Visit here for our full IAPP CIPP-US exam dumps and practice test questions.
Question 1
Under the Fair Credit Reporting Act (FCRA), which of the following constitutes a “consumer report”?
A) Any information collected by a business about an individual
B) Information bearing on a consumer’s creditworthiness used for eligibility determinations
C) Only credit scores provided by the three major credit bureaus
D) Information used solely for marketing purposes
Answer: B
Explanation:
The Fair Credit Reporting Act establishes a comprehensive framework governing the collection, dissemination, and use of consumer information by consumer reporting agencies. Understanding what qualifies as a consumer report is fundamental to determining when FCRA obligations apply to information gathering and sharing activities. The statutory definition has specific requirements that distinguish consumer reports from general business information.
Information bearing on a consumer’s creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living that is used or expected to be used for eligibility determinations constitutes a consumer report under FCRA. The definition requires that information be collected or used for specific permissible purposes including credit transactions, employment decisions, insurance underwriting, government licensing, or other legitimate business needs involving the consumer. Consumer reports can include not just credit history but also employment history, criminal records, driving records, and other information bearing on consumer characteristics when used for covered purposes. The report must be furnished by a consumer reporting agency, meaning an entity that regularly engages in assembling or evaluating consumer information for third parties. The use or expected use for eligibility determinations is crucial to the definition, distinguishing consumer reports from general business records or information collected for other purposes.
A is incorrect because not all information collected about individuals constitutes a consumer report; the information must bear on specific consumer characteristics and be used for eligibility determinations as defined by FCRA. C is incorrect because consumer reports encompass much more than credit scores and can include employment history, tenant screening reports, and other information from various sources beyond the major credit bureaus. D is incorrect because information used solely for marketing purposes generally does not constitute a consumer report under FCRA, though marketing based on prescreened consumer reports may trigger different FCRA requirements.
Question 2
A company wants to send marketing emails to customers who have not explicitly opted in to receive them. Under the CAN-SPAM Act, what is required for these emails to be compliant?
A) Prior express written consent from each recipient
B) Clear identification as an advertisement and functioning opt-out mechanism
C) Approval from the Federal Trade Commission before sending
D) Use of double opt-in confirmation process
Answer: B
Explanation:
The CAN-SPAM Act establishes requirements for commercial email messages, taking a different regulatory approach than opt-in consent models by allowing commercial emails unless recipients opt out. Understanding CAN-SPAM’s requirements helps organizations send compliant marketing communications while respecting recipient preferences and avoiding significant penalties for violations.
Commercial emails under CAN-SPAM must clearly identify themselves as advertisements and provide recipients with functioning opt-out mechanisms that allow them to decline future emails. The Act imposes several specific requirements including accurate header information showing the actual sender, non-deceptive subject lines reflecting email content, clear identification that the message is an advertisement unless the recipient has an existing business relationship, inclusion of the sender’s valid physical postal address, and an opt-out method that is clear, conspicuous, and easy to use. Recipients must be able to opt out using email addresses or internet-based mechanisms that remain functional for at least 30 days after message transmission. Organizations must honor opt-out requests within 10 business days and cannot charge fees, require personal information beyond an email address, or make recipients take steps other than sending a reply email or visiting a single webpage. CAN-SPAM operates on an opt-out rather than opt-in model, meaning organizations can send initial commercial emails without prior consent as long as they comply with these requirements.
A is incorrect because CAN-SPAM does not require prior express written consent for commercial emails; it uses an opt-out model allowing commercial emails unless recipients decline them, unlike stricter consent models in some state laws or international regulations. C is incorrect because CAN-SPAM does not require FTC approval before sending commercial emails; it establishes requirements organizations must follow but does not implement pre-approval systems. D is incorrect because double opt-in confirmation is not required by CAN-SPAM, though it represents a best practice that provides additional documentation of consent and can help ensure deliverability.
Question 3
Under the Health Insurance Portability and Accountability Act (HIPAA), which of the following is considered a “covered entity”?
A) Any organization that collects health information
B) Health plans, healthcare providers, and healthcare clearinghouses
C) Only hospitals and physician practices
D) Pharmaceutical companies and medical device manufacturers
Answer: B
Explanation:
HIPAA Privacy and Security Rules establish comprehensive protections for individually identifiable health information, but these rules apply only to specific categories of organizations defined as covered entities. Understanding which organizations are subject to HIPAA helps determine when health information is protected by these federal standards versus other privacy frameworks.
Covered entities under HIPAA include health plans such as health insurance companies and HMOs, healthcare providers that conduct certain transactions electronically including hospitals, physicians, pharmacies, and other providers, and healthcare clearinghouses that process health information. Health plans encompass individual and group health insurance, HMOs, Medicare, Medicaid, and other entities providing or paying for medical care. Healthcare providers become covered entities when they transmit health information electronically in connection with standard transactions like claims, eligibility inquiries, or payment activities. Healthcare clearinghouses process health information from nonstandard to standard formats or vice versa. These three categories represent the exclusive set of organizations directly subject to HIPAA rules, though business associates of covered entities also have HIPAA obligations through contractual relationships. The covered entity definition is intentionally limited to organizations directly involved in providing, paying for, or processing healthcare services and claims rather than extending to all organizations handling health information.
A is incorrect because HIPAA covered entity status is limited to specific categories of healthcare organizations, not all entities collecting health information; employers, life insurance companies, and many other organizations collect health data without being HIPAA covered entities. C is incorrect because covered entities include much more than hospitals and physicians, encompassing health plans, clearinghouses, and various provider types including dentists, pharmacies, psychologists, and others. D is incorrect because pharmaceutical and medical device manufacturers are generally not HIPAA covered entities unless they also operate as health plans, providers, or clearinghouses; they may handle health information but not under HIPAA covered entity obligations.
Question 4
A state attorney general is investigating a company for potential privacy violations. Which federal law grants state attorneys general the authority to enforce certain privacy provisions?
A) Federal Trade Commission Act Section 5
B) CAN-SPAM Act
C) Gramm-Leach-Bliley Act
D) Fair Credit Reporting Act
Answer: B
Explanation:
Privacy enforcement in the United States involves multiple regulators at federal and state levels with varying authorities depending on the specific statute. Understanding which laws grant state attorneys general enforcement authority helps organizations recognize the range of potential enforcers and the importance of multi-jurisdictional compliance.
The CAN-SPAM Act explicitly grants state attorneys general authority to enforce its provisions, allowing them to bring civil actions on behalf of state residents to enjoin violations, obtain damages, or pursue other relief. This enforcement authority represents a deliberate policy choice to supplement federal FTC enforcement with state-level actions, recognizing that spam affects residents statewide and that state AGs have an interest in protecting their citizens from deceptive commercial emails. State AGs must provide notice to the FTC before filing actions, and the FTC can intervene in these proceedings. The CAN-SPAM Act specifies that state AGs can recover damages calculated per violation or based on actual monetary loss, whichever is greater, with additional civil penalties possible. This dual enforcement model allows more comprehensive enforcement than FTC action alone could provide, particularly for violations affecting specific states or regions. Several state AGs have pursued CAN-SPAM enforcement actions, demonstrating active use of this authority.
A is incorrect because FTC Act Section 5 enforcement authority resides with the Federal Trade Commission, not state attorneys general, though states have their own unfair and deceptive practices statutes modeled on Section 5. C is incorrect because Gramm-Leach-Bliley Act enforcement is primarily conducted by financial regulators and the FTC depending on institution type, with no general state AG enforcement authority for federal GLBA provisions. D is incorrect because FCRA enforcement authority lies primarily with the FTC, CFPB, and federal banking agencies, not state attorneys general, though states have separate state-level fair credit reporting laws they can enforce.
Question 5
Under the Children’s Online Privacy Protection Act (COPPA), what constitutes “verifiable parental consent” for collecting personal information from children?
A) Email confirmation from a parent
B) A method that ensures the person providing consent is the child’s parent
C) Checkbox acknowledging the child’s age
D) Privacy policy disclosing collection practices
Answer: B
Explanation:
COPPA establishes special protections for children’s online privacy by requiring parental consent before collecting personal information from children under 13. The verifiable parental consent requirement is central to COPPA compliance but requires understanding what verification methods satisfy statutory requirements in different contexts.
Verifiable parental consent means using methods reasonably calculated to ensure that the person providing consent is the child’s parent, with the FTC recognizing various methods depending on whether consent is for internal use only or for public disclosure or third-party sharing. For information used internally or with limited sharing to service providers, acceptable methods include email plus additional steps like emailed confirmation or follow-up communication, or other mechanisms providing reasonable assurance of parental identity. For information publicly disclosed or shared with third parties beyond service providers, operators must use more robust verification methods such as credit card verification, government-issued ID verification with face recognition, video conference with trained personnel, or answering knowledge-based authentication questions. The reasonableness standard recognizes that absolute certainty about parental identity is impossible but requires methods that significantly reduce fraud risk and provide meaningful verification. The method must suit the specific collection and use context, with higher-risk activities requiring stronger verification.
A is incorrect because simple email confirmation alone does not satisfy verifiable parental consent requirements; email plus additional steps may suffice for internal use but not for public disclosure or third-party transfers. C is incorrect because checkbox acknowledgments without verification of parental status do not constitute verifiable consent; they merely indicate awareness without confirming the person clicking is actually a parent. D is incorrect because privacy policy disclosures inform parents about practices but do not provide consent or verify parental identity; disclosure is required but separate from consent mechanisms.
Question 6
A financial institution wants to share customer information with its marketing affiliates. Under the Gramm-Leach-Bliley Act (GLBA), what must the institution do?
A) Obtain explicit opt-in consent from customers before sharing
B) Provide opt-out notice before sharing with affiliates
C) Notify customers of the sharing but no opt-out right is required
D) No notice is required for affiliate sharing
Answer: C
Explanation:
The Gramm-Leach-Bliley Act regulates financial institutions’ collection, use, and sharing of customer information through privacy notice requirements and sharing restrictions. Understanding how GLBA treats different types of information sharing helps financial institutions comply with appropriate notice and choice requirements based on recipient relationships and information uses.
GLBA requires financial institutions to provide privacy notices informing customers about information sharing practices, including sharing with affiliates, but does not require providing opt-out rights for affiliate sharing. The statute distinguishes between affiliate sharing where no opt-out is required, nonaffiliated third-party sharing for marketing where opt-out is required, and certain third-party sharing for operational purposes where neither notice nor opt-out may be needed. For affiliate sharing, institutions must include in their privacy notices disclosures about what information is shared with affiliates and the categories of affiliates receiving information, but customers cannot opt out of this sharing under GLBA. This distinction reflects Congress’s judgment that affiliate sharing within a corporate family presents lower privacy risks than sharing with unrelated third parties. However, the Fair Credit Reporting Act separately provides affiliate marketing opt-out rights for information sharing that could be used for marketing, requiring financial institutions to also consider FCRA affiliate marketing restrictions which do provide opt-out rights.
A is incorrect because GLBA uses an opt-out model rather than opt-in consent for covered sharing, and even the opt-out right does not apply to affiliate sharing. B is incorrect because while opt-out notice is required for certain nonaffiliated third-party sharing, affiliate sharing requires disclosure but not an opt-out right under GLBA. D is incorrect because GLBA does require privacy notices that disclose affiliate sharing practices even though no opt-out right is provided for such sharing.
Question 7
Under the Video Privacy Protection Act (VPPA), what type of consumer consent is required before a video service provider can disclose personally identifiable information about video viewing?
A) Implied consent through continued use of service
B) Informed, written consent for each specific disclosure
C) One-time consent covering all future disclosures
D) Verbal consent documented by the provider
Answer: B
Explanation:
The Video Privacy Protection Act protects the privacy of consumers’ video viewing information by restricting video service providers from disclosing personally identifiable information about videos individuals rent or purchase. VPPA establishes one of the strictest consent requirements in U.S. privacy law, requiring specific consent procedures for disclosure beyond narrow statutory exceptions.
VPPA requires informed, written consent from consumers before video service providers can disclose personally identifiable information about video viewing, with the consent covering only a specific disclosure or limited category of disclosures over a defined period. The statute specifies that consent must be in writing, informed (meaning consumers understand what they’re consenting to), and specific to particular disclosures or defined disclosure categories. Congress enacted VPPA after a reporter obtained Supreme Court nominee Robert Bork’s video rental history, recognizing that video viewing preferences reveal sensitive information about political views, religious beliefs, personal interests, and other private matters. The strict consent requirement reflects this sensitivity. For ongoing disclosures such as sharing with social media platforms, consent must specify the period during which disclosures may occur, which cannot exceed two years. The writing requirement has been interpreted to include electronic writings like clickwrap agreements. The informed requirement means consumers must understand what information will be disclosed, to whom, and for what purposes before consenting.
A is incorrect because VPPA does not recognize implied consent through service use; express written consent is required. C is incorrect because VPPA prohibits blanket consent for all future disclosures; consent must be specific to particular disclosures or defined categories over a specific limited period. D is incorrect because VPPA specifically requires written consent, not verbal consent; documentation of verbal consent would not satisfy statutory requirements.
Question 8
A data broker sells consumer information to third parties. Under which federal law does the FTC have primary authority to regulate this activity?
A) Fair Credit Reporting Act
B) Privacy Act of 1974
C) FTC Act Section 5
D) Electronic Communications Privacy Act
Answer: C
Explanation:
Data brokers compile and sell consumer information but often operate outside sector-specific privacy statutes that cover particular industries or information types. Understanding which legal framework governs general data broker activities helps recognize the FTC’s role in privacy enforcement and the limitations of federal privacy regulation.
FTC Act Section 5 provides the primary federal authority for regulating data broker activities through its prohibition on unfair or deceptive acts or practices. The FTC has jurisdiction over most commercial entities except banks, insurers, telecommunications carriers, and certain other regulated industries. Section 5 enables the FTC to challenge privacy practices that are unfair (causing substantial injury that consumers cannot reasonably avoid and that is not outweighed by benefits) or deceptive (material misrepresentations or omissions likely to mislead consumers acting reasonably). The FTC has used Section 5 authority to pursue data brokers and other privacy cases involving inadequate security, broken privacy promises, and unfair information practices. However, Section 5 is a general consumer protection statute, not a comprehensive privacy law, meaning FTC action is generally enforcement-driven rather than establishing ex ante privacy requirements. The FTC has advocated for comprehensive federal privacy legislation to supplement its Section 5 authority with clearer privacy requirements for data brokers and other entities collecting consumer information.
A is incorrect because FCRA covers consumer reporting agencies compiling consumer reports for eligibility determinations, which is narrower than general data broker activities; many data brokers fall outside FCRA because they sell information for marketing or other purposes not covered by FCRA’s consumer report definition. B is incorrect because the Privacy Act governs federal agency records systems, not private sector data brokers. D is incorrect because ECPA regulates wiretapping and electronic communications interception, not data broker sale of compiled consumer information.
Question 9
Under the California Consumer Privacy Act (CCPA), which of the following is NOT considered a valid reason for a business to deny a consumer’s deletion request?
A) Completing the transaction for which information was collected
B) The business finds deleting the information inconvenient
C) Complying with a legal obligation
D) Using information internally in ways consumers would reasonably expect
Answer: B
Explanation:
The California Consumer Privacy Act grants consumers the right to request deletion of their personal information, but this right is not absolute. Understanding the statutory exceptions to deletion obligations helps businesses determine when they must honor deletion requests versus when legitimate business or legal needs justify retaining information.
Business inconvenience is not a valid statutory exception for denying deletion requests under CCPA. The statute provides specific enumerated exceptions where businesses may retain personal information despite deletion requests, but general business convenience is not among them. Valid exceptions include completing transactions for which information was collected, detecting security incidents or protecting against fraud, debugging to identify and repair functionality errors, exercising free speech rights or ensuring others can exercise theirs, complying with legal obligations including California Electronic Communications Privacy Act protections, using information internally in lawful ways consumers would reasonably expect, or using information internally and lawfully in ways compatible with the context of information collection. These exceptions balance consumer privacy rights against legitimate business needs and other legal obligations. Businesses denying deletion requests must inform consumers of the denial with explanations for why the exception applies. The statutory framework intentionally limits exceptions to prevent businesses from evading deletion obligations through overly broad interpretations.
A is incorrect because completing transactions for which information was collected is a valid CCPA exception allowing businesses to retain information necessary to fulfill the purpose of the transaction consumers initiated. C is incorrect because complying with legal obligations is a valid exception recognizing that businesses may be required to retain information under other laws. D is incorrect because using information internally in ways consumers would reasonably expect based on their relationship with the business is a valid exception allowing continued use for purposes consumers would anticipate.
Question 10
A company experiences a data breach affecting 600 residents of different states. Under which circumstance would federal law require the company to notify affected individuals?
A) Any breach affecting more than 500 individuals
B) Only if the breach involved HIPAA-protected health information
C) Any breach involving personally identifiable information
D) Federal law does not mandate breach notification
Answer: B
Explanation:
Data breach notification requirements in the United States are primarily established through state laws rather than comprehensive federal legislation, with federal requirements limited to specific sectors. Understanding which breaches trigger federal notification obligations versus state law requirements helps organizations determine applicable notification frameworks.
Federal breach notification requirements apply when breaches involve HIPAA-protected health information, with HIPAA’s breach notification rule requiring covered entities and business associates to notify affected individuals, the Department of Health and Human Services, and in some cases the media about breaches of unsecured protected health information. HIPAA requires notification to individuals without unreasonable delay and no later than 60 days after breach discovery. Breaches affecting 500 or more individuals in a state or jurisdiction require media notification in addition to individual notification. Breaches affecting fewer than 500 individuals can be reported to HHS annually rather than immediately. The notification must include breach description, information types involved, steps individuals should take to protect themselves, what the covered entity is doing to investigate and mitigate harm, and contact information. Beyond HIPAA, there is no comprehensive federal breach notification law covering all sectors, though other specific federal statutes cover particular entities or information types. Most breach notification requirements come from state laws which vary in trigger events, timing, and content requirements.
A is incorrect because the 500-individual threshold applies specifically to HIPAA-covered breaches for triggering media notification requirements, not to all breaches under federal law generally. C is incorrect because there is no comprehensive federal breach notification law covering all personally identifiable information; requirements are sector-specific or imposed by state laws. D is incorrect because while there is no comprehensive federal breach notification law, HIPAA and certain other federal statutes do impose breach notification requirements for specific information types and covered entities.
Question 11
Under the Fair and Accurate Credit Transactions Act (FACTA), what must businesses that maintain or possess consumer report information do when disposing of such information?
A) Return all information to the consumer reporting agency
B) Implement reasonable measures to protect against unauthorized access to the information
C) Obtain consumer consent before disposal
D) Notify consumers 30 days before disposal
Answer: B
Explanation:
The Fair and Accurate Credit Transactions Act amended the Fair Credit Reporting Act to address identity theft concerns and improve consumer report accuracy. FACTA’s disposal rule specifically addresses the risk that improperly discarded consumer information could be accessed by identity thieves. Understanding disposal obligations helps organizations that handle consumer report information prevent downstream privacy and security incidents.
FACTA requires any person who maintains or possesses consumer report information for a business purpose to properly dispose of such information by implementing reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal. The rule applies not just to consumer reporting agencies but to any business using consumer reports or information derived from consumer reports, including employers conducting background checks, car dealers obtaining credit reports, landlords screening tenants, and others. Reasonable disposal measures depend on the sensitivity of information, costs and benefits of different disposal methods, and changes in technology. Acceptable practices include burning, pulverizing, or shredding papers containing consumer report information so the information cannot be reconstructed, destroying or erasing electronic media containing information so it cannot be read or reconstructed, or conducting due diligence and hiring document destruction contractors to dispose of materials. The FTC and other agencies have issued guidance and pursued enforcement actions regarding inadequate disposal practices including disposing of intact consumer reports in accessible trash containers.
A is incorrect because FACTA does not require returning information to consumer reporting agencies; businesses must dispose of it properly but not necessarily through return to the source. C is incorrect because consumer consent is not required for disposal; the obligation is to dispose properly using reasonable measures, not to obtain prior consumer approval. D is incorrect because FACTA does not require notifying consumers before disposing of their consumer report information; the obligation is proper disposal itself, not advance notice.
Question 12
A mobile app developer wants to collect location data from users. Under which federal law would this collection most likely be regulated?
A) FTC Act Section 5
B) Electronic Communications Privacy Act
C) Location Privacy Protection Act
D) Telecommunications Act
Answer: A
Explanation:
Mobile app privacy practices including location data collection are not comprehensively regulated by sector-specific federal statutes, creating regulatory gaps addressed primarily through the FTC’s general consumer protection authority. Understanding which legal framework governs mobile app data collection helps developers recognize applicable obligations and enforcement risks.
FTC Act Section 5 provides the primary federal regulatory authority for mobile app location data collection through its prohibition on unfair or deceptive practices. The FTC has pursued numerous mobile app enforcement actions for deceptive privacy practices including misrepresenting collection or sharing of location data, failing to disclose location tracking in privacy policies, or providing inadequate security for collected information. The FTC expects mobile apps to provide clear privacy disclosures explaining what information is collected including location data, how information is used including whether it’s shared with third parties or used for tracking, and providing choices about collection when appropriate. Platform providers like Apple and Google implement their own app store privacy requirements that developers must follow including obtaining user permission for location access. While FTC authority under Section 5 does not establish detailed ex ante privacy requirements, it creates enforcement risk for apps that misrepresent practices or engage in unfair collection without adequate disclosure and choice. The lack of comprehensive federal legislation specific to location privacy means Section 5 serves as the backstop authority.
B is incorrect because ECPA primarily addresses real-time interception of communications and government access to stored communications, not commercial app collection of user location data. C is incorrect because there is no federal Location Privacy Protection Act; some states have enacted location privacy laws but no such federal statute exists. D is incorrect because the Telecommunications Act governs telecommunications carriers and certain communications services but generally does not cover mobile application developers’ data practices.
Question 13
Under COPPA, an operator of a children’s website must obtain verifiable parental consent before collecting personal information from children. Which of the following is an exception to this consent requirement?
A) Collecting email addresses to respond to a one-time request
B) Collecting information to market products to children
C) Collecting information to build user profiles
D) Collecting information to share with third parties
Answer: A
Explanation:
COPPA’s verifiable parental consent requirement is central to protecting children’s online privacy, but the rule recognizes certain limited situations where requiring consent would be impractical while privacy risks are minimal. Understanding these narrow exceptions helps operators provide basic services to children while maintaining COPPA compliance.
COPPA permits collecting email addresses to respond to a one-time request from a child without obtaining parental consent, provided the operator deletes the email address immediately after responding and does not use it to recontact the child beyond responding to the specific request. This exception recognizes that requiring parental consent before answering simple questions would be impractical and that single-use email collection for limited purpose presents minimal privacy risk. Other limited exceptions include collecting email addresses to respond to a specific request and immediately deleting them, collecting information reasonably necessary to protect child safety or website security, and collecting persistent identifiers solely for website support operations like maintaining user sessions. These exceptions are narrow and specifically defined, reflecting careful balance between enabling basic website functionality and protecting children’s privacy. Operators relying on exceptions must still comply with other COPPA requirements including posting privacy policies and implementing reasonable security. Any use of collected information beyond the narrow exception scope requires full COPPA compliance including parental consent.
B is incorrect because using collected information to market to children is specifically prohibited without verifiable parental consent; marketing represents exactly the kind of commercial use COPPA restricts. C is incorrect because building user profiles involves ongoing collection and retention of personal information for commercial purposes requiring full COPPA compliance including parental consent. D is incorrect because sharing personal information with third parties requires parental consent except in very limited circumstances like sharing with service providers performing support functions under strict limitations.
Question 14
A company receives a National Security Letter (NSL) requesting customer information. Under the USA PATRIOT Act, which of the following is correct regarding the company’s obligations?
A) The company must obtain court approval before complying
B) The company must notify affected customers before complying
C) The company is prohibited from disclosing receipt of the NSL
D) The company can refuse to comply without consequences
Answer: C
Explanation:
National Security Letters are administrative subpoenas issued by federal agencies, primarily the FBI, to obtain certain records related to national security investigations. Understanding NSL requirements and restrictions helps companies recognize their obligations and limitations when receiving these demands.
Companies receiving National Security Letters are subject to nondisclosure requirements that prohibit them from revealing the NSL’s existence to anyone other than personnel necessary to comply with the request or an attorney consulted for legal advice. The nondisclosure provision is intended to prevent tipping off investigation subjects or the public about ongoing national security investigations. NSL nondisclosure has been subject to constitutional challenges, and later statutory revisions (notably the USA FREEDOM Act of 2015) allow recipients to petition a court to modify or set aside a nondisclosure requirement and require the government to periodically reassess whether continued nondisclosure remains justified. The PATRIOT Act expanded NSL authority, allowing the FBI to obtain subscriber information, toll billing records, and electronic communication transactional records on a showing of relevance to an authorized national security investigation rather than specific ties to a foreign power or its agents. NSLs do not require judicial approval before issuance, which distinguishes them from traditional warrants and court orders. The combination of broad authority and secrecy has made NSLs controversial, with reforms aimed at increasing oversight while preserving investigative utility.
A is incorrect because NSLs do not require court approval before issuance or compliance; they are administrative demands issued by the agency itself, not judicial orders, although recipients may seek court review. B is incorrect because NSL recipients are prohibited from notifying affected customers or anyone else about the NSL, although the nondisclosure requirement can be challenged in court. D is incorrect because recipients must comply with a valid NSL, though they may petition a court to modify or set it aside; the government can seek judicial enforcement of the request, and refusing without a legal basis can lead to a court order compelling compliance and contempt sanctions for failing to obey it.
Question 15
Under the Telephone Consumer Protection Act (TCPA), what type of consent is required before sending automated text messages to consumers for marketing purposes?
A) Implied consent from prior business relationship
B) Express written consent containing specific disclosures
C) Verbal consent documented by the sender
D) Opt-out opportunity provided in each message
Answer: B
Explanation:
The Telephone Consumer Protection Act restricts telemarketing calls and automated messages to protect consumers from unwanted solicitations. Understanding TCPA consent requirements helps organizations avoid significant statutory damages from non-compliance.
TCPA, as implemented by FCC regulations, requires prior express written consent before making telemarketing calls or sending marketing text messages to mobile phones using an automatic telephone dialing system or an artificial or prerecorded voice. The consent must be a written agreement, signed by the consumer (electronic signatures that satisfy the E-SIGN Act qualify), that clearly authorizes the seller to deliver marketing messages using an autodialer or prerecorded voice, identifies the seller, specifies the telephone number to which the consent applies, and discloses that consent is not a condition of purchasing any goods or services. The statute itself prohibits autodialed or prerecorded calls to mobile phones without prior express consent; the FCC’s 2012 rule (effective in October 2013) raised the standard for telemarketing messages to prior express written consent, while informational and other non-marketing messages still require only prior express consent. The written consent requirement ensures that consumers clearly understand and agree to receive automated marketing messages before businesses send them. TCPA provides statutory damages of $500 per violation, which a court may increase to $1,500 per violation for willful or knowing violations, creating significant exposure for companies sending messages without proper consent. Courts have recognized consumer standing to pursue TCPA claims, resulting in substantial class action litigation.
A is incorrect because an established business relationship is not a substitute for prior express written consent for autodialed marketing messages to mobile phones; the same 2012 FCC rule also eliminated the established business relationship exemption for prerecorded telemarketing calls to residential lines. C is incorrect because the consent for automated marketing messages must be written and signed, not merely verbal, even if the sender documents the conversation. D is incorrect because providing an opt-out opportunity in each message does not substitute for obtaining prior express written consent before the first marketing message is sent; honoring opt-out requests is required in addition to, not instead of, obtaining proper prior consent.
Question 16
A company wants to implement employee email monitoring. Under federal law, which of the following is generally true?
A) Employers must obtain employee consent before monitoring
B) Employers may generally monitor business email on company systems
C) The Privacy Act prohibits all employee monitoring
D) ECPA prohibits employer monitoring of email
Answer: B
Explanation:
Workplace privacy rights are significantly limited compared to consumer privacy protections, with federal law generally permitting employer monitoring of employee communications on company systems. Understanding the scope of federal restrictions on employee monitoring helps organizations implement monitoring programs while recognizing limited employee privacy expectations.
Federal law generally permits employers to monitor employee business email on company systems under several theories. The Electronic Communications Privacy Act prohibits interception of electronic communications and unauthorized access to stored communications, but it contains exceptions that typically cover workplace monitoring: the consent exception, which applies when a party to the communication has consented, for example an employee who has acknowledged a monitoring policy as a condition of using the company system; the provider exception, which allows the provider of an electronic communication service (here, the employer operating its own email system) to intercept or access communications in the normal course of business as necessary to protect its rights or property; and the ordinary-course-of-business (business extension) exception for monitoring conducted with equipment used in the ordinary course of business. Under the Stored Communications Act, the employer, as the provider of the service, may also access messages stored on its own servers. Courts have recognized that employees have limited privacy expectations in email on employer-provided systems, particularly when employers have policies notifying employees of monitoring practices. Many employers therefore adopt written email monitoring policies stating that company email systems are monitored and that personal use carries no expectation of privacy; such policies further reduce employee privacy expectations and supply the consent that supports monitoring. While federal law permits monitoring, some states impose additional notice or consent requirements (Connecticut and Delaware, for example, require employers to give notice of electronic monitoring), and employers should implement clear policies explaining their monitoring practices.
A is incorrect because federal law does not require affirmative employee consent to monitor business communications on employer-provided systems, although consent obtained through a clear monitoring policy is the safest footing and notice is required by some state laws. C is incorrect because the Privacy Act of 1974 governs federal agency records systems, not private employer monitoring of employees. D is incorrect because while ECPA generally prohibits unauthorized interception, its consent, provider, and ordinary-course-of-business exceptions permit employers to monitor their own systems.
Question 17
Under the Driver’s Privacy Protection Act (DPPA), which of the following is a permissible use of personal information from motor vehicle records?
A) Marketing automobile accessories to licensed drivers
B) Use by employers for any employment purpose
C) Use by insurance companies for underwriting purposes
D) Sale to data brokers for resale to third parties
Answer: C
Explanation:
The Driver’s Privacy Protection Act restricts state motor vehicle departments from disclosing personal information from driver’s license and motor vehicle registration records except for specific permissible purposes. Understanding DPPA’s permitted uses helps organizations determine when they can lawfully access and use motor vehicle record information.
DPPA enumerates insurance use as its own permissible purpose: personal information from motor vehicle records may be disclosed for use by any insurer, insurance support organization, or self-insured entity, or their agents, employees, or contractors, in connection with claims investigation, antifraud activities, rating, or underwriting. Insurance underwriting therefore falls squarely within a statutory exception. A separate exception covers matters of motor vehicle and driver safety and theft, motor vehicle emissions, product alterations and recalls, performance monitoring of vehicles, parts, and dealers, and the removal of non-owner records from the original owner records of motor vehicle manufacturers. Other permissible uses include use by government agencies carrying out their functions, use in connection with court or agency proceedings, service of process, verifying the accuracy of information submitted by an individual to a business, research activities and statistical reports that do not publish or redisclose personal information, and use by employers to verify information about holders of commercial driver’s licenses. The statute distinguishes purposes for which disclosure is permitted without consent (the enumerated exceptions) from those that require the driver’s express consent, such as bulk distribution for surveys, marketing, or solicitations. DPPA was enacted after address information obtained from motor vehicle records was used to locate and stalk individuals, most notably in the 1989 murder of actress Rebecca Schaeffer. The law aims to balance legitimate uses of motor vehicle information against the risk that disclosure creates for the individuals in the records.
A is incorrect because use of motor vehicle record information for surveys, marketing, or solicitations requires the driver’s express consent; generic automobile accessory marketing does not fall within the motor vehicle safety or recall exception. B is incorrect because employment purposes generally are not among DPPA’s consent-free permissible uses; the only employer-specific exception is verifying information relating to a holder of, or applicant for, a commercial driver’s license. D is incorrect because DPPA permits resale or redisclosure only for a use that is itself permitted under the statute, and recipients must keep records of such redisclosures for five years; unrestricted sale to data brokers for resale is not permitted.
Question 18
A company operates both in the United States and Europe. When harmonizing privacy practices, which principle represents the most significant difference between U.S. and EU approaches?
A) U.S. law relies more on sector-specific regulation while EU uses comprehensive framework
B) U.S. law provides stronger individual rights than EU law
C) EU law permits more extensive data sharing than U.S. law
D) U.S. and EU approaches are essentially identical
Answer: A
Explanation:
Understanding fundamental differences between U.S. and EU privacy regulatory approaches is essential for multinational organizations developing privacy programs that must comply with both regimes. These differences reflect distinct policy philosophies, regulatory structures, and cultural attitudes toward privacy protection. Recognizing these differences helps organizations navigate compliance challenges when operating across jurisdictions.
U.S. privacy law relies primarily on sector-specific regulation with different laws covering specific industries or information types such as healthcare under HIPAA, financial services under GLBA, children’s information under COPPA, and credit information under FCRA, while EU law employs a comprehensive framework through the General Data Protection Regulation that applies broadly across sectors and information types. The U.S. sectoral approach creates a patchwork of requirements with significant gaps where no federal privacy law governs certain activities, relying instead on FTC Section 5 enforcement and state laws to fill gaps. In contrast, GDPR establishes comprehensive obligations applying to most personal data processing regardless of sector, creating more consistent requirements across activities. The U.S. approach evolved incrementally in response to specific concerns and industry lobbying, while the EU approach reflects fundamental rights perspectives viewing privacy as a human right requiring comprehensive protection. This structural difference affects compliance approaches, with U.S. companies often needing to evaluate which specific laws apply to particular activities, while EU operations must ensure all processing complies with GDPR’s comprehensive requirements.
B is incorrect because EU law generally provides stronger individual rights than U.S. law, including comprehensive access rights, rectification, erasure, data portability, and objection rights that exceed rights under most U.S. privacy laws. C is incorrect because EU law generally restricts data sharing more than U.S. law, requiring lawful bases for processing, limiting purpose, and restricting international transfers, while U.S. law permits broader sharing subject to notice and some opt-out rights. D is incorrect because U.S. and EU approaches differ significantly in structure, scope, individual rights, enforcement mechanisms, and philosophical foundations.
Question 19
Under the California Consumer Privacy Act (CCPA), what is the threshold for when a business must provide a “Do Not Sell My Personal Information” link on its website?
A) Only if the business sells personal information to third parties
B) All businesses regardless of whether they sell personal information
C) Only businesses that sell personal information of more than 1,000 consumers
D) Only businesses that derive more than 50% of revenue from selling personal information
Answer: A
Explanation:
CCPA establishes consumer rights including the right to opt out of the sale of personal information, but understanding when businesses must provide opt-out mechanisms depends on recognizing which activities constitute selling under the statute. The “Do Not Sell” requirement applies specifically to businesses engaged in selling activities as defined by CCPA.
CCPA requires businesses that sell personal information to provide a clear and conspicuous “Do Not Sell My Personal Information” link on their homepage enabling consumers to opt out of sales of their personal information (the CPRA amendments, effective in 2023, extend this to “sharing” for cross-context behavioral advertising and relabel the link “Do Not Sell or Share My Personal Information”). The requirement applies only to businesses actually engaged in selling personal information; a business that does not sell information is not required to provide the link. CCPA defines “sell” broadly as transferring personal information to another business or third party for monetary or other valuable consideration, which captures many data sharing practices not traditionally considered sales, including reciprocal data exchanges and other arrangements that provide value beyond direct payment. The definition carves out disclosures to service providers under qualifying written contracts, transfers as part of a merger or similar transaction, disclosures directed by the consumer, and disclosures required by law. Businesses must evaluate whether their data sharing practices constitute sales under this broad definition. If they sell information, they must provide the opt-out link, honor opt-out requests, and not discriminate against consumers who exercise the right. The link must be clearly labeled and easily accessible from the homepage.
B is incorrect because the “Do Not Sell” link requirement applies only to businesses that actually sell personal information as defined by CCPA, not to all businesses regardless of their sales activities. C is incorrect because there is no 1,000-consumer threshold for the link; if a business subject to CCPA sells any consumer personal information, it must provide the link. D is incorrect because deriving 50 percent or more of annual revenue from selling personal information is one of the alternative thresholds that determine whether an entity is a covered “business” under CCPA at all; it is not the trigger for the opt-out link, which applies to any covered business that sells personal information, however small the revenue involved.
Question 20
A healthcare provider wants to use patient health information for research purposes. Under HIPAA, which of the following is a valid basis for using protected health information for research?
A) Any legitimate research purpose without patient authorization
B) Research use is never permitted under HIPAA
C) Patient authorization, IRB waiver, or limited data set with data use agreement
D) Research is permitted only with verbal patient consent
Answer: C
Explanation:
HIPAA recognizes the importance of health research while protecting patient privacy through requirements that balance research needs with privacy protections. Understanding the mechanisms HIPAA provides for research use of protected health information helps healthcare organizations support valuable research while maintaining compliance.
HIPAA permits using protected health information for research through several mechanisms: individual authorization, where the patient signs a written authorization specifically covering the research use; waiver or alteration of authorization approved by an Institutional Review Board or Privacy Board, which requires findings that the use involves no more than minimal risk to privacy (including an adequate plan to protect and destroy identifiers and assurances against redisclosure), that the research could not practicably be conducted without the waiver, and that it could not practicably be conducted without access to the PHI; and de-identification, since information stripped of identifiers under the Safe Harbor or Expert Determination standard is no longer PHI. HIPAA also permits creating a limited data set that removes specified direct identifiers while retaining potentially useful elements such as dates and ZIP codes, provided the recipient signs a data use agreement restricting how the information may be used and requiring appropriate safeguards. Narrower provisions allow researchers to review PHI in preparation for research (without removing it from the covered entity) and to use the PHI of decedents for research. These mechanisms address different scenarios, from research requiring fully identifiable information to research possible with partially de-identified data. The Privacy Rule’s research provisions aim to support medical research that benefits public health while protecting patient privacy through requirements proportionate to the privacy risk. Organizations conducting research must evaluate which mechanism best suits their research needs while providing appropriate privacy protections.
A is incorrect because research cannot use protected health information without authorization or another valid HIPAA basis such as IRB waiver or de-identification; legitimate purpose alone does not satisfy HIPAA requirements. B is incorrect because HIPAA explicitly permits research uses through several defined mechanisms; the rule balances research importance with privacy protection rather than prohibiting research use. D is incorrect because HIPAA requires written authorization for research use when authorization is the chosen mechanism; verbal consent does not satisfy HIPAA’s documentation requirements for authorization.