Section 5

Question 1

Which city banned employment based on credit history in 2015?

Answer 1

New York City

Question 2

When was the California Financial Information Privacy Act passed and what is the other name by which it is known?

Answer 2

2004 and known as SB-1

Question 3

How does the CFIPA (CA Financial Info Privacy Act) add to GLBA?

Answer 3

1. Shifts the requirement for financial institution data sharing from an opt-out under GLBA to an OPT-IN under CFIPA.
2. requires that financial institutions provide a SEPARATE DOCUMENT that is prominently titled “Important Privacy Choices for Consumers.”

Question 4

In what two days does the Cal ECPA (Electronic Communications Privacy Act) restrict law enforcement in access to electronic comms?

Answer 4

1. Service Provider Records
   - criminal: search warrant or court order
   - non-criminal: subpoena
2. Electronic Devices
   - search warrant, wiretap order, consent of the customer or certification of an emergency situation

Question 5

What rights does the CCPA (CA Consumer Privacy Act) of 2018 provide?

Answer 5

Right to: KKHOORD
- know what information is collected
- know how the information is shared
- opt out of information sharing
- review information
- request deletion of information

Question 6

Does the CCPA include a private right of action?

Answer 6

Yes

Question 7

How does the CA Privacy Rights Act update the CCPA?

Answer 7

1. Creates a new category of information: Sensitive PI
2. Adds new rights like:
   - correct inaccurate information
   - limit use and disclosure of SPI
   - access information on automated decision-making
   - to opt out of that automated decision-making

Question 8

What law created the California Privacy Protection Agency?

Answer 8

CPRA (2023)

Question 9

When did CA pass the CA Data Broker Law?

Answer 9

2019

Question 10

What does the CA Data Broker Law require?

Answer 10

• annual registration with the AG
• AG publishes list of registered broker on its website

Question 11

When does the CA Age Appropriate Design Code go into effect?

Answer 11

was set to go into effect July 2024 but was litigated

Question 12

What does the CAADCA (California Age Appropriate Design Code Act) require that companies do?

Answer 12

1. Annual Data Protection Impact Assessment (DPIA)
2. Document risks and develop remediation plans
3. Comply with AG requests
4. Estimate age of child visitors
5. Use strong default privacy settings
6. Write privacy notices that children can understand
7. Notify children they may be tracked
8. Provide tools + info that parents and children can use to enforce privacy rights

Question 13

What websites does the CAADCA apply to?

Answer 13

Those that are already subject to the CCPA AND
- are directed at children (as defined by COPPA)
- are routinely accessed by children
- are similar to another website directed at children
- have advertisements marketed to children
- have design elements interesting to children
- a significant amount of the audience is children

Question 14

What are the possible fines under the CAADCA?

Answer 14

Negligent: $2500 per child
Intentional: $7500 per child

Question 15

Is there a private right of action under the CAADCA?

Answer 15

No

Question 16

What entities does the Colorado Privacy Act apply to?

Answer 16

If the business handles PI of 100K or more CO residents or handles PI of 25K or more residents and earns revenue from sharing that info
Does not apply to PI for your own employees

Question 17

Does the CO law apply to non-profits?

Answer 17

Yes. CA does not.

Question 18

Does CO Privacy Law have a private right of action?

Answer 18

No

Question 19

What companies does the Connecticut Data Privacy Act (CTDPA) apply to?

Answer 19

If the business handles PI of 100K or more CT residents or derives over 25% of revenue from selling data AND control or process data of 25K or more CT residents annually

Question 20

What does the CTDPA not apply to?

Answer 20

governments, non-profits, higher education or entities regulated by GLBA, HIPAA and FCRA

Question 21

What rights does the CTDPA provide?

Answer 21

access, correction and deletion of data
data portability
opt out
appeal denial of requests
designate an authorized agent

Question 22

Does the CTDPA have a private right of action?

Answer 22

No

Question 23

When did the Delaware Online Privacy and Protection Act (DOPPA) go into effect?

Answer 23

2016

Question 24

What are the three main categories of DOPPA?

Answer 24

Privacy policies
Protections for children (expands to under 18)
Protections for the privacy of users’ reading habits

Question 25

How does the DOPPA definition of website operators affect a service like Amazon Web Servies?

Answer 25

It does not include web hosting services that have nothing to do with operating the actual site so AWS would be excluded

Question 26

What are the Nevada SB 538 requirements?

Answer 26

Disclose clear privacy policies

Question 27

What is the subject matter of the New Jersey Personal Information and Privacy Protection Act?

Answer 27

Customer identity/customer ID cards

Question 28

What are the eight purposes that the NJ law allows retailers to collect customer IDs?

Answer 28

Validate customer identities for refunds
Verify customer age if needed
Prevent fraud in product returns
Prevent identity fraud in retain credit accounts
Creating and continuing customer contracts
Comply with laws that compel collection or disclosure
Disclose records to financial regulation
Compliance with HIPAA

Question 29

What kinds of data does the WA Biometric law exclude?

Answer 29

Photographs, videos and audio recordings

Question 30

What does the WA Biometric law require for biometric data?

Answer 30

Notice and consent before data can be “enrolled” in a database for commercial purposes with an exception for data needed to complete a transaction or to comply with other legal obligations

Question 31

What does the NYDFS Cybersecurity Regulation do?

Answer 31

Makes financial institutions operating in NY follow cybersecurity infrastructure under NIST

Question 32

What does WA HB 1149 do?

Answer 32

Requires businesses that manage electronic payment transactions liable to help cover the costs involved in issuing new bank cards if their negligence causes a breach

Question 33

What are the DOPPA conspicuous privacy policy posting options?

Answer 33

1. On the homepage or first significant page of a site
2. Accesible through a textl ink or icon containing the word “privacy”
3. For non-websites, reasonably accessible

Question 34

IL Student Online Personal Protection Act (SOPPA)

Answer 34

Grants parents rights to control student info
Data breach notification
Applies to govt agencies and educational technology companies

Question 35

What must be in a Privacy Policy under DOPPA?

Answer 35

PII collected
Third parties that get the PII
How it handles “do not track” requests
Policy change notification procedures

Question 36

What must be included on a privacy policy under NV SB 538?

Answer 36

Categories of PII
Process to review and correct
Notification process for policy changes
Use of third party tracking
Effective date

Question 37

What did NV SB 260 do?

Answer 37

Expanded 538 to included data brokers

Question 38

What are the cybersecurity controls that NY requires?

Answer 38

Penetration testing
vulnerability assessment
Audit trail
Access privileges
Application security
Risk assessments
Multifactor authentication
Encryption
Incident response plan
Secure disposal

Question 39

What companies are subject to the Utah Consumer Privacy Act?

Answer 39

• Over 25M in annual revenue
• Process data of 100K or more Utah residents
• Process data of 25K or more Utah residents and sell it

Question 40

How does CalECPA differ from federal telecoms laws?

Answer 40

Cal ECPA requires Cal state law enforcement get a warrant when requesting electronic data

Question 41

Which states have an explicit right to privacy in their Constitution?

Answer 41

Alaska
Arizona
California
Florida
Hawaii
Illinois
Louisiana
Montana
New Hampshire
South Carolina
Washington

Question 42

What types of personal information are omitted from the CCPA?

Answer 42

PHI and personal financial information regulated by GLBA

Question 43

What is BIPA? Does it include a private right of action?

Answer 43

Illinois Biometric Information Privacy Act
Requires that companies get consent before collecting and using biometric data
YES - includes private right of action

Question 44

What are the rights granted under the CCPA?

Answer 44

KADON
Know
Access
Delete
Opt out
Nondiscrimination

Question 45

What rights does the CPRA add to the CCPA?

Answer 45

CKOR
Correction
Know about automated decision making
Opt out of automated decision making
Restrict sensitive personal information

Question 46

What businesses are subject to the Virginia Consumer Data Protection Act (VCDPA) (2021)?

Answer 46

1. Controls or processes the PI of 100K or more VA residents OR
2. Controls or process the PI of 25K if the business earns of HALF ITS REVENUE from selling that PI

Question 47

What are the five major exemptions from the VCDPA?

Answer 47

1. Virginia government agencies
2. Financial institutions regulated under GLBA
3. Healthcare organizations regulated under HIPAA
4. Non-profit organizations
5. Institutions of higher education

Question 48

Does the VCDPA have a private right of action?

Answer 48

No

Question 49

Does the Colorado Privacy Act have a private right of action?

Answer 49

No

Question 50

What entities does the Colorado Privacy Act apply to?

Answer 50

1. 100K or more residents
2. 25K or more if they earn ANY revenue from selling the PI

Question 51

Does the Colorado Privacy Act apply to non-profits?

Answer 51

Yes (while CA and VA laws leave non-profits exempt from their Privacy Acts)

There is also an exception for businesses handling information about their employees or other businesses

Question 52

What does Nevada’s SB 538 do?

Answer 52

Requires that websites post clear privacy policies (similar to DOPPA)

Question 53

What is a Nevada SB 538 exception?

Answer 53

Website operators in NV with fewer than 20K unique visitors if their revenue is derived primarily from a source other than the sale or lease of goods, services or credit online

Question 54

How does Nevada SB 260 amend Nevada SB 538?

Answer 54

Expands the regulation to cover data brokers who purchase information about NV residents

Question 55

Is there a private right of action under the Connecticut Data Privacy Act?

Answer 55

No

Question 56

What businesses does the Connecticut Data Privacy Act (CTDPA) apply to?

Answer 56

1. 100K or more
2. Derive 25% of gross revenue from selling PI and control or process the data of at least 25K CT residents

Question 57

What does the CTDPA do?

Answer 57

Rights to: access, correction, deletion, data portability, and opt-out, appeals and authorized agent designation

Also controls geofencing around health facilities

Question 58

What entities does the Utah Consumer Privacy Act (UCPA) apply to?

Answer 58

1. Annual gross revenue over 5M OR
2. 100K Utah residents OR
3. 15K residents if they SELL AT ALL

Question 59

How does the UCPA (Utah) differ from the Virginia and Colorado laws?

Answer 59

NO: (1) right to appeal denials
(2) opt-out of profiling

Question 60

Does the UCPA have a private right of action?

Answer 60

No

Question 61

Which state law makes businesses that manage electronic payment transactions liable for the costs associated with data breaches due to the negligence?

Answer 61

Washington HB 1149

Question 62

What does the California Age-Appropriate Design Code Act (CAADCA) require?

Answer 62

Websites directed at children under the age of 18 must conduct protection impact assessments and take other measures to protect the privacy rights of children

NO private right of action

Question 63

Which state law is similar to FERPA?

Answer 63

Illinois Student Online Personal Protection Act

Question 64

What does Massachusetts 201 CMR 17.00 do?

Answer 64

Requires that all companies with info on MA residents have a written information security plan

Question 65

What types of data are omitted from the Washington Biometric Privacy Law (HB1493)?

Answer 65

Photographs
Videos
Audio recordings

Question 66

How did Illinois HB 1260 update data breach notification laws?

Answer 66

Expanded the definition of personal information to include usernames or email addresses combined with a password that would provide access to an account

Question 67

How did Massachusetts HB 4806 update data breach notification laws?

Answer 67

Added requirements for allowing individuals to place security freezes on their credit reports AND required that companies suffering data breaches offer affected users free credit monitoring

Question 68

Most states trigger breach notification when a business knowns there was a breach. Which do so when there is a reasonable belief of a breach?

Answer 68

Alaska and Kentucky

Question 69

Which state does not require notification to regulators upon the event of a breach?

Answer 69

Indiana

Question 70

How did Tennessee SB 2005 update prevailing state breach notification laws?

Answer 70

It updated to include even encrypted data

Question 71

How did Illinois HB 1260 update prevailing state breach notification laws?

Answer 71

It made usernames or email addresses count as PI if they are disclosed in combination with any information, like a password, that would allow an unauthorized party to get access to someone’s account

Question 72

How did California AB 2828 update prevailing state breach notification laws?

Answer 72

Added encrypted data if there is reason to believe the encryption keys were also compromised

Question 73

How did New Mexico HB 15 update prevailing state breach notification laws?

Answer 73

Requires notification if encryption keys are compromised and also includes biometric information

Question 74

What are the notice and choice rules under the CFIPA?

Answer 74

1. Must be notified in advance
2. Provided with time to opt-out

When sharing with unaffiliated third parties, there must be written consent

Question 75

What entities does the CFIPA apply to?

Answer 75

Any financial institution doing business in California

Question 76

What right does CAN SPAM grant to states?

Answer 76

Enforcement by state AGs

Question 77

Which state’s privacy law applies to non-profits?

Answer 77

CO

Question 78

What businesses are exempt from Nevada SB 538?

Answer 78

• Located in Nevada
• Revenue derived outside online
• Small business (less than 20K)

AND websites must have minimum contacts