ExamGecko
Search Search Login
Home Home / IAPP / CIPP-US
Question list
Search
Search
Open VPLUS File
Convert VPLUS to PDF

Related questions

Which of the following federal agencies does NOT have regulatory authority related to privacy?
Under the Driver's Privacy Protection Act (DPPA), which of the following parties would require consent of an individual in order to obtain his or her Department of Motor Vehicle information?
The use of cookies on a website by a service provider is generally not deemed a 'sale' of personal information by CCPA, as long as which of the following conditions is met?
Which of the following conditions would NOT be sufficient to excuse an entity from providing breach notification under state law?
Which of the following data elements is most likely to be subject to comprehensive state data security and privacy laws?
Which power was NOT granted to the California Privacy Protection Agency by the California Privacy Rights Act (CPRA)?
Which of the following most accurately describes the regulatory status ot pandemic contact-tracing apps in the United States?
The Clarifying Lawful Overseas Use of Data (CLOUD) Act is primarily intended to do which of the following?
Due to cookie deprecation, businesses will be required to simplify their tracking practices by doing what?
A software company wants to use web scraping to collect personal data from professional networking websites in order to train an artificial intelligence program to evaluate Job applications. The company has identified several actions for limiting their potential legal liability regarding affected data subjects and professional networking websites. Which of the following would be the least effective action for helping them do this?

Question 122 - CIPP-US discussion

Report
Export

A California resident has created an account on your company's online food delivery platform and placed several orders in the past month Later she submits a data subject request to access her personal information under the California Privacy Rights Act.

Based on the CPRA. which of the following data elements would your company NOT have to provide to the requestor once her identity has been verified?

A.

Inferences made about the individual for the company s internal purposes

Answers
A.

Inferences made about the individual for the company s internal purposes

B.

The loyalty account number assigned through the individuals use of the services

Answers
B.

The loyalty account number assigned through the individuals use of the services

C.

The time stamp for the creation of the individual's account in the platform's database.

Answers
C.

The time stamp for the creation of the individual's account in the platform's database.

D.

The email address submitted by the individual as part of the account registration process.

Answers
D.

The email address submitted by the individual as part of the account registration process.

Suggested answer: A

Explanation:

Under the California Privacy Rights Act (CPRA), which amends the California Consumer Privacy Act (CCPA), California residents have the right to request access to their personal information collected by a business. However, the CPRA provides an exception for inferences made about an individual for internal purposes, meaning businesses are not obligated to disclose inferences generated solely for internal use.

Key Points Under the CPRA:

Access to Personal Information:

Businesses must provide consumers with access to personal information they have collected, which includes data submitted by the consumer and other information directly associated with the consumer.

Exception for Inferences:

Inferences made about a consumer, particularly when used for internal purposes (e.g., improving services, analytics, or predicting preferences), are not explicitly required to be disclosed under the CPRA unless they are part of the consumer's profile or used for decision-making purposes that affect the consumer.

Examples of Data to Be Provided:

Information provided by the consumer (e.g., email address, account information).

Automatically collected information (e.g., timestamps, purchase history).

Identifiers (e.g., loyalty account numbers).

Explanation of Options:

A . Inferences made about the individual for the company's internal purposes: This is correct. Inferences generated for internal use are not considered part of the data set that must be disclosed in response to a CPRA data access request.

B . The loyalty account number assigned through the individual's use of the services: Loyalty account numbers are directly associated with the consumer and must be provided in response to an access request under the CPRA.

C. The time stamp for the creation of the individual's account in the platform's database: This information is part of the consumer's account data and must be disclosed under the CPRA.

D . The email address submitted by the individual as part of the account registration process: This is personal information directly provided by the consumer and must be disclosed under the CPRA.

Reference from CIPP/US Materials:

CPRA (Civil Code 1798.140): Defines personal information and exceptions for internal use, including inferences.

IAPP CIPP/US Certification Textbook: Discusses consumer rights under the CPRA, including access rights and the treatment of inferences.

Show Answer
asked 22/11/2024
Koh Renbin
35 questions
PreviousPreviousNextNext
User
Your answer:
0 comments
Sorted by

Leave a comment first

ExamGecko

Copyright @2023 ExamGecko | All right reserved

Mail us: [email protected]
About us
Contact us
Twitter X
Facebook
Medium
Convert VPLUS to PDF
Open VPLUS files Easily and Quickly
Privacy Policy
Disclaimer
Terms