135
Retention
The part of the information life cycle that pertains to organizations keeping personal information only as long as required to fulfill the intended purpose.
136
Right of Access
The right of an individual to request and obtain a copy of the personal data a business or other organization holds about them.
137
Sarbanes-Oxley Act
The US law ensuring transparency from publicly held companies. Under the law, public companies must establish a process for confidentially receiving and handling complaints from self-identified whistle-blowers about actual or potential fraud, such as misuse of assets or fabrications in financial reporting.
138
Seal Programs
Programs that require participants to follow codes of information practices and agree to monitoring in order for the company to publish the programs’ seal on their website.
139
Secret Key
A cryptographic key, used with a cryptographic algorithm, that is uniquely and privately associated with one or more entities. The term signals that the key must be protected from both disclosure and substitution.
140
Sedona Conference
A research and educational institute that publishes widely cited standards and best practices for electronic discovery, including guidance on data retention policies that support e-discovery compliance.
141
The Self-Regulation Model
A privacy model in which the regulated stakeholders (industry bodies or seal programs) rather than government carry out some or all of the three components of regulation: rule-making (legislation), enforcement, and adjudication.
142
Semayne's Case
A 1604 English case that established the knock-and-announce rule, the basis for home-privacy protections later reflected in US Fourth Amendment search-and-seizure law.
143
Smart Grid
An energy system that tracks electricity use through continuous monitoring, automation, and remote computerization, in place of the traditional electric transmission system of physically reading customer meters to find grid issues.
144
SPAM
Unsolicited commercial email.
145
Special categories of data
Article 9 of the GDPR defines these as personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, together with genetic data, biometric data processed to uniquely identify a person, health data, and data concerning a person's sex life or sexual orientation. Processing is prohibited except in the specific circumstances listed in Article 9(2). Criminal conviction and offense data is handled separately under Article 10.
146
Stored Communications Act
This act, enacted in the US as part of the ECPA, prohibits accessing without authorization a facility through which an electronic communication service is provided and thereby obtaining, altering, or preventing authorized access to communications held in electronic storage.
147
Subpoena
A written order issued in a civil, criminal, or administrative case requiring the named person to appear and testify under oath about the subject of a lawsuit, investigation, or proceeding, or (a subpoena duces tecum) to produce specified documents or records.
148
Substance Testing
Screening to determine whether drugs have been used, conducted in settings including preemployment, routine or periodic, random (at will), reasonable-suspicion, or post-accident testing.
149
Substitute Notice
Allowed under breach notification laws where individually notifying the affected data subjects would be too costly, the number affected is very large, or contact information is lacking. It typically consists of email notice where addresses are known, conspicuous posting on the organization's website, and notification to major statewide media.
150
Telephone Consumer Protection Act of 1991
The first law to limit unsolicited and automated telemarketing by fax and phone. It established a private right of action for recipients, with statutory damages of $500 per violation (up to three times that amount for willful or knowing violations) or actual monetary loss, whichever is greater.
151
Territorial Privacy
The class of privacy concerned with limiting intrusion into a person's physical space or environment (home, workplace, or public space), for example through searches, video surveillance, or ID checks.
152
Transfer
Sending or moving personal data from one organization to another.
153
Transparency
Providing information about the data processing to the data subject in a concise, readable, and easily accessible form, using clear and plain language.
154
US Department of Labor
The US federal agency with the responsibility to improve working conditions, advance opportunities, and protect benefits and collective bargaining for the welfare of job seekers, wage earners, and retirees.
155
Unfair Trade Practices
Under Section 5 of the FTC Act, a commercial practice that causes or is likely to cause substantial injury to consumers, that consumers cannot reasonably avoid, and that is not outweighed by countervailing benefits to consumers or competition.
156
Fair Information Practice Principles
Personal data record keeping systems should not be secret. Individuals need to have a way to find out what information about them is stored and how it is used, to prevent their information obtained for one purpose from being used or made available for other purposes, and to correct or amend their information. Any organization creating, maintaining, using, or disclosing personal data must assure the reliability of the data for the stated use and take measures to prevent misuse of the data.
157
USA PATRIOT Act
A broad-ranging act intended to stop terrorism that increased the authority of U.S. law enforcement to intercept and surveil communications and to obtain records.
158
Value-Added Services
Non-core telecommunications services beyond basic voice calls and fax transmission (for example, voicemail or caller ID) that a carrier offers, often at little extra cost, to promote its business.
159
Video Surveillance
Camera recordings made without audio. Recording sound would bring the activity within wiretap and eavesdropping laws, so workplace video surveillance normally excludes it.
160
Voice over Internet Protocol
A technology that carries phone calls over a LAN or the Internet. It carries risks similar to those of network-connected PBX systems, with the added risk of call interception if an unsecured connection is used.
161
WebTrust
A self-regulatory seal program developed by the AICPA and CICA under which licensed certified public accountants audit a website's practices before the seal is granted.
162
Whistleblowing
Employees reporting illegal or improper activity in the workplace to those above them or to an outside agency. The organization should ensure that appropriate privacy safeguards are put in place for the reporting employee.
163
Bodily privacy
The privacy of a person’s physical being.
164
Sectoral model
A privacy framework in which laws apply to individual industry sectors.
165
U.S. government branches
The legislative branch (Congress, comprising the Senate and the House of Representatives) makes laws and can override vetoes; the executive branch (the president, vice president, and cabinet) enforces laws and can veto bills passed by Congress; the judicial branch (the federal courts) interprets laws and determines whether they are constitutional.
166
Torts
Civil wrongs recognized by law as the basis for a lawsuit. Types include intentional torts (the defendant meant to perform the act), negligence (the defendant failed to exercise reasonable care), and strict liability (liability regardless of fault, for example for inherently dangerous activities or defective products).
167
Offer
The proposed language for entering into bargains.
168
Acceptance
The agreement of the person to whom the offer is made.
169
Consideration
The exchange that is bargained for.
170
Person
An entity with legal rights.
171
Jurisdiction
The court’s authority to hear a particular case.
172
Civil litigation
A court case in which one person sues another to redress a perceived wrong.
173
Criminal litigation
A court case in which the government prosecutes a defendant for violating a criminal law.
174
Administrative enforcement actions
Legal actions pursued according to the statutes that create and empower an agency.
175
Risks of using personal information improperly
Legal: state, federal, and international law governing the use of information, and the sanctions for violating it; reputational: harm to the organization's reputation; operational: a privacy program lets the business operate without disruption; investment: return on the investments made in data and systems.
176
Four steps of information management
1. Discover 2. Build 3. Communicate 4. Evolve
177
Data inventory
A record of the information an organization collects, stores, uses, or discloses, and shares with other organizations or business affiliates.
178
Data classification
Data sensitivity levels set by data element and by combination of data elements.
179
Terms that should be included in vendor contracts
Confidentiality, no further use of shared information, use of subcontractors, breach notification, information security provisions, and end of relationship.
180
Standards for vendor selection
Consider the vendor's reputation, financial condition and insurance, incident response, information security controls, audit rights, employee training, point of transfer, and disposal of information.
181
FACTA Disposal Rule
This rule establishes requirements for the disposal of personal information.
182
Online privacy threats
Social engineering, malware, data transfer and access, and phishing.
183
Layered | notice
A privacy notice with sections of different lengths--a shorter version with key points and a longer, more detailed version.
184
Sale under CCPA
Disclosure of personal information to another organization for any type of value, monetary or otherwise.
185
Notice requirements under CCPA
A notice should be posted before collection, be located on the website, list the rights of consumers, and include an option to opt out of sale.
186
Personal information under CCPA
Things like name, email, IP address, employment information, biometrics, and geolocation, but not deidentified information.
187
CCPA data subject rights
These include the rights to receive the information that was collected, delete, and opt out of sale of their information.
188
C.I.A. triad
Confidentiality: access limited to authorized parties; Integrity: data is accurate and has not been altered without authorization; Availability: data is accessible to authorized parties when needed.
189
Physical controls
A type of security control using things like locks and security cameras.
190
Administrative controls
A type of security control using things like incident response plans and training.
191
Technical controls
A type of security control using things like firewalls, access logs, and antivirus software.
192
Incident management steps
1. Determine whether a breach has occurred 2. Contain and analyze the incident 3. Notify affected parties 4. Implement follow-up methods
193
Electronic protected health information (ePHI)
PHI contained in electronic media.
194
Protected health information (PHI)
Individually identifiable health information.
195
HIPAA Privacy Rule protections
Include things like privacy notice, authorization for uses and disclosures, minimum necessary use or disclosure, safeguards, and accountability.
196
HIPAA Security Rule
This rule requires covered entities and business associates to ensure the confidentiality, integrity, and availability of all ePHI they create, receive, maintain, or transmit; to protect against reasonably anticipated threats and against impermissible uses or disclosures; and to ensure their workforce complies with the Security Rule.
197
21st Century Cures Act of 2016
This act expedited research for new medical devices and prescription drugs, sped up the process for drug approval, and reformed mental health treatment. It allowed researchers to view PHI remotely, prohibited information blocking, and allowed sharing mental health or substance abuse information with family and caregivers.
198
Gramm-Leach-Bliley Act Privacy Rule
A rule mandating that financial institutions provide notice of their information-sharing practices to customers, allow customers to opt out of sharing with nonaffiliated third parties, avoid giving account numbers to third parties for marketing, and protect the confidentiality and security of customer information.
199
Gramm-Leach-Bliley Act scope
U.S. financial institutions or companies significantly engaged in financial activities, such as banks, mortgage lenders, insurance providers, and credit advisors.
200
Gramm-Leach-Bliley Act Safeguards Rule
A rule requiring financial institutions to create and implement an information security program with administrative, physical, and technical safeguards to protect the integrity, security, and confidentiality of customer information.
201
Family Educational Rights and Privacy Act
A federal statute that allows students and parents control over how education records are accessed and shared.
202
Student rights under the Family Educational Rights and Privacy Act
The rights to review and seek amendment of their education records, to control the sharing of their education records, to receive annual notice of their rights, and to file complaints with the US Department of Education
203
Family Educational Rights and Privacy Act: education record
All records that are directly related to the student and kept by the school or on behalf of the school. This excludes campus police records, employment records, applicant records, alumni records, and grades on peer-graded papers.
204
Family Educational Rights and Privacy Act: personally identifiable information
Student name, student or family address, parent or family member names, personal identifiers, date of birth, and other information that could be used to identify a student or information requested by a person who is believed to know the identity of a student.
205
Family Educational Rights and Privacy Act: directory information
Information that, if disclosed, would not generally be considered an invasion of privacy or harmful to the individual. A student must be allowed to opt out of this information being shared.
206
Telemarketing Sales Rule
A rule issued by the FTC establishing guidelines for making telemarketing calls.
207
Telemarketing Sales Rule requirements
Covered organizations must transmit caller ID information, call only between 8 a.m. and 9 p.m. local time, promptly identify the seller and the purpose of the call, disclose all material information, scrub call lists against the National Do Not Call Registry, honor a consumer's request not to be called again (entity-specific do-not-call), retain records for at least 24 months, and comply with the rules on automated dialers, prizes, and promotions.
208
Telemarketing Sales Rule covered organizations
Telemarketers (entities that initiate or receive telephone calls to or from consumers) and sellers (entities that provide the goods or services being offered), respectively.
209
Telemarketing Sales Rule: telemarketing
A plan, program, or campaign conducted to induce the purchase of goods or services or a charitable contribution through one or more interstate telephone calls.
210
Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003
An act that established rules for unsolicited commercial e-mail and a mechanism allowing individuals to opt out of undesired communications.
211
Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 scope
Anyone who advertises products or services by e-mail to or from the US.
212
Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 requirements
Conspicuously display a valid return e-mail address and a physical mailing address, give notice of the right to opt out and a mechanism to do so, identify the message as commercial, and label any sexually oriented material with a warning.
213
Wireless Domain Registry
The FCC's registry of domain names used for mobile service messaging. Senders must consult it and obtain the recipient's authorization before sending commercial messages to addresses in those domains.
214
Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003: mobile service commercial message
A commercial e-mail message sent to a wireless device used by a subscriber of a commercial mobile service.
215
Effects of the Telecommunications Act of 1996
Reshaping telecommunications markets, protecting the privacy of customer information and CPNI held by telecommunications carriers, and requiring customer consent before telecommunications carriers sell consumer data to third parties.
216
Customer proprietary network information
Information related to subscribers as collected by telecommunications carriers.
217
The latest CPNI requirements
The 2007 CPNI order, which requires that customers give explicit opt-in consent before carriers share CPNI with independent contractors or joint venture partners for marketing purposes.
218
Cable Communications Policy Act of 1984
This act regulated the notice that cable television providers must give customers, along with their ability to collect, retain, and delete personal information.
219
Video Privacy Protection Act of 1988 scope
Video tape service providers, meaning anyone engaged in the business of renting, selling, or delivering prerecorded video cassette tapes or similar audio-visual materials, plus anyone who receives personal information from such a provider in the course of its business.
220
Video Privacy Protection Act of 1988
An act that set destruction and retention requirements for personal information collected by videotape service providers, prohibited the disclosure of customer personal information and established a private right of action.
221
Electronic Communications Privacy Act
An act extending the ban on interception of wire and oral communications to electronic communications such as e-mail, and adding protection for stored records. It was passed after the Supreme Court ruled in Smith v. Maryland that the Fourth Amendment does not protect the phone numbers a person dials.
222
Right to Financial Privacy Act
An act providing that no government authority may obtain access to or copies of a customer's financial records held by a financial institution except with the customer's consent or under an administrative subpoena or summons, a search warrant, a judicial subpoena, or a formal written request from an authorized government authority.
223
Bank Secrecy Act
An act preventing criminals from using financial institutions to launder or hide money obtained illegally.
224
Cybersecurity Information Sharing Act of 2015
An act allowing the federal government to share unclassified technical data about network attacks and successful defenses with companies, and companies to share cyber threat indicators with the government.
225
Redaction
Identifying and removing or blocking information, in this case personally identifiable information, from documents relevant to a court proceeding or discovery request.
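The two Redaction cards (134 and 225) describe finding and removing identifiers from documents before production. As an added example (not part of the original deck), the following Python script performs pattern-based redaction of common US direct identifiers, replaces each distinct value with a stable typed token so cross-references inside the document survive, and returns an audit log plus a residual check a reviewer can run on the output. The sample text, names, and numbers are constructed placeholders.

```python
"""Pattern-based PII redaction for documents produced in discovery.

Sample text below is constructed; the identifiers in it are placeholders.
"""
import re

# Direct identifiers with a recognizable shape. SSN runs before PHONE so that
# a hyphenated SSN is never partially consumed by the phone pattern.
PATTERNS = [
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("PHONE", re.compile(r"(?:\(\d{3}\)\s*|\b\d{3}[-.\s])\d{3}[-.\s]\d{4}\b")),
    ("DOB", re.compile(r"\b(?:0?[1-9]|1[0-2])/(?:0?[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b")),
]

SAMPLE = (
    "Patient John Q. Sample (SSN 123-45-6789, DOB 03/14/1975) called from (617) 555-0142.\n"
    "Follow-up email to john.sample@example.com. Same SSN 123-45-6789 appears on the claim form."
)


def redact(text, patterns=PATTERNS):
    """Return (redacted_text, log).

    Every distinct value of a given type maps to one token such as [SSN-1],
    so two mentions of the same SSN stay linkable without revealing it.
    The log lists (type, token) in the order values were first seen.
    """
    tokens = {}
    log = []

    def replacer(kind):
        def repl(match):
            value = match.group(0)
            if (kind, value) not in tokens:
                ordinal = sum(1 for k, _ in tokens if k == kind) + 1
                tokens[(kind, value)] = f"[{kind}-{ordinal}]"
                log.append((kind, tokens[(kind, value)]))
            return tokens[(kind, value)]
        return repl

    for kind, pattern in patterns:
        text = pattern.sub(replacer(kind), text)
    return text, log


def residual_matches(text, patterns=PATTERNS):
    """Count identifier-shaped strings still present; should be 0 after redaction."""
    return sum(len(pattern.findall(text)) for _, pattern in patterns)


if __name__ == "__main__":
    cleaned, audit = redact(SAMPLE)
    print(cleaned)
    print("redacted:", audit)
    print("residual identifier matches:", residual_matches(cleaned))
```

Two caveats the card's definition implies but does not spell out: the redaction must replace the text, not merely overlay it (a black box drawn over a PDF leaves the underlying characters extractable), and regexes only catch identifiers with a fixed shape. The name "John Q. Sample" in the constructed text survives this pass; names and free-text references need a manual or entity-recognition review before production.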
226
Stored Communications Act of 1986
Enacted as part of the ECPA, an act that prohibits the unauthorized acquisition, alteration, or blocking of electronic communications held in electronic storage by an electronic communications service.
227
Communications Assistance for Law Enforcement Act of 1994
Also called the "Digital Telephony Bill", this act sets out the obligations of telecommunications carriers and equipment makers to build their systems so they can cooperate with lawful interception requests and related law enforcement needs.
228
Electronic Communications Privacy Act: pen register
A device that records the numbers dialed from a telephone line (a trap-and-trace device records incoming numbers). Under the ECPA's Pen Register Act a judge must issue an order for such a device when law enforcement certifies that the information is relevant to an ongoing criminal investigation.
229
Privacy Protection Act of 1980
This act protects journalists and publishers from government searches or seizures of their work product in criminal investigations, requiring law enforcement to use subpoenas or to seek voluntary cooperation to obtain evidence instead.
230
Cybersecurity Information Sharing Act of 2015 provisions
These include authorization to share and receive cyber threat indicators and defensive measures; authorization for companies to monitor their own systems and operate defensive measures; a requirement to remove personal information not directly related to a threat before sharing; exemption of information shared with the government from FOIA disclosure; restrictions on the government's use of shared information for enforcement actions; and liability protection for monitoring and sharing conducted in accordance with the act.
231
Privacy Protection Act of 1980 scope
This act applies to government officers and employees and only criminal investigations.
232
National Security Letters
A category of administrative subpoena whose use widened under the USA PATRIOT Act. Later reforms addressed the indefinite nondisclosure (gag) orders imposed on the companies that receive them.
233
GDPR requirements
Controllers must appoint a DPO where required, implement privacy by design and by default, report data breaches, cooperate with the supervisory authority (DPA), identify a lawful basis for each processing activity (obtaining valid, informed consent where consent is that basis), conduct DPIAs for high-risk processing, maintain records of processing activities (ROPAs), and enable data subjects to exercise their rights. Processors must commit contractually to confidentiality, data security, breach reporting, and cooperation with the DPA.
234
GDPR data subject rights
Data subjects have the right to be informed (transparent communication and information), to access their data, to rectification, to erasure (the right to be forgotten), to restrict processing, to data portability, to object, and not to be subject to solely automated decision-making.
235
Key differences among states
CCPA/CPRA: enforced by the attorney general (and, under CPRA, the California Privacy Protection Agency); protects CA residents; rights to know, delete, correct, opt out of sale or sharing, opt in to sale for consumers under 16, limit use and disclosure of sensitive PI, and non-discriminatory treatment; private right of action limited to data breaches; applies to businesses in California with revenue over $25 million, or that buy, sell, or share the PI of 50k consumers (raised to 100k by CPRA), or that derive 50% or more of annual revenue from selling or sharing PI, plus their service providers, contractors, and third parties.
Colorado Privacy Act: controllers doing business in or targeting CO that process the data of 100k consumers, or that sell data and process the data of 25k consumers; rights of access, correction, deletion, data portability, and opt out of targeted ads, sale, and profiling; DPIAs required.
Nevada: applies to operators and data brokers that run a website, collect PI from Nevada consumers, and direct activity toward Nevada; no PRA; 30-day cure period; no guidance on how notice should be given.
OPPA: businesses with $25 million revenue in OH or controlling or processing large data sets; rights to delete and to opt out of sale; notice requirements; 30-day cure period; no PRA.
Vermont: applies to data brokers; opt out of sale; DPIA required before processing minors' data.
VCDPA: rights to know, access, delete, correct, data portability, and opt out of targeted ads, sale, and profiling; DPIAs required; applies to entities doing business in Virginia with the PI of 100k consumers, or 25k consumers while deriving 50% of revenue from sale; no PRA; 30-day cure period.
UCPA: no PRA or DPIAs; Utah residents; 30-day cure period; applies at 100k Utah consumers' PI and $25 million annual revenue.
236
Utah Consumer Privacy Act
This is similar to the VCDPA. It applies to businesses with over $25 million in annual revenue that either hold the data of 100,000 Utah consumers or derive over 50% of revenue from the sale of 25,000 consumers' data. It establishes a 30-day cure period and 45 days to respond to data subject access requests. There is no private right of action and no requirement for DPIAs. Enforcement is shared between the Utah Department of Commerce's Division of Consumer Protection and the attorney general's office.
237
Cookie regulations
Under the GDPR (Recital 30), online identifiers such as cookies can be personal data, and the ePrivacy Directive requires user consent before non-essential cookies are placed on a device, so consent must be obtained before such cookies are set.
238
SSN | laws
Federal laws place limits on the disclosure of SSNs; California, for example, has laws prohibiting businesses from posting or printing SSNs.
239
Data destruction laws
Some common elements between states include the scope of government and private businesses, exemptions to other laws like GLBA and HIPAA, penalties, and notice. Some differences include only paper records in AZ; private right of action in AL; and using any means to make data unreadable in CA.
240
California Electronic Communications Privacy Act
This act requires CA law enforcement to produce a warrant before viewing electronic information about residents.
241
Delaware Online Privacy and Protection Act
This act requires operators to conspicuously post privacy policies on the website stating the categories of PII collected and the categories of third parties with whom the information is shared. It also prohibits promoting alcohol, tobacco, and other substances to children under the age of 18.
242
Nevada | SB 538
This bill establishes provisions related to the information and services of immigrants in this state, where each regulatory body is required to create an online resource for immigrants informing them how to obtain a license or similar authorization for certain occupations.
243
Illinois Right to Know Act
This act requires websites and applications to notify Illinois customers of PII collected about them and with whom they share that PII. It does establish a private right of action.
244
NJ Personal Information and Privacy Protection Act
This act limits the purposes for which retail establishments can scan a person’s government identifier and limits use and retention of scanned data.
245
Washington Biometric Privacy Law
This statute allows commercial use of biometric identifiers only with notice and consent, except for disclosures needed to complete a financial transaction the individual requested or authorized.
246
NYDFS Cybersecurity Regulation
A set of DFS regulations (23 NYCRR Part 500) requiring covered financial institutions to assess their cybersecurity risks and develop programs to address them. It applies to all entities operating under DFS licensure, registration, or charter and requires them to manage the cybersecurity risk posed by their third-party service providers.
247
Virginia Consumer Data Protection Act
This act applies to entities doing business in or targeting Virginia that hold the PI of 100k consumers, or of 25k consumers while deriving 50% of their revenue from the sale of that data. Rights include access, correction, deletion, data portability, and opting out of targeted advertising, sale of personal information, and profiling. It also requires DPIAs and sets a 30-day cure period. Entities have 45 days to respond to DSARs.
248
Ohio Personal Privacy Act
This act applies to businesses with $25 million revenue in OH or controlling/ processing large data sets. It provides rights to delete and opt out of sale. It sets requirements for privacy notices and a 30-day cure period.
249
Nevada Revised Statutes Chapter 603A
This chapter applies to data brokers and to operators that own or operate a website for business purposes, collect PI from Nevada consumers, and direct activities toward Nevada. It gives consumers a right to opt out of the sale of their covered information and allows a 30-day cure period.
250
Vermont Data Brokers and Consumer Act
This act applies to data brokers, meaning businesses that collect and sell data about consumers with whom they have no direct relationship. Its requirements include allowing consumers to opt out of the sale of their personal information and conducting DPIAs before processing minors' personal information.
251
Colorado Privacy Act
This act applies to controllers with business operating in CO or targeting CO and maintaining the consumer data of 100,000 or receiving revenue from selling the consumer data of 25,000. It provides CO residents the rights of access, correction, deletion, data portability, opt out of targeted ads, sale, and profiling. Controllers have 45 days to respond to DSARs. It also requires DPIAs.
252
Federal vs state authority
The federal government has authority over the matters assigned to it by the Constitution, and federal law preempts conflicting state law; each state government has authority over affairs within its own borders.
253
Human resource management
The practice of managing people to achieve better performance while following confidentiality requirements about management or business information.
254
Occupational Safety and Health Act
An act overseen by the Department of Labor which regulates workplace safety.
255
Securities and Exchange Commission
The commission that oversees investment advisors, securities brokers and dealers, securities exchanges, and mutual funds to promote fair dealing and transparency of market information and to prevent fraud.
256
Civil Rights Act of 1964
The US law banning discrimination on the basis of religion, race, color, sex, or national origin in hires, promotions, and terminations.
257
Americans with Disabilities Act
A federal civil rights law banning discrimination against people with disabilities in activities including purchases, employment opportunities, and government programs.
258
Genetic Information Nondiscrimination Act
This act prohibits employers from using genetic information in job-related decisions and prohibits health insurers from using it to determine eligibility, premiums, coverage, or benefits.
259
Employee background screening requirements under FCRA
The FCRA regulates the use of consumer reports obtained from consumer reporting agencies for background checks. A company may obtain a consumer report only for a permissible purpose, which includes employment. It must provide written notice to the applicant, obtain written consent, obtain the report only from a qualified CRA, certify its permissible purpose to the CRA, and, if it intends to act on the report, provide a pre-adverse-action notice (with a copy of the report and a summary of rights) followed by an adverse-action notice.
260
Methods of employee background screenings
Examples include psychological testing, polygraphs (only allowed in certain occupations), and substance testing (needing reasonable suspicion in some states).
261
Employee monitoring technologies
Methods include social media, video surveillance, information technology, stored communications, location-based services, monitoring mail, and bring-your-own-device.
262
Employee monitoring requirements under ECPA
The ECPA's Wiretap Act generally bars intercepting wire, oral, and electronic communications. Employers rely on two exceptions when monitoring company calls: consent of at least one party to the communication, and interception in the ordinary course of business (the business-extension exception). Interception outside those exceptions is not allowed, and personal calls should not be monitored beyond what is needed to determine that they are personal.
263
Potential issues with investigations of employee misconduct
Take allegations seriously, document the alleged misconduct, treat employees fairly during the investigation, and consider applicable laws, policies, and employee rights.
264
Records retention after employment
In some jurisdictions there must be a demonstrable business or legal reason to retain specific personal information after termination, such as providing references, responding in legal proceedings, or meeting retention requirements.
265
California Shine the Light law
This act requires businesses in California to disclose what personal information the business has shared with third parties and name the third parties. It applies to businesses that have established relationships with California resident-consumers and disclosed their PII to a third party company for direct marketing.
266
California Online Privacy Protection Act
This act requires commercial websites and online services that collect PII from California consumers to post a conspicuous privacy policy linked from the home page. A 2013 amendment (AB 370) added the requirement to disclose how the site responds to Do Not Track signals and whether third parties may collect PII about users across sites.
267
PRIVACY REF Info?
PRIVACYREF.COM 888-470-1528 INFO@PRIVACYREF.COM