ExamGecko
IAPP CIPP-US Practice Test - Questions Answers, Page 16




Which statement is FALSE regarding the provisions of the Employee Polygraph Protection Act of 1988 (EPPA)?

A. The EPPA requires that employers post essential information about the Act in a conspicuous location.

B. The EPPA includes an exception that allows polygraph tests in professions in which employee honesty is necessary for public safety.

C. Employers are prohibited from administering psychological testing based on personality traits such as honesty, preferences or habits.

D. Employers involved in the manufacture of controlled substances may terminate employees based on polygraph results if other evidence exists.

Suggested answer: C

Explanation:

The false statement is C. The EPPA regulates lie detector tests, which it defines to include polygraphs, deceptographs, voice stress analyzers, psychological stress evaluators and similar devices; it does not regulate written psychological or personality testing. Employers may use such tests for hiring, promotion, training or development, provided they comply with other laws such as the Americans with Disabilities Act (ADA), EEOC guidance and the Uniform Guidelines on Employee Selection Procedures, and they should make sure the tests are valid, reliable, job-related and nondiscriminatory and respect the privacy and dignity of the test takers. The other statements are true: the Act requires employers to post its notice in a conspicuous place (A); it exempts certain security services firms and manufacturers and distributors of controlled substances, among others (B); and even where an exemption applies, an employer may not take adverse action based solely on a polygraph result, so other supporting evidence is required (D). Reference:

IAPP CIPP/US Study Guide, Chapter 4: Workplace Privacy, pp. 115-116.

IAPP CIPP/US Body of Knowledge, Section IV: Workplace Privacy, Subsection A: Employee Privacy Expectations, Topic 2: Employee Polygraph Protection Act.

IAPP CIPP/US Practice Questions, Question 142.

U.S. federal laws protect individuals from employment discrimination based on all of the following EXCEPT?

A. Age.

B. Pregnancy.

C. Marital status.

D. Genetic information.

Suggested answer: C

Explanation:

U.S. federal law prohibits employment discrimination on the basis of a number of protected characteristics, including age, pregnancy and genetic information, but marital status is not among them: no federal statute of general application (the Title VII family of laws) covers marital status, although many states and localities have enacted such protections. The other options are protected characteristics: A. Age is protected by the Age Discrimination in Employment Act of 1967 (ADEA), which covers people who are 40 or older. B. Pregnancy is protected by the Pregnancy Discrimination Act of 1978, which amended Title VII of the Civil Rights Act of 1964 to make it illegal to discriminate against a woman because of pregnancy, childbirth or a related medical condition. D. Genetic information is protected by the Genetic Information Nondiscrimination Act of 2008 (GINA), which makes it illegal to discriminate against employees or applicants because of genetic information such as family medical history, genetic tests or participation in genetic research. Reference: Prohibited Employment Policies/Practices (EEOC); Employment discrimination law in the United States; Civil Rights Requirements - Federal Employment Discrimination Laws.

Which statute is considered part of U.S. federal privacy law?

A. The Fair Credit Reporting Act.

B. SB 1386.

C. The Personal Information Protection and Electronic Documents Act.

D. The e-Privacy Directive.

Suggested answer: A

Explanation:

The Fair Credit Reporting Act (FCRA) is part of U.S. federal privacy law because it regulates the collection, use and disclosure of personal information by consumer reporting agencies such as credit bureaus, background check companies and tenant screening services. The FCRA aims to protect the privacy, accuracy and fairness of consumer credit information and to give consumers access to and control over their own credit reports. It also imposes obligations on users and furnishers of consumer reports (creditors, employers, insurers and landlords, for example) to obtain consent, provide notice and correct errors when consumer reports are used for various purposes. The FCRA is enforced by the Federal Trade Commission (FTC), the Consumer Financial Protection Bureau (CFPB), which received rulemaking authority under the Dodd-Frank Act of 2010, and other federal agencies, as well as by state attorneys general and private lawsuits. The FCRA was enacted in 1970 and has been amended several times, most notably by the Fair and Accurate Credit Transactions Act of 2003 (FACTA), which added provisions on identity theft prevention, fraud alerts, free credit reports and disposal of consumer information. The other options are not U.S. federal statutes: SB 1386 is California's 2002 data breach notification law (a state law), the Personal Information Protection and Electronic Documents Act (PIPEDA) is Canada's federal private-sector privacy law, and the e-Privacy Directive (2002/58/EC) is European Union legislation. Reference:

Fair Credit Reporting Act - Wikipedia

Fair Credit Reporting Act | Federal Trade Commission

Fair Credit Reporting Act (FCRA) - Consumer Information

Fair Credit Reporting Act (FCRA) | Privacy Rights Clearinghouse

In 2012, the White House and the FTC both issued reports advocating a new approach to privacy enforcement that can best be described as what?

A. Harm-based.

B. Self-regulatory.

C. Comprehensive.

D. Notice and choice.

Suggested answer: C

Explanation:

In 2012, the White House released a report titled ''Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy'', which proposed a Consumer Privacy Bill of Rights based on the Fair Information Practice Principles (FIPPs). The report called for a comprehensive privacy framework that would apply to all commercial sectors and all personal data, regardless of the technology or business model involved. It also urged Congress to enact legislation to implement the framework and to empower the FTC to enforce it. Similarly, the FTC released a report titled ''Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers'', which outlined a set of best practices for businesses to protect consumer privacy and foster innovation. That report also advocated a comprehensive privacy framework covering both online and offline data and applying to all entities that collect or use consumer data that can reasonably be linked to a specific consumer, computer or device, and it recommended that Congress consider enacting baseline privacy legislation and giving the FTC rulemaking authority to implement it. Therefore, both reports can be described as advocating a comprehensive approach to privacy enforcement, rather than a harm-based, self-regulatory, or notice and choice approach. Reference: White House Report; FTC Report; IAPP CIPP/US Study Guide (pp. 31-32).

The FTC often negotiates consent decrees with companies found to be in violation of privacy principles. How does this benefit both parties involved?

A. It standardizes the amount of fines.

B. It simplifies the audit requirements.

C. It avoids potentially harmful publicity.

D. It spares the expense of going to trial.

Suggested answer: D

Explanation:

A consent decree (in FTC practice, a consent order) is a negotiated settlement between the FTC and a company accused of unfair or deceptive practices under Section 5 of the FTC Act. It typically requires the company to stop the challenged conduct, implement remedial measures such as a comprehensive privacy program, and submit to ongoing monitoring, reporting and independent assessments, often for a period of 20 years. Monetary relief is included only where a statute or rule authorizes it; the FTC cannot obtain civil penalties for a first-time Section 5 violation, but it can seek them if the company later violates the order. The decree benefits both parties because it spares the expense of going to trial, which would be costly, time-consuming and uncertain, and because it lets the parties negotiate the terms of the settlement rather than have a court impose a judgment. The company does not admit liability or wrongdoing, but the order has the force of law and can be enforced by the FTC or the courts if the company violates its terms. Reference:

IAPP CIPP/US Body of Knowledge, Section I.A.1.a

IAPP CIPP/US Textbook, Chapter 1, pp. 10-11

FTC Consent Decrees

When developing a company privacy program, which of the following relationships will most help a privacy professional develop useful guidance for the organization?

A. Relationships with individuals within the privacy professional community who are able to share expertise and leading practices for different industries.

B. Relationships with clients, vendors, and customers whose data will be primarily collected and used throughout the organizational program.

C. Relationships with company leaders responsible for approving, implementing, and periodically reviewing the corporate privacy program.

D. Relationships with individuals across company departments and at different levels in the organization's hierarchy.

Suggested answer: D

Explanation:

When developing a company privacy program, a privacy professional needs to understand the business objectives, processes, and risks of the organization, as well as the legal and regulatory requirements and best practices for privacy. To achieve this, a privacy professional should establish and maintain relationships with individuals across company departments and at different levels in the organization's hierarchy, such as IT, marketing, human resources, legal, compliance, security, and senior management. These relationships will help the privacy professional to gather relevant information, identify privacy issues and gaps, communicate privacy policies and procedures, provide training and awareness, monitor compliance, and resolve conflicts. The other relationships listed are also important, but not as essential as the internal relationships for developing a company privacy program.Reference:

IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 5: Developing a Privacy Program, Section 5.1: Privacy Program Framework, p. 145-146

IAPP CIPP/US Body of Knowledge, Domain V: Developing a Privacy Program, Objective V.A: Identify the components of a privacy program framework, Subobjective V.A.1: Identify the roles and responsibilities of individuals within the organization, p. 23

IAPP CIPP/US Exam Blueprint, Domain V: Developing a Privacy Program, Objective V.A: Identify the components of a privacy program framework, Subobjective V.A.1: Identify the roles and responsibilities of individuals within the organization, p. 7

The Family Educational Rights and Privacy Act (FERPA) requires schools to do all of the following EXCEPT?

A. Verify the identity of students who make requests for access to their records.

B. Provide students with access to their records within a specified amount of time.

C. Respond to all reasonable student requests regarding explanation of their records.

D. Obtain student authorization before releasing directory information in their records.

Suggested answer: D

Explanation:

The Family Educational Rights and Privacy Act (FERPA) is a federal law that protects the privacy of student education records and gives parents or eligible students the right to access, amend and control the disclosure of those records. FERPA applies to all educational agencies and institutions that receive funds under any program administered by the U.S. Department of Education.

FERPA requires schools to do all of the following:

Verify the identity of students who make requests for access to their records. Schools must use reasonable methods to identify and authenticate the identity of parents, students, school officials and any other parties to whom they disclose education records.

Provide students with access to their records within a specified amount of time. Schools must give parents or eligible students an opportunity to inspect and review the student's education records within 45 days of receiving a request. Schools are not required to provide copies of records unless circumstances effectively prevent the parent or eligible student from reviewing the records at the school.

Respond to all reasonable student requests regarding explanation of their records. Schools must respond to reasonable requests for explanations and interpretations of the records. Separately, parents or eligible students may request the amendment of records they believe are inaccurate, misleading or otherwise in violation of the student's privacy rights; the school must decide within a reasonable time whether to amend the records and, if it declines, inform the parent or eligible student of their right to a hearing.

FERPA does not require schools to do the following:

Obtain student authorization before releasing directory information in their records. Directory information is information in a student's education record that would not generally be considered harmful or an invasion of privacy if disclosed. Examples include the student's name, address, phone number, e-mail address, date and place of birth, major field of study, participation in sports and activities, dates of attendance, degrees and awards received, and most recent school attended. Schools may disclose directory information without consent unless the parent or eligible student has opted out of such disclosure. Schools must notify parents and eligible students of the types of information they designate as directory information and of their right to opt out.

Therefore, the correct answer is D. Obtain student authorization before releasing directory information in their records.

Family Educational Rights and Privacy Act (FERPA)

IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 4: Federal Privacy Laws, Section 4.3: The Family Educational Rights and Privacy Act (FERPA)

Chanel Hair Studio is a busy high-end hair salon. In an effort to maximize efficiency of its operations and reduce wait times for appointments, Chanel decides to implement artificial intelligence software that will use client profiles and history to predict which clients will likely be late for their appointments. Information used to create the client profile included appointment history, distance from the salon, and any references to being tardy pulled from the client's social media accounts. If a client is predicted to be late, their appointment will be cancelled within 5 minutes.

Based on the details, what is the biggest potential privacy concern related to Chanel's use of this new software?

A. Scanning a client's social media accounts to use in a client profile without notice to the client.

B. Calculating client profile address distance from the salon to determine location from salon to help predict if the client will be late.

C. Using client profile information for any purpose other than setting up an appointment.

D. Assessing client tardiness history with the salon for predictive purposes.

Suggested answer: A

Explanation:

The biggest potential privacy concern is scanning a client's social media accounts for use in a client profile without notice to the client. This could violate the client's reasonable expectation of privacy and consent, as well as the terms of service of the social media platforms. The client may not be aware that their social media posts are being used for this purpose and may not have given permission or opt-in consent for such data collection and processing. The practice could also expose the client to harm based on their social media activity, such as losing an appointment or being charged a cancellation fee. Furthermore, it conflicts with the Fair Information Practice Principles (FIPPs), in particular transparency, purpose specification and data minimization. The other options describe uses of data the salon already holds for the appointment relationship (address distance and the client's own tardiness history), which raise smaller purpose-limitation questions, and option C is broader than the scenario supports. Reference:

CIPP/US Practice Questions (Sample Questions), Question 149, Answer A, Explanation A.

IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 1, Section 1.1, p. 9-10.

Which of the following laws is NOT involved in the regulation of employee background checks?

A. The Civil Rights Act.

B. The Gramm-Leach-Bliley Act (GLBA).

C. The U.S. Fair Credit Reporting Act (FCRA).

D. The California Investigative Consumer Reporting Agencies Act (ICRAA).

Suggested answer: B

Explanation:

The law not involved in the regulation of employee background checks is B, the Gramm-Leach-Bliley Act (GLBA). The GLBA governs how financial institutions (banks, insurers, securities firms and similar businesses) collect, use, share and secure their customers' nonpublic personal information; it does not govern an employer's screening of applicants or employees. The other three laws do apply to background checks: the Fair Credit Reporting Act (FCRA) regulates consumer reports obtained from a consumer reporting agency for employment purposes, requiring a stand-alone written disclosure and the applicant's authorization before the report is obtained and pre-adverse-action and adverse-action notices afterwards; the California Investigative Consumer Reporting Agencies Act (ICRAA) adds state-level requirements for investigative consumer reports, such as interviews about a person's character or reputation; and Title VII of the Civil Rights Act of 1964, as applied in EEOC guidance, restricts the use of criminal or credit history where it has a disparate impact on a protected class without a job-related business justification. Reference:

IAPP CIPP/US Study Guide, Chapter 4: Workplace Privacy, pp. 113-114.

IAPP CIPP/US Body of Knowledge, Section IV: Workplace Privacy, Subsection A: Employee Privacy Expectations, Topic 3: Background Checks.

IAPP CIPP/US Practice Questions, Question 150.

In 2011, the FTC announced a settlement with Google regarding its social networking service Google Buzz. The FTC alleged that in the process of launching the service, the company did all of the following EXCEPT?

A. Violated its own privacy policies.

B. Engaged in deceptive trade practices.

C. Failed to comply with Safe Harbor principles.

D. Failed to employ sufficient security safeguards.

Suggested answer: D

Explanation:

The FTC alleged that Google violated its own privacy policies, engaged in deceptive trade practices, and failed to comply with Safe Harbor principles when it launched Google Buzz, a social networking service that automatically enrolled Gmail users and exposed their email contacts and other personal information without their consent or control. The FTC did not allege that Google failed to employ sufficient security safeguards, although the settlement did require Google to implement a comprehensive privacy program and to obtain independent privacy assessments every two years for 20 years. The other three options were among the FTC's allegations:

A. Violated its own privacy policies: The FTC alleged that Google used information collected from Gmail users for a purpose incompatible with the purpose for which it was collected, without obtaining their affirmative consent. Google's privacy policy stated: 'When you sign up for a particular service that requires registration, we ask you to provide personal information. If we use this information in a manner different than the purpose for which it was collected, then we will ask for your consent prior to such use.'

B. Engaged in deceptive trade practices: The FTC alleged that Google misrepresented the extent to which consumers could control the collection, use and sharing of their personal information through Google Buzz. For example, Google offered consumers the option to decline or turn off Google Buzz, but the option was ineffective and did not fully remove the consumer from the social network. Google also misled consumers about how their email contacts would be treated on Google Buzz and failed to disclose that certain information, such as the user's frequent email contacts, would be made public by default.

C. Failed to comply with Safe Harbor principles: The FTC alleged that Google failed to comply with the U.S.-EU Safe Harbor Framework, which provided a method for U.S. companies to transfer personal data from the European Union to the United States in a way that met EU data protection requirements. Google had self-certified to the Department of Commerce that it adhered to the Safe Harbor Privacy Principles, which include notice, choice, access and enforcement, and the FTC alleged that Google's conduct violated the notice and choice principles. Reference: FTC Charges Deceptive Privacy Practices in Google's Rollout of Its Buzz Social Network; Google, Inc., In the Matter of; Google settles with FTC over Buzz; Privacy policies to be audited for two decades; Google Settles FTC Complaint over Google Buzz Privacy.
