ExamGecko
IAPP CIPP-US Practice Test - Questions Answers, Page 9


Related questions

SCENARIO. Please use the following to answer the related questions below: Jane is a U.S. citizen and a senior software engineer at California-based Jones Labs, a major software supplier to the U.S. Department of Defense and other U.S. federal agencies. Jane's manager, Patrick, is a French citizen who has been living in California for over a decade. Patrick has recently begun to suspect that Jane is an insider secretly transmitting trade secrets to foreign intelligence. Unbeknownst to Patrick, the FBI has already received a hint from an anonymous whistleblower, and jointly with the National Security Agency is investigating Jane's possible implication in a sophisticated foreign espionage campaign. Ever since the pandemic, Jane has been working from home. To complete her daily tasks she uses her corporate laptop, which after each login conspicuously provides notice that the equipment belongs to Jones Labs and may be monitored according to the enacted privacy policy and employment handbook. Jane also has a corporate mobile phone that she uses strictly for business, the terms of which are defined in her employment contract and elaborated upon in her employee handbook. Both the privacy policy and the employee handbook are revised annually by a reputable California law firm specializing in privacy law. Jane also has a personal iPhone that she uses for private purposes only. Jones Labs has its primary data center in San Francisco, which is managed internally by Jones Labs engineers. The secondary data center, managed by Amazon AWS, is physically located in the UK for disaster recovery purposes. Jones Labs' mobile devices backup is managed by a mid-sized mobile defense company located in Denver, which physically stores the data in Canada to reduce costs. Jones Labs MS Office documents are securely stored in a Microsoft Office 365 data

Under Section 702 of FISA, the NSA may do which of the following without a Foreign Intelligence Surveillance Court warrant?

When storing Jane's fingerprint for remote authentication, Jones Labs should consider legality issues under which of the following?

What role does the U.S. Constitution play in the area of workplace privacy?

A. It provides enforcement resources to large employers, but not to small businesses

B. It provides legal precedent for physical information security, but not for electronic security

C. It provides contractual protections to members of labor unions, but not to employees at will

D. It provides significant protections to federal and state governments, but not to private-sector employment
Suggested answer: D

Explanation:

The U.S. Constitution plays a limited role in the area of workplace privacy, because it mainly applies to the actions of the government, not private employers. The Fourth Amendment protects the right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures [1]. The Supreme Court has interpreted this right to include a reasonable expectation of privacy in certain situations, such as in one's home, car, or personal belongings [2]. However, this right does not extend to private-sector employees, who are not protected by the Constitution from the actions of their employers, unless the employer is acting as an agent of the government [3]. Private-sector employees may have some privacy rights under state laws, common law, or contractual agreements, but these vary depending on the jurisdiction and the circumstances [4].

Public-sector employees, on the other hand, are protected by the Constitution from unreasonable searches and seizures by their employers, who are considered part of the government. Public-sector employees have a reasonable expectation of privacy in their workplace, unless there is a legitimate work-related reason for the search or seizure, such as to ensure safety, security, or efficiency. Public-sector employers must also comply with the due process and equal protection clauses of the Fifth and Fourteenth Amendments, which prohibit the government from depriving any person of life, liberty, or property without due process of law, or from denying any person the equal protection of the laws. These clauses protect public-sector employees from arbitrary or discriminatory actions by their employers that affect their employment status or benefits.

Therefore, the U.S. Constitution plays a significant role in the area of workplace privacy for federal and state governments, but not for private-sector employment, because it only regulates the actions of the government, not private actors.

Reference:

1: Cornell Law School, Fourth Amendment, https://www.law.cornell.edu/constitution/fourth_amendment

2: FindLaw, What Is a Reasonable Expectation of Privacy?, https://www.findlaw.com/criminal/criminal-rights/what-is-a-reasonable-expectation-of-privacy.html

3: FindLaw, Workplace Privacy, https://www.findlaw.com/smallbusiness/employment-law-and-human-resources/workplace-privacy.html

4: Nolo, Privacy Rights of Employees, https://www.nolo.com/legal-encyclopedia/privacy-rights-employees-29849.html

OPM, Employee Relations, https://www.opm.gov/policy-data-oversight/employee-relations/reference-materials/employee-privacy/

Cornell Law School, Fifth Amendment, https://www.law.cornell.edu/constitution/fifth_amendment

FindLaw, Public Employees and the Constitution, https://www.findlaw.com/employment/employment-rights/public-employees-and-the-constitution.html

Which action is prohibited under the Electronic Communications Privacy Act of 1986?

A. Intercepting electronic communications and unauthorized access to stored communications

B. Monitoring all employee telephone calls

C. Accessing stored communications with the consent of the sender or recipient of the message

D. Monitoring employee telephone calls of a personal nature
Suggested answer: A

Explanation:

The Electronic Communications Privacy Act of 1986 (ECPA) is a federal law that protects the privacy of wire, oral, and electronic communications while they are being made, in transit, or stored on computers [1]. The ECPA has three titles: Title I prohibits the intentional interception, use, or disclosure of wire, oral, or electronic communications, except for certain exceptions, such as consent, provider protection, or law enforcement purposes [2]. Title II, also known as the Stored Communications Act (SCA), prohibits the unauthorized access to or disclosure of stored wire or electronic communications, such as email, voicemail, or online messages, except for certain exceptions, such as consent, provider protection, or law enforcement purposes [3]. Title III regulates the installation and use of pen register and trap and trace devices, which record the numbers dialed to or from a telephone line, but not the content of the communications [4].

Therefore, the action that is prohibited under the ECPA is intercepting electronic communications and unauthorized access to stored communications, which are covered by Title I and Title II of the Act, respectively. The other actions are not prohibited by the ECPA, as long as they comply with the exceptions and requirements of the Act. For example, monitoring all employee telephone calls or monitoring employee telephone calls of a personal nature may be allowed if the employer has a legitimate business purpose, has obtained the consent of the employees, or has a court order [5]. Accessing stored communications with the consent of the sender or recipient of the message is also allowed under the ECPA, as consent is one of the exceptions to the prohibition of unauthorized access [3].

Which of the following does Title VII of the Civil Rights Act prohibit an employer from asking a job applicant?

A. Questions about age

B. Questions about a disability

C. Questions about a national origin

D. Questions about intended pregnancy
Suggested answer: D

Explanation:

Title VII of the Civil Rights Act of 1964 is a federal law that prohibits employment discrimination based on race, color, religion, sex, and national origin [1]. It also prohibits retaliation against individuals who assert their rights under the law or participate in an EEOC investigation [1]. Title VII applies to employers with 15 or more employees, as well as to employment agencies, labor organizations, and joint labor-management committees [1].

Title VII prohibits employers from making pre-employment inquiries that express a preference, limitation, or specification based on any of the protected characteristics, unless they are bona fide occupational qualifications (BFOQs) [2]. BFOQs are rare and narrowly construed exceptions that allow employers to consider a protected characteristic when it is reasonably necessary to the normal operation of the business [2]. For example, a religious organization may require its employees to share its faith, or a women's shelter may hire only female counselors [2].

Option A is incorrect because questions about age are not prohibited by Title VII, but by the Age Discrimination in Employment Act of 1967 (ADEA), which protects individuals who are 40 years of age or older from employment discrimination based on age [3]. The ADEA generally prohibits employers from asking applicants about their age or date of birth, unless age is a BFOQ or the inquiry is part of a lawful affirmative action plan [3].

Option B is incorrect because questions about a disability are not prohibited by Title VII, but by the Americans with Disabilities Act of 1990 (ADA), which protects qualified individuals with disabilities from employment discrimination based on disability [4]. The ADA generally prohibits employers from asking applicants about whether they have a disability or the nature or severity of a disability, unless the inquiry is related to the ability to perform the essential functions of the job with or without reasonable accommodation [4].

Option C is incorrect because questions about a national origin are prohibited by Title VII, but not in all circumstances. Title VII prohibits employers from asking applicants about their national origin, ancestry, birthplace, native language, or accent, unless they are BFOQs or the inquiry is related to a legitimate business purpose, such as verifying eligibility to work in the United States or assessing language proficiency for a job that requires communication skills [2][5].

Option D is correct because questions about intended pregnancy are prohibited by Title VII, as amended by the Pregnancy Discrimination Act of 1978 (PDA), which protects women from employment discrimination based on pregnancy, childbirth, or related medical conditions. The PDA prohibits employers from asking applicants about whether they are pregnant or intend to become pregnant, unless they are related to the ability to perform the job. Such questions may indicate an intent to discriminate based on sex or pregnancy, or may deter women from applying for certain jobs.

How did the Fair and Accurate Credit Transactions Act (FACTA) amend the Fair Credit Reporting Act (FCRA)?

A. It expanded the definition of ''consumer reports'' to include communications relating to employee investigations

B. It increased the obligation of organizations to dispose of consumer data in ways that prevent unauthorized access

C. It stipulated the purpose of obtaining a consumer report can only be for a review of the employee's credit worthiness

D. It required employers to get an employee's consent in advance of requesting a consumer report for internal investigation purposes
Suggested answer: B

Explanation:

FACTA added a new section to the FCRA that requires any person who maintains or otherwise possesses consumer information, or any compilation of consumer information, derived from consumer reports for a business purpose, to properly dispose of any such information or compilation. The purpose of this provision is to reduce the risk of identity theft and other consumer harm resulting from improper disposal of consumer information. The FTC and other federal agencies have issued rules implementing this provision, which specify the reasonable measures that covered entities must take to ensure secure disposal of consumer information, such as burning, pulverizing, shredding, erasing, or otherwise modifying the information to make it unreadable or indecipherable (16 CFR 682.3).

Reference: [1], [2], [3]

Which federal act does NOT contain provisions for preempting stricter state laws?

A. The CAN-SPAM Act

B. The Children's Online Privacy Protection Act (COPPA)

C. The Fair and Accurate Credit Transactions Act (FACTA)

D. The Telemarketing Consumer Protection and Fraud Prevention Act
Suggested answer: D

Explanation:

The federal act that does NOT contain provisions for preempting stricter state laws is the Telemarketing Consumer Protection and Fraud Prevention Act [1]. This act authorizes the Federal Trade Commission (FTC) to establish and enforce rules for telemarketing practices, such as the Do Not Call Registry, the prohibition of robocalls, and the disclosure of material information [2]. However, the act also explicitly states that it does not 'annul, alter, or affect, or exempt any person subject to the provisions of this section from complying with, the laws of any State with respect to telemarketing practices, except to the extent that those laws are inconsistent with any provision of this section, and then only to the extent of the inconsistency' [1]. This means that states can enact and enforce their own laws regarding telemarketing, as long as they are not less protective than the federal law. In contrast, the other three acts listed in the question do contain preemption clauses that limit or override the authority of states to regulate certain aspects of electronic communications, online privacy, and credit transactions [3][4][5].

Reference:

1: Telemarketing Consumer Protection and Fraud Prevention Act

2: Telemarketing Sales Rule | Federal Trade Commission

3: CAN-SPAM Act: A Compliance Guide for Business

4: Children's Online Privacy Protection Rule (''COPPA'') | Federal Trade Commission

5: Fair and Accurate Credit Transactions Act of 2003 - Wikipedia

IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 5: Federal Trade Commission and Consumer Privacy, p. 144-145, 149-150, 154-155

Which of the following is commonly required for an entity to be subject to breach notification requirements under most state laws?

A. The entity must conduct business in the state

B. The entity must have employees in the state

C. The entity must be registered in the state

D. The entity must be an information broker
Suggested answer: A

Explanation:

Most state laws require that a person or business that conducts business in the state and owns or licenses personal information of residents of that state must notify those residents of any breach of the security of the system involving their personal information. This means that the entity does not have to be physically located in the state, have employees in the state, or be registered in the state to be subject to the breach notification requirements, as long as it conducts business in the state and holds personal information of state residents. Conducting business in the state can be interpreted broadly to include any transaction or activity that involves the state or its residents, such as selling goods or services, collecting payments, or maintaining a website accessible by state residents. The other options (B, C, and D) are not commonly required by most state laws, although some states may have additional or specific requirements for certain types of entities, such as information brokers, health care providers, or financial institutions.

Reference:

Security Breach Notification Chart | Perkins Coie

Security Breach Notification Laws - National Conference of State Legislatures

IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 4: State Privacy Laws and Regulations, Section 4.2: State Security Breach Notification Laws.

What is the most likely reason that states have adopted their own data breach notification laws?

A. Many states have unique types of businesses that require specific legislation

B. Many lawmakers believe that federal enforcement of current laws has not been effective

C. Many types of organizations are not currently subject to federal laws regarding breaches

D. Many large businesses have intentionally breached the personal information of their customers
Suggested answer: C

Explanation:

The most likely reason that states have adopted their own data breach notification laws is that many types of organizations are not currently subject to federal laws regarding breaches. As explained in the Data Breach Response: A Guide for Business from the Federal Trade Commission (FTC), certain federal laws govern obligations to report data breaches in particular industries, such as health care, financial services, or telecommunications. However, these laws do not cover all types of businesses or all types of personal information that may be compromised in a data breach. Therefore, states have enacted their own data breach notification laws to fill the gaps and protect the privacy and security of their residents. According to the National Conference of State Legislatures, as of January 2022, all 50 states, the District of Columbia, Puerto Rico, and the Virgin Islands have enacted legislation requiring notification of security breaches involving personal information. These state laws vary in terms of the definitions of personal information, the triggers for notification, the methods and timing of notification, the exemptions and exceptions, and the penalties and enforcement mechanisms.

Which federal law or regulation preempts state law?

A. Health Insurance Portability and Accountability Act

B. Controlling the Assault of Non-Solicited Pornography and Marketing Act

C. Telemarketing Sales Rule

D. Electronic Communications Privacy Act of 1986
Suggested answer: A

Explanation:

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is a federal law that regulates the privacy and security of health information in the United States. HIPAA preempts state laws that are contrary to its provisions, unless the state laws provide more stringent protections for health information [1][2]. HIPAA establishes a floor of federal standards for health information privacy and security, but allows states to enact laws that are more protective of individuals' rights [3][4]. For example, some states may require more specific consent from individuals before disclosing their health information, or impose stricter penalties for violations of health information privacy and security. HIPAA also provides exceptions for certain state laws that serve a compelling public interest, such as public health, safety, or welfare.

Reference:

https://www.findlaw.com/litigation/legal-system/the-supremacy-clause-and-the-doctrine-of-preemption.html

https://www.bonalaw.com/insights/legal-resources/when-does-federal-law-preempt-state-law

More than half of U.S. states require telemarketers to?

A. Identify themselves at the beginning of a call

B. Obtain written consent from potential customers

C. Register with the state before conducting business

D. Provide written contracts for customer transactions
Suggested answer: C

Explanation:

According to the IAPP CIPP/US Study Guide, more than half of U.S. states require telemarketers to register with the state before conducting business within the state. This registration requirement may involve paying a fee, posting a bond, or providing information about the telemarketer's identity, location, and business practices. The purpose of this requirement is to protect consumers from fraudulent or deceptive telemarketing calls and to facilitate the enforcement of state laws and regulations. The other options are not required by most states, although some states may have additional rules or guidelines for telemarketers regarding identification, consent, or contracts.

Reference:

IAPP CIPP/US Study Guide, Chapter 7: Marketing and Advertising

State Telemarketing Registration Requirements

What does the Massachusetts Personal Information Security Regulation require as it relates to encryption of personal information?

A. The encryption of all personal information of Massachusetts residents when all equipment is located in Massachusetts.

B. The encryption of all personal information stored in Massachusetts-based companies when all equipment is located in Massachusetts.

C. The encryption of personal information stored in Massachusetts-based companies when stored on portable devices.

D. The encryption of all personal information of Massachusetts residents when stored on portable devices.
Suggested answer: D

Explanation:

The Massachusetts Personal Information Security Regulation (201 CMR 17.00) requires that any person or entity that owns or licenses personal information of Massachusetts residents must implement and maintain a comprehensive written information security program that includes administrative, technical, and physical safeguards to protect such information. One of the technical requirements of the regulation is to encrypt all personal information of Massachusetts residents that is stored on laptops or other portable devices, regardless of where the equipment is located [1][2]. The regulation defines personal information as a person's first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such person: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident's financial account [1]. The regulation also requires encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly [1].

Reference:

Regulation 201 CMR 17.00: Standards for the Protection of Personal Information of MA Residents

Massachusetts Law Raises the Bar for Data Security

Total 195 questions