IAPP CIPP-US Practice Test - Questions Answers, Page 19

What consumer protection did the Fair and Accurate Credit Transactions Act (FACTA) require?

A. The ability to correct inaccurate credit report information

B. The truncation of account numbers on credit card receipts

C. The right to request removal from email lists.

D. The issuing of notice when third-party data is used in an adverse decision

Suggested answer: B

Explanation:

The Fair and Accurate Credit Transactions Act (FACTA) is a U.S. federal law enacted in 2003 that amended the Fair Credit Reporting Act (FCRA). It introduced a variety of provisions designed to combat identity theft and protect consumer information. One of the key consumer protections required by FACTA is the truncation of credit and debit card numbers on receipts to prevent identity theft.

Details of the Truncation Requirement:

FACTA Section 113 (15 U.S.C. 1681c(g)): Retailers are prohibited from printing more than the last five digits of a credit or debit card number on electronically generated receipts. Additionally, the card's expiration date must also be excluded.

This requirement applies to point-of-sale and other electronically printed receipts and aims to reduce the risk of credit card fraud and identity theft.

Explanation of Options:

A. The ability to correct inaccurate credit report information: This right is protected under the Fair Credit Reporting Act (FCRA), not FACTA specifically.

B. The truncation of account numbers on credit card receipts: This is correct, as it is one of the most notable protections introduced by FACTA to prevent identity theft.

C. The right to request removal from email lists: This right is not provided under FACTA but may be addressed by other laws, such as the CAN-SPAM Act.

D. The issuing of notice when third-party data is used in an adverse decision: This requirement is a provision of the FCRA, not FACTA.

Reference from CIPP/US Materials:

FACTA Section 113 (15 U.S.C. 1681c(g)): Details the truncation requirements for credit and debit card receipts.

IAPP CIPP/US Certification Textbook: Highlights FACTA's measures to protect consumer financial information and prevent identity theft.

Which of the following would best provide a sufficient consumer disclosure under the Fair Credit Reporting Act (FCRA) prior to a consumer report being obtained for employment purposes?

A. A verbal notice provided with a conditional offer of employment

B. A notice provision in an electronic employment application.

C. A notice provision in a mailed offer letter.

D. A standalone notice document.

Suggested answer: D

Explanation:

Under the Fair Credit Reporting Act (FCRA), employers are required to provide a clear and conspicuous disclosure in a standalone document before obtaining a consumer report (e.g., a background check) for employment purposes. This requirement ensures that the individual is fully aware that a consumer report will be obtained and consents to the process.

Requirements for a Sufficient Consumer Disclosure:

Clear and Conspicuous Disclosure: Employers must inform the individual, in writing, that a consumer report may be obtained for employment purposes.

Standalone Document: The disclosure must be provided in a separate document not combined with other materials, such as an employment application. This ensures the individual's attention is focused on the notice.

Written Authorization: Employers must obtain written authorization from the individual before procuring the consumer report.

Explanation of Options:

A. A verbal notice provided with a conditional offer of employment: Verbal notice is insufficient under FCRA, which requires a written, standalone disclosure.

B. A notice provision in an electronic employment application: Embedding the disclosure in an employment application would not meet the FCRA requirement for a standalone document and could be legally invalid.

C. A notice provision in a mailed offer letter: Including the disclosure in an offer letter does not satisfy the requirement for a separate, standalone document.

D. A standalone notice document: This is the correct answer, as the FCRA explicitly requires the disclosure to be in a separate document to ensure clarity and compliance.

Reference from CIPP/US Materials:

FCRA Section 604(b) (15 U.S.C. 1681b(b)): Requires a clear and conspicuous standalone disclosure before obtaining a consumer report for employment purposes.

IAPP CIPP/US Certification Textbook: Explains the FCRA requirements for employment-related consumer reports, including the disclosure and authorization process.

SCENARIO

Please use the following to answer the next question:

Jane is a U.S. citizen and a senior software engineer at California-based Jones Labs, a major software supplier to the U.S. Department of Defense and other U.S. federal agencies. Jane's manager, Patrick, is a French citizen who has been living in California for over a decade. Patrick has recently begun to suspect that Jane is an insider secretly transmitting trade secrets to foreign intelligence. Unbeknownst to Patrick, the FBI has already received a hint from an anonymous whistleblower, and jointly with the National Security Agency is investigating Jane's possible implication in a sophisticated foreign espionage campaign.

Ever since the pandemic, Jane has been working from home. To complete her daily tasks she uses her corporate laptop, which after each login conspicuously provides notice that the equipment belongs to Jones Labs and may be monitored according to the enacted privacy policy and employment handbook. Jane also has a corporate mobile phone that she uses strictly for business, the terms of which are defined in her employment contract and elaborated upon in her employee handbook. Both the privacy policy and the employee handbook are revised annually by a reputable California law firm specializing in privacy law. Jane also has a personal iPhone that she uses for private purposes only.

Jones Labs has its primary data center in San Francisco, which is managed internally by Jones Labs engineers. The secondary data center, managed by Amazon AWS, is physically located in the UK for disaster recovery purposes. Jones Labs' mobile device backups are managed by a mid-sized mobile defense company located in Denver, which physically stores the data in Canada to reduce costs. Jones Labs' MS Office documents are securely stored in a Microsoft Office 365 data

When storing Jane's fingerprint for remote authentication, Jones Labs should consider legality issues under which of the following?

A. The Privacy Rule of the HITECH Act.

B. The California IoT Security Law (SB 327).

C. The applicable state law such as Illinois BIPA

D. The federal Genetic Information Nondiscrimination Act (GINA).

Suggested answer: C

Explanation:

When storing biometric data, such as fingerprints, organizations in the U.S. must comply with state-specific biometric privacy laws if they operate in states that regulate biometric information. The most prominent of these laws is the Illinois Biometric Information Privacy Act (BIPA), but similar laws also exist or are developing in other states, such as Texas and Washington.

Key Considerations for Storing Biometric Data:

Illinois Biometric Information Privacy Act (BIPA): BIPA (740 ILCS 14) is a leading and highly influential state law regulating the collection, storage, and use of biometric information. It requires organizations to:

Obtain informed, written consent before collecting biometric data.

Establish a publicly available policy governing the retention and destruction of biometric data.

Use a reasonable standard of care to protect biometric data from unauthorized access or use.

Prohibit the sale or transfer of biometric data without consent.

California and Biometric Data: While California's California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide general protections for personal information, including biometric data, they do not have the specific consent and handling requirements that BIPA does. Nevertheless, California residents have rights related to access, deletion, and the sale of biometric information.

Explanation of Options:

A. The Privacy Rule of the HITECH Act: The HITECH Act applies to the protection of protected health information (PHI) under HIPAA. While the Privacy Rule regulates healthcare-related information, it does not apply to Jane's biometric data used for remote authentication unless it is tied to PHI. This scenario is unrelated to healthcare, so this answer is incorrect.

B. The California IoT Security Law (SB 327): California's IoT Security Law primarily focuses on ensuring security requirements for connected devices. It does not regulate the collection or storage of biometric information. This is not relevant to the question.

C. The applicable state law such as Illinois BIPA: This is correct. State biometric privacy laws, such as Illinois BIPA, explicitly govern the collection, storage, and use of biometric data like fingerprints. Organizations like Jones Labs must ensure compliance with such laws, including obtaining consent and properly securing and destroying biometric information.

D. The federal Genetic Information Nondiscrimination Act (GINA): GINA prohibits discrimination based on genetic information in employment and health insurance. However, it does not regulate the storage of biometric data like fingerprints. This is not applicable to this scenario.

Best Practices for Compliance:

Jones Labs should:

Understand the applicable state biometric laws: If Jane resides in Illinois or other states with biometric laws, Jones Labs must comply with those specific legal requirements.

Obtain informed consent: Ensure that employees like Jane sign a written consent form before storing their fingerprints for authentication.

Secure biometric data: Use strong encryption and other security measures to protect the biometric information.

Define retention and destruction policies: Clearly establish how long biometric data will be stored and how it will be destroyed after its purpose is fulfilled.

Reference from CIPP/US Materials:

Illinois Biometric Information Privacy Act (BIPA): Sets the standard for biometric privacy regulations in the U.S.

California Consumer Privacy Act (CCPA): Protects personal information but does not specifically regulate biometric data like fingerprints with the same rigor as BIPA.

IAPP CIPP/US Certification Textbook: Discusses the emergence of state-specific biometric privacy laws and their applicability in different scenarios.

SCENARIO

Please use the following to answer the next question:

Jane is a U.S. citizen and a senior software engineer at California-based Jones Labs, a major software supplier to the U.S. Department of Defense and other U.S. federal agencies. Jane's manager, Patrick, is a French citizen who has been living in California for over a decade. Patrick has recently begun to suspect that Jane is an insider secretly transmitting trade secrets to foreign intelligence. Unbeknownst to Patrick, the FBI has already received a hint from an anonymous whistleblower, and jointly with the National Security Agency is investigating Jane's possible implication in a sophisticated foreign espionage campaign.

Ever since the pandemic, Jane has been working from home. To complete her daily tasks she uses her corporate laptop, which after each login conspicuously provides notice that the equipment belongs to Jones Labs and may be monitored according to the enacted privacy policy and employment handbook. Jane also has a corporate mobile phone that she uses strictly for business, the terms of which are defined in her employment contract and elaborated upon in her employee handbook. Both the privacy policy and the employee handbook are revised annually by a reputable California law firm specializing in privacy law. Jane also has a personal iPhone that she uses for private purposes only.

Jones Labs has its primary data center in San Francisco, which is managed internally by Jones Labs engineers. The secondary data center, managed by Amazon AWS, is physically located in the UK for disaster recovery purposes. Jones Labs' mobile device backups are managed by a mid-sized mobile defense company located in Denver, which physically stores the data in Canada to reduce costs. Jones Labs' MS Office documents are securely stored in a Microsoft Office 365 data

Under Section 702 of FISA, the NSA may do which of the following without a Foreign Intelligence Surveillance Court warrant?


A. Compel AWS to disclose Jane's email communications with a Taiwanese national residing in Taiwan.

B. Compel AWS to disclose email communications between two Chinese nationals residing in the EU.

C. Compel Microsoft to disclose Patrick's Skype calls with a Brazilian national living in Peru.

D. Compel Jane to disclose the PIN code for her corporate mobile phone.

Suggested answer: B

Explanation:

Under Section 702 of the Foreign Intelligence Surveillance Act (FISA), the National Security Agency (NSA) is authorized to collect and analyze communications of non-U.S. persons located outside the United States for foreign intelligence purposes. Section 702 allows the NSA to compel U.S.-based service providers, such as AWS or Microsoft, to provide access to data without requiring a warrant from the Foreign Intelligence Surveillance Court (FISC) if certain criteria are met.

Key Aspects of Section 702:

Scope of Surveillance: Section 702 applies to non-U.S. persons located outside the United States. It cannot be used to target U.S. citizens or individuals located within the United States, even if they communicate with non-U.S. persons.

Provider Obligations: The NSA can compel U.S.-based service providers (e.g., AWS, Microsoft) to disclose information about communications involving foreign individuals if the data is relevant to foreign intelligence purposes.

Explanation of the Options:

A. Compel AWS to disclose Jane's email communications with a Taiwanese national residing in Taiwan: Incorrect. Jane is a U.S. citizen, and Section 702 cannot be used to directly target U.S. persons or their communications, even if the other party in the communication is a non-U.S. person.

B. Compel AWS to disclose email communications between two Chinese nationals residing in the EU: Correct. Section 702 allows the NSA to target non-U.S. persons located outside the U.S. without a warrant, even if their communications are hosted by a U.S.-based service provider like AWS. This scenario falls directly under the scope of Section 702.

C. Compel Microsoft to disclose Patrick's Skype calls with a Brazilian national living in Peru: Incorrect. Patrick is a U.S. resident, even though he is a French citizen. Section 702 cannot be used to target individuals who are lawfully residing in the United States.

D. Compel Jane to disclose the PIN code for her corporate mobile phone: Incorrect. Section 702 applies to electronic communications data held by service providers, not to individuals. Compelling an individual to disclose a PIN code would require a different legal authority, such as a court-issued subpoena or warrant.

Legal Framework:

Section 702 of FISA: Provides the NSA with the authority to compel U.S.-based service providers to assist in collecting data on non-U.S. persons located outside the U.S. for foreign intelligence purposes.

Targeting Limitations: Section 702 cannot be used to intentionally target U.S. persons or anyone located within the United States.

Service Providers: Examples include U.S.-based companies such as Amazon AWS, Microsoft, and Google.

Practical Considerations for Jones Labs:

Jones Labs should be aware that:

Data stored with U.S.-based providers (even if located in the EU) may still be subject to Section 702 requests.

International data transfer compliance may require careful consideration of Standard Contractual Clauses (SCCs) or other safeguards to align with EU privacy regulations, such as the GDPR, in light of the extraterritorial nature of U.S. surveillance laws.

Reference from CIPP/US Materials:

FISA Section 702 (50 U.S.C. 1881a): Outlines the legal authority for targeting non-U.S. persons located outside the United States.

IAPP CIPP/US Certification Textbook: Discusses Section 702 and its implications for U.S.-based service providers handling international data.

Schrems II Decision: Highlights conflicts between U.S. surveillance laws and EU privacy laws, particularly for data stored by U.S. companies overseas.

According to the Family Educational Rights and Privacy Act (FERPA), when can a school disclose records without a student's consent?

A. If the disclosure is not to be conducted through email to the third party

B. If the disclosure would not reveal a student's student identification number

C. If the disclosure is made to practitioners who are involved in a student's health care.

D. If the disclosure is for the purpose of providing transcripts to a school where a student intends to enroll.

Suggested answer: D

Explanation:

The Family Educational Rights and Privacy Act (FERPA) is a federal law that protects the privacy of student education records. FERPA generally requires that schools obtain written consent from students (or their parents if the student is a minor) before disclosing personally identifiable information from education records. However, FERPA allows specific exceptions where disclosures can be made without consent.

One of these exceptions is when a school discloses education records to another school where the student seeks or intends to enroll. This allows educational institutions to share information for legitimate educational purposes, such as transferring transcripts between schools when a student moves or applies for enrollment elsewhere.

Explanation of Options:

A. If the disclosure is not to be conducted through email to the third party: FERPA does not prohibit disclosures via email as long as the recipient is authorized and the disclosure meets FERPA requirements. The medium of disclosure is not a determining factor.

B. If the disclosure would not reveal a student's student identification number: FERPA restricts the disclosure of personally identifiable information but does not specifically regulate disclosures based on whether a student ID number is included unless the number itself compromises the student's privacy.

C. If the disclosure is made to practitioners who are involved in a student's health care: FERPA does not specifically provide an exception for health care practitioners unless the disclosure falls under the 'health and safety emergency' exception, which does not apply to general health care.

D. If the disclosure is for the purpose of providing transcripts to a school where a student intends to enroll: This is correct and aligns with one of the exceptions outlined in FERPA. Schools are permitted to share student records with other educational institutions where a student seeks or intends to enroll without requiring consent.

Reference from CIPP/US Materials:

FERPA (20 U.S.C. 1232g): Governs the disclosure of student education records and details specific exceptions to the consent requirement.

IAPP CIPP/US Certification Textbook: Explains FERPA's consent requirements and exceptions, including disclosures for enrollment purposes.

A software company wants to use web scraping to collect personal data from professional networking websites in order to train an artificial intelligence program to evaluate Job applications. The company has identified several actions for limiting their potential legal liability regarding affected data subjects and professional networking websites. Which of the following would be the least effective action for helping them do this?

A. Following the terms of use posted on professional networking websites that are scraped.

B. Adding a notice to the company website's terms of use disclosing the use of web scraping

C. Limiting the amount of the personally identifiable information they collect

D. Deidentifying the scraped data before selling it to any third parties.

Suggested answer: B

Explanation:

Web scraping to collect personal data can pose significant legal and ethical risks, particularly when it involves professional networking sites or other platforms where terms of service (ToS) explicitly prohibit such activity. To limit liability, the software company must take proactive measures to comply with applicable laws (such as privacy laws) and contractual obligations (e.g., terms of use on the scraped websites).

Adding a notice to the company website's terms of use would be the least effective action, as it does not address the legal and ethical issues associated with scraping data from third-party websites. Simply adding a notice about the company's use of scraping does not mitigate liability for violating the ToS of professional networking websites or violating privacy rights under laws like the GDPR or CCPA.

Explanation of Options:

A. Following the terms of use posted on professional networking websites that are scraped: This is one of the most effective ways to limit legal liability. Violating ToS can result in lawsuits or legal penalties, so adhering to them is critical.

B. Adding a notice to the company website's terms of use disclosing the use of web scraping: This is the least effective action. Including this notice on the company's own website does not address potential violations of third-party website ToS or the privacy rights of affected individuals.

C. Limiting the amount of the personally identifiable information they collect: Minimizing the amount of data collected aligns with data protection principles, such as data minimization under the GDPR, and can reduce privacy risks.

D. Deidentifying the scraped data before selling it to any third parties: Deidentifying or anonymizing data is a critical step for reducing legal liability and complying with privacy laws. However, the company should also ensure that the deidentification is robust and irreversible.

Reference from CIPP/US Materials:

GDPR Article 5: Establishes principles such as data minimization and accountability for data processing.

IAPP CIPP/US Certification Textbook: Highlights the risks of web scraping and the importance of adhering to contractual obligations and privacy laws.

Due to cookie deprecation, businesses will be required to simplify their tracking practices by doing what?

A. Ensuring only registered users are tracked.

B. Running analytics only in dedicated sandboxes

C. Purging existing IDs that identify visitors by browser.

D. Deleting their existing data sets of any third-party cookies

Suggested answer: D

Explanation:

With the impending deprecation of third-party cookies, businesses must simplify their tracking practices and shift to more privacy-conscious technologies. Third-party cookies are being phased out by major web browsers, such as Google Chrome, to improve user privacy and reduce cross-site tracking.

One of the most critical actions businesses need to take is deleting existing data sets of third-party cookies, as they will soon become obsolete. This action ensures compliance with emerging privacy standards and helps organizations transition to alternative methods of tracking, such as first-party data collection or consent-based tracking mechanisms.

Explanation of Options:

A. Ensuring only registered users are tracked: While focusing on registered users might simplify tracking, it does not address the broader privacy concerns surrounding third-party cookies.

B. Running analytics only in dedicated sandboxes: Sandboxing analytics tools may enhance security, but it does not directly relate to the transition away from third-party cookies.

C. Purging existing IDs that identify visitors by browser: Browser IDs are not inherently tied to third-party cookies. Purging them might be part of broader privacy compliance efforts but is not the primary issue with cookie deprecation.

D. Deleting their existing data sets of any third-party cookies: This is correct. Deleting existing third-party cookie data is a necessary step to align with the move away from third-party cookies, ensuring businesses are prepared for the shift to new tracking technologies.

Reference from CIPP/US Materials:

IAPP CIPP/US Certification Textbook: Discusses cookie deprecation and the shift towards first-party data and privacy-conscious tracking.

California Consumer Privacy Act (CCPA): Regulates the use of cookies and other tracking technologies, emphasizing user consent and transparency.

The Clarifying Lawful Overseas Use of Data (CLOUD) Act is primarily intended to do which of the following?

A. Codify a treaty with the EU that permits the cross-border transfer of personal information from the EU to the United States in compliance with the General Data Protection Regulation (GDPR).

B. Update the legal mechanisms through which federal law enforcement may obtain data that service providers maintain in a foreign country

C. Establish baseline privacy obligations that US companies must comply with for personal information, even if stored in a foreign country

D. Prohibit foreign companies from using the personal information of U.S. citizens without their consent

Suggested answer: B

Explanation:

The Clarifying Lawful Overseas Use of Data (CLOUD) Act, enacted in 2018, updates the legal framework for federal law enforcement to access electronic data held by U.S. service providers, even when the data is stored outside the United States. The act resolves jurisdictional issues that arise in cross-border data requests and facilitates international cooperation for law enforcement purposes.

Key Provisions of the CLOUD Act:

Data Access for Law Enforcement:

The CLOUD Act allows U.S. federal law enforcement to compel U.S.-based service providers (e.g., Microsoft, Google) to provide access to data stored abroad using a valid warrant or subpoena, provided the request complies with applicable laws.

International Data Sharing Agreements:

The CLOUD Act enables the U.S. to establish bilateral agreements with other countries to streamline access to data for law enforcement purposes. These agreements ensure that U.S. and foreign law enforcement can access data without violating each other's sovereignty or privacy laws.

Conflict with Foreign Laws:

The act includes mechanisms for providers to challenge data requests that conflict with the laws of the country where the data is stored, providing safeguards for compliance with foreign privacy laws like the General Data Protection Regulation (GDPR).

Explanation of Options:

A. Codify a treaty with the EU that permits the cross-border transfer of personal information from the EU to the United States in compliance with the GDPR: This is incorrect. The CLOUD Act is not specific to the EU or GDPR compliance. Instead, it focuses on law enforcement access to data stored abroad.

B. Update the legal mechanisms through which federal law enforcement may obtain data that service providers maintain in a foreign country: This is correct. The CLOUD Act directly addresses law enforcement's ability to compel data access from U.S. providers, regardless of the data's physical location.

C. Establish baseline privacy obligations that U.S. companies must comply with for personal information, even if stored in a foreign country: This is incorrect. The CLOUD Act is focused on law enforcement access to data, not privacy obligations for companies.

D. Prohibit foreign companies from using the personal information of U.S. citizens without their consent: This is incorrect. The CLOUD Act does not regulate foreign companies or impose consent requirements for using personal information.

Reference from CIPP/US Materials:

CLOUD Act (18 U.S.C. 2713): Establishes legal mechanisms for cross-border data access and international agreements.

IAPP CIPP/US Certification Textbook: Discusses the CLOUD Act's impact on cross-border data requests and its interaction with global privacy laws.

Which of the following most accurately describes the regulatory status of pandemic contact-tracing apps in the United States?

A. Contact tracing is covered exclusively under the Health Insurance Portability and Accountability Act (HIPAA).

B. Contact tracing is regulated by the U.S. Centers for Disease Control and Prevention (CDC).

C. Contact tracing is subject to a patchwork of federal and state privacy laws.

D. Contact tracing is not regulated in the United States.

Suggested answer: C

Explanation:

In the United States, pandemic contact-tracing apps are regulated under a patchwork of federal and state privacy laws, rather than a single, comprehensive framework. Contact-tracing initiatives often involve the collection and processing of sensitive data, including location and health information, which may fall under different legal regimes depending on the jurisdiction and type of data.

Key Regulations Affecting Contact-Tracing Apps:

State Privacy Laws:

States such as California (via the California Consumer Privacy Act - CCPA) and others have privacy laws that may apply to contact-tracing apps, particularly when personal data is collected or shared.

State-level health privacy laws may also govern how health-related data is collected and used.

HIPAA:

HIPAA (Health Insurance Portability and Accountability Act) applies only if the app is used by or on behalf of a covered entity (e.g., healthcare providers or health plans). If the app is operated by a private company without a connection to a HIPAA-covered entity, HIPAA likely does not apply.

Federal Guidance:

The Federal Trade Commission (FTC) enforces general privacy protections under Section 5 of the FTC Act, which prohibits unfair or deceptive practices.

The FTC has also issued guidance on privacy considerations for health-related apps.

Other Federal and Sector-Specific Laws:

If the app collects health-related data, it could also trigger obligations under laws like the Americans with Disabilities Act (ADA) or sector-specific rules.

Explanation of Options:

A. Contact tracing is covered exclusively under the Health Insurance Portability and Accountability Act (HIPAA): This is incorrect. HIPAA applies only to covered entities and their business associates, not broadly to all contact-tracing apps or initiatives.

B. Contact tracing is regulated by the U.S. Centers for Disease Control and Prevention (CDC): This is incorrect. While the CDC provides guidance and recommendations for public health, it does not have regulatory authority over contact-tracing apps.

C. Contact tracing is subject to a patchwork of federal and state privacy laws: This is correct. Contact-tracing apps in the U.S. are governed by various federal, state, and sector-specific laws, creating a patchwork regulatory framework.

D. Contact tracing is not regulated in the United States: This is incorrect. While there is no single regulatory framework for contact tracing, the practice is subject to multiple federal and state laws.

Reference from CIPP/US Materials:

IAPP CIPP/US Certification Textbook: Discusses the application of HIPAA, state privacy laws, and federal regulations to health-related technologies, including contact-tracing apps.

FTC Guidance on Health Apps: Details privacy considerations for app developers handling health-related data.

Which power was NOT granted to the California Privacy Protection Agency by the California Privacy Rights Act (CPRA)?

A. Adopting and updating CCPA regulations.

B. Investigating possible violations of the CCPA on the agency's own initiative.

C. Overriding decisions of the Attorney General regarding CCPA enforcement.

D. Imposing administrative fines for violations of the CCPA.

Suggested answer: C

Explanation:

The California Privacy Rights Act (CPRA), which amends the California Consumer Privacy Act (CCPA), created the California Privacy Protection Agency (CPPA). This agency has been granted significant authority to regulate and enforce California privacy laws, but it does not have the authority to override decisions made by the California Attorney General regarding CCPA enforcement.

Powers Granted to the CPPA by the CPRA:

Adopting and Updating CCPA Regulations:

The CPPA has rulemaking authority, meaning it can adopt, amend, and update CCPA regulations to clarify obligations under the law.

This is explicitly stated in the CPRA.

Investigating Violations:

The CPPA can independently investigate potential violations of the CCPA, even without a complaint from a consumer.

Imposing Administrative Fines:

The CPPA has the authority to impose administrative fines for violations of the CCPA, which is critical for enforcing compliance.

Explanation of Option C:

While the CPPA has broad regulatory and enforcement powers, it cannot override decisions made by the Attorney General. The Attorney General retains certain oversight functions, particularly in transitioning enforcement authority to the CPPA. The CPPA's role is independent and complementary to that of the Attorney General, not one of supremacy.

Reference from CIPP/US Materials:

California Privacy Rights Act (CPRA): Specifies the creation, powers, and responsibilities of the CPPA.

IAPP CIPP/US Certification Textbook: Discusses the CPPA's rulemaking and enforcement authority.

Total 195 questions