Pass the IAPP Certified Information Privacy Professional CIPP-US Questions and answers with CertsForce

The Global Privacy Enforcement Network (GPEN) is a network for privacy enforcement authorities (PEAs) to share knowledge, experience and best practices on the practical aspects of privacy enforcement and cooperation. GPEN was created in response to the OECD Recommendation on Cross-border Cooperation in the Enforcement of Laws Protecting Privacy, which called for member countries to foster the establishment of an informal network of PEAs. GPEN’s main purpose is to facilitate cross-border cooperation and coordination among PEAs, especially in cases involving multiple jurisdictions or regions. GPEN also aims to enhance information sharing, promote awareness and education, and support capacity building among PEAs. References:

Home (public) | Global Privacy Enforcement Network

Global Privacy Enforcement Network - International Association of Privacy Professionals

International Partnerships - Office of the Privacy Commissioner of Canada

Specialised networks – Global Privacy Assembly

Action Plan for the Global Privacy Enforcement Network (GPEN)

[IAPP CIPP/US Certified Information Privacy Professional Study Guide], Chapter 6, page 213.

The Consumer Privacy Bill of Rights is a set of principles proposed by the Obama administration in 2012 to protect the privacy of consumers online and offline. The principles are based on the Fair Information Practice Principles, which are widely accepted as the foundation of privacy protection. One of the principles is the right to reasonable limits on the personal data that a company retains, which means that companies should collect and keep only the personal data they need for legitimate purposes, and dispose of it securely when it is no longer needed. This principle would best reform the company’s privacy program in the scenario, as it would address the major concerns that Roberta identified in her report, such as the lack of rules and procedures for purging and destroying outdated data, and the excessive access to customer information by low-level employees. By implementing reasonable limits on the personal data that the company retains, the company would reduce the risk of data breaches, enhance customer trust, and comply with state breach notification laws. References:

Fact Sheet: Plan to Protect Privacy in the Internet Age by Adopting a Consumer Privacy Bill of Rights

IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 1: Introduction to U.S. Privacy Law, Section 1.2: The Consumer Privacy Bill of Rights

Social security numbers (SSNs) are one of the most sensitive types of personally identifiable information (PII) and are subject to comprehensive data security and privacy laws at both the federal and state levels. Banks, as financial institutions, are subject to strict regulations under laws like the Gramm-Leach-Bliley Act (GLBA) and state privacy laws regarding the safeguarding of sensitive data like SSNs.

Why Social Security Numbers are Most Likely to Be Covered:

SSNs are a high-value target for identity theft, making their protection a focus of numerous privacy and data security laws.

Federal laws like GLBA and the Fair Credit Reporting Act (FCRA) impose strict data security requirements on financial institutions.

State laws, such as those in California, often require businesses to protect SSNs and notify individuals in the event of a breach involving sensitive information.

Explanation of Options:

A. Account holders' social security numbers, maintained by a bank:This is correct because SSNs are consistently protected under comprehensive laws at both the federal and state levels.

B. Users' sexual orientations, maintained by a social media website:While sexual orientation may be considered sensitive data under certain laws (e.g., GDPR in the EU), U.S. privacy laws do not consistently regulate this information.

C. Individual drivers' license numbers, maintained by a state agency:While some states regulate drivers' license data, this information is not comprehensively covered under state privacy laws.

D. Contact details of individuals who report emergencies, maintained by local authorities:This information is regulated in limited circumstances (e.g., Freedom of Information Act or public records laws) but is not subject to comprehensive state privacy laws.

References from CIPP/US Materials:

GLBA and FCRA: Highlight the importance of safeguarding sensitive financial information such as SSNs.

State Data Breach Notification Laws: Many states explicitly list SSNs as a protected data element.

The Foreign Intelligence Surveillance Act (FISA) was enacted in 1978 in response to revelations of widespread privacy violations by the federal government under President Nixon. It established procedures for requesting judicial authorization for electronic surveillance and physical search of persons engaged in espionage or international terrorism against the United States on behalf of a foreign power1 The original purpose of FISA was to further define a framework for authorizing wiretaps by the executive branch for national security purposes under Article II of the Constitution, which grants the president the power to conduct foreign affairs and defend the nation23 FISA was intended to balance the need for collecting foreign intelligence information with the protection of privacy and civil liberties of U.S. persons4 References:  https://www.intelligence.gov/foreign-intelligence-surveillance-act

https://www.intelligence.gov/foreign-intelligence-surveillance-act/1234-categories-of-fisa

 According to the IAPP CIPP/US Study Guide, more than half of U.S. states require telemarketers to register with the state before conducting business within the state. This registration requirement may involve paying a fee, posting a bond, or providing information about the telemarketer’s identity, location, and business practices. The purpose of this requirement is to protect consumers from fraudulent or deceptive telemarketing calls and to facilitate the enforcement of state laws and regulations. The other options are not required by most states, although some states may have additional rules or guidelines for telemarketers regarding identification, consent, or contracts. References:

IAPP CIPP/US Study Guide, Chapter 7: Marketing and Advertising

State Telemarketing Registration Requirements

The Colorado Privacy Act (CPA) grants consumers the right to access, correct, or delete their personal data, including sensitive data, that is processed by a controller1. Sensitive data is defined as personal data that reveals racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life or sexual orientation, citizenship or citizenship status, genetic or biometric data, or personal data from a known child2. The CPA also grants consumers the right to opt out of the processing of their personal data for purposes of targeted advertising, the sale of personal data, or certain kinds of profiling3. However, the CPA does not grant consumers the right to limit the use of sensitive data for other purposes, such as providing a product or service requested by the consumer, complying with legal obligations, or protecting the vital interests of the consumer or another person. Therefore, option D is the correct answer, as it is not a privacy right available under the CPA. References: 1: Colorado Privacy Act (CPA) - Colorado Attorney General 2: Protect Personal Data Privacy | Colorado General Assembly 3: SENATE BILL 21-190 Woodward, Garcia; PRIVACY. COLORADO PRIVACY ACT … : Colorado Privacy Act: What You Need to Know | OneTrust DataGuidance

 The U.S. Constitution plays a limited role in the area of workplace privacy, because it mainly applies to the actions of the government, not private employers. The Fourth Amendment protects the right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures1. The Supreme Court has interpreted this right to include a reasonable expectation of privacy in certain situations, such as in one’s home, car, or personal belongings2. However, this right does not extend to private-sector employees, who are not protected by the Constitution from the actions of their employers, unless the employer is acting as an agent of the government3. Private-sector employees may have some privacy rights under state laws, common law, or contractual agreements, but these vary depending on the jurisdiction and the circumstances4.

Public-sector employees, on the other hand, are protected by the Constitution from unreasonable searches and seizures by their employers, who are considered part of the government. Public-sector employees have a reasonable expectation of privacy in their workplace, unless there is a legitimate work-related reason for the search or seizure, such as to ensure safety, security, or efficiency. Public-sector employers must also comply with the due process and equal protection clauses of the Fifth and Fourteenth Amendments, which prohibit the government from depriving any person of life, liberty, or property without due process of law, or from denying any person the equal protection of the laws. These clauses protect public-sector employees from arbitrary or discriminatory actions by their employers that affect their employment status or benefits.

Therefore, the U.S. Constitution plays a significant role in the area of workplace privacy for federal and state governments, but not for private-sector employment, because it only regulates the actions of the government, not private actors. References:

1: Cornell Law School, Fourth Amendment, https://www.law.cornell.edu/constitution/fourth_amendment

2: FindLaw, What Is a Reasonable Expectation of Privacy?, https://www.findlaw.com/criminal/criminal-rights/what-is-a-reasonable-expectation-of-privacy.html

3: FindLaw, Workplace Privacy, https://www.findlaw.com/smallbusiness/employment-law-and-human-resources/workplace-privacy.html

4: Nolo, Privacy Rights of Employees, https://www.nolo.com/legal-encyclopedia/privacy-rights-employees-29849.html

: OPM, Employee Relations, https://www.opm.gov/policy-data-oversight/employee-relations/reference-materials/employee-privacy/

: Cornell Law School, Fifth Amendment, https://www.law.cornell.edu/constitution/fifth_amendment

: FindLaw, Public Employees and the Constitution, https://www.findlaw.com/employment/employment-rights/public-employees-and-the-constitution.html

 The Virginia Consumer Data Protection Act (VCDPA) is a state law that provides comprehensive privacy rights and obligations for consumers and businesses in Virginia. The VCDPA applies to any entity that conducts business in Virginia or produces products or services that are targeted to residents of Virginia and that either: (a) controls or processes personal data of at least 100,000 consumers; or (b) controls or processes personal data of at least 25,000 consumers and derives over 50% of gross revenue from the sale of personal data. However, the VCDPA also provides several exemptions for certain types of entities and data, including an entity exemption for financial institutions or data subject to the Gramm-Leach-Bliley Act (GLBA). This means that organizations that are regulated by the GLBA are not subject to the VCDPA, regardless of the type or source of data they collect or process. The GLBA is a federal law that regulates the collection, use, and disclosure of personal financial information by financial institutions and their affiliates. The GLBA applies to any business that is significantly engaged in financial activities, such as banks, credit unions, securities firms, insurance companies, and certain fintech companies. The GLBA requires financial institutions to provide notice and choice to consumers about their privacy practices, to safeguard the security and confidentiality of consumer information, and to limit the sharing of consumer information with third parties. The GLBA also preempts state laws only to the extent that they are inconsistent with the GLBA, unless the state law provides greater protection to consumers.

The other state laws listed in the question do not have an entity exemption for organizations subject to the GLBA, but they may have partial or data exemptions for certain types of information that are regulated by the GLBA. For example, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) are state laws that provide comprehensive privacy rights and obligations for consumers and businesses in California. The CCPA and the CPRA apply to any business that collects or sells the personal information of California residents and that meets one or more of the following thresholds: (a) has annual gross revenues in excess of $25 million; (b) alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, the personal information of 50,000 or more consumers, households, or devices; or © derives 50% or more of its annual revenues from selling consumers’ personal information. However, the CCPA and the CPRA also provide several exemptions for certain types of entities and data, including a data exemption for personal information collected, processed, sold, or disclosed pursuant to the GLBA, if it is in conflict with the GLBA. This means that information that is subject to the GLBA is exempt from the privacy requirements of the CCPA and the CPRA, but not from the data breach liability provisions. The CCPA and the CPRA do not exempt financial institutions or other entities that are regulated by the GLBA from their scope, unless they only collect or process information that is subject to the GLBA.

The Nevada Privacy Law is a state law that provides privacy rights and obligations for consumers and operators of websites or online services in Nevada. The Nevada Privacy Law applies to any person who owns or operates an Internet website or online service for commercial purposes that collects and maintains covered information from consumers who reside in Nevada and use or visit the Internet website or online service. Covered information includes any one or more of the following items of personally identifiable information about a consumer collected by an operator through an Internet website or online service and maintained by the operator in an accessible form: (a) a first and last name; (b) a home or other physical address which includes the name of a street and the name of a city or town; © an electronic mail address; (d) a telephone number; (e) a social security number; (f) an identifier that allows a specific person to be contacted either physically or online; or (g) any other information concerning a person collected from the person through the Internet website or online service of the operator and maintained by the operator in combination with an identifier in a form that makes the information personally identifiable. However, the Nevada Privacy Law also provides several exemptions for certain types of entities and data, including a data exemption for any data that is subject to the GLBA. This means that information that is regulated by the GLBA is exempt from the Nevada Privacy Law, regardless of the type or source of data. The Nevada Privacy Law does not exempt financial institutions or other entities that are subject to the GLBA from its scope, unless they only collect or process information that is subject to the GLBA. References:

VCDPA, Section 59.1-572 (A) (1)

GLBA, 15 U.S.C. § 6801 et seq.

CCPA, Section 1798.145 (e)

CPRA, Section 1798.121 ©

Nevada Privacy Law, Section 603A.340 (1) (a)

The California Consumer Privacy Act (CCPA) defines a ‘sale’ of personal information as any transfer or disclosure of personal information to another business or third party for monetary or other valuable consideration. However, the CCPA also provides some exceptions to this definition, such as:

If the consumer has directed the business to intentionally disclose the personal information or use the personal information to interact with a third party, provided the third party does not also sell the personal information.

If the business transfers the personal information to a service provider that is contractually prohibited from retaining, using, or disclosing the personal information for any purpose other than performing the services specified in the contract with the business.

If the business transfers the personal information to a third party as part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the business, provided the information is used or shared consistently with the CCPA.

The use of cookies on a website by a service provider is generally not deemed a sale of personal information by the CCPA, as long as the information collected by the service provider is necessary to perform the services specified in the contract with the business, and the service provider does not further collect, sell, or use the personal information of the consumer except as necessary to perform the business purpose. One of the examples of a valid business purpose is to perform debugging to identify and repair errors that impair existing intended functionality.

Therefore, option D is the correct answer, as it describes a scenario where the use of cookies by a service provider is not a sale of personal information under the CCPA, assuming the service provider complies with the contractual obligations and does not further use or disclose the information.

Option A is incorrect, as it does not describe a valid exception to the definition of a sale. The third party that stores personal information to trigger a response to a consumer’s request to opt in is not acting as a service provider, but as a separate entity that may have its own interest in the personal information. The consumer’s request to opt in does not necessarily imply that the consumer has directed the business to disclose the personal information to the third party.

Option B is incorrect, as it does not describe a valid exception to the definition of a sale. The analytics cookies placed by the service provider may still constitute a sale of personal information, even if they cannot be linked to a particular consumer of that business. The CCPA defines personal information broadly to include any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Therefore, the analytics cookies may still fall within the scope of personal information, and their use by the service provider may still be a sale, unless one of the exceptions applies.

Option C is incorrect, as it does not describe a valid exception to the definition of a sale. The service provider that retains personal information obtained in the course of providing the services specified in the agreement with the subcontractors is not acting as a service provider to the business, but as a separate entity that may have its own interest in the personal information. The agreement with the subcontractors does not necessarily imply that the business has authorized the service provider to retain, use, or disclose the personal information for any purpose other than performing the services specified in the contract with the business.

References:

[IAPP CIPP/US Study Guide], Chapter 10: California Consumer Privacy Act, pp. 223-226.

CIPP/US Practice Questions (Sample Questions), Question 30.

 According to the web search results from my predefined tool, Vermont became the first state to pass a law specifically regulating the practices of data brokers in 2018. The law defines a data broker as “a business, or unit or units of a business, separately or together, that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship.” The law requires data brokers to register with the Secretary of State, pay a registration fee, provide information about their data collection and opt-out practices, and implement security measures to protect the personal information they collect and sell. The law also imposes additional obligations on data brokers that possess the personal information of minors. The law aims to increase the transparency and accountability of the data broker industry and to protect the privacy rights of consumers12. References:

Registered Data Brokers in the United States: 2021 | Privacy Rights …

Am I A Data Broker?: A Quick Primer on State Laws Regulating a … - Taft