IAPP CIPP-US Certified Information Privacy Professional/United States Exam Dumps and Practice Test Questions Set 10 Q 181-200


Question 181:

Which federal law primarily regulates the privacy of student education records?

A) Family Educational Rights and Privacy Act (FERPA)

B) Health Insurance Portability and Accountability Act (HIPAA)

C) Gramm-Leach-Bliley Act (GLBA)

D) Fair Credit Reporting Act (FCRA)

Answer: A

Explanation:

This question addresses FERPA, which is the primary federal law governing student education record privacy in the United States. Privacy professionals must understand FERPA’s requirements when working with educational institutions or handling student information.

Option A is correct because FERPA protects the privacy of student education records maintained by educational institutions that receive federal funding. It grants parents the right to inspect their children’s records, request amendment of inaccurate or misleading entries, and control disclosure to third parties; these rights transfer to the student (an “eligible student”) at age 18 or upon enrollment in a postsecondary institution. FERPA defines education records broadly as records directly related to a student and maintained by an educational agency or institution, excluding specific categories such as law enforcement unit records, employment records, and sole-possession notes. FERPA permits disclosure without consent in enumerated circumstances, including to school officials with a legitimate educational interest, to other schools where the student seeks to enroll, in health or safety emergencies, for properly designated directory information, and in response to a lawfully issued subpoena or court order (generally with prior notice to the parent or eligible student). Violations can result in withdrawal of federal funding, making compliance critical for educational institutions.

Option B describes HIPAA, which protects health information but generally doesn’t apply to student health records maintained by educational institutions. FERPA typically governs these records unless they’re maintained by covered healthcare providers affiliated with schools.

Option C refers to GLBA, which regulates financial institutions’ handling of consumer financial information. While some educational institutions may have GLBA obligations for financial services, GLBA doesn’t govern general student education records.

Option D mentions FCRA, which regulates consumer reporting agencies and use of consumer reports. While educational institutions using background checks must comply with FCRA, it doesn’t govern student education records.

Privacy professionals should understand FERPA’s definition of education records, recognize the permissible disclosures that do not require consent, implement access controls for student records, establish procedures for parental and student access requests, train staff on FERPA requirements, obtain written consent for disclosures that are not otherwise permitted, maintain the required record of disclosures, understand the directory information provisions and the opt-out they require, coordinate FERPA compliance with other privacy laws, and recognize that FERPA is enforced through complaints and investigations by the Department of Education rather than through a private right of action.

Question 182:

Under the California Consumer Privacy Act (CCPA), which of the following rights do California residents have?

A) The right to know what personal information is collected and request deletion

B) The right to unlimited data collection without consent

C) The right to prevent all business operations

D) The right to avoid all privacy notices

Answer: A

Explanation:

This question examines CCPA’s consumer rights provisions, which establish comprehensive privacy protections for California residents. Privacy professionals must understand these rights to implement compliant processes for businesses subject to CCPA.

Option A is correct because CCPA grants California consumers several rights: the right to know what personal information a business collects, uses, shares, and sells; the right to request deletion of personal information, subject to enumerated exceptions; the right to opt out of the sale or sharing of personal information; and, under the CPRA amendments, the right to correct inaccurate personal information and the right to limit the use and disclosure of sensitive personal information. Businesses must offer at least two methods for submitting requests to know and delete, including a toll-free number unless the business operates exclusively online, and must post a “Do Not Sell or Share My Personal Information” link on their homepage. Businesses must verify the consumer’s identity before fulfilling a request to know, delete, or correct, respond within 45 days (extendable once by a further 45 days with notice to the consumer), and may not discriminate against consumers for exercising their rights.

Option B contradicts CCPA’s fundamental purpose of limiting business collection and use. CCPA restricts rather than enables unlimited collection, requiring purpose disclosure, deletion rights, and opt-out mechanisms constraining business data practices.

Option C incorrectly suggests consumers can prevent all operations. While CCPA grants significant rights, businesses can continue lawful operations subject to privacy requirements, with consumer rights providing control over personal information rather than business cessation.

Option D contradicts transparency requirements. CCPA mandates comprehensive privacy notices at collection and in privacy policies, with notices essential for enabling informed consumer decisions and rights exercise.

Privacy professionals should implement compliant processes for all CCPA rights, establish identity verification procedures, create user-friendly request mechanisms, train staff on request handling, respond within statutory timeframes, understand exemptions limiting rights, avoid discriminatory practices, maintain request logs, update privacy notices describing rights, implement Do Not Sell mechanisms, and monitor California privacy law developments including CPRA amendments expanding consumer rights and enforcement.

Question 183:

Which federal agency enforces Section 5 of the FTC Act prohibiting unfair or deceptive practices?

A) Federal Trade Commission (FTC)

B) Department of Health and Human Services (HHS)

C) Securities and Exchange Commission (SEC)

D) Federal Communications Commission (FCC)

Answer: A

Explanation:

This question addresses FTC enforcement authority under Section 5, which serves as broad federal privacy and data security authority in the United States. Privacy professionals must understand FTC enforcement approaches and consent decree requirements affecting many organizations.

Option A is correct because the FTC enforces Section 5 of the FTC Act, which prohibits unfair or deceptive acts or practices in or affecting commerce, and the FTC has long interpreted this authority to reach privacy and data security practices. A practice is deceptive if it involves a material representation or omission likely to mislead consumers acting reasonably under the circumstances, and unfair if it causes or is likely to cause substantial injury that consumers cannot reasonably avoid and that is not outweighed by countervailing benefits to consumers or competition. The FTC has brought numerous privacy and security actions under Section 5 for conduct such as misrepresenting privacy practices in policies, failing to implement reasonable security measures, and breaking privacy promises made to consumers. FTC consent orders typically require a comprehensive privacy or security program, periodic independent assessments, and compliance reporting that runs for twenty years.

Option B describes HHS, which enforces HIPAA privacy and security rules for covered entities and business associates in healthcare. While HHS has significant privacy enforcement authority, it doesn’t enforce FTC Act Section 5.

Option C refers to SEC, which regulates securities markets and enforces financial disclosure requirements. While SEC addresses cybersecurity disclosure issues, it doesn’t enforce FTC Act provisions regarding unfair or deceptive practices.

Option D mentions FCC, which regulates communications industries and has authority over telecommunications privacy through statutes like TCPA. FCC doesn’t enforce FTC Act Section 5, though both agencies sometimes coordinate on privacy matters.

Privacy professionals should understand FTC’s broad Section 5 authority, ensure privacy policies accurately reflect practices, implement reasonable security measures, avoid deceptive privacy statements, maintain documented privacy and security programs, monitor FTC enforcement actions for guidance, understand consent decree implications, implement compliance monitoring if subject to FTC orders, recognize FTC’s focus on children’s privacy, data security, and emerging technologies, and coordinate with legal counsel on FTC compliance strategies.

Question 184:

What is the primary purpose of the Children’s Online Privacy Protection Act (COPPA)?

A) To protect the online privacy of children under 13 by requiring parental consent for data collection

B) To allow unlimited data collection from children without restrictions

C) To prevent children from accessing the internet entirely

D) To eliminate all educational websites for children

Answer: A

Explanation:

This question examines COPPA, which establishes strict requirements for websites and online services directed to children under 13. Privacy professionals working with child-directed services must understand COPPA’s consent, notice, and data handling requirements.

Option A is correct because COPPA requires operators of websites and online services directed to children under 13, or with actual knowledge that they are collecting personal information from a child under 13, to obtain verifiable parental consent before collecting, using, or disclosing that information, with limited exceptions such as collection solely to support the operator’s internal operations. COPPA mandates a privacy notice describing collection practices, requires reasonable security for children’s information, limits retention to the period needed to fulfill the purpose of collection, prohibits conditioning participation on collecting more information than is reasonably necessary, and gives parents the right to review the information collected, direct its deletion, and refuse further collection or use. The FTC enforces COPPA with civil penalties per violation, and state attorneys general may also bring actions under the statute. COPPA’s requirements reflect heightened concern about children’s vulnerability to privacy harms and their limited capacity to understand the implications of data collection.

Option B contradicts COPPA’s protective purpose. COPPA specifically restricts rather than enables unlimited collection from children, requiring parental consent and imposing data minimization, security, and deletion obligations.

Option C mischaracterizes COPPA’s approach. COPPA regulates data collection from children rather than preventing internet access, enabling child-appropriate online experiences with privacy protections rather than blocking all access.

Option D incorrectly suggests COPPA eliminates educational sites. COPPA applies to educational sites but doesn’t prohibit them, with schools able to provide consent for educational contexts under certain conditions.

Privacy professionals should determine whether services are directed to children under 13, implement verifiable parental consent mechanisms appropriate for information sensitivity, provide clear privacy notices to parents, establish processes for parental rights exercise, implement data minimization for children’s information, apply appropriate security measures, understand COPPA’s safe harbor provisions, monitor child-directed content or features, train staff on COPPA requirements, stay current with FTC guidance, and consider age-gating or neutral services to avoid child-directed classification.

Question 185:

Under HIPAA, which of the following is considered a covered entity?

A) Healthcare providers, health plans, and healthcare clearinghouses

B) All companies collecting any personal information

C) Retail stores selling health products

D) Social media platforms

Answer: A

Explanation:

This question addresses HIPAA’s applicability, which is limited to specific entities in the healthcare ecosystem. Privacy professionals must correctly identify covered entities to determine when HIPAA obligations apply versus other privacy frameworks.

Option A is correct because HIPAA defines covered entities as healthcare providers conducting certain transactions electronically (like doctors, hospitals, pharmacies, and health clinics), health plans (including insurance companies, HMOs, and Medicare/Medicaid programs), and healthcare clearinghouses that process health information between formats. Covered entities must comply with HIPAA Privacy Rule governing protected health information use and disclosure, Security Rule requiring safeguards for electronic protected health information, and Breach Notification Rule mandating notification of breaches. Business associates performing functions or services for covered entities involving protected health information access must also comply with specified HIPAA requirements. HIPAA’s limited scope means many organizations handling health information aren’t subject to HIPAA if they don’t meet covered entity or business associate definitions.

Option B incorrectly suggests HIPAA applies to all companies collecting personal information. HIPAA has limited scope to healthcare sector entities, with other organizations handling health information subject to different privacy laws like state regulations or FTC Act Section 5.

Option C incorrectly includes retail stores. While pharmacies are covered entities, general retail stores selling health products aren’t covered entities unless they provide healthcare services or function as health plans.

Option D incorrectly suggests social media platforms are covered entities. Platforms aren’t covered entities unless they provide healthcare services, though they may be business associates if providing services to covered entities.

Privacy professionals should accurately determine covered entity status, understand business associate relationships, implement appropriate HIPAA compliance programs for covered entities and business associates, recognize when health information falls outside HIPAA protection, apply alternative privacy frameworks when HIPAA doesn’t apply, understand limited HIPAA applicability compared to broader privacy laws, coordinate HIPAA compliance with other requirements, and distinguish between HIPAA-protected health information and health information governed by other laws.

Question 186:

Which principle of the Fair Information Practice Principles (FIPPs) requires organizations to maintain accurate data?

A) Data Quality and Integrity

B) Notice and Transparency

C) Choice and Consent

D) Security and Safeguards

Answer: A

Explanation:

This question examines FIPPs, which form the foundation of modern privacy frameworks in the United States and internationally. Privacy professionals should understand FIPPs to apply privacy principles across various regulatory contexts.

Option A is correct because the Data Quality and Integrity principle requires organizations to keep personal information accurate, complete, and current to the extent necessary for the stated purposes, with processes for validation and correction. The principle recognizes that inaccurate data can harm individuals through incorrect decisions, unfair treatment, or damaged reputation while undermining the organization’s own operations through flawed analytics. Data quality obligations appear across privacy laws, including HIPAA’s right to request amendment of protected health information, FCRA’s requirement of reasonable procedures to assure maximum possible accuracy, and GDPR’s accuracy principle. Implementing data quality involves verification at collection, periodic review, mechanisms for individuals to correct their information, staff training, and data governance that maintains accuracy throughout the data lifecycle.

Option B describes Notice and Transparency, which requires clear information about data practices provided to individuals. While important for privacy, notice principles address disclosure rather than data accuracy.

Option C refers to Choice and Consent, which requires providing individuals with options regarding data collection and use. Choice principles empower control rather than specifically addressing data accuracy.

Option D mentions Security and Safeguards, which requires appropriate measures protecting personal information from unauthorized access or disclosure. Security protects data confidentiality and integrity but doesn’t specifically mandate accuracy maintenance.

Privacy professionals should implement data quality controls throughout data lifecycles, verify information accuracy at collection, establish review processes, provide correction mechanisms for individuals, train staff on accuracy importance, document quality procedures, balance accuracy requirements with minimization principles, understand accuracy obligations across applicable laws, implement technical validation preventing obviously incorrect data, and recognize that accuracy is ongoing obligation requiring continuous attention rather than one-time verification.

Question 187:

What is the primary enforcement mechanism for state breach notification laws?

A) State attorneys general and private rights of action in some states

B) Federal Trade Commission exclusively

C) International privacy authorities

D) There is no enforcement mechanism

Answer: A

Explanation:

This question addresses state breach notification law enforcement, which varies across jurisdictions but typically involves state-level authorities. Privacy professionals must understand enforcement approaches when developing breach response programs.

Option A is correct because state breach notification laws are primarily enforced by state attorneys general who can bring actions for violations including failure to provide timely notification, inadequate notification content, or failure to notify required parties like credit bureaus or state authorities. Some states provide private rights of action enabling individuals to sue for breach notification failures, potentially resulting in damages, injunctive relief, or attorneys’ fees. Enforcement approaches vary by state with some imposing civil penalties per violation or affected individual, while others focus on injunctive relief and corrective action. State attorneys general have become increasingly active in breach notification enforcement, often coordinating multi-state investigations for breaches affecting residents across jurisdictions.

Option B incorrectly suggests FTC exclusive enforcement. While FTC may bring actions for inadequate security or deceptive breach responses under Section 5, state breach notification laws are primarily state-enforced, with FTC lacking direct authority to enforce state statutes.

Option C incorrectly involves international authorities. State breach notification laws are enforced by state and potentially federal authorities rather than international privacy regulators, though organizations may face international requirements for breaches affecting foreign residents.

Option D incorrectly suggests no enforcement. State breach notification laws include enforcement mechanisms through attorneys general and sometimes private actions, with significant penalties for violations in many jurisdictions.

Privacy professionals should understand breach notification requirements across relevant states, implement procedures ensuring timely compliance, document breach notification decisions, coordinate with legal counsel on multi-state notifications, maintain relationships with state attorneys general offices where appropriate, monitor enforcement actions for compliance insights, understand private right of action implications, implement comprehensive breach response programs addressing federal and state requirements, and recognize that enforcement trends increasingly emphasize rapid notification and transparent communication.

Question 188:

Under the Gramm-Leach-Bliley Act (GLBA), what must financial institutions provide to customers?

A) Privacy notices explaining information collection, sharing, and protection practices

B) Unlimited access to all company financial records

C) Free financial services without any conditions

D) Exemption from all privacy protections

Answer: A

Explanation:

This question examines GLBA’s privacy notice requirements for financial institutions. Privacy professionals in financial services must understand GLBA’s notice, opt-out, and safeguard obligations.

Option A is correct because GLBA requires financial institutions to provide customers with clear and conspicuous privacy notices when the customer relationship is established and annually thereafter (the annual notice may be omitted under the 2015 FAST Act amendment if the institution shares nonpublic personal information only under the statutory exceptions and its practices have not changed since the last notice). The notice must explain what nonpublic personal information the institution collects, with whom it shares that information, how it protects the information, and the customer’s right to opt out of certain sharing with nonaffiliated third parties. GLBA distinguishes between consumers (individuals obtaining a financial product or service for personal, family, or household purposes) and customers (consumers with an ongoing relationship), with different notice obligations for each. GLBA also mandates an information security program under the Safeguards Rule and prohibits disclosing account numbers to nonaffiliated third parties for marketing. The FTC, the CFPB, the federal banking agencies, the SEC, the CFTC, and state insurance authorities enforce GLBA for their respective regulated entities.

Option B incorrectly suggests unlimited record access. GLBA doesn’t grant customers access to all company records, focusing instead on notice and opt-out rights regarding personal information sharing.

Option C incorrectly involves free services. GLBA regulates information practices rather than pricing or service provision, imposing privacy obligations without mandating free services.

Option D contradicts GLBA’s purpose. GLBA establishes privacy protections for financial institution customers rather than exempting them from protections, requiring notice, choice, and security for customer information.

Privacy professionals should develop GLBA-compliant privacy notices using model forms or clear explanations, provide notices at required times, implement customer opt-out mechanisms for nonaffiliated third-party sharing, maintain safeguards programs addressing administrative, technical, and physical security, understand exceptions allowing information sharing without opt-out, distinguish between affiliated and nonaffiliated sharing, coordinate GLBA compliance with other privacy obligations, train staff on GLBA requirements, document information sharing arrangements, and recognize that GLBA establishes minimum standards that state laws may supplement.

Question 189:

Which of the following best describes the “sale” of personal information under CCPA?

A) Selling, renting, releasing, disclosing, or otherwise communicating personal information to another business for monetary or valuable consideration

B) Only transactions involving direct monetary payment

C) Sharing information with service providers

D) Internal company transfers of data

Answer: A

Explanation:

This question addresses CCPA’s broad definition of “sale,” which extends beyond traditional commercial transactions. Privacy professionals must understand this expansive definition to implement proper opt-out mechanisms and disclosures.

Option A is correct because CCPA defines “sale” broadly as selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating personal information to another business or a third party for monetary or other valuable consideration. This definition captures many data-sharing arrangements beyond traditional sales, including advertising exchanges, data brokering, and partnerships in which a business receives value for providing access to consumer information. Businesses that sell personal information must post a conspicuous “Do Not Sell My Personal Information” link on their homepage so consumers can opt out, disclose the sales in their privacy notice, and refrain from selling the personal information of consumers under 16 without affirmative opt-in consent (from the parent or guardian for consumers under 13). The CPRA added “sharing” as a separate concept covering disclosures for cross-context behavioral advertising, whether or not consideration is exchanged.

Option B incorrectly limits sale to monetary transactions. CCPA’s definition encompasses exchanges for valuable consideration beyond money, including data exchanges, service benefits, or other value received in return for personal information.

Option C incorrectly includes service provider relationships. CCPA specifically exempts disclosure to service providers meeting contractual requirements from the sale definition, recognizing that businesses need to share data with vendors for operational purposes.

Option D incorrectly encompasses internal transfers. CCPA’s sale definition applies to third-party disclosures rather than internal information transfers within the same business entity.

Privacy professionals should conduct careful analysis determining whether data sharing arrangements constitute sales under CCPA’s broad definition, implement Do Not Sell opt-out mechanisms when businesses sell personal information, update privacy notices disclosing sales and consumer rights, establish service provider contracts exempting disclosures from sale definition, understand exemptions for specific disclosure contexts, train staff on sale recognition, monitor CCPA guidance, consider sale implications for advertising and analytics, implement processes honoring opt-out requests, and review CPRA amendments addressing sharing for cross-context behavioral advertising.

Question 190:

What is the primary purpose of the Video Privacy Protection Act (VPPA)?

A) To protect the privacy of consumers’ video rental and viewing information

B) To regulate video content on social media platforms

C) To control video quality standards

D) To manage video production licensing

Answer: A

Explanation:

This question examines VPPA, a sector-specific federal privacy law addressing video rental and viewing records. Privacy professionals in media and entertainment industries must understand VPPA’s consent and disclosure requirements.

Option A is correct because VPPA prohibits a video tape service provider from knowingly disclosing personally identifiable information about a consumer’s rental or viewing of specific video materials without the consumer’s informed written consent, with limited exceptions such as disclosure to the consumer, to law enforcement under a warrant, grand jury subpoena, or court order, in the ordinary course of business, and of names and addresses alone for marketing where the consumer has had an opportunity to opt out. VPPA was enacted in 1988 after a newspaper published the video rental records of a Supreme Court nominee, and it reflects concern that viewing history reveals personal interests, beliefs, and behavior. Courts have applied VPPA to online streaming services, and litigation continues over what counts as personally identifiable information and who qualifies as a consumer. VPPA provides a private right of action for actual damages, but not less than liquidated damages of $2,500, plus punitive damages, reasonable attorneys’ fees, and costs.

Option B incorrectly focuses on content regulation. VPPA addresses information privacy rather than video content standards, regulating disclosure of viewing information rather than controlling what videos contain.

Option C incorrectly involves technical standards. VPPA governs privacy of viewing records rather than video quality specifications or technical production standards.

Option D incorrectly addresses licensing. VPPA regulates information disclosure rather than production rights, intellectual property, or licensing arrangements for video content creation or distribution.

Privacy professionals should understand VPPA applicability to video services including streaming platforms, obtain proper informed written consent before disclosing viewing information, implement consent mechanisms meeting VPPA standards, understand permissible disclosures under exceptions, limit video viewing information disclosure to necessary purposes, recognize VPPA’s private right of action and potential damages, monitor court interpretations of VPPA applicability, coordinate VPPA compliance with other privacy obligations, and consider VPPA requirements when implementing analytics or advertising involving viewing information.

Question 191:

Which federal law specifically addresses the privacy of electronic communications?

A) Electronic Communications Privacy Act (ECPA)

B) Children’s Online Privacy Protection Act (COPPA)

C) Fair Credit Reporting Act (FCRA)

D) Americans with Disabilities Act (ADA)

Answer: A

Explanation:

This question addresses ECPA, which provides federal protections for electronic communications including email and electronic storage. Privacy professionals must understand ECPA when implementing monitoring programs or responding to government requests for communications.

Option A is correct because ECPA, comprising the Wiretap Act, the Stored Communications Act, and the Pen Register and Trap and Trace statute, protects electronic communications from unauthorized interception and access, sets standards for government access to communications, and limits interception and disclosure by private entities. The Wiretap Act prohibits intentional interception of wire, oral, or electronic communications in transit, with exceptions for consent of a party, activities in the ordinary course of a provider’s business, and law enforcement acting under appropriate legal process. The Stored Communications Act governs access to communications held by service providers, requiring government entities to obtain a warrant or other specified legal process and restricting voluntary disclosure by providers. ECPA has significant implications for workplace monitoring, cloud storage, law enforcement investigations, and service provider practices, though courts have struggled to apply its provisions to technologies that did not exist when it was enacted in 1986.

Option B describes COPPA, which regulates children’s online privacy rather than electronic communications privacy generally. While COPPA applies to online services, it addresses data collection from children rather than communication interception or access.

Option C refers to FCRA, which regulates consumer reporting agencies and credit report use rather than electronic communications privacy. FCRA addresses consumer reports for credit, employment, or other eligibility decisions.

Option D mentions ADA, which prohibits disability discrimination and requires accommodations rather than addressing electronic communications privacy. ADA focuses on accessibility and equal opportunity rather than information privacy.

Privacy professionals should understand ECPA requirements when implementing employee monitoring programs, ensure proper consent or notification for communication monitoring, implement appropriate safeguards for stored communications, understand government access standards for communications and records, coordinate with legal counsel on law enforcement requests, recognize ECPA’s exceptions and limitations, consider modern technologies not clearly addressed by ECPA, implement policies governing employee communication privacy, and supplement ECPA compliance with state electronic privacy laws providing additional protections.

Question 192:

Under the Fair Credit Reporting Act (FCRA), what must employers do before obtaining consumer reports for employment purposes?

A) Provide clear disclosure and obtain written authorization from the applicant

B) Obtain reports without notifying applicants

C) Share reports with all employees in the company

D) Publish reports on the company website

Answer: A

Explanation:

This question examines FCRA requirements for employment background checks. Privacy professionals involved in hiring or human resources must understand FCRA’s disclosure, authorization, and adverse action requirements.

Option A is correct because FCRA requires employers to provide clear and conspicuous disclosure in a standalone document that a consumer report may be obtained for employment purposes, and obtain written authorization from the individual before procuring reports from consumer reporting agencies. If employers take adverse action based on consumer reports, they must provide pre-adverse action notice with report copies and summaries of rights, then final adverse action notice after adverse action is taken. FCRA also requires reasonable procedures ensuring maximum possible accuracy, limits permissible purposes for consumer reports, restricts retention of obsolete information, and provides consumers with rights to access reports, dispute inaccuracies, and receive notification of adverse actions. FTC and Consumer Financial Protection Bureau enforce FCRA with significant penalties for violations.

Option B contradicts FCRA’s disclosure requirements. FCRA specifically mandates clear notice and authorization before obtaining employment-related consumer reports, preventing secret background checks without candidate awareness.

Option C violates confidentiality requirements. FCRA limits disclosure to those with permissible purposes, prohibiting broad sharing of consumer reports with unauthorized employees beyond those involved in hiring decisions.

Option D contradicts confidentiality obligations. FCRA restricts report disclosure to permissible purposes, making public publication a serious violation exposing individuals’ sensitive background information inappropriately.

Privacy professionals should implement FCRA-compliant background check procedures including standalone disclosure documents, written authorizations, appropriate certifications to consumer reporting agencies, pre-adverse and adverse action processes when taking negative employment actions, training for HR staff on FCRA requirements, procedures ensuring only authorized personnel access reports, documentation of compliance, understanding investigative consumer report additional requirements, coordination with legal counsel on employment screening, and recognition that state laws may impose additional requirements beyond FCRA.

Question 193:

What is the main purpose of state biometric privacy laws like the Illinois Biometric Information Privacy Act (BIPA)?

A) To regulate collection, use, and retention of biometric identifiers and information

B) To eliminate all biometric technologies

C) To require universal biometric data sharing

D) To prevent any security measures using biometrics

Answer: A

Explanation:

This question addresses emerging state biometric privacy laws establishing special protections for sensitive biometric data. Privacy professionals must understand these requirements when implementing biometric technologies like facial recognition or fingerprint authentication.

Option A is correct because biometric privacy laws like Illinois BIPA, Texas CUBI, Washington’s biometric law, and similar state statutes regulate private entities’ collection, use, storage, and retention of biometric identifiers (fingerprints, facial geometry, iris scans) and biometric information (data derived from biometric identifiers). BIPA requires written policies on retention and destruction, informed written consent before collection, prohibition on selling or profiting from biometric information, and reasonable security measures. BIPA includes private right of action enabling individuals to sue for violations with statutory damages, attorneys’ fees, and costs, resulting in significant litigation and settlements. These laws reflect heightened concerns about biometric data’s uniqueness, permanence, and potential for misuse including surveillance, discrimination, or identity theft.

Option B incorrectly suggests eliminating technologies. Biometric laws regulate rather than prohibit biometric use, enabling lawful deployment with appropriate notice, consent, security, and retention limitations.

Option C contradicts privacy protections. Biometric laws restrict unauthorized sharing and prohibit profit from biometric information sales rather than requiring universal sharing violating privacy principles.

Option D incorrectly prevents security applications. Biometric laws regulate collection and use rather than banning security technologies, allowing legitimate biometric security applications with proper compliance.

Privacy professionals should understand biometric law requirements in jurisdictions where they collect biometric data, obtain proper informed written consent before collection, implement written biometric data retention and destruction policies, apply strong security to biometric information, avoid biometric data sales or profiteering, limit biometric collection to necessary purposes, consider alternatives to biometric data collection, understand private right of action implications, monitor biometric privacy litigation for compliance insights, and recognize that biometric regulations are expanding at state level requiring ongoing compliance attention.

Question 194:

Which provision of California’s privacy law addresses automated decision-making?

A) The right to opt out of automated decision-making technology under CPRA

B) Mandatory use of automated decisions without human review

C) Prohibition of all algorithmic processing

D) Requirement to publicly disclose all algorithms

Answer: A

Explanation:

This question examines automated decision-making rights under California privacy law as amended by CPRA. Privacy professionals must understand these provisions when implementing AI and algorithmic systems affecting California consumers.

Option A is correct because CPRA amended CCPA to provide consumers with rights regarding automated decision-making technology, including the right to opt out of the use of their personal information for profiling in furtherance of decisions producing legal or similarly significant effects. While regulations are still being developed, these provisions reflect concerns about algorithmic bias, lack of transparency, and limited human oversight in automated systems impacting employment, credit, housing, education, and other consequential areas. The provisions align with broader trends toward algorithmic accountability seen in GDPR Article 22 rights related to automated individual decision-making and global legislative attention to AI regulation.

Option B contradicts privacy protections and consumer choice. CPRA provides opt-out rights rather than mandating automated decisions, empowering consumers to limit rather than requiring algorithmic processing.

Option C overstates restrictions. CPRA regulates automated decision-making through disclosure and choice rather than prohibiting all algorithmic processing, enabling legitimate uses with appropriate consumer controls.

Option D incorrectly requires algorithm disclosure. While CPRA enhances transparency, it doesn’t mandate public disclosure of proprietary algorithms, focusing instead on meaningful information about automated decision-making affecting consumers.

Privacy professionals should understand CPRA’s automated decision-making provisions, implement opt-out mechanisms when required, provide meaningful information about automated decision-making in privacy notices, assess automated systems for rights-triggering characteristics, implement human review for consequential decisions where appropriate, consider algorithmic bias and fairness implications, monitor developing regulations implementing these provisions, coordinate with AI governance programs, document automated decision-making systems and purposes, and recognize that regulatory attention to AI and automated decision-making is increasing globally.

Question 195:

What is the primary purpose of health information exchanges (HIEs) under HIPAA?

A) To facilitate secure electronic sharing of health information among healthcare providers while maintaining privacy protections

B) To sell patient data to pharmaceutical companies

C) To eliminate all electronic health records

D) To prevent doctors from accessing patient information

Answer: A

Explanation:

This question addresses HIEs, which enable interoperability while maintaining HIPAA privacy and security protections. Privacy professionals in healthcare must understand HIE privacy frameworks and consent requirements.

Option A is correct because HIEs facilitate electronic sharing of health information among healthcare organizations, providers, and other authorized entities to improve care coordination, reduce duplicate testing, support public health, and enhance healthcare efficiency while implementing appropriate privacy and security safeguards. HIEs may be organized regionally, statewide, or through specific networks, operating under HIPAA requirements when involving covered entities and business associates. HIE participation typically involves data sharing agreements, technical standards for interoperability, patient consent frameworks varying by state law and HIE policies, audit controls tracking access, and security measures protecting transmitted information. HIEs must balance information availability for treatment, payment, and healthcare operations with individual privacy through appropriate access controls and consent mechanisms.

Option B contradicts HIPAA requirements and ethical principles. HIEs enable authorized healthcare sharing rather than commercial sale, with HIPAA prohibiting sale of protected health information without authorization subject to limited exceptions.

Option C contradicts HIE purpose. HIEs leverage electronic health records to improve information sharing rather than eliminating them, supporting digital health information exchange.

Option D contradicts treatment purposes. HIEs enable rather than prevent appropriate provider access to patient information for treatment, care coordination, and other permitted purposes under HIPAA.

Privacy professionals should understand HIE privacy frameworks, implement appropriate consent mechanisms based on state law and HIE policies, establish data sharing agreements addressing HIPAA and state requirements, apply appropriate access controls limiting information to authorized users and purposes, implement audit controls monitoring HIE access, train providers on HIE privacy practices, address patient rights including access and amendment through HIE participation, coordinate HIPAA compliance across HIE participants, and recognize that state laws may impose additional requirements beyond HIPAA for HIE participation.

Question 196:

Under the Telephone Consumer Protection Act (TCPA), what is generally required before making automated calls or sending text messages for marketing purposes?

A) Prior express written consent from the recipient

B) No consent is required for any marketing calls

C) Verbal consent obtained during previous calls

D) Implied consent from business card exchange

Answer: A

Explanation:

This question examines TCPA requirements for automated marketing communications. Privacy professionals managing marketing programs must understand TCPA consent standards to avoid significant penalties.

Option A is correct because TCPA requires prior express written consent before making autodialed or prerecorded marketing calls to cell phones or using automated systems to send marketing text messages. Valid consent requires clear disclosure that the person agrees to receive marketing calls or texts, authorization for a specific party to make the calls, and a signature, which may be electronic. TCPA prohibits calls to cell phones using automatic dialing systems or artificial or prerecorded voices for marketing without prior express written consent, provides exemptions for emergency calls and calls made with prior express consent for non-marketing purposes, establishes do-not-call registry requirements, restricts calling times, and requires caller identification. The FCC enforces TCPA with significant penalties, and individuals have a private right of action for violations, potentially resulting in $500 per violation or $1,500 for willful violations.

Option B contradicts TCPA requirements. TCPA specifically mandates consent for automated marketing calls and texts, preventing unrestricted telemarketing to cell phones without permission.

Option C falls short of written consent requirements. While verbal consent may suffice for certain landline calls, TCPA requires written consent for automated or prerecorded marketing calls to cell phones.

Option D incorrectly relies on implied consent. Business card exchange or similar contacts don’t constitute clear written consent meeting TCPA’s specific disclosure and authorization requirements for marketing communications.

Privacy professionals should obtain proper prior express written consent for automated marketing calls and texts, implement consent mechanisms with required disclosures, maintain documentation of consent, establish processes for honoring opt-out requests, train marketing and sales staff on TCPA requirements, implement systems preventing calls to numbers on do-not-call registries, respect calling time restrictions, provide required caller identification, monitor TCPA litigation and regulatory guidance, coordinate TCPA compliance with other marketing privacy requirements, and recognize that TCPA violations can result in substantial penalties given per-call damages and class action exposure.

Question 197:

What is the primary purpose of cross-border data transfer mechanisms under U.S. privacy frameworks?

A) To ensure adequate protection for personal data when transferred internationally

B) To prohibit all international data transfers

C) To eliminate privacy protections for international transfers

D) To require data storage only in the United States

Answer: A

Explanation:

This question addresses international data transfer requirements affecting U.S. organizations. Privacy professionals must understand transfer mechanisms to enable global operations while maintaining privacy protections.

Option A is correct because cross-border transfer mechanisms ensure personal data receives adequate protection when transferred from one jurisdiction to another, addressing concerns that data protection could be undermined if information moves to countries with weaker privacy frameworks. While the United States lacks comprehensive federal data transfer restrictions comparable to GDPR Chapter V, U.S. organizations must comply with transfer requirements when sending data from other jurisdictions like the EU requiring adequacy decisions, standard contractual clauses, binding corporate rules, or other approved mechanisms. Sector-specific U.S. laws like HIPAA address certain international transfers, and state laws increasingly consider cross-border implications. Transfer mechanisms like Privacy Shield (now invalidated) attempted to bridge regulatory differences between jurisdictions.

Option B incorrectly suggests prohibiting all transfers. Transfer mechanisms enable international data flows with appropriate protections rather than preventing global data sharing necessary for modern business operations.

Option C contradicts transfer mechanism purposes. Transfer frameworks maintain rather than eliminate privacy protections, ensuring individuals retain privacy rights regardless of where their data is processed.

Option D incorrectly mandates U.S. storage. While data localization requirements exist in some contexts, transfer mechanisms typically focus on protection standards rather than mandating specific geographic storage locations.

Privacy professionals should understand transfer requirements applicable to their organizations’ jurisdictions, implement appropriate transfer mechanisms when sending data from restricted jurisdictions, conduct transfer impact assessments evaluating destination country protections, establish data transfer agreements with required contractual terms, document transfer decisions and protective measures, monitor developments in international data transfer regulations, understand U.S. government access considerations affecting transfers, coordinate with legal counsel on transfer compliance, and recognize that international data transfer regulation continues evolving requiring ongoing compliance attention.

Question 198:

Which of the following best describes the purpose of de-identification under HIPAA?

A) To remove identifiers from health information so it no longer qualifies as protected health information

B) To make all health information publicly available

C) To increase the identifiability of health records

D) To prevent any use of health information for research

Answer: A

Explanation:

This question examines HIPAA de-identification standards that enable health information use for research and other purposes without privacy rule restrictions. Privacy professionals in healthcare must understand de-identification methods and standards.

Option A is correct because HIPAA de-identification removes specified identifiers from health information so it no longer qualifies as protected health information, enabling use and disclosure without HIPAA Privacy Rule restrictions. HIPAA provides two de-identification methods: Expert Determination, where qualified experts apply statistical or scientific principles to render re-identification risks very small, and Safe Harbor, which removes 18 specified identifier categories (names, geographic subdivisions smaller than a state, dates except year, phone numbers, email addresses, account numbers, certificate/license numbers, vehicle identifiers, device identifiers, URLs, IP addresses, biometric identifiers, photos, and other unique identifiers) and additionally requires that the covered entity have no actual knowledge that the remaining information could identify an individual. De-identified data supports research, analytics, and public health while protecting individual privacy.

Option B contradicts privacy protections. De-identification enables broader use without HIPAA restrictions but doesn’t require public disclosure, with organizations retaining discretion about de-identified information use and sharing.

Option C contradicts de-identification purpose. De-identification specifically reduces rather than increases identifiability, removing information that could identify individuals either directly or through combination.

Option D incorrectly prevents research. De-identification facilitates rather than prevents research by enabling health information use without individual authorizations or Privacy Rule restrictions when properly de-identified.

Privacy professionals should understand HIPAA’s two de-identification methods, implement appropriate de-identification approaches based on data uses and re-identification risks, engage qualified experts for Expert Determination, properly remove all Safe Harbor identifiers, maintain documentation of de-identification processes, understand that de-identified data under HIPAA may still constitute personal information under other laws like CCPA, implement governance for de-identified data use, consider re-identification risks from combined datasets, and recognize that de-identification is distinct from anonymization which typically requires higher standards.

Question 199:

What is the primary obligation of data brokers under Vermont’s data broker law?

A) To register annually with the Vermont Attorney General and implement security programs

B) To share all collected data publicly without restriction

C) To eliminate all data collection activities

D) To provide free services to all Vermont residents

Answer: A

Explanation:

This question addresses Vermont’s data broker regulation, which established first-in-the-nation registration requirements for data brokers. Privacy professionals working for data brokers must understand registration obligations and security requirements.

Option A is correct because Vermont’s data broker law requires data brokers that collect and sell or license third-party personal information about Vermont residents to register annually with the Attorney General, paying registration fees and providing information about their data practices. Registered data brokers must implement and maintain reasonable security measures protecting personal information, provide opt-out mechanisms for Vermont residents, and notify the Attorney General of security breaches affecting Vermont residents. The law defines data brokers as businesses knowingly collecting and selling or licensing third-party personal information to nonaffiliated third parties for monetary fees, with exemptions for consumer reporting agencies under FCRA and certain other entities. Vermont’s approach reflects concerns about data broker practices occurring largely invisibly to affected individuals.

Option B contradicts privacy and business interests. Vermont’s law regulates data brokers through registration and security requirements rather than mandating public data disclosure undermining both privacy and commercial interests.

Option C incorrectly eliminates operations. Vermont’s law regulates data broker practices through transparency and security requirements rather than prohibiting data brokerage, enabling continued operations with appropriate oversight.

Option D incorrectly requires free services. Vermont’s law addresses registration and security rather than business models or pricing, allowing data brokers to charge for services while complying with regulatory requirements.

Privacy professionals should determine whether organizations meet data broker definitions under applicable state laws, register as data brokers in Vermont and other jurisdictions requiring registration, implement required security programs, provide opt-out mechanisms for residents of regulating states, maintain security breach notification procedures, monitor expanding state data broker regulations, understand exemptions and exceptions, coordinate data broker compliance with other privacy obligations, and recognize that data broker regulation is an emerging area with additional states considering similar requirements.

Question 200:

Under federal privacy law, what is the primary difference between “opt-in” and “opt-out” consent?

A) Opt-in requires affirmative action to consent, while opt-out allows processing unless individuals object

B) Opt-in and opt-out are identical in all respects

C) Opt-out requires affirmative consent while opt-in is automatic

D) Neither approach requires any consumer action

Answer: A

Explanation:

This question examines consent mechanisms fundamental to privacy regulation. Privacy professionals must understand opt-in versus opt-out approaches to implement appropriate consent mechanisms for different data processing activities and legal requirements.

Option A is correct because opt-in consent requires individuals to take affirmative action expressing agreement before data collection or a specific use occurs, providing stronger privacy protection by requiring explicit permission and preventing processing without clear authorization. Opt-out consent allows data collection or use to proceed unless individuals take action to object or prohibit processing, placing the burden on individuals to prevent processing rather than to grant permission. U.S. privacy laws apply both approaches depending on data sensitivity and context: COPPA requires opt-in parental consent for children’s information collection, TCPA requires opt-in for automated marketing calls to cell phones, while GLBA generally permits information sharing with opt-out rights for nonaffiliated third parties, and CCPA provides opt-out rights for personal information sales and sharing. Opt-in provides stronger individual control but may reduce participation rates compared to opt-out approaches.

Option B incorrectly suggests equivalence. Opt-in and opt-out represent fundamentally different consent models with different individual protections, burden allocations, and appropriate contexts based on sensitivity and legal requirements.

Option C reverses the definitions. Opt-in requires affirmative consent action while opt-out allows automatic processing subject to objection, making this characterization completely incorrect.

Option D incorrectly eliminates consumer action. Both approaches involve consumer action, with opt-in requiring action to permit processing and opt-out requiring action to prevent processing already permitted by default.

Privacy professionals should understand when opt-in versus opt-out consent is appropriate or required under applicable laws, implement consent mechanisms appropriate for data sensitivity and processing purposes, make opt-in mechanisms clear and accessible, ensure opt-out mechanisms are easy to use and honor promptly, avoid dark patterns making consent or opt-out difficult, document consent choices, respect user preferences, recognize that opt-in generally provides stronger privacy protection, balance privacy protection with business needs, and monitor evolving consent requirements across privacy regulations increasingly favoring opt-in for sensitive processing.
