IAPP CIPP-US Practice Test - Questions Answers, Page 13

Under the California Privacy Rights Act (CPRA), which amends the California Consumer Privacy Act (CCPA), California residents have the right to request access to their personal information collected by a business. However, the CPRA provides an exception for inferences made about an individual for internal purposes, meaning businesses are not obligated to disclose inferences generated solely for internal use.

Key Points Under the CPRA:

Access to Personal Information:

Businesses must provide consumers with access to personal information they have collected, which includes data submitted by the consumer and other information directly associated with the consumer.

Exception for Inferences:

Inferences made about a consumer, particularly when used for internal purposes (e.g., improving services, analytics, or predicting preferences), are not explicitly required to be disclosed under the CPRA unless they are part of the consumer's profile or used for decision-making purposes that affect the consumer.

Examples of Data to Be Provided:

Information provided by the consumer (e.g., email address, account information).

Automatically collected information (e.g., timestamps, purchase history).

Identifiers (e.g., loyalty account numbers).

Explanation of Options:

A . Inferences made about the individual for the company's internal purposes: This is correct. Inferences generated for internal use are not considered part of the data set that must be disclosed in response to a CPRA data access request.

B . The loyalty account number assigned through the individual's use of the services: Loyalty account numbers are directly associated with the consumer and must be provided in response to an access request under the CPRA.

C. The time stamp for the creation of the individual's account in the platform's database: This information is part of the consumer's account data and must be disclosed under the CPRA.

D . The email address submitted by the individual as part of the account registration process: This is personal information directly provided by the consumer and must be disclosed under the CPRA.

Reference from CIPP/US Materials:

CPRA (Civil Code 1798.140): Defines personal information and exceptions for internal use, including inferences.

IAPP CIPP/US Certification Textbook: Discusses consumer rights under the CPRA, including access rights and the treatment of inferences.

The marketer could be prosecuted for violating the Unfair and Deceptive Acts and Practices (UDAP) laws, which are enforced by the Federal Trade Commission (FTC) and state attorneys general. UDAP laws prohibit businesses from engaging in unfair or deceptive practices that harm consumers, such as false advertising, misleading claims, or hidden fees. In this scenario, the marketer could be accused of deceiving children into providing personal information and preferences under the guise of a survey and a contest, without obtaining verifiable parental consent or disclosing how the information will be used or shared. This could also violate the Children's Online Privacy Protection Act (COPPA), which is a federal law that regulates the online collection and use of personal information from children under 13 years of age.Reference:

[IAPP CIPP/US Study Guide], Chapter 5: Enforcement of Privacy and Security, pp. 177-178.

IAPP CIPP/US Body of Knowledge, Section II: Limits on Private-sector Collection and Use of Data, Subsection A: Government and Court Access to Private-sector Information, Topic 2: Unfair and Deceptive Trade Practices.

IAPP CIPP/US Practice Questions, Question 27.

An injunction is a court order that requires a party to stop or refrain from doing something. In a case of civil litigation, a defendant who is being sued for distributing an employee's private information might face an injunction that prohibits them from further disclosing or using the employee's private information. An injunction is a form of equitable relief that aims to prevent or remedy harm that cannot be adequately compensated by monetary damages. Probation, criminal fines, and jail sentences are forms of criminal sanctions that are not applicable in civil litigation, unless the defendant is also charged with a criminal offense related to the distribution of the employee's private information.Reference:Standing issues in U.S. privacy class actions,US Private-Sector Privacy (CIPP/US Exam Prep),IAPP CIPP/US

The U.S. Supreme Court has recognized an individual's right to privacy over personal issues, such as contraception, by acknowledging a ''penumbra'' of unenumerated constitutional rights as well as more general protections of due process of law. This means that the right to privacy is not explicitly stated in the Constitution, but it is implied from other rights that are explicitly stated, such as the First Amendment rights of speech and assembly, the Third Amendment right to be free from quartering of soldiers, the Fourth Amendment right to be secure from unreasonable searches and seizures, the Fifth Amendment right to be free from self-incrimination, and the Ninth Amendment right to retain other rights not enumerated in the Constitution. These rights create a ''zone of privacy'' that protects individuals from undue government interference in their personal affairs. The Supreme Court first articulated this concept of privacy in Griswold v. Connecticut (1965), where it struck down a state law that prohibited the use of contraceptives by married couples. The Court also relied on the due process clause of the Fourteenth Amendment, which prohibits states from depriving any person of life, liberty, or property without due process of law. The Court interpreted this clause to include a substantive component that protects certain fundamental rights from state regulation, unless there is a compelling state interest and the regulation is narrowly tailored to achieve that interest. The Court has applied this due process analysis to other privacy issues, such as abortion, marriage, and sexual orientation.Reference:

Privacy | Wex | US Law | LII / Legal Information Institute

Privacy isn't in the Constitution -- but it's everywhere in constitutional law

Privacy Rights and Personal Autonomy Legally Protected by the ... - Justia

Right to privacy | Wex | US Law | LII / Legal Information Institute

According to the FTC report, the most important directive for businesses is to adopt a ''privacy by design'' approach, which means integrating privacy protections throughout the entire product lifecycle, from initial design to disposal. This includes implementing reasonable security measures, collecting only the data needed for a specific purpose, retaining data only as long as necessary, and safely disposing of data that is no longer needed. The FTC report also recommends that businesses provide clear and transparent privacy notices, offer consumers meaningful choices about how their data is used, and increase their accountability for data practices.Reference:FTC Report,IAPP CIPP/US Study Guide(p. 32-33)

The FTC's privacy report, titled ''Protecting Consumer Privacy in an Era of Rapid Change'', proposed a framework for companies that collect and use consumer data. The framework consisted of three core principles: privacy by design, simplified consumer choice, and greater transparency. Privacy by design means that companies should incorporate privacy protections into their everyday business practices, such as data security, reasonable collection limits, sound retention practices, and data accuracy. Simplified consumer choice means that companies should provide consumers with clear and easy-to-understand choices about the collection and use of their data, and respect their preferences. Greater transparency means that companies should increase the visibility and accessibility of their data practices, such as providing clear and concise privacy notices, educating consumers about the commercial data practices, and providing consumers with access to their data. Enhancing security measures is not one of the core principles of the FTC's privacy framework, although it is a component of the privacy by design principle.Reference:

IAPP CIPP/US Body of Knowledge, Section I.A.1.a

IAPP CIPP/US Textbook, Chapter 1, pp. 13-15

FTC Privacy Report, Executive Summary, pp. i-vii

The GLBA prohibits financial institutions from disclosing a consumer's account number or similar form of access number or access code to any nonaffiliated third party for use in telemarketing, direct mail marketing, or other marketing through electronic mail to the consumer. This restriction is intended to prevent unauthorized access to a person's bank account by third parties who may use the account number to initiate fraudulent transactions or identity theft. The GLBA also requires financial institutions to implement safeguards to protect the security, confidentiality, and integrity of customer information, and to notify customers and regulators in the event of a security breach involving such information.Reference:

IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 2: Limits on Private-sector Collection and Use of Data, Section 2.3: Financial Privacy, p. 49-50

IAPP CIPP/US Body of Knowledge, Domain II: Limits on Private-sector Collection and Use of Data, Objective II.C: Identify the privacy requirements for financial institutions, Subobjective II.C.2: Identify the restrictions on disclosure of account numbers, p. 14

IAPP CIPP/US Exam Blueprint, Domain II: Limits on Private-sector Collection and Use of Data, Objective II.C: Identify the privacy requirements for financial institutions, Subobjective II.C.2: Identify the restrictions on disclosure of account numbers, p. 5

The Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act is a law passed in 2003 that establishes the first national standards for the sending of commercial e-mail in the United States. The law requires the Federal Trade Commission (FTC) to enforce its provisions. The law applies to any commercial e-mail message, which is defined as any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service. The law does not apply to transactional or relationship messages, which are messages that facilitate an agreed-upon transaction or update a customer about an existing business relationship.The law also does not apply to non-commercial messages, such as political or charitable solicitations12

The CAN-SPAM Act is intended to help consumers by giving them more control over the commercial e-mails they receive. The law does not require companies to obtain prior consent (opt-in) from consumers before sending them commercial e-mails, but it does require companies to honor consumers' requests to stop receiving such e-mails (opt-out). The law specifies that each commercial e-mail message must include a clear and conspicuous notice of the opportunity to decline to receive further messages from the sender, and a valid physical postal address of the sender. The sender must provide a functioning return e-mail address or other Internet-based mechanism that allows the recipient to submit an opt-out request.The sender must honor the opt-out request within 10 business days and must not sell, exchange, or transfer the e-mail address of the opt-out requester to another entity, unless the other entity is acting as an agent of the sender12

By requiring companies to allow consumers to opt-out of future e-mails, the CAN-SPAM Act aims to reduce the amount of unwanted and unsolicited commercial e-mail that consumers receive, and to protect their privacy and preferences. The law also imposes other requirements on companies that send commercial e-mails, such as banning false or misleading header information and deceptive subject lines, requiring the identification of the message as an advertisement, and requiring the labeling of sexually explicit content.The law also authorizes the FTC and other federal agencies to enforce the law and impose civil penalties for violations12

Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM Act)

IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 4: Federal Privacy Laws, Section 4.4: The CAN-SPAM Act

The CCPA applies to any business that collects personal information of California residents, regardless of where the business is located1.The CCPA defines personal information broadly as any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household2.This could include business contact information, such as name, email address, phone number, or job title, if it is linked to a specific individual3.Therefore, Otto should tell the Board that business contact information could be considered personal information governed by CCPA, and that the company may need to comply with the CCPA requirements, such as providing notice, honoring consumer rights requests, and implementing reasonable security measures4.Reference:

CIPP/US Practice Questions (Sample Questions), Question 124, Answer C, Explanation C.

IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 6, Section 6.2, p. 181-182.

California Consumer Privacy Act (CCPA), Section 1798.140, Subsection (o).

CCPA Compliance Checklist for Businesses, Section 2, Subsection (a).