Question 21
A California company receives a verifiable consumer request from a California resident asking for deletion of their personal information. Under CCPA, which exception would allow the company to retain the data?
A) To complete transaction for which information was collected or detect security incidents
B) For any marketing purpose indefinitely
C) To share with unlimited third parties
D) For permanent archival regardless of purpose
Answer: A
Explanation:
The California Consumer Privacy Act grants consumers the right to request deletion of personal information businesses have collected, but this right is not absolute. CCPA Section 1798.105 establishes specific exceptions allowing businesses to retain data for legitimate purposes. Businesses may retain personal information when necessary to: complete the transaction for which the information was collected, provide goods or services requested by the consumer, or perform contract obligations; detect security incidents and protect against malicious, deceptive, or fraudulent activity; debug to identify and repair functionality errors; exercise free speech rights or ensure another consumer’s exercise of free speech rights; comply with the California Electronic Communications Privacy Act; engage in public or peer-reviewed scientific research in the public interest adhering to ethical standards; enable solely internal uses reasonably aligned with consumer expectations; comply with legal obligations including tax or audit requirements; or use the information internally in a lawful manner compatible with the context of collection.
When relying on exceptions, businesses must maintain only information necessary for the stated purpose and for no longer than reasonably necessary. Businesses cannot deny services or charge different prices for exercising deletion rights except in limited circumstances where information is necessary for transaction completion. Upon receiving deletion requests, businesses must direct service providers to delete consumer information from their records. Businesses should document which exceptions apply to retained data to demonstrate compliance if challenged. Verification procedures ensure requestors are the actual consumers, preventing malicious deletion requests. Businesses typically have 45 days to comply with confirmed deletion requests, with a possible 45-day extension for complex requests.
B is incorrect because CCPA does not permit retaining deleted data indefinitely for any marketing purpose. Marketing uses are not among enumerated exceptions, and businesses must stop using and delete personal information upon verified consumer request unless specific statutory exception applies.
C is incorrect because unlimited third-party sharing is not deletion exception. After receiving deletion request, businesses must direct service providers and potentially third parties to delete consumer information. Continued broad sharing contradicts deletion obligation.
D is incorrect because permanent archival regardless of purpose does not constitute a valid exception. Archival may be permissible under the compliance exception for legal record-keeping requirements, but only for the specific purposes and durations required by law, not for indefinite retention.
Question 22
A health insurance company wants to use patient health information for marketing prescription drugs. Which HIPAA requirement applies to this marketing activity?
A) Authorization required except for face-to-face communications or promotional gifts of nominal value
B) No authorization needed for any marketing communications
C) Oral consent sufficient for all marketing uses
D) Automatic opt-out after single communication
Answer: A
Explanation:
HIPAA Privacy Rule Section 164.508 establishes strict requirements for using protected health information for marketing purposes reflecting sensitivity of health data and potential for exploitation. Marketing is defined as communication about product or service encouraging recipients to purchase or use it. HIPAA requires individual authorization for marketing communications with limited exceptions. Authorization is not required for face-to-face marketing communications between covered entity and individual, such as physician recommending treatment during appointment, or promotional gifts of nominal value provided by covered entity like pens or notepads. Treatment communications describing health-related products or services provided by or included in covered entity’s health plan do not constitute marketing even if encouraging use of specific provider. Communications about government-subsidized or government-sponsored health programs are not marketing. Refill reminders or communications about alternative treatments are not marketing if no financial remuneration is received by covered entity from third parties. When authorization is required, it must be written document including specific elements: description of information to be used, identification of recipients, purpose of disclosure, expiration date or event, individual’s right to revoke, statement that covered entity cannot condition treatment on authorization, and potential for redisclosure. Marketing authorizations cannot be combined with other authorizations. Covered entities receiving financial remuneration from third parties for making marketing communications must disclose this in authorization. Violations carry civil and criminal penalties including fines up to $50,000 per violation and possible imprisonment for knowing wrongful disclosures.
B is incorrect because HIPAA explicitly requires authorization for most marketing communications using protected health information. No authorization exception applies broadly; only narrow exceptions for face-to-face communications and nominal gifts exist.
C is incorrect because HIPAA specifically requires written authorization for marketing uses of PHI. Oral consent is insufficient for marketing authorizations which must be documented meeting specific regulatory requirements for valid authorization.
D is incorrect because HIPAA does not provide automatic opt-out after single communication. Instead, it requires advance authorization before marketing communications begin. Covered entities cannot send marketing then rely on opt-out; they must obtain authorization first.
Question 23
A company subject to COPPA collects email addresses from children under 13 for newsletter subscription. What parental consent mechanism is required?
A) Verifiable parental consent through methods ensuring actual parent provides permission
B) Child’s self-certification of parental permission
C) No consent required for email collection
D) Implied consent through website use
Answer: A
Explanation:
Children’s Online Privacy Protection Act requires operators of websites or online services directed to children under 13, or operators with actual knowledge they are collecting personal information from children under 13, to obtain verifiable parental consent before collecting, using, or disclosing children’s personal information. Verifiable parental consent means reasonable effort to ensure parent or guardian provides consent considering available technology. FTC has approved several consent mechanisms meeting this standard. For email collection, “email plus” method is typically sufficient where operator sends email to parent requesting consent, and parent responds confirming consent. Initial email must include all required notice information about collection practices. Alternative methods include providing consent form to be signed and returned via fax or mail, using credit or debit card in connection with transaction, having parent call toll-free telephone number staffed by trained personnel, using video-conferencing technology allowing trained personnel to verify parent identity, checking government-issued identification against database, or using digital certificate utilizing public key technology. For internal uses only, email may suffice, but for public disclosure or external sharing, more robust verification is required. Sliding scale applies where riskier uses require stronger verification. Operators must maintain records of parental consent. Consent must be specific to the requesting operator and cannot be broadly granted across multiple unrelated services. Parents have right to review information collected from their children, direct operators to delete information, and refuse further collection. Operators must provide clear notice of information practices before collecting any personal information from children.
B is incorrect because child self-certification of parental permission does not meet verifiable parental consent standard. Children cannot provide their own consent under COPPA, and operators cannot rely on children’s representations that parents consent without independent verification.
C is incorrect because COPPA explicitly requires consent before collecting personal information including email addresses from children under 13. Email collection without parental consent violates COPPA regardless of intended use.
D is incorrect because implied consent through mere website use does not satisfy COPPA’s verifiable parental consent requirement. Operators must take affirmative steps to obtain and verify parental consent; passive use does not demonstrate parental knowledge or permission.
Question 24
A financial institution wants to share customer financial information with affiliated companies. Under GLBA, what notice and opt-out requirements apply?
A) Privacy notice required but no opt-out for sharing among affiliates
B) No notice or opt-out required for any sharing
C) Opt-in consent required for affiliate sharing
D) Oral notice sufficient without written documentation
Answer: A
Explanation:
Gramm-Leach-Bliley Act establishes different requirements for information sharing among affiliated companies versus nonaffiliated third parties. Section 503 requires financial institutions to provide clear conspicuous privacy notices describing information practices but does not require opt-out opportunity for sharing among affiliates. Privacy notices must be provided at customer relationship establishment and annually thereafter describing categories of nonpublic personal information collected, categories of information disclosed, categories of affiliates and nonaffiliates receiving information, policies for protecting information confidentiality and security, and consumer rights regarding information sharing. Affiliate sharing disclosures should explain what entities are considered affiliates and what information is shared. While GLBA does not mandate opt-out for affiliate sharing, Fair Credit Reporting Act Section 624 provides separate opt-out right for affiliate marketing uses of information received from affiliates about creditworthiness, credit capacity, or credit history. This FCRA opt-out applies specifically to marketing solicitations based on eligibility information not to all affiliate sharing. Financial institutions must implement reasonable safeguards protecting customer information regardless of sharing practices through comprehensive information security programs. State laws may impose additional restrictions on information sharing beyond federal requirements. Financial institutions should clearly differentiate in notices between affiliate sharing not requiring opt-out, third-party sharing with exceptions not requiring opt-out such as processing transactions, and third-party sharing requiring opt-out. Notices should use clear language avoiding legal jargon enabling consumers to understand practices. Delivery mechanisms include mail, electronic delivery for online customers, or in-person delivery at account opening.
B is incorrect because GLBA requires privacy notices even for affiliate sharing though opt-out is not required. Financial institutions cannot share information without providing consumers notice of practices and explaining affiliate relationships.
C is incorrect because GLBA does not require opt-in consent for affiliate sharing. Opt-out regime applies to nonaffiliated third-party sharing under certain circumstances while affiliate sharing requires only notice without opt-out opportunity.
D is incorrect because GLBA requires initial and annual privacy notices in writing or electronic format meeting specific delivery requirements. Oral notice alone does not satisfy statutory notice obligations which require durable format consumers can retain.
Question 25
A video service provider receives a subpoena requesting customer viewing records. Under Video Privacy Protection Act, what must the provider do before disclosing?
A) Provide notice and opportunity for customer to object unless informed consent obtained
B) Immediately comply without customer notification
C) Automatically disclose all viewing records
D) Ignore all legal process
Answer: A
Explanation:
Video Privacy Protection Act enacted in 1988 protects privacy of video rental and sale records responding to concerns about disclosure of viewing habits. VPPA prohibits video tape service providers from knowingly disclosing personally identifiable information about customers without informed written consent or pursuant to court order. For court orders and subpoenas, Section 2710 establishes specific procedural protections. Provider may disclose pursuant to warrant, court order, or subpoena only if consumer is given reasonable notice and opportunity to appear and contest the disclosure. Notice must be given at least 10 days before disclosure unless shorter time is ordered by court for good cause. Consumer may file motion to quash or modify legal process. This notice and opportunity to contest requirement ensures consumers know about disclosures and can assert objections such as First Amendment protections for viewing choices. Exceptions permit disclosure without consent for normal business purposes including transfers to affiliated entities, for sale or merger transactions if customers receive notice and opportunity to prohibit transfer, to law enforcement agencies investigating consumer, pursuant to court order with notice, or with informed written consent. Informed written consent must be separate from terms of service and may apply to specific disclosure or ongoing disclosures for defined period. Recent amendments modernized VPPA allowing one-time consent for ongoing disclosures during relationship rather than requiring consent for each disclosure. Violations allow civil actions for damages including actual damages or liquidated damages, punitive damages, attorneys’ fees, and other relief. VPPA applies broadly to video providers including streaming services not just physical rental stores.
B is incorrect because immediately complying without customer notification violates VPPA procedural protections. Provider must notify consumer and allow opportunity to contest disclosure except in limited circumstances like warrant or customer consent.
C is incorrect because automatic disclosure of all viewing records without legal process or customer consent violates VPPA. Providers must have valid legal basis for disclosure and comply with procedural requirements when responding to subpoenas or court orders.
D is incorrect because ignoring valid legal process is not required or advisable. VPPA permits disclosure pursuant to proper legal process with notice and opportunity for customer to object. Providers should respond appropriately to valid legal demands while protecting customer rights.
Question 26
A company conducts workplace monitoring of employee emails and computer usage. Under federal law, what is the PRIMARY limitation on this monitoring?
A) Wiretap Act prohibits real-time interception without consent or legitimate business purpose
B) Unlimited monitoring permitted without restrictions
C) Monitoring prohibited in all circumstances
D) Court order required for any monitoring
Answer: A
Explanation:
The Federal Wiretap Act (Title III of the Omnibus Crime Control and Safe Streets Act), as amended by the Electronic Communications Privacy Act, prohibits intentional interception of wire, oral, or electronic communications without consent. Workplace monitoring must navigate these restrictions while recognizing employers’ legitimate interests. The Act provides several exceptions relevant to workplace monitoring. The consent exception allows interception when one party consents, and many employers obtain employee consent through acceptable use policies or employment agreements. The business use exception permits employers to intercept communications in the ordinary course of business using equipment furnished by the provider or subscriber, though this exception is narrow and does not extend to personal communications. The provider exception allows communication service providers to intercept communications for service provision or protection.
For workplace monitoring, employers typically rely on the consent and business use exceptions. Courts generally require employers to notify employees about monitoring, which makes consent effective and supports the business use exception. Monitoring must be for legitimate business purposes like quality assurance, regulatory compliance, or security. Personal communications intercepted during monitoring may not fall under the business use exception. Some courts treat “banner consent”, where login screens notify users that systems are monitored, as sufficient for consent. Real-time interception faces stricter scrutiny than stored communications, which are addressed by the Stored Communications Act with different requirements. State laws may impose additional restrictions, with some requiring two-party consent for monitoring.
Best practices include clear policies notifying employees about monitoring scope, purposes, and extent, limiting monitoring to business-related activities, providing separate channels for personal communications, and training supervisors on appropriate monitoring practices.
B is incorrect because unlimited monitoring without restrictions would violate Wiretap Act and ECPA. Federal law requires either consent or statutory exception like business use, and monitoring must be reasonable and for legitimate purposes not arbitrary surveillance.
C is incorrect because monitoring is not prohibited in all circumstances. Multiple exceptions including consent and ordinary course of business allow employers to monitor communications when done appropriately with proper notice and limitations.
D is incorrect because court orders are not required for workplace monitoring where consent or business use exceptions apply. Employers may monitor without judicial authorization when statutory exceptions are met and proper policies are in place.
Question 27
A social media company receives a National Security Letter requesting user information. Which characteristic distinguishes NSLs from ordinary subpoenas?
A) Recipients prohibited from disclosing receipt of NSL subject to nondisclosure requirements
B) Requires judicial approval before issuance
C) Limited to misdemeanor investigations
D) Recipients may freely publicize receipt
Answer: A
Explanation:
National Security Letters are administrative subpoenas issued by the FBI and other federal agencies to obtain information relevant to national security investigations without judicial oversight. NSLs are authorized under various statutes including Electronic Communications Privacy Act Section 2709, the Right to Financial Privacy Act, and the Fair Credit Reporting Act. The distinctive characteristic of NSLs is the mandatory nondisclosure requirement preventing recipients from revealing NSL receipt to anyone except attorneys or persons necessary for compliance. This gag order exists to protect ongoing investigations and prevent subjects from learning they are under surveillance. The USA PATRIOT Act expanded NSL authority, broadening the scope of information obtainable and the persons who may receive NSLs. NSLs can request electronic communication transaction records, financial records, credit reports, and consumer identifying information but cannot compel content of communications. Recipients are not required to obtain a court order before complying, making NSLs faster than traditional legal process. However, recipients may challenge NSLs in court on constitutional grounds or other objections.
The USA FREEDOM Act reformed NSL procedures, allowing recipients to petition a court for modification of the NSL or of the nondisclosure order. The government must show specific facts justifying nondisclosure, which expires after a fixed period unless renewed. Judicial review is available if the recipient challenges the NSL or the nondisclosure requirement. The USA FREEDOM Act also allows greater transparency, permitting companies to report NSL statistics in ranges. Recipients should carefully review NSL scope, ensuring requests are properly authorized and limited to permissible information. Legal counsel should evaluate NSL validity and consider whether a challenge is appropriate.
B is incorrect because NSLs do not require judicial approval before issuance distinguishing them from warrants or court orders. FBI agents authorized to investigate international terrorism or espionage may issue NSLs administratively without judge review.
C is incorrect because NSLs are limited to national security investigations not misdemeanor cases. NSLs are issued for foreign intelligence and counterintelligence investigations or international terrorism matters not ordinary criminal investigations.
D is incorrect because recipients explicitly may not freely publicize NSL receipt due to nondisclosure requirements. Gag orders prevent discussing NSL with most parties though recent reforms allow more limited disclosure and transparency reporting.
Question 28
A data broker sells personal information about consumers for marketing purposes. Under CCPA, what obligations does the data broker have?
A) Register with California Attorney General and provide opt-out mechanism
B) No registration or opt-out requirements apply
C) Register only if conducting business in California
D) Provide opt-in consent from all consumers
Answer: A
Explanation:
The California Consumer Privacy Act imposes specific requirements on data brokers, defined as businesses that knowingly collect and sell the personal information of consumers with whom they do not have a direct relationship. Data broker registration requirements under Civil Code Section 1798.99.82 mandate that data brokers register with the California Attorney General on or before January 31 each year. Registration must include the data broker’s name, primary physical and email addresses, and any additional information required by regulations. Failure to register subjects data brokers to civil penalties or injunctive relief in actions brought by the Attorney General.
CCPA also requires businesses, including data brokers, to honor consumer opt-out rights regarding the sale of personal information. Data brokers must provide a clear and conspicuous “Do Not Sell My Personal Information” link on the homepage directing consumers to the opt-out mechanism. Upon receiving an opt-out direction, data brokers must stop selling the consumer’s information and direct service providers not to sell it. Data brokers cannot ask a consumer who has opted out to opt back in for at least 12 months. For consumers under 16, opt-in consent is required instead of opt-out, with parental consent for children under 13. Data brokers must respond to verifiable consumer requests for access to personal information, deletion of personal information subject to exceptions, and information about sale or disclosure practices. Financial incentive programs offering compensation for not opting out must meet specific requirements, including a good-faith estimate of value. Data brokers should implement reasonable security measures protecting personal information and may not discriminate against consumers exercising CCPA rights. Registration enables the Attorney General to maintain a public database of registered data brokers.
B is incorrect because CCPA explicitly requires data broker registration and opt-out mechanisms. Data brokers have affirmative obligations beyond typical business requirements given their role in secondary market for personal information.
C is incorrect because registration is required for data brokers meeting CCPA definitions regardless of physical presence in California if they do business with California residents. Physical location in California is not determinative of data broker registration obligation.
D is incorrect because CCPA generally requires opt-out not opt-in for consumers over 16. Opt-in applies only to minors under 16. Requiring opt-in from all consumers would exceed CCPA requirements though businesses may choose stricter privacy protections voluntarily.
Question 29
A breach notification law requires notification to affected individuals “without unreasonable delay.” What factors typically determine reasonable notification timing?
A) Investigation needs, preventing further harm, and preparing accurate notice
B) Business convenience and marketing campaigns
C) Waiting for all investigations to completely conclude
D) Indefinite delay permitted without justification
Answer: A
Explanation:
Breach notification timing requirements balance the competing interests of providing prompt notice, so individuals can protect themselves, against allowing adequate investigation to provide meaningful information. “Without unreasonable delay” is a common standard in breach notification laws, though some specify numeric timeframes like 30 or 60 days. Factors determining reasonableness include: the time needed to conduct an investigation determining breach scope, affected individuals, and data compromised; measures necessary to prevent further harm or unauthorized access, since containment is needed before notification potentially alerts attackers; the time to prepare an accurate notice ensuring the information provided is complete and correct, avoiding successive notifications that create confusion; coordination with law enforcement, which may request delayed notification if notice would impede a criminal investigation; and technical factors like identifying contact information for affected individuals. Unreasonable delays extend notification unnecessarily beyond what is required for these legitimate purposes.
Organizations should document the rationale for notification timing, showing the factors considered and steps taken. The investigation should focus on the information needed for notification, not extend indefinitely seeking a comprehensive understanding of all details. Phased notification may be appropriate where some affected individuals are identified earlier than others. Most laws require notification within a specific timeframe once the breach is discovered, with discovery defined as reasonable belief that a breach occurred. Discovery triggers the timeline, not the conclusion of the investigation. Organizations balancing notification timing should err toward quicker notification when in doubt, as delayed notification often draws regulatory scrutiny. Contemporaneous documentation of investigation progress and timing decisions demonstrates a good faith, reasonable approach.
B is incorrect because business convenience and marketing campaigns are not legitimate factors for delaying breach notification. Notification timing must prioritize affected individual protection and legal compliance not business operational preferences unrelated to investigation.
C is incorrect because waiting for complete investigation conclusion before notification would cause unreasonable delay. Organizations must notify based on available information even if investigation continues, providing updates if material new information emerges.
D is incorrect because indefinite delay without justification violates breach notification requirements. While specific timing may vary based on circumstances, organizations cannot delay arbitrarily and must have legitimate reasons for any delay beyond immediate notification.
Question 30
A company implements biometric authentication using fingerprint scans. Under Illinois Biometric Information Privacy Act, what consent requirement applies?
A) Written release before collecting biometric information with disclosure of purposes and retention
B) Oral consent sufficient without documentation
C) Implied consent through continued employment
D) No consent required for any biometric collection
Answer: A
Explanation:
Illinois Biometric Information Privacy Act enacted in 2008 is among nation’s strictest biometric privacy laws providing comprehensive protections for biometric identifiers and information. BIPA defines biometric identifiers as retina or iris scans, fingerprints, voiceprints, or scans of hand or face geometry. Section 15 establishes strict consent requirements before collecting biometric information. Private entities must inform subject in writing that biometric identifier or information is being collected or stored, inform subject in writing of specific purpose and length of term for which information is being collected, stored, and used, and receive written release from subject or subject’s legally authorized representative before collecting information. Written release must be freely given and specific to biometric collection not buried in general terms of service. Policy disclosure requirements demand detail about purposes and retention beyond generic privacy notices. Public disclosure obligation requires entities to make publicly available retention schedule and destruction guidelines. BIPA prohibits selling, leasing, trading, or otherwise profiting from biometric information and prohibits disclosure absent consent or specific statutory exceptions like warrant or subpoena. Information must be stored using reasonable standard of care at least same as entity uses for other confidential information. Biometric information must be destroyed within reasonable timeframe when initial purpose for collection is satisfied or within three years of last interaction whichever occurs first. BIPA provides private right of action allowing individuals to sue for violations with liquidated damages of $1,000 per negligent violation or $5,000 per intentional or reckless violation plus attorneys’ fees creating significant liability exposure. Class action litigation under BIPA has resulted in substantial settlements.
B is incorrect because BIPA explicitly requires written release not oral consent. Oral consent does not satisfy statutory requirements which mandate written documentation showing informed voluntary consent specific to biometric collection.
C is incorrect because BIPA requires affirmative written consent and does not recognize implied consent through continued employment. Employment relationship does not eliminate need for specific written authorization before biometric collection.
D is incorrect because BIPA establishes consent as prerequisite for biometric collection. Entities cannot collect biometric identifiers or information without first obtaining written release meeting statutory requirements regardless of collection purpose.
Question 31
A healthcare provider wants to use patient data for research. Under HIPAA, which option allows using PHI without individual authorization?
A) De-identification removing elements that could identify individuals per specified method
B) Using identified data freely without restrictions
C) Sharing data publicly without limitations
D) Selling identifiable data to any purchaser
Answer: A
Explanation:
The HIPAA Privacy Rule permits use of protected health information for research purposes through several mechanisms, with de-identification being one pathway that avoids the authorization requirement. De-identification under Section 164.514 removes personal identifiers from health information so that the information is no longer individually identifiable. HIPAA recognizes two de-identification methods. The expert determination method relies on a person with appropriate knowledge and experience applying statistical and scientific principles to determine that the risk of re-identification is very small, and documenting the methods and results. The safe harbor method removes 18 specific identifiers including names, geographic subdivisions smaller than a state, dates except year, telephone and fax numbers, email addresses, social security numbers, medical record numbers, health plan numbers, account numbers, certificate and license numbers, vehicle identifiers, device identifiers and serial numbers, URLs, IP addresses, biometric identifiers, full-face photos, and any other unique identifying characteristics. Additionally, the covered entity must have no actual knowledge that the remaining information could be used alone or in combination to identify an individual. De-identified information is not protected health information and may be used without authorization or other HIPAA restrictions, though state laws may impose additional requirements.
Alternative pathways for research include: individual authorization meeting regulatory specifications; IRB or privacy board waiver of authorization when the research meets criteria including minimal risk to privacy, no adverse effects on rights and welfare, impracticability of the research without the waiver, and a plan to destroy identifiers when appropriate; reviews preparatory to research, with data review but no removal from the entity; or research on decedents’ information. Limited data sets removing specific identifiers may be shared pursuant to a data use agreement for research.
B is incorrect because using identified data freely without restrictions violates HIPAA which requires authorization, de-identification, or other specific exception for research uses. Protected health information cannot be used for research without proper legal basis and safeguards.
C is incorrect because sharing data publicly without limitations would violate HIPAA minimum necessary requirements and authorization provisions. Research data must be protected appropriately with access limited to necessary persons and uses.
D is incorrect because selling identifiable patient data violates HIPAA provisions prohibiting sale of protected health information except in limited circumstances none of which include general commercial sale for research purposes.
Question 32
A company discovers that a rogue employee accessed customer personal information without authorization. What factor determines if this constitutes a “breach” requiring notification under most state laws?
A) Whether unauthorized access poses significant risk of harm to individuals
B) Number of records accessed regardless of risk
C) Whether media has reported the incident
D) Employee’s intent regardless of actual access
Answer: A
Explanation:
Most state breach notification laws define breach as unauthorized acquisition of personal information that compromises security, confidentiality, or integrity of information. However, many states include risk of harm threshold determining whether notification is required. Risk-based approach recognizes that not all unauthorized access creates meaningful harm risk. Harm risk assessment considers factors including type of information accessed with Social Security numbers and financial account information posing higher risk than contact information alone, whether information was encrypted or otherwise secured making it unusable to unauthorized person, nature of unauthorized access including whether data was viewed, copied, or transferred, likelihood of actual harm resulting from access, and any evidence of actual identity theft or fraud. Some states explicitly incorporate risk thresholds requiring notification only when breach creates reasonable likelihood of harm, significant risk to individuals, or material risk of unauthorized use. Other states require notification unless business determines that misuse is not reasonably likely. Burden often falls on business to demonstrate lack of notification requirement through documented risk assessment. Even when state law does not require notification, businesses may choose to notify out of abundance of caution or to maintain customer trust. Risk assessment should be documented showing analysis of factors and conclusion. Some states require rogue employee access to be reported even absent risk if certain thresholds are met. FTC Act may create notification obligation based on unfairness or deception principles. Businesses should consult legal counsel when determining notification obligations for unauthorized internal access.
B is incorrect because number of records alone does not determine notification requirement in most jurisdictions. Risk-based analysis considers nature of information, likelihood of harm, and protective measures not just volume of affected records.
C is incorrect because media reporting does not determine legal notification obligations which depend on statutory requirements and risk assessment. Publicity may increase harm but does not substitute for legal analysis of notification triggers.
D is incorrect because employee intent is generally less relevant than actual access and risk of harm. Even well-intentioned unauthorized access may trigger notification if it creates risk while malicious intent without actual access may not.
Question 33
A company operates a mobile app that collects location data. Under California law, what privacy requirement applies specifically to mobile applications?
A) California Online Privacy Protection Act requires conspicuous privacy policy disclosure
B) No privacy policy required for mobile applications
C) Privacy policies optional based on business preference
D) Privacy policies only in app store not in application itself
Answer: A
Explanation:
California Online Privacy Protection Act requires operators of commercial websites and online services including mobile applications that collect personally identifiable information from California consumers to conspicuously post privacy policy meeting specific content requirements. CalOPPA applies broadly to any operator collecting PII from California residents regardless of where operator is located. Mobile applications clearly fall within “online service” definition triggering CalOPPA obligations. Privacy policy must be conspicuously posted meaning readily accessible to consumers through prominent link on homepage or app landing page. For mobile apps, conspicuous posting typically means privacy policy link prominently displayed in app interface and in app store listing. Required privacy policy content includes identification of categories of personally identifiable information collected, identification of categories of third parties with whom operator may share information, description of process for notifying consumers of material changes to privacy policy, effective date of policy, and description of consumer rights regarding personal information. CalOPPA specifically requires privacy policy to describe how operator responds to Do Not Track signals or similar mechanisms though most operators state they do not respond to DNT. Location data clearly constitutes personally identifiable information requiring disclosure in privacy policy of collection, use, and sharing practices. California Attorney General has enforcement authority with violations constituting unfair business practice. Recent amendments require privacy policies to be accessible to individuals with disabilities. Mobile application privacy raises additional concerns under California Consumer Privacy Act which imposes broader obligations including consumer access rights, deletion rights, and opt-out for sale of information. App developers should ensure compliance with both CalOPPA and CCPA requirements.
B is incorrect because CalOPPA explicitly requires privacy policies for commercial websites and online services including mobile applications that collect PII from California consumers. Lack of privacy policy violates California law.
C is incorrect because privacy policies are mandatory not optional under CalOPPA when collecting personally identifiable information from California residents. Businesses cannot choose whether to provide privacy policies based on preference.
D is incorrect because privacy policy must be conspicuously posted in the application itself not only in app store. App users must be able to easily access privacy policy while using application to understand data practices.
Question 34
A subscription service wants to automatically renew customer memberships and charge credit cards. Under federal law, what disclosure is required?
A) ROSCA requires clear prominent disclosure of terms before consumer provides payment information
B) No disclosure required for automatic renewal
C) Oral disclosure sufficient without written terms
D) Disclosure after charging credit card acceptable
Answer: A
Explanation:
Restore Online Shoppers’ Confidence Act enacted in 2010 establishes requirements for online subscription services and negative option marketing protecting consumers from unauthorized charges. ROSCA Section 2 requires sellers using automatic renewal or continuous service offers to clearly and conspicuously disclose material terms before obtaining consumer billing information. Material terms include that consumer will be charged unless cancellation occurs, deadline to cancel to avoid charges, amount or range of charges that will be assessed, and length of automatic renewal or continuous service period. Disclosures must be clear and conspicuous meaning in immediate proximity to request for consumer consent presented in manner that consumer cannot miss. For online subscriptions, disclosure should appear adjacent to payment information fields and purchase button not buried in terms of service. After obtaining consumer billing information, seller must obtain consumer’s express informed consent to charge. Express consent must be separate from general terms and conditions and obtained after disclosures are provided. Sellers must provide acknowledgment after transaction including terms of transaction and clear conspicuous procedure for cancellation. Cancellation mechanisms must be simple not requiring consumers to navigate complex processes or contact customer service when online signup was available. ROSCA violations constitute unfair or deceptive practices under FTC Act subjecting sellers to FTC enforcement actions and civil penalties. Many states have adopted similar or stricter automatic renewal laws. California’s automatic renewal law requires additional confirmations and explicit acceptance. Sellers should ensure recurring charge programs comply with federal ROSCA and applicable state laws. Clear transparent automatic renewal practices build customer trust and reduce disputes and chargebacks.
B is incorrect because ROSCA explicitly requires disclosure before obtaining consumer billing information. No disclosure violates federal law and constitutes unfair or deceptive practice subject to FTC enforcement.
C is incorrect because ROSCA requires clear conspicuous disclosure which necessitates written format for online transactions. Oral disclosure is insufficient for online subscription services where written disclosure ensures consumers have access to terms.
D is incorrect because disclosure must occur before consumer provides payment information not after charging occurs. Post-charge disclosure defeats consumer protection purpose of enabling informed decision before financial commitment.
Question 35
A company receives a government request for customer information accompanied by court order requiring nondisclosure. What obligation does the company have to customers?
A) Comply with valid court order including nondisclosure provision subject to constitutional challenge
B) Immediately notify customers despite nondisclosure order
C) Refuse all government requests unconditionally
D) Ignore valid court orders
Answer: A
Explanation:
Government requests for customer information accompanied by valid court orders including nondisclosure provisions create tension between customer notification values and legal compliance obligations. Companies must comply with lawfully issued court orders including associated nondisclosure requirements. 18 USC Section 2705 authorizes courts to issue nondisclosure orders preventing providers from notifying customers about legal process when notification would endanger life or physical safety, result in flight from prosecution, destruction of evidence, intimidation of witnesses, or otherwise seriously jeopardize investigation. Nondisclosure orders must be narrowly tailored with specified duration. Companies should verify court order validity ensuring proper court issuance, appropriate scope, and compliance with legal requirements. If order appears improper, company may move to quash or modify seeking order lifting or narrowing nondisclosure requirement. Constitutional challenges to nondisclosure provisions have been successful in some cases particularly when orders lack adequate judicial oversight or fixed duration. USA FREEDOM Act reformed procedures requiring government show specific facts justifying nondisclosure and limiting duration with periodic review. Companies may seek court permission to notify customers after fixed period expires. While nondisclosure prevents immediate notification, companies may notify customers after nondisclosure period ends if legally permissible. Some companies publish transparency reports disclosing aggregate numbers of legal demands received though cannot disclose specific cases under nondisclosure.
Companies should document legal process received, maintain records of compliance, and have procedures for evaluating and challenging problematic orders. Legal counsel should review government requests to ensure validity and determine appropriate response balancing legal obligations with customer interests.
B is incorrect because immediately notifying customers despite nondisclosure order violates court mandate and subjects company to contempt of court penalties. Companies must comply with valid judicial orders while pursuing legal challenges to improper orders.
C is incorrect because refusing all government requests unconditionally is not legally permissible when valid court orders or other lawful process compel compliance. Companies must respond to proper legal demands while protecting customer interests through appropriate legal mechanisms.
D is incorrect because ignoring valid court orders subjects companies to contempt sanctions, penalties, and potential criminal liability. Companies must comply with lawful orders while pursuing legal avenues to challenge or modify orders believed to be improper or overbroad.
Question 36
A company wants to text marketing messages to consumers who previously purchased products. Under TCPA, what consent requirement applies?
A) Prior express written consent required for marketing texts to wireless numbers
B) Implied consent through purchase sufficient
C) No consent required for existing customers
D) Oral consent adequate for all text marketing
Answer: A
Explanation:
Telephone Consumer Protection Act regulates telemarketing calls and text messages to protect consumers from unwanted communications. TCPA Section 227 as amended requires prior express written consent before making marketing calls or sending marketing text messages using automatic telephone dialing systems or prerecorded voices to wireless telephone numbers. Prior express written consent must be in writing signed by consumer, clearly authorize receipt of marketing messages, and include consumer’s telephone number. Consent cannot be required as condition of purchase or service unless consumer is purchasing service enabling marketing messages. Consent must clearly disclose that purpose is marketing, identify business receiving consent, and include opt-out instructions. Electronic signatures satisfy written consent requirement when complying with E-Sign Act. Established business relationship does not waive written consent requirement for marketing texts to wireless numbers distinguishing TCPA from telemarketing rules that allow EBR exception. Informational non-marketing texts like appointment reminders, delivery notifications, or fraud alerts may not require prior express written consent if they do not include marketing content. Marketing texts must provide clear simple opt-out mechanism typically reply STOP. Telemarketers must honor opt-out requests promptly, ceasing messages within reasonable time. TCPA violations carry statutory damages of $500 per violation with treble damages up to $1,500 for willful violations. Private right of action allows consumers to sue for violations. FCC regulations implementing TCPA provide additional requirements and safe harbors. Companies should maintain detailed records of consent demonstrating compliance. Consent should be obtained through separate clear mechanisms not hidden in lengthy terms of service.
B is incorrect because implied consent through purchase does not satisfy TCPA’s prior express written consent requirement for marketing texts to wireless numbers. Purchase establishes business relationship but does not constitute written consent to marketing communications.
C is incorrect because TCPA requires consent even for existing customers when sending marketing texts to wireless numbers. Customer status does not eliminate consent requirement distinguishing wireless marketing from some landline telemarketing exceptions.
D is incorrect because TCPA specifically requires written consent not oral consent for marketing texts to wireless numbers. Written consent standard ensures clear proof of authorization and enables consumers to understand scope of consent granted.
Question 37
A website operator uses cookies for targeted advertising. What disclosure obligation exists under California law?
A) California Online Privacy Protection Act requires privacy policy describing tracking technologies and purposes
B) No disclosure required for cookie use
C) Cookies may be used without any notice
D) Disclosure only after one year of use
Answer: A
Explanation:
California Online Privacy Protection Act requires operators of commercial websites and online services collecting personally identifiable information from California consumers to post conspicuous privacy policy. CalOPPA’s reach extends to tracking technologies like cookies because they collect information enabling identification of consumers. Privacy policy content requirements include categories of personally identifiable information collected which encompasses data collected through cookies and similar technologies, categories of third parties with whom information may be shared including advertising networks and analytics providers, process for notifying consumers of material privacy policy changes, and effective date. CalOPPA specifically requires privacy policy to describe how operator responds to web browser do not track signals or other mechanisms allowing consumers to exercise choice regarding collection for online behavioral advertising. Most operators state they do not honor DNT signals though must disclose this practice. Cookies used for targeted advertising collect browsing behavior across sites constituting personally identifiable information under California law. Privacy policies should clearly explain cookie use including what information cookies collect, purposes for collection like personalization or advertising, third-party cookie use by advertising networks, and consumer choices for managing cookies. California’s broader privacy framework through CCPA imposes additional requirements including right to know what personal information is collected and sold, right to opt out of sale of personal information, and right to delete personal information. Cookie data likely constitutes personal information under CCPA triggering these consumer rights. Website operators should ensure privacy policies accurately describe all tracking technologies and provide required opt-out mechanisms. Clear cookie disclosures with easy-to-understand explanations build consumer trust beyond mere legal compliance.
B is incorrect because CalOPPA requires privacy policy when collecting personally identifiable information including through cookies. No disclosure violates California law requirements for conspicuous privacy policy describing information practices.
C is incorrect because cookies collecting personally identifiable information trigger CalOPPA privacy policy requirements. Operators cannot use tracking technologies without providing required privacy notice describing collection practices and purposes.
D is incorrect because privacy policy must be posted when operator begins collecting personally identifiable information not after one year. Disclosure obligations begin immediately when collection starts ensuring consumers understand practices before engaging with services.
Question 38
A company suffers a breach compromising Social Security numbers of employees. Under federal law, which agency has enforcement authority for employment-related privacy violations?
A) Federal Trade Commission for unfair or deceptive practices affecting employment relationships
B) No federal agency has employment privacy authority
C) State agencies exclusively handle all employment matters
D) Only criminal courts have jurisdiction
Answer: A
Explanation:
Federal Trade Commission exercises broad authority under Section 5 of FTC Act prohibiting unfair or deceptive acts or practices in or affecting commerce. While FTC jurisdiction focuses primarily on consumer protection, employment relationships can fall within FTC purview when unfair or deceptive practices affect employees. FTC has brought enforcement actions against companies for inadequate data security resulting in employee information breaches arguing that failure to implement reasonable security measures constitutes unfair practice. Unfairness standard under Section 5 requires practice causing or likely to cause substantial injury to consumers not reasonably avoidable by consumers and not outweighed by countervailing benefits. Employees suffering identity theft or financial harm from breached Social Security numbers experience substantial injury. Deception standard requires material representation, omission, or practice likely to mislead consumers acting reasonably. If company represented it would protect employee information but failed to implement promised safeguards, this could constitute deceptive practice. FTC enforcement remedies include consent orders requiring specific security measures, civil penalties for violations, consumer redress, and injunctive relief. FTC has issued data security guidance applicable to employment contexts. Equal Employment Opportunity Commission has limited privacy jurisdiction over employee information under Americans with Disabilities Act and Genetic Information Nondiscrimination Act. Department of Labor oversees certain employee benefit information under ERISA. State attorneys general also have enforcement authority under state consumer protection and breach notification laws. While no single comprehensive federal employment privacy law exists, multiple agencies can address employment privacy violations through existing authorities.
B is incorrect because FTC and other federal agencies do have authority over certain employment-related privacy practices. FTC Section 5 authority extends to unfair or deceptive practices affecting employment when substantial consumer injury results.
C is incorrect because both federal and state agencies have authority over employment privacy. Federal agencies like FTC and EEOC can enforce applicable federal laws while state agencies enforce state-specific employment privacy requirements creating concurrent jurisdiction.
D is incorrect because civil enforcement through administrative agencies like FTC is primary mechanism for addressing privacy violations. Criminal prosecution is available for intentional unauthorized access under Computer Fraud and Abuse Act but civil enforcement handles most breach scenarios.
Question 39
A financial services company wants to comply with New York DFS Cybersecurity Regulation. What is a key requirement of this regulation?
A) Chief Information Security Officer and annual cybersecurity risk assessment
B) No security requirements for financial institutions
C) Voluntary guidelines without enforcement
D) Security measures optional based on preference
Answer: A
Explanation:
New York Department of Financial Services Cybersecurity Regulation (23 NYCRR 500) establishes comprehensive cybersecurity requirements for financial institutions operating under DFS supervision including banks, insurance companies, and other covered entities. Regulation requires covered entities to maintain cybersecurity program designed to protect confidentiality, integrity, and availability of information systems and nonpublic information. Key requirements include appointing Chief Information Security Officer responsible for overseeing cybersecurity program and reporting to board or senior officer, conducting periodic risk assessment identifying reasonably foreseeable internal and external cybersecurity threats evaluating likelihood and potential harm, implementing penetration testing and vulnerability assessments appropriate to risk, maintaining cybersecurity policies and procedures approved by senior officer or board, implementing multi-factor authentication or equivalent controls for critical systems, maintaining audit trail systems tracking user activities on information systems, limiting data retention to necessary timeframe, implementing encryption for nonpublic information in transit and at rest unless CISO determines it would be infeasible, training personnel on cybersecurity risks and procedures, requiring third-party service providers to implement appropriate security measures, and implementing incident response plan including notification procedures. Covered entities must file annual certification of compliance with regulation by February 15 each year. Board of directors or equivalent governing body must receive cybersecurity reports from CISO at least annually. Material cybersecurity events must be reported to Superintendent within 72 hours. Regulation includes limited exemptions for smaller institutions with specific asset thresholds. Non-compliance can result in enforcement actions, penalties, and regulatory sanctions.
B is incorrect because DFS Cybersecurity Regulation establishes mandatory security requirements for covered financial institutions. Regulation is not optional but legally required with enforcement mechanisms for non-compliance.
C is incorrect because DFS Cybersecurity Regulation creates enforceable legal requirements not voluntary guidelines. Department has enforcement authority to ensure compliance and can impose penalties for violations.
D is incorrect because security measures are mandatory not optional under DFS Cybersecurity Regulation. Covered entities must implement required controls appropriate to their risk profile and business operations.
Question 40
A company provides credit monitoring services following a data breach. Under which federal law must consumer reporting agencies provide one free credit report annually?
A) Fair Credit Reporting Act Section 612 establishing AnnualCreditReport.com mechanism
B) Credit monitoring automatically included with all services
C) Free credit reports only available after identity theft
D) No federal law requires free credit reports
Answer: A
Explanation:
Fair Credit Reporting Act as amended by Fair and Accurate Credit Transactions Act (FACT Act) Section 612 requires nationwide consumer reporting agencies to provide consumers with free annual credit reports. Three major credit bureaus Equifax, Experian, and TransUnion must provide free reports through centralized request mechanism at AnnualCreditReport.com or via toll-free telephone number. Consumers are entitled to one free report from each bureau per 12-month period. This free annual report right is separate from and in addition to free reports available under other FCRA provisions including after adverse action based on credit report, when unemployed and seeking employment within 60 days, when receiving public assistance, when believing file contains inaccuracies due to fraud, or when victim of identity theft entitled to free reports and fraud alerts. Credit monitoring services offered after breaches provide ongoing monitoring beyond annual free reports alerting consumers to new activity on credit reports. While annual free reports satisfy statutory minimum, breach-affected consumers benefit from more frequent monitoring detecting fraudulent accounts quickly. Free credit reports from AnnualCreditReport.com do not include credit scores which may be purchased separately though some states require free credit scores. Consumers should obtain free reports from each bureau periodically throughout year rather than requesting all three simultaneously, enabling continuous monitoring at four-month intervals. Credit report reviews enable consumers to identify unauthorized accounts, inaccurate information, or identity theft indicators. FCRA provides dispute procedures allowing consumers to challenge inaccurate information with credit bureaus required to investigate disputes and correct or delete unverified information. Consumer Financial Protection Bureau has enforcement authority over FCRA including annual free report requirements.
B is incorrect because credit monitoring is separate service beyond annual free credit reports. While some services include monitoring features, FCRA requirement specifically mandates annual free credit report access not ongoing monitoring services.
C is incorrect because annual free credit reports are available to all consumers regardless of whether identity theft has occurred. Additional free reports are available after identity theft but annual entitlement exists for all consumers preventatively.
D is incorrect because FCRA as amended by FACT Act explicitly requires nationwide consumer reporting agencies to provide annual free credit reports to consumers. Federal law established this consumer right through legislation.