Pass the IAPP Certified Information Privacy Professional CIPP-US Questions and answers with CertsForce

 The Office for Civil Rights (OCR) within the HHS is the primary enforcer of the HIPAA Privacy Rule, which establishes national standards for the protection of individually identifiable health information by covered entities and business associates. The OCR investigates complaints, conducts compliance reviews, and provides technical assistance and guidance to ensure compliance with the Privacy Rule. The OCR can also impose civil monetary penalties for violations of the Privacy Rule, ranging from $100 to $50,000 per violation, up to a maximum of $1.5 million per year for the same violation. References: HIPAA Enforcement, IAPP CIPP/US Study Guide, Chapter 3, Section 3.1.1

 Federal preemption is a doctrine in law that allows a federal law to take precedence over or to displace a state law in certain matters of national importance (such as interstate commerce). The doctrine is based on the Supremacy Clause of the Constitution, which declares that federal law is the “supreme law of the land” and that state judges are bound by it. There are two types of federal preemption: express and implied. Express preemption occurs when Congress expressly states that a federal law is intended to preempt certain types of state legislation. Implied preemption occurs when a state law conflicts with federal law because it is impossible to comply with both at the same time, or because it interferes with the objectives of the federal law, or because the federal government has fully occupied the field of regulation.

The U.S. Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act is an example of express preemption. The Act regulates commercial email messages and establishes requirements for senders and penalties for violations. The Act also explicitly preempts any state law that “expressly regulates the use of electronic mail to send commercial messages”, except for state laws that prohibit falsity or deception. This means that states cannot pass laws that impose greater obligations on senders of email marketing than the federal law, such as requiring opt-in consent or providing additional opt-out mechanisms. Therefore, the CAN-SPAM Act is the correct answer to the question.

The other options are not examples of federal preemption. The Payment Card Industry’s (PCI) ability to self-regulate and enforce data security standards for payment card data is not a federal law, but a private sector initiative. The U.S. Federal Trade Commission’s (FTC) ability to enforce against unfair and deceptive trade practices across sectors and industries is not a preemption of state law, but a concurrent power that can coexist with state consumer protection laws. The California Consumer Privacy Act (CCPA) regulating businesses that have no physical brick-and-mortal presence in California, but which do business there, is not preempted by any federal law, but is a state law that applies to entities that meet certain criteria of collecting or selling personal information of California residents. References: Federal preemption, What is Federal Preemption?, Federal preemption Definition & Meaning, preemption, Preemption legal definition of Preemption, CAN-SPAM Act, IAPP CIPP/US Study Guide, Chapter 2.

The VPPA was enacted to prevent the wrongful disclosure of personally identifiable information (PII) concerning any consumer of a video tape service provider. PII includes information that identifies a person as having requested or obtained specific video materials or services from a video tape service provider. The VPPA prohibits such disclosure, except in certain limited circumstances, such as with the consumer’s informed, written consent, or pursuant to a law enforcement warrant, subpoena, or court order. The VPPA also allows the disclosure of the names and addresses of consumers, but not the title, description, or subject matter of any video tapes or other audio visual material, for the exclusive use of marketing goods and services directly to the consumer, unless the consumer has opted out of such disclosure. The other options (B, C, and D) are not restricted by the VPPA. References:

Video Privacy Protection Act - Wikipedia

18 U.S. Code § 2710 - Wrongful disclosure of video tape rental or sale records | U.S. Code | US Law | LII / Legal Information Institute

IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 3: Federal Privacy Laws and Regulations, Section 3.5: Video Privacy Protection Act (VPPA)

Based on the incident, the FTC’s enforcement actions against the marketer would most likely include the violation of collecting information from a child under the age of thirteen without obtaining verifiable parental consent, as required by the Children’s Online Privacy Protection Act (COPPA) Rule. The COPPA Rule applies to operators of commercial websites and online services (including mobile apps) that collect, use, or disclose personal information from children under 13, and operators of general audience websites or online services that have actual knowledge that they are collecting, using, or disclosing personal information from children under 13. The COPPA Rule also applies to websites or online services that are directed to children under 13 and that collect personal information from users of any age. The COPPA Rule defines personal information to include full name, address, phone number, email address, date of birth, and other identifiers that permit the physical or online contacting of a specific individual. The COPPA Rule requires operators to post a clear and comprehensive online privacy policy describing their information practices for personal information collected online from children; provide direct notice to parents and obtain verifiable parental consent, with limited exceptions, before collecting personal information online from children; give parents the choice of consenting to the operator’s collection and internal use of a child’s information, but prohibiting the operator from disclosing that information to third parties (unless disclosure is integral to the site or service, in which case, this must be made clear to parents); provide parents access to their child’s personal information to review and/or have the information deleted; give parents the opportunity to prevent further use or online collection of a child’s personal information; maintain the confidentiality, security, and integrity of information they collect from children, including by taking reasonable steps to release such information only to parties capable of maintaining its confidentiality and security; and retain personal information collected online from a child for only as long as is necessary to fulfill the purpose for which it was collected and delete the information using reasonable measures to protect against its unauthorized access or use. The FTC has the authority to seek civil penalties and injunctive relief for violations of the COPPA Rule. The FTC has brought numerous enforcement actions against operators for violating the COPPA Rule, resulting in millions of dollars in penalties and orders to delete illegally collected data. References:

Children’s Privacy | Federal Trade Commission

Kids’ Privacy (COPPA) | Federal Trade Commission

FTC Is Escalating Scrutiny of Dark Patterns, Children’s Privacy

FTC to Crack Down on Companies that Illegally Surveil Children Learning Online

FTC Takes Action Against Company for Collecting Children’s Personal Information Without Parental Permission

[IAPP CIPP/US Certified Information Privacy Professional Study Guide], Chapter 5, pages 165-168.

The Red Flag Program Clarification Act of 2010 amended the original Red Flags rule, which required certain financial institutions and creditors to develop and implement a written identity theft prevention program. The Clarification Act narrowed the definition of creditor to include only those who regularly and in the ordinary course of business advance funds to or on behalf of a person, based on an obligation of the person to repay the funds or repayable from specific property pledged by or on behalf of the person12. This excludes creditors who advance funds for expenses incidental to a service provided by the creditor to that person3. References:

CIPP/US Practice Questions (Sample Questions), Question 133, Answer B, Explanation B.

IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 4, Section 4.3, p. 108-109.

Red Flag Program Clarification Act of 2010, Section 2, Subsection (b).

Access is the privacy concept that grants a consumer the right to view and correct errors on his or her credit report. The Fair Credit Reporting Act (FCRA) gives consumers the right to access their credit reports from the three nationwide credit reporting agencies (Equifax, Experian, and TransUnion) once every 12 months for free. Consumers also have the right to dispute any inaccurate or incomplete information in their credit reports and request that the credit reporting agencies investigate and correct the errors. The FCRA also requires the credit reporting agencies to provide consumers with a notice of their rights and a summary of the dispute process. References:

IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 2: Limits on Private-sector Collection and Use of Data, Section 2.2: Consumer Privacy, p. 38-39

IAPP CIPP/US Body of Knowledge, Domain II: Limits on Private-sector Collection and Use of Data, Objective II.B: Identify the privacy requirements for consumer data, Subobjective II.B.1: Identify the consumer rights under the Fair Credit Reporting Act, p. 13

IAPP CIPP/US Exam Blueprint, Domain II: Limits on Private-sector Collection and Use of Data, Objective II.B: Identify the privacy requirements for consumer data, Subobjective II.B.1: Identify the consumer rights under the Fair Credit Reporting Act, p. 4

Federal anti-discrimination laws, such as Title VII of the Civil Rights Act of 1964, the Equal Pay Act of 1963, the Age Discrimination in Employment Act of 1967, and the Americans with Disabilities Act of 1990, prohibit employers from discriminating against employees or applicants based on certain protected characteristics, such as race, color, religion, sex, national origin, age, disability, and genetic information. These laws also limit the types of information that employers can collect, use, disclose, or retain about employees or applicants, in order to prevent discrimination or invasion of privacy. For example, employers cannot ask about an applicant’s medical history, disability status, genetic information, or religious beliefs, unless they are relevant to the job or a bona fide occupational qualification. Employers also cannot use such information to make adverse employment decisions, such as hiring, firing, promotion, or compensation, unless they are justified by a legitimate business necessity or a reasonable accommodation. Employers must also safeguard the confidentiality of such information and dispose of it properly when it is no longer needed. References:

Federal Laws Prohibiting Job Discrimination Questions And Answers

Laws Enforced by EEOC

Employment and Anti-Discrimination Laws in the Workplace

Protections Against Discrimination and Other Prohibited Practices

3. Who is protected from employment discrimination?

 The CCPA applies to any business that collects personal information of California residents, regardless of where the business is located1. The CCPA defines personal information broadly as any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household2. This could include business contact information, such as name, email address, phone number, or job title, if it is linked to a specific individual3. Therefore, Otto should tell the Board that business contact information could be considered personal information governed by CCPA, and that the company may need to comply with the CCPA requirements, such as providing notice, honoring consumer rights requests, and implementing reasonable security measures4. References:

CIPP/US Practice Questions (Sample Questions), Question 124, Answer C, Explanation C.

IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 6, Section 6.2, p. 181-182.

California Consumer Privacy Act (CCPA), Section 1798.140, Subsection (o).

CCPA Compliance Checklist for Businesses, Section 2, Subsection (a).

Data flow diagrams are graphical representations of how data moves within an organization or between different entities. They can help identify the sources, destinations, and processing of personal data, as well as the legal basis, retention periods, and security measures for each data flow. Reviewing the available data flow diagrams can help the data privacy leader to quickly and accurately respond to the urgent request from the EU-based retail partner, as well as to assess the potential risks and compliance gaps in the data transfer process. Data flow diagrams are also a key component of data protection impact assessments (DPIAs), which are required by the GDPR for high-risk processing activities. References:

IAPP CIPP/US Body of Knowledge, Section II, A, 2

[IAPP CIPP/US Study Guide, Chapter 2, Section 2.3]

[GDPR, Article 35]

The California Privacy Rights Act (CPRA), which amends the California Consumer Privacy Act (CCPA), created the California Privacy Protection Agency (CPPA). This agency has been granted significant authority to regulate and enforce California privacy laws, but it does not have the authority to override decisions made by the California Attorney General regarding CCPA enforcement.

Powers Granted to the CPPA by the CPRA:

Adopting and Updating CCPA Regulations:

The CPPA has rulemaking authority, meaning it can adopt, amend, and update CCPA regulations to clarify obligations under the law.

This is explicitly stated in the CPRA.

Investigating Violations:

The CPPA can independently investigate potential violations of the CCPA, even without a complaint from a consumer.

Imposing Administrative Fines:

The CPPA has the authority to impose administrative fines for violations of the CCPA, which is critical for enforcing compliance.

Explanation of Option C:

While the CPPA has broad regulatory and enforcement powers, it cannot override decisions made by the Attorney General. The Attorney General retains certain oversight functions, particularly in transitioning enforcement authority to the CPPA. The CPPA's role is independent and complementary to that of the Attorney General, not one of supremacy.

References from CIPP/US Materials:

California Privacy Rights Act (CPRA): Specifies the creation, powers, and responsibilities of the CPPA.

IAPP CIPP/US Certification Textbook: Discusses the CPPA's rulemaking and enforcement authority.