IAPP CIPP-US Certified Information Privacy Professional/United States Exam Dumps and Practice Test Questions Set 6 Q 101-120


Question 101

Under the Children’s Online Privacy Protection Act (COPPA), what is the age threshold below which parental consent is required for collecting personal information?

A) 10 years

B) 13 years

C) 16 years

D) 18 years

Answer: B

Explanation:

COPPA is a federal law specifically designed to protect children’s privacy online by regulating how websites and online services collect, use, and disclose personal information from children. Understanding COPPA’s scope and requirements is essential for organizations operating child-directed services. COPPA requires parental consent for collecting personal information from children under 13 years of age. The statute applies to operators of commercial websites and online services directed to children, operators with actual knowledge that they are collecting information from children under 13, and operators of general audience sites with separate child-directed sections. Covered operators must post clear privacy policies describing their information practices, provide notice to parents about collection practices, obtain verifiable parental consent before collecting personal information, give parents access to their child’s information, allow parents to revoke consent and delete information, limit collection to what is reasonably necessary for participation, and maintain reasonable security procedures. Personal information under COPPA includes traditional identifiers like name, address, email, telephone number, and Social Security number, as well as online identifiers like screen names, IP addresses, persistent identifiers in cookies, photographs of identifiable children, and geolocation information. Parental consent methods must be reasonably designed to ensure that the person providing consent is the child’s parent, with acceptable methods varying based on how the information will be used. For internal use only, email plus confirmation provides sufficient verification, while broader disclosures require more robust methods like credit card verification, video conferencing, or submission of a government-issued ID. COPPA includes safe harbor provisions allowing industry groups to develop self-regulatory programs approved by the FTC. Violations can result in civil penalties and enforcement actions. Organizations should implement age-screening mechanisms, obtain and document verifiable parental consent, provide parents with access and deletion capabilities, and train staff on COPPA requirements. Option A sets the age too low, missing COPPA’s actual threshold. Option C confuses COPPA with some state laws that have different age thresholds for specific protections. Option D represents the general age of majority, not COPPA’s specific threshold.

Question 102

Which federal law primarily regulates the privacy and security of health information?

A) GLBA

B) FCRA

C) HIPAA

D) FERPA

Answer: C

Explanation:

The United States has sectoral privacy legislation addressing specific industries and data types. Understanding which laws apply to health information is fundamental for healthcare privacy professionals. The Health Insurance Portability and Accountability Act (HIPAA) primarily regulates the privacy and security of health information through its Privacy Rule, Security Rule, and Breach Notification Rule. HIPAA applies to covered entities, including health plans, healthcare clearinghouses, and healthcare providers who transmit health information electronically, as well as business associates that perform functions or services involving protected health information (PHI) on behalf of covered entities. The Privacy Rule establishes standards for protecting PHI, including permitted uses and disclosures, individual rights to access and control information, and administrative requirements. PHI includes individually identifiable health information relating to past, present, or future physical or mental health, the provision of healthcare, or payment for healthcare. Permitted disclosures without authorization include treatment, payment, and healthcare operations, though the minimum necessary standard applies except for treatment. Individual rights include access to records, amendment requests, an accounting of disclosures, restriction requests, and confidential communications. The Security Rule requires administrative, physical, and technical safeguards for electronic PHI (ePHI), including risk assessments, workforce training, access controls, encryption, and audit controls. The Breach Notification Rule requires notification to affected individuals, HHS, and potentially the media when unsecured PHI is breached. Business associate agreements must govern relationships with vendors handling PHI. HIPAA enforcement involves the HHS Office for Civil Rights conducting investigations and imposing civil monetary penalties, with criminal penalties available for willful violations. State laws may provide additional protections beyond HIPAA’s federal floor. Organizations should implement comprehensive compliance programs including policies and procedures, privacy and security officers, workforce training, risk assessments, and breach response plans. Option A (GLBA) applies to financial institutions. Option B (FCRA) regulates consumer reporting agencies. Option D (FERPA) protects student education records.

Question 103

What is the primary purpose of the Fair Credit Reporting Act (FCRA)?

A) Regulate health insurance

B) Ensure accuracy and privacy of consumer information held by credit reporting agencies

C) Protect children’s online privacy

D) Secure financial transactions

Answer: B

Explanation:

The FCRA is foundational privacy legislation governing consumer reporting and background screening. Understanding FCRA requirements is essential for organizations using consumer reports for employment, credit, or other decisions. The FCRA ensures the accuracy and privacy of consumer information held by consumer reporting agencies (CRAs) and regulates how consumer reports are obtained and used. The statute applies to CRAs that assemble or evaluate consumer information for third parties and to users of consumer reports for credit, employment, insurance, or other permissible purposes. Consumer reports include credit reports, background checks, tenant screening reports, and other communications about creditworthiness, character, or general reputation. Key FCRA provisions include permissible purposes limiting report access to legitimate business needs like credit applications, employment screening with consent, insurance underwriting, or court orders. Adverse action requirements mandate that users notify consumers when taking negative actions based on reports, providing the report source, CRA contact information, and dispute rights. Accuracy obligations require CRAs to follow reasonable procedures ensuring maximum possible accuracy, investigate disputes within 30 days, and correct or delete inaccurate information. Consumer rights include free annual credit reports from each nationwide CRA, dispute rights for inaccurate information, fraud alerts, security freezes, and opt-out rights for prescreened offers. Employment screening has specific requirements, including written disclosure and authorization, a pre-adverse action process providing a copy of the report and a summary of rights, and a post-adverse action notice. Furnisher responsibilities require those providing information to CRAs to ensure accuracy and investigate disputes. The FCRA establishes limitations on reporting negative information (typically seven years for most items, ten for bankruptcies), restricts the information included in reports, and provides civil and criminal liability for violations. Organizations should implement FCRA compliance programs including proper authorization procedures, adverse action processes, and training for staff involved in consumer report usage. Option A describes HIPAA’s domain. Option C describes COPPA. Option D describes various financial security regulations but not FCRA’s specific focus.

Question 104

Under the Gramm-Leach-Bliley Act (GLBA), what are “financial institutions” required to provide to customers?

A) Free credit reports annually

B) Privacy notices explaining information sharing practices

C) Identity theft insurance

D) Encryption for all communications

Answer: B

Explanation:

The GLBA establishes privacy and security requirements for financial institutions, forming a critical component of U.S. financial services regulation. Understanding GLBA obligations is essential for privacy professionals in the financial sector. GLBA requires financial institutions to provide customers with privacy notices explaining their information sharing practices and offering opt-out rights for certain disclosures. The statute applies broadly to financial institutions offering financial products or services, including banks, credit unions, securities firms, insurance companies, mortgage lenders, collection agencies, and others significantly engaged in financial activities. GLBA has three principal sections: the Financial Privacy Rule requiring privacy notices and opt-out rights, the Safeguards Rule mandating security programs for customer information, and the Pretexting Provisions prohibiting obtaining financial information through false pretenses. Privacy notices must be provided initially when customer relationships are established and annually thereafter, describing the categories of information collected, the categories shared, the parties with whom information is shared, security measures, and opt-out rights. The opt-out right allows customers to prevent sharing of nonpublic personal information with nonaffiliated third parties for certain purposes, though exceptions exist for processing transactions, servicing accounts, or complying with legal requirements. Notices must be clear, conspicuous, and accurate. The Safeguards Rule requires written information security programs, including designating responsible employees, conducting risk assessments, implementing safeguards addressing identified risks, overseeing service providers through contracts, and regularly monitoring and testing the program. Interagency guidelines provide specific security standards for covered institutions. Enforcement is divided among federal functional regulators (banking agencies, SEC, CFTC, FTC) based on institution type, with state attorneys general also having enforcement authority. Institutions should develop comprehensive GLBA compliance programs including privacy notice development and distribution, opt-out processing, information security programs, vendor management, and workforce training. Option A describes FCRA requirements. Option C is not a GLBA requirement, though some institutions offer such protection. Option D overstates the requirements: GLBA requires appropriate security but does not mandate universal encryption.

Question 105

What is the primary focus of the Family Educational Rights and Privacy Act (FERPA)?

A) Healthcare privacy

B) Financial privacy

C) Privacy of student education records

D) Employment records privacy

Answer: C

Explanation:

FERPA is the primary federal law protecting student education records, applying to educational institutions receiving federal funding. Understanding FERPA is essential for privacy professionals working in educational contexts. FERPA focuses on the privacy of student education records maintained by educational agencies and institutions receiving federal funding from the Department of Education. The statute applies to public and private schools from elementary through postsecondary levels that receive federal education funds. Education records include records directly related to students and maintained by educational institutions or parties acting for them, encompassing grades, transcripts, class schedules, disciplinary records, and contact information. FERPA grants parents rights regarding minor students’ records, with those rights transferring to students when they reach 18 or attend postsecondary institutions. Key rights include inspecting and reviewing education records, requesting amendments to inaccurate records, and consenting to most disclosures of personally identifiable information. Schools must generally obtain written consent before disclosing education records, though numerous exceptions permit disclosure without consent, including to school officials with legitimate educational interests, to other schools to which students transfer, for financial aid purposes, to accrediting organizations, to comply with judicial orders or subpoenas, in health or safety emergencies, and for directory information if proper notice is provided. Directory information (name, address, telephone, email, date and place of birth, honors, dates of attendance, etc.) may be disclosed without consent if schools provide annual notice and an opt-out opportunity. Schools must maintain disclosure records showing who accessed education records (except for school officials and directory information). FERPA is enforced by the Family Policy Compliance Office, which can terminate federal funding for violations, though the statute does not provide a private right of action. Educational institutions should implement policies governing record access, disclosure procedures, amendment processes, and directory information handling, along with training for staff with record access. Option A describes HIPAA. Option B describes GLBA. Option D is not covered by specific federal privacy legislation comparable to FERPA.

Question 106

Which U.S. federal agency primarily enforces privacy laws against unfair or deceptive trade practices?

A) Department of Health and Human Services

B) Federal Trade Commission

C) Securities and Exchange Commission

D) Department of Education

Answer: B

Explanation:

Understanding the U.S. privacy enforcement landscape requires knowing which agencies have authority over different sectors and violations. The FTC plays a central role in privacy enforcement. The Federal Trade Commission primarily enforces privacy laws against unfair or deceptive trade practices under Section 5 of the FTC Act, which gives it broad authority over commercial privacy practices across sectors. The FTC Act prohibits unfair or deceptive acts or practices in or affecting commerce, providing the foundation for FTC privacy enforcement. Deceptive practices include misrepresentations or omissions likely to mislead reasonable consumers, while unfair practices cause or are likely to cause substantial consumer injury that is not reasonably avoidable and not outweighed by benefits. The FTC applies these standards to privacy and data security, finding violations when companies make false or misleading privacy claims, fail to provide promised privacy protections, or implement inadequate security causing consumer harm. The FTC enforces specific privacy statutes including COPPA for children’s online privacy, portions of GLBA for non-bank financial institutions, CAN-SPAM for commercial email, the Telemarketing Sales Rule for telephone solicitations, and FCRA for certain entities. Beyond specific statutes, the FTC pursues general privacy and security enforcement through its Section 5 authority, addressing issues like inadequate data security, privacy policy violations, unfair information practices, and deceptive marketing. FTC enforcement actions typically result in consent orders requiring companies to establish comprehensive privacy programs, obtain biennial security audits for 20 years, pay civil penalties for violations, and implement specific remedial measures. The FTC also issues guidance and reports and holds workshops educating businesses and consumers about privacy. FTC jurisdiction excludes certain regulated entities like banks (overseen by banking regulators), common carriers (overseen by the FCC), and nonprofit organizations. The FTC increasingly coordinates with state attorneys general, who have concurrent authority over unfair and deceptive practices. Companies should monitor FTC guidance, honor the representations made in their privacy policies, maintain reasonable security, and prepare for potential FTC scrutiny. Options A, C, and D describe agencies with sector-specific enforcement authority but not the broad privacy enforcement role of the FTC.

Question 107

What is the primary requirement of state data breach notification laws?

A) Prevent all data breaches

B) Notify affected individuals when their personal information is compromised

C) Establish federal data security standards

D) Provide free credit monitoring indefinitely

Answer: B

Explanation:

State data breach notification laws create obligations for organizations experiencing security incidents involving personal information. Understanding these requirements is essential, as all 50 U.S. states have enacted such laws. The primary requirement of state data breach notification laws is notifying affected individuals when their personal information is compromised in a security breach. These laws began with California’s groundbreaking statute in 2003 and now exist in every state, though requirements vary. Common elements include: triggers based on unauthorized acquisition of or access to personal information; risk-of-harm thresholds in many states, requiring notification only when the breach creates a risk of harm; definitions of personal information that typically cover a name combined with sensitive data such as Social Security numbers, financial account information, or driver’s license numbers; timing requirements ranging from “without unreasonable delay” to specific timeframes such as 30-90 days; content requirements for the notice, which must describe the breach, the types of information affected, steps individuals should take, company contact information, and available assistance; and notification methods, typically written notice with alternatives for large breaches or unknown addresses. Many states require notification to state attorneys general, consumer protection agencies, or other regulators, particularly for breaches affecting specified numbers of residents. Some states require credit reporting agency notification for large breaches. Substitute notice provisions allow email, website posting, or media notification when direct notice is impractical. Many laws include exceptions for encrypted data (if the encryption keys were not compromised), risk assessments determining no reasonable likelihood of harm, or law enforcement delays. Penalties for non-compliance include civil penalties, attorney general enforcement, and private rights of action in some states. Organizations should develop breach response plans addressing detection, investigation, notification decision-making, notification execution, documentation, and post-incident review. Multi-state breaches require compliance with the laws of all affected states, often necessitating meeting the strictest requirements. Option A describes prevention, which is good practice but not the focus of notification laws. Option C mischaracterizes state laws as federal standards. Option D describes a remedy some states or settlements require but not a universal primary requirement.

Question 108

Which constitutional amendment is most frequently cited as providing a foundation for privacy rights in the United States?

A) First Amendment

B) Fourth Amendment

C) Fifth Amendment

D) Tenth Amendment

Answer: B

Explanation:

The U.S. Constitution does not explicitly mention privacy rights, but courts have interpreted various provisions as providing privacy protections. Understanding constitutional privacy foundations helps contextualize modern privacy law. The Fourth Amendment is most frequently cited as providing a foundation for privacy rights, protecting against unreasonable searches and seizures by the government. The Fourth Amendment states: “The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.” This protection establishes the reasonable expectation of privacy test, under which individuals must have an actual subjective expectation of privacy, and that expectation must be one society is prepared to recognize as reasonable. The Fourth Amendment applies to government action, not private conduct, and the third-party doctrine holds that information voluntarily provided to third parties receives reduced protection. Modern Fourth Amendment jurisprudence addresses digital privacy, including whether cell phone searches require warrants (generally yes per Riley v. California), whether cell site location information requires warrants (yes per Carpenter v. United States), and whether email stored by providers is protected (complex, depending on the circumstances). While the Fourth Amendment is most frequently cited, other constitutional provisions also support privacy, including the First Amendment protecting associational privacy and anonymous speech, the Fifth Amendment protecting against self-incrimination, the Ninth Amendment suggesting unenumerated rights including privacy, and the Fourteenth Amendment Due Process Clause, recognized as protecting certain fundamental privacy interests like reproductive decisions in cases like Griswold v. Connecticut and Roe v. Wade (now overturned by Dobbs v. Jackson Women’s Health Organization). Constitutional privacy protections apply primarily against the government, not private sector actors, though the government can regulate the private sector through legislation. Understanding constitutional foundations helps privacy professionals appreciate the public-private distinction in U.S. privacy law and the limits on government surveillance. Options A, C, and D provide some privacy-related protections but less directly and less frequently than the Fourth Amendment.

Question 109

What is the primary enforcement mechanism for HIPAA Privacy Rule violations?

A) Only criminal prosecution

B) Civil monetary penalties imposed by HHS Office for Civil Rights

C) Private lawsuits by affected individuals

D) State medical board discipline

Answer: B

Explanation:

Understanding HIPAA enforcement mechanisms is important for healthcare privacy professionals to appreciate compliance risks and regulatory relationships. HIPAA provides specific enforcement pathways distinct from other privacy laws. Civil monetary penalties imposed by the HHS Office for Civil Rights (OCR) are the primary enforcement mechanism for HIPAA Privacy Rule violations. The HIPAA Omnibus Rule established a tiered penalty structure based on culpability level: unknowing violations ($100-$50,000 per violation), reasonable cause violations ($1,000-$50,000 per violation), willful neglect corrected within 30 days ($10,000-$50,000 per violation), and willful neglect not corrected ($50,000 per violation). Annual maximum penalties cap at $1.5 million per violation type per year. OCR investigates complaints, conducts compliance reviews, and initiates enforcement actions. The enforcement process typically begins with an investigation following complaints or breach reports, with OCR requesting information and documents, findings determining whether a violation occurred, resolution through voluntary compliance, corrective action plans, or resolution agreements, or formal enforcement through civil monetary penalties. Most cases resolve through corrective action and technical assistance rather than penalties. However, OCR increasingly pursues penalties for serious violations, inadequate security measures, or patterns of non-compliance. State attorneys general also have authority to enforce HIPAA on behalf of state residents, seeking damages and injunctive relief. Criminal penalties exist for knowing HIPAA violations, prosecuted by the Department of Justice, with penalties including fines up to $50,000 and imprisonment up to one year for knowing violations, up to $100,000 and five years for obtaining information under false pretenses, and up to $250,000 and ten years for violations with intent to sell or use information for commercial advantage, personal gain, or malicious harm. Importantly, HIPAA does not provide a private right of action, meaning individuals cannot sue entities directly for HIPAA violations in federal court, though state laws may provide additional remedies. Organizations should implement compliance programs, conduct risk assessments, maintain policies and procedures, provide training, and promptly address identified issues. Options A, C, and D describe mechanisms that either do not apply or are not the primary HIPAA enforcement paths.

Question 110

Which of the following is considered “nonpublic personal information” under GLBA?

A) Information publicly available in government records

B) Personally identifiable financial information not publicly available

C) De-identified aggregate data

D) Public company stock prices

Answer: B

Explanation:

GLBA’s protections apply specifically to nonpublic personal information, making the definition of this term critical for understanding compliance scope. The GLBA definition determines what information receives statutory protection. Nonpublic personal information under GLBA is personally identifiable financial information not publicly available, encompassing information individuals provide to obtain financial products or services, information resulting from transactions or services, and information otherwise obtained about consumers in connection with financial services. Personally identifiable financial information includes any information an individual provides on applications or forms (name, address, income, Social Security number, credit history), information about transactions with or through the financial institution (account balances, payment history), and information obtained in providing financial services (the fact that an individual is a customer, credit information used for credit decisions). Information is considered “publicly available” and thus excluded from GLBA protection if it’s available from federal, state, or local government records lawfully made available to the general public, widely distributed media, or disclosures required by law. Examples of publicly available information include real estate records, business registration information, securities filings, and telephone directory listings. However, the mere fact that information could theoretically be obtained from public sources doesn’t make it publicly available if it wasn’t actually obtained that way. GLBA protections apply to information before public disclosure even if it will become public, such as during mortgage applications before recording. De-identified or aggregate information not linked to specific individuals is not considered nonpublic personal information. Understanding what constitutes nonpublic personal information is crucial because GLBA privacy notices must describe sharing practices for this information, opt-out rights apply to sharing with nonaffiliated parties, and safeguards requirements protect this information. Financial institutions should classify information appropriately, with particular attention to borderline cases and combined information that might identify individuals. Privacy policies and internal procedures should reflect accurate understanding of coverage. Option A describes information explicitly excluded from GLBA protection. Option C describes de-identified data outside GLBA scope. Option D describes public financial market information unrelated to individual customers.

Question 111

What is the primary purpose of the CAN-SPAM Act?

A) Prohibit all commercial email

B) Establish requirements for commercial email messages and provide opt-out rights

C) Require encryption of all emails

D) Prevent spam phone calls

Answer: B

Explanation:

The CAN-SPAM Act regulates commercial email, establishing requirements and consumer rights. Understanding these requirements is essential for organizations conducting email marketing. The Controlling the Assault of Non-Solicited Pornography and Marketing Act establishes requirements for commercial email messages and provides opt-out rights to recipients. CAN-SPAM applies to commercial messages primarily advertising or promoting commercial products or services, including content promoting business websites. The law preempts most state email laws but allows stricter state laws regarding falsity and deception. Key CAN-SPAM requirements include accurate header information ensuring that the “From,” “To,” and routing information accurately identify the message originator, no deceptive subject lines that mislead recipients about message content, identification as an advertisement unless a prior relationship exists, inclusion of the sender’s valid physical postal address, and a clear and conspicuous opt-out mechanism allowing recipients to decline future messages. Opt-out mechanisms must be functional for at least 30 days after sending, opt-out requests must be honored within 10 business days, and senders cannot transfer email addresses to third parties except for compliance purposes. Additional rules apply to sexually explicit commercial messages. Each violation subjects senders to penalties up to $46,517. The FTC enforces CAN-SPAM, with other federal agencies enforcing it against the entities they regulate. State attorneys general may bring actions on behalf of residents. Criminal penalties apply for egregious violations like unauthorized computer access, false header information with deceptive intent, or using harvested email addresses. CAN-SPAM does not require affirmative consent for commercial email (opt-in) but rather allows sending until recipients opt out. This differs from approaches in other jurisdictions like the EU, where prior consent is required. Best practices beyond the legal minimums include obtaining permission before sending, making unsubscribe prominent, honoring preferences promptly, monitoring bounce rates, and maintaining sending reputation. Organizations should implement compliance programs addressing message content, header accuracy, physical address inclusion, opt-out processing, and third-party sender monitoring. Option A mischaracterizes CAN-SPAM, which regulates rather than prohibits commercial email. Option C overstates the requirements, as encryption is not mandated. Option D describes the Telephone Consumer Protection Act’s domain rather than CAN-SPAM.

Question 112

Under the Video Privacy Protection Act (VPPA), what type of information is protected?

A) Video surveillance recordings

B) Video rental and purchase records

C) Video game preferences

D) Video conference recordings

Answer: B

Explanation:

The VPPA is sector-specific legislation protecting a narrow but clearly defined category of information. Understanding its scope and requirements is important for businesses in the entertainment and streaming sectors. The Video Privacy Protection Act protects video rental and purchase records, specifically information identifying individuals as having requested or obtained specific video materials from video tape service providers. The statute was enacted in 1988 following the unauthorized disclosure of Supreme Court nominee Robert Bork’s video rental records, reflecting concerns about the sensitive nature of viewing preferences, which can reveal personal interests, beliefs, and activities. VPPA originally applied to physical video rental stores but has been interpreted to extend to streaming services and online video providers. The law prohibits video tape service providers from knowingly disclosing personally identifiable information about consumers except with informed written consent (including electronic consent meeting specific requirements), to law enforcement pursuant to a warrant, subpoena, or court order, or to the consumer, or if the information disclosed would not identify video titles. Consent must be in writing, separately signed or acknowledged, and must specify clearly and conspicuously the categories of information and the recipients. Opt-in consent is generally required, not opt-out. VPPA provides a private right of action allowing affected consumers to sue for actual damages (minimum $2,500), punitive damages, attorney’s fees, and equitable relief. This private right of action makes VPPA particularly significant compared to the many privacy laws lacking such provisions. Recent litigation has addressed whether Facebook “likes” of video content, sharing viewing history on social media, or disclosures to analytics providers violate VPPA. Courts have grappled with what constitutes a “video tape service provider,” “personally identifiable information,” and valid consent in the digital age. The statute’s definition of “consumer” includes not just customers but anyone who seeks services, potentially broadening coverage. Organizations providing video services should implement VPPA compliance programs including consent mechanisms meeting the statutory requirements, limiting disclosures to those made with valid consent or under an exception, and procedures preventing unauthorized disclosure. Options A, C, and D describe other video-related information not covered by the specific statutory protections of VPPA.

Question 113

What is the primary purpose of the California Consumer Privacy Act (CCPA)?

A) Regulate only social media companies

B) Provide California consumers with rights regarding their personal information

C) Replace federal privacy laws

D) Prohibit all data collection

Answer: B

Explanation:

The CCPA represents significant state-level privacy legislation that has influenced national privacy discourse. Understanding CCPA is crucial as it affects many organizations nationwide. The California Consumer Privacy Act provides California consumers with rights regarding their personal information including rights to know, delete, opt-out, and non-discrimination. CCPA applies to for-profit businesses meeting thresholds: annual gross revenues exceeding $25 million, buying, selling, or sharing personal information of 100,000 or more California consumers or households, or deriving 50% or more of annual revenue from selling or sharing personal information. Personal information is broadly defined as information identifying, relating to, describing, or capable of being associated with a particular consumer or household. Consumer rights under CCPA include the right to know what personal information is collected, used, disclosed, or sold, the right to delete personal information held by businesses and service providers (with exceptions), the right to opt-out of sale or sharing of personal information, the right to correct inaccurate information (added by CPRA), the right to limit use of sensitive personal information (added by CPRA), and the right to non-discrimination for exercising CCPA rights. Business obligations include providing privacy notices describing information practices at or before collection, implementing mechanisms for submitting requests, verifying consumer identities for privacy requests, responding to requests within specified timeframes (45 days, extendable to 90), maintaining records of requests and responses, training staff on privacy practices and response procedures, and providing Do Not Sell or Share My Personal Information links. CCPA introduced a private right of action for data breaches involving specific categories of personal information, allowing consumers to seek statutory damages ($100-$750 per consumer per incident) plus injunctive relief.
The California Privacy Protection Agency enforces CCPA with authority to conduct investigations, issue regulations, and impose administrative fines up to $2,500 per violation or $7,500 for intentional violations. The California Privacy Rights Act (CPRA), effective 2023, significantly amended CCPA by adding sensitive personal information protections, expanding consumer rights, creating the CPPA, and modifying definitions. Organizations should assess CCPA applicability, implement consumer rights mechanisms, update privacy notices, establish vendor management for service providers, and maintain compliance documentation. Option A incorrectly limits CCPA to a specific sector. Option C mischaracterizes a state law as a federal replacement. Option D misrepresents CCPA, which regulates rather than prohibits collection.

Question 114

Which entity enforces the California Consumer Privacy Act?

A) Federal Trade Commission

B) California Privacy Protection Agency

C) Securities and Exchange Commission

D) Department of Justice only

Answer: B

Explanation:

Understanding CCPA enforcement structure is important for organizations assessing compliance risks and regulatory relationships. CCPA’s enforcement has evolved with the creation of a dedicated regulatory agency. The California Privacy Protection Agency enforces the California Consumer Privacy Act following the agency’s creation under the California Privacy Rights Act (CPRA) in 2020. The CPPA is an independent state agency dedicated solely to privacy regulation, representing a significant development as most state privacy laws are enforced by attorneys general. The CPPA has broad authority including conducting investigations of potential violations, issuing subpoenas for documents and testimony, implementing regulations interpreting and enforcing CCPA/CPRA, imposing administrative fines for violations, issuing guidance and opinions on privacy matters, and conducting audits of businesses’ privacy practices. The CPPA’s administrative fine authority allows penalties up to $2,500 per violation or $7,500 per intentional violation and violations involving children under 16. Enforcement typically begins with investigations triggered by complaints, audits, or agency initiative. Before imposing penalties for most violations, the CPPA must provide 30-day notice and opportunity to cure, except for violations involving children’s information or failure to cure prior violations. The California Attorney General retained enforcement authority during the CPPA’s establishment period (through June 2023) and maintains concurrent jurisdiction with the CPPA for certain violations. A private right of action exists separately for data breaches involving specified categories of personal information (Social Security numbers, driver’s license numbers, financial account information, medical information, health insurance information, biometric information, or unique biometric data), allowing consumers to seek statutory damages directly in court without requiring agency action.
The CPPA’s establishment represents recognition that dedicated privacy regulators can develop expertise and provide consistent enforcement. Organizations subject to CCPA should monitor CPPA activities including rulemaking, guidance, enforcement actions, and opinions. The CPPA’s focus on privacy creates a different regulatory environment than general consumer protection enforcement. Compliance programs should address both avoiding violations and responding effectively to potential investigations. Option A is incorrect as the FTC lacks authority over state law enforcement. Option C has no CCPA role. Option D is partially incorrect as the DOJ had initial enforcement authority but the CPPA now has primary responsibility.

Question 115

What is a key difference between HIPAA and FERPA regarding health information?

A) HIPAA applies to all health information regardless of holder

B) FERPA governs health records maintained by educational institutions while HIPAA governs health records maintained by covered entities

C) FERPA provides stronger protections than HIPAA

D) They regulate exactly the same entities and information

Answer: B

Explanation:

Understanding jurisdictional boundaries between overlapping privacy statutes prevents compliance gaps and unnecessary duplication. HIPAA and FERPA have specific but sometimes overlapping coverage of health-related information. FERPA governs health records maintained by educational institutions receiving federal education funding while HIPAA governs health records maintained by covered entities (health plans, clearinghouses, and healthcare providers). This creates potential overlap for student health information depending on who maintains it and the context. FERPA covers education records including health records maintained by schools if they’re directly related to students and maintained by educational agencies or institutions. School health records maintained by school nurses, counselors, or health centers generally fall under FERPA when maintained by school employees. However, HIPAA applies if a covered healthcare provider (like a hospital or private physician practice) treats students, even if located on school premises and operating independently. FERPA allows disclosure without consent for health and safety emergencies, while HIPAA permits emergency disclosures to prevent serious and imminent threats. A critical difference involves how the statutes handle parental rights: FERPA transfers rights from parents to students at age 18 or upon attending a postsecondary institution, while HIPAA generally recognizes parental rights for minors with exceptions for treatment the minor can consent to under state law. When HIPAA and FERPA potentially both apply, the analysis considers whether the entity is a HIPAA covered entity, whether the records are education records under FERPA, and whether specific FERPA exceptions apply. University health centers operated by covered entities may be subject to HIPAA rather than FERPA through the overlap provision.
Treatment records created and maintained by healthcare professionals for treatment purposes and not shared beyond treatment are excluded from the FERPA education records definition and are potentially subject to HIPAA if the creator is a covered entity. Organizations operating in educational settings should determine which statute applies through entity type analysis, record source determination, and purpose evaluation, implementing appropriate compliance measures for the applicable statute. Options A and D incorrectly suggest universal application or complete overlap. Option C makes a qualitative comparison that’s context-dependent rather than universally accurate.

Question 116

Under COPPA, which of the following is NOT an acceptable method of obtaining verifiable parental consent for all uses of children’s information?

A) Providing a credit card number for verification

B) Sending an email to the parent

C) Video conference with parent

D) Submission of a government-issued ID

Answer: B

Explanation:

COPPA’s verifiable parental consent requirements vary depending on how collected information will be used. Understanding acceptable consent methods ensures compliant child-directed operations. Sending an email to the parent alone is not acceptable as the sole method for obtaining verifiable parental consent for all uses of children’s information under COPPA. The FTC distinguishes between consent methods based on how information will be used. For internal use only (where information is not disclosed to third parties), email plus additional confirmatory steps (email plus) provides sufficient verification. However, when information will be disclosed to third parties or made publicly available, more robust verification methods are required. Acceptable methods for broader disclosures include providing a credit card, debit card, or other online payment system for small transaction verification, connecting with trained personnel through video conference, using government-issued identification checked against databases, or submitting forms with a signature notarized or verified by other traditional means. Email plus methods for internal use include sending a verification email to the parent and requiring a response, sending a confirmation email with a unique code or link to the parent, requiring the parent to use a provided PIN in subsequent communication, or requiring the parent to call a toll-free number staffed by trained personnel. The rationale for different standards reflects a risk assessment where internal-only uses present lower disclosure risks than public posting or third-party sharing. Email alone is insufficient even for internal use as it doesn’t adequately verify that the respondent is actually the parent rather than the child pretending to be the parent. Operators should assess planned information uses, select appropriate consent methods, implement verification processes, document consent obtained, and maintain consent records.
Technology advances may enable new consent methods if they meet the standard of being reasonably calculated to ensure the person providing consent is the child’s parent. The FTC updates guidance reflecting technological evolution. Organizations should monitor FTC guidance and approved safe harbor programs for acceptable practices. Options A, C, and D describe methods acceptable for all uses including broader disclosures, while email alone (Option B) is insufficient even with confirmatory steps for broader uses.

Question 117

What is the primary distinction between “consumers” and “customers” under GLBA?

A) No distinction exists

B) Consumers have one-time transactions while customers have ongoing relationships

C) Customers receive more privacy protections

D) Consumers can only be individuals while customers can be businesses

Answer: B

Explanation:

GLBA establishes different notice and opt-out requirements based on relationship type with the financial institution. Understanding the consumer-customer distinction ensures proper privacy notice delivery and compliance. Under GLBA, consumers have one-time or limited transactions while customers have ongoing relationships with financial institutions. A consumer is an individual who obtains or has obtained a financial product or service from a financial institution for personal, family, or household purposes, regardless of whether the relationship is continuing. A customer is a consumer with a continuing relationship with the financial institution. The distinction matters because privacy notice requirements differ: customers must receive initial privacy notices when relationships are established and annual privacy notices thereafter, while consumers need only receive privacy notices before information is disclosed to nonaffiliated third parties (if such disclosure occurs). Examples illustrate the distinction: a customer might be someone with a checking account, credit card, mortgage, or brokerage account representing ongoing relationships. A consumer might be someone who applies for but doesn’t receive a loan, uses an ATM at a bank where they have no account, cashes a check at a bank where they have no account, or purchases money orders. However, if that consumer later establishes an ongoing relationship, they become a customer entitled to annual notices. The continuing relationship determination considers whether the individual has a formal contractual relationship with ongoing obligations, reasonable expectations of continued interaction, or repeated transactions. Financial institutions must classify relationships appropriately to fulfill proper notice obligations. Customer relationships warrant more comprehensive notice requirements because ongoing relationships involve repeated information use and greater privacy interests. 
Opt-out rights apply similarly to both consumers and customers for certain disclosures to nonaffiliated third parties, though customers receive more notice opportunities given annual requirements. Financial institutions should implement systems tracking relationship types, triggering appropriate notices, managing customer list maintenance, and documenting notice delivery. Understanding this distinction ensures regulatory compliance and appropriate privacy communications. Options A and D incorrectly suggest no distinction or business eligibility differences. Option C oversimplifies as both receive protections but with different notice timing.

Question 118

Which of the following activities would generally require a company to obtain explicit opt-in consent under the Telephone Consumer Protection Act (TCPA)?

A) Sending text messages for debt collection

B) Making autodialed or prerecorded telemarketing calls to cell phones

C) Calling landlines during business hours

D) Sending transactional emails

Answer: B

Explanation:

The TCPA regulates telemarketing and certain automated communications, establishing consent requirements that significantly affect marketing practices. Understanding TCPA consent requirements prevents violations and associated liability. Making autodialed or prerecorded telemarketing calls to cell phones generally requires prior express written consent under the TCPA. The statute restricts various communications including autodialed calls, prerecorded voice calls, and text messages to cell phones without prior express consent, calls to residential lines before 8 a.m. or after 9 p.m., prerecorded telemarketing calls to residential lines without prior express written consent, and unsolicited fax advertisements without prior express invitation or permission. Prior express written consent must be in writing, signed, clearly authorize the specific communications, include the telephone number to be contacted, and disclose that signing isn’t required as a purchase condition (when applicable). This higher consent standard applies to telemarketing communications using autodialing or prerecorded messages to cell phones. Prior express consent (without the written requirement) suffices for non-telemarketing informational calls like package delivery notifications, appointment reminders, or account alerts. Established business relationship exemptions apply in limited circumstances, though cell phone autodialed telemarketing calls still require prior express written consent even with such relationships. The TCPA includes National Do Not Call Registry provisions requiring telemarketers to scrub calling lists against the registry. Internal do-not-call lists must be maintained for consumers requesting no future calls. TCPA violations carry statutory damages of $500 per violation, trebled to $1,500 for willful violations. Private rights of action allow affected individuals to sue directly, creating significant litigation risks. Class action lawsuits are common for systemic TCPA violations.
Organizations conducting telephone marketing should implement consent documentation systems, maintain do-not-call lists, scrub lists against the National Registry, limit calling hours, train calling personnel, and monitor calling practices. Recent regulatory and judicial decisions have addressed autodialer definitions, consent scope, and revocation mechanisms, creating an evolving compliance landscape. Option A describes debt collection communications, which are subject to the Fair Debt Collection Practices Act and potentially the TCPA, but it is not the clearest example. Option C describes landline calls with fewer restrictions. Option D describes email communications governed by CAN-SPAM rather than TCPA.

Question 119

What is the primary purpose of the Driver’s Privacy Protection Act (DPPA)?

A) Regulate automobile insurance

B) Restrict disclosure of personal information from state motor vehicle records

C) Establish driver’s license standards

D) Control vehicle safety standards

Answer: B

Explanation:

The DPPA is sector-specific federal legislation addressing privacy concerns with government-held motor vehicle records. Understanding DPPA is important for entities accessing such records and for state motor vehicle departments. The Driver’s Privacy Protection Act restricts disclosure of personal information from state motor vehicle records, establishing federal privacy standards for state-maintained DMV records. The statute was enacted in 1994 following the murder of actress Rebecca Schaeffer by a stalker who obtained her address from DMV records, highlighting the risks of unrestricted access to such information. The DPPA applies to state motor vehicle departments and their employees, and to persons who receive information from motor vehicle records, including subsequent recipients. Personal information under DPPA includes name, address, telephone number, Social Security number, driver identification number, photograph, height, weight, gender, age, disability status, and medical information. The statute prohibits disclosure of personal information except under specified permissible uses including uses by government agencies in carrying out their functions, motor vehicle or driver safety purposes, emission or mechanical inspection/recall, insurance purposes, research activities, court orders, use in matters of motor vehicle or driver safety and theft, consumer fraud in connection with motor vehicle/driver safety, identity verification for non-motor vehicle purposes when express consent is obtained, private toll facilities operation, law enforcement purposes, litigation involving motor vehicle or driver safety, personal information requested by an individual about themselves, any other use if express consent is obtained, bulk distribution for surveys, marketing, or solicitations if the state allows it and the individual hasn’t opted out, and use by employers or prospective employers for employment screening.
State motor vehicle departments must provide an opt-out opportunity for marketing-related disclosures. DPPA enforcement includes civil penalties up to $5,000 per violation, criminal penalties for knowing violations, and a private right of action for aggrieved persons seeking actual damages (minimum $2,500), punitive damages, and attorney’s fees. Organizations accessing motor vehicle records should verify permissible use applicability, implement use restrictions, obtain express consent when required, respect opt-out requests, and maintain access documentation. Options A, C, and D describe other automotive regulatory areas not related to DMV record privacy.

Question 120

Under the Fair and Accurate Credit Transactions Act (FACTA), what is the “Red Flags Rule”?

A) Requirement to flag all credit report errors

B) Requirement for financial institutions and creditors to implement identity theft prevention programs

C) Mandate to use red ink for declined transactions

D) Requirement to flag international transactions

Answer: B

Explanation:

FACTA amended the FCRA, adding provisions addressing identity theft prevention. The Red Flags Rule represents a significant regulatory requirement for financial institutions and creditors. The Red Flags Rule requires financial institutions and creditors to implement identity theft prevention programs designed to detect, prevent, and mitigate identity theft in connection with covered accounts. The rule applies to financial institutions and creditors that offer or maintain covered accounts, which include accounts primarily for personal, family, or household purposes involving multiple payments or transactions, and any other accounts with a reasonably foreseeable risk of identity theft. Examples include credit card accounts, checking and savings accounts, mortgages, automobile loans, utility accounts, cell phone accounts, and healthcare accounts. Required identity theft prevention programs must include reasonable policies and procedures for identifying relevant patterns, practices, and specific forms of activity that are red flags of identity theft, detecting red flags in program operation, responding appropriately to detected red flags to prevent and mitigate identity theft, and ensuring program updates to reflect changes in risks. Red flags are patterns, practices, or specific activities indicating possible identity theft, including alerts from consumer reporting agencies, suspicious documents or information, unusual account activity, or notices from customers, victims, law enforcement, or others about possible identity theft. Programs must be approved by the board of directors or senior management, assign specific responsibility for program oversight, provide staff training, and ensure service provider oversight. The rule aims to prevent identity theft through proactive detection of warning signs rather than merely responding after theft occurs. Enforcement is divided among federal functional regulators (banking agencies, NCUA, FTC, SEC, CFTC) based on entity type.
Organizations should conduct risk assessments to identify relevant red flags, develop written programs addressing regulatory requirements, implement detection processes, establish response procedures, train appropriate personnel, and periodically review program effectiveness. Red flag identification should be tailored to entity-specific risks based on account types, methods of opening accounts, and access methods. Appropriate responses to detected red flags might include additional identity verification, contacting customers, changing passwords, closing accounts, or notifying law enforcement. Documentation of red flag incidents and responses helps demonstrate program effectiveness. Options A, C, and D mischaracterize the rule’s actual requirements regarding identity theft prevention programs.

 
