IAPP CIPP-US Practice Test - Questions Answers, Page 15

The Red Flag Program Clarification Act of 2010 amended the original Red Flags rule, which required certain financial institutions and creditors to develop and implement a written identity theft prevention program.The Clarification Act narrowed the definition of creditor to include only those who regularly and in the ordinary course of business advance funds to or on behalf of a person, based on an obligation of the person to repay the funds or repayable from specific property pledged by or on behalf of the person12.This excludes creditors who advance funds for expenses incidental to a service provided by the creditor to that person3.Reference:

CIPP/US Practice Questions (Sample Questions), Question 133, Answer B, Explanation B.

IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 4, Section 4.3, p. 108-109.

Red Flag Program Clarification Act of 2010, Section 2, Subsection (b).

The strongest example of excessive monitoring by the employer is C. An employer who installs video monitors in physical locations, such as a changing room, to reduce the risk of sexual harassment. This would be considered an unreasonable invasion of employees' privacy, as it would violate their legitimate expectation of privacy in a place where they change their clothes. Such monitoring would also likely violate the Electronic Communications Privacy Act (ECPA), which prohibits the interception of oral communications without consent or authorization. Moreover, such monitoring would not be justified by a legitimate business interest, as there are less intrusive ways to prevent or address sexual harassment, such as policies, training, and reporting mechanisms.Reference:

[IAPP CIPP/US Study Guide], Chapter 4: Workplace Privacy, pp. 109-110.

IAPP CIPP/US Body of Knowledge, Section IV: Workplace Privacy, Subsection A: Employee Privacy Expectations, Topic 1: Employee Monitoring.

IAPP CIPP/US Practice Questions, Question 134.

Illinois became the first state to pass a law specifically regulating the collection of biometric data in 2008, when it enacted the Biometric Information Privacy Act (BIPA). BIPA defines biometric identifiers as retina or iris scans, fingerprints, voiceprints, or scans of hand or face geometry, and biometric information as any information based on biometric identifiers used to identify an individual. BIPA requires entities that collect, store, or use biometric identifiers or information to obtain informed consent from individuals, provide written policies on data retention and destruction, limit disclosure and sale of biometric data, and protect biometric data using reasonable security measures. BIPA also provides a private right of action for individuals whose biometric data is collected, stored, or used in violation of the law, and allows them to recover statutory damages of $1,000 or actual damages, whichever is greater, for each negligent violation, and $5,000 or actual damages, whichever is greater, for each intentional or reckless violation, as well as attorneys' fees and costs, and injunctive relief.Reference:U.S. Biometrics Laws Part I: An Overview of 2020,Is Biometric Information Protected by Privacy Laws?,Biometric Data Privacy Laws

Celeste has a misconception regarding the consent requirements for conducting credit checks of potential employees in California. She thinks that verbal consent from the applicants is sufficient, and that they only need to be offered access to the results.However, under the California Consumer Credit Reporting Agencies Act (CCRAA), employers who want to obtain a consumer credit report for employment purposes must comply with the following consent and disclosure requirements12: Before requesting a consumer credit report, the employer must provide the applicant with a clear and conspicuous written disclosure that informs them of the following: The specific purpose for obtaining the report. The source of the report. The applicant's right to obtain a free copy of the report from the source within 60 days. The applicant's right to dispute the accuracy or completeness of any information in the report. The employer must also obtain the applicant's written authorization to obtain the report. If the employer intends to take an adverse action based on the report, such as denying employment, the employer must provide the applicant with a copy of the report and a summary of their rights under the CCRAA before taking the action. After taking the adverse action, the employer must provide the applicant with a notice that includes the following: The name, address, and telephone number of the source of the report. A statement that the source of the report did not make the decision and cannot explain why the decision was made. A statement that the applicant has the right to obtain another free copy of the report from the source within 60 days. A statement that the applicant has the right to dispute the accuracy or completeness of any information in the report. Therefore, Celeste is wrong to assume that verbal consent and optional access to the results are enough to comply with the CCRAA. She should follow the written consent and disclosure requirements to avoid violating the law and potentially facing civil penalties or lawsuits.

One of the most significant changes introduced by Nevada Senate Bill 260 (SB 260) is the inclusion of the term ''Data Brokers'' into Nevada privacy law. The bill requires data brokers to register with the Nevada Secretary of State and comply with new privacy requirements, such as responding to consumer opt-out requests. This addition aligns Nevada's privacy framework more closely with laws like Vermont's data broker law.

Key Provisions of SB 260:

Definition of Data Brokers:

A data broker is defined as a company that collects, sells, or licenses consumer data and does not have a direct relationship with the consumer.

Registration Requirements:

Data brokers must register annually with the Nevada Secretary of State.

Consumer Rights:

Consumers are granted the right to opt out of the sale of their personal information, extending the scope of Nevada's existing privacy law.

Explanation of Options:

A . Data Ethics: While data ethics is an important concept, it is not introduced as a specific term under SB 260.

B . Data Brokers: This is correct. The inclusion of data brokers as a regulated entity is the primary addition introduced by SB 260.

C . Artificial Intelligence: SB 260 does not address artificial intelligence directly.

D . Transfer Mechanism: SB 260 focuses on regulating data brokers, not cross-border data transfer mechanisms.

Reference from CIPP/US Materials:

Nevada Senate Bill 260 (SB 260): Introduces data broker registration and opt-out rights.

IAPP CIPP/US Certification Textbook: Discusses state-specific privacy laws, including Nevada's privacy framework.

The ADA prohibits employers from discriminating against qualified individuals with disabilities in all aspects of employment, including hiring, firing, promotion, compensation, and training. The ADA also limits the types of medical inquiries and examinations that employers can make of applicants and employees. Under the ADA, a disability is defined as a physical or mental impairment that substantially limits one or more major life activities, a record of such an impairment, or being regarded as having such an impairment. The ADA covers current, past, and perceived drug addiction as a disability, unless the individual is currently engaging in the illegal use of drugs. Therefore, Felicia's plan to ask applicants about drug addiction may violate the ADA, unless she can show that the inquiry is job-related and consistent with business necessity. The other laws are not directly relevant to Felicia's plan, although they may have other implications for her business.References:ADA,IAPP CIPP/US Study Guide(p. 95-96)

Under the California Consumer Privacy Act (CCPA), businesses must verify the identity of individuals making data access requests to ensure the security of personal information. The most secure and straightforward way to verify a consumer's identity is by requiring the individual to log in to their password-protected account, as this demonstrates that the requester is the account owner.

Why Password-Protected Accounts Are Best for Verification:

Account-Based Relationship: If the consumer has a password-protected account with the business, verification can typically be achieved by having the consumer log in to the account. This is considered a sufficient method of verifying identity under CCPA guidelines.

Minimizing Risk: Verifying identity through account login reduces the risk of fraudulent access to personal information, as only the account owner has access to the login credentials.

Explanation of Options:

A. Take a photo of herself with her driver license: While this might verify identity, it is more intrusive and poses unnecessary risks of identity theft. This is not a preferred or common method under the CCPA.

B. Provide a notarized affidavit signed by two witnesses: This is excessive and impractical for verifying identity in most cases, particularly for an online store.

C. Log in to her password-protected account with the company: This is correct. Logging into a password-protected account is a straightforward and secure way to verify the identity of a requester under the CCPA.

D. Phone the company and provide her contact details and credit card number: This method is insecure, as it could lead to identity theft or fraudulent access if someone else provides this information.

Reference from CIPP/US Materials:

CCPA Regulations (11 CCR 999.323): Specifies identity verification requirements, including the use of password-protected accounts.

IAPP CIPP/US Certification Textbook: Covers secure methods for verifying consumer identity under the CCPA.

The Illinois Biometric Information Privacy Act (BIPA) regulates the collection, storage, and use of biometric identifiers and biometric information, such as fingerprints, retina scans, and facial recognition data. However, BIPA does not regulate photographs, as they are explicitly excluded from the definition of 'biometric identifiers' under the law.

Key Definitions Under BIPA:

Biometric Identifier: Includes fingerprints, retina or iris scans, voiceprints, and scans of hand or face geometry.

Biometric Information: Refers to any information derived from biometric identifiers.

Exclusions: BIPA explicitly excludes certain types of data from regulation, such as photographs, writing samples, and physical descriptions.

Explanation of Options:

A. Photographs of local convicted felons uploaded to a news website: This is correct because photographs are explicitly excluded from BIPA's definition of biometric identifiers.

B. Fingerprint scans of elementary school students used to open their lockers: This would be regulated under BIPA, as fingerprints are considered biometric identifiers.

C. Security software designed to identify local convicted felons in retail stores via facial recognition: This would also be regulated under BIPA, as facial recognition involves scans of face geometry, which qualify as biometric identifiers.

D. Retina scans of elementary school students used to verify their identities for attendance purposes: Retina scans are biometric identifiers under BIPA and would therefore be regulated.

Reference from CIPP/US Materials:

Illinois BIPA (740 ILCS 14/10): Defines biometric identifiers and excludes photographs from regulation.

IAPP CIPP/US Certification Textbook: Discusses the scope and application of BIPA.

BYOD is a practice that allows employees to use their own personal devices, such as smartphones, tablets, or laptops, for work-related purposes. BYOD can offer some benefits for both employers and employees, such as increased flexibility, convenience, and productivity. However, BYOD also poses significant privacy and security risks, such as data breaches, unauthorized access, loss or theft of devices, malware infections, and compliance challenges. Therefore, the business consultant will most likely advise Felicia and Celeste to weigh any productivity benefits of the plan against the risk of privacy issues, and to implement a comprehensive BYOD policy that addresses the following aspects: The scope and purpose of the BYOD program, including the types of devices, data, and applications that are allowed or prohibited. The roles and responsibilities of the employer and the employees, including the ownership, control, and access rights of the devices and the data. The security measures and controls that are required to protect the devices and the data, such as encryption, passwords, remote wipe, antivirus software, firewalls, and VPNs. The privacy expectations and obligations of the employer and the employees, such as the notice, consent, and disclosure requirements, the limits on data collection and monitoring, the retention and deletion policies, and the rights of access and correction. The legal and regulatory compliance requirements that apply to the BYOD program, such as the FTC Act, the GLBA, the HIPAA, the COPPA, the CCPA, and the GDPR. The incident response and reporting procedures that are followed in the event of a data breach, loss, or theft of a device, or any other privacy or security issue. The training and education programs that are provided to the employees to raise awareness and understanding of the BYOD policy and the best practices. The enforcement and audit mechanisms that are used to ensure compliance and accountability of the BYOD policy, such as sanctions, penalties, reviews, and audits.References: IAPP CIPP/US Body of Knowledge, Section III.C.2 IAPP CIPP/US Textbook, Chapter 3, pp. 113-115 FTC Mobile Device Security