Who has rulemaking authority for the Fair Credit Reporting Act (FCRA) and the Fair and Accurate Credit Transactions Act (FACTA)?
State Attorneys General
The Federal Trade Commission
The Department of Commerce
The Consumer Financial Protection Bureau
The Answer Is:
D
Explanation:
The Consumer Financial Protection Bureau (CFPB) has rulemaking authority for the Fair Credit Reporting Act (FCRA) and the Fair and Accurate Credit Transactions Act (FACTA), as well as other consumer financial laws. The Dodd-Frank Act, enacted in 2010, transferred most of the rulemaking responsibilities added to the FCRA by the FACTA and the Credit CARD Act from the Federal Trade Commission (FTC) to the CFPB. However, the FTC retains its enforcement authority for the FCRA and the FACTA, along with other federal and state agencies [1]. The CFPB also shares rulemaking authority for some provisions of the FACTA with the FTC, such as the identity theft red flags and address discrepancy rules [2]. The Department of Commerce and the State Attorneys General do not have rulemaking authority for the FCRA or the FACTA.
References: [1] FTC, Fair Credit Reporting Act; [2] CFPB, Fair Credit Reporting Act; [3] FTC; [4] CFPB.
A covered entity suffers a ransomware attack that affects the personal health information (PHI) of more than 500 individuals. According to Federal law under HIPAA, which of the following would the covered entity NOT have to report the breach to?
Department of Health and Human Services
The affected individuals
The local media
Medical providers
The Answer Is:
D
Explanation:
According to the Health Insurance Portability and Accountability Act (HIPAA), a covered entity is a health plan, a health care clearinghouse, or a health care provider that transmits any health information in electronic form in connection with a transaction covered by HIPAA. A covered entity must report a breach of unsecured protected health information (PHI) to the following parties:
The Department of Health and Human Services (HHS), which is the federal agency responsible for enforcing HIPAA and issuing regulations and guidance on privacy and security issues. A covered entity must notify HHS of a breach affecting 500 or more individuals without unreasonable delay and in no case later than 60 days after discovery of the breach. A covered entity must also notify HHS of breaches affecting fewer than 500 individuals within 60 days of the end of the calendar year in which the breaches occurred.
The affected individuals, who are the individuals whose PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed as a result of the breach. A covered entity must notify the affected individuals without unreasonable delay and in no case later than 60 days after discovery of the breach. The notification must be in writing by first-class mail or, if the individual agrees, by electronic mail. The notification must include a brief description of the breach, the types of information involved, the steps the individual should take to protect themselves, the steps the covered entity is taking to investigate and mitigate the breach, and the contact information of the covered entity.
The local media, if the breach affects more than 500 residents of a state or jurisdiction. A covered entity must notify prominent media outlets serving the state or jurisdiction without unreasonable delay and in no case later than 60 days after discovery of the breach. The notification must include the same information as the notification to the affected individuals.
A covered entity does not have to report the breach to medical providers, unless they are also affected individuals or business associates of the covered entity. A business associate is a person or entity that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of PHI. A covered entity must have a written contract or agreement with its business associates that requires them to protect the privacy and security of PHI and report any breaches to the covered entity.
References:
IAPP CIPP/US Body of Knowledge, Domain II: Limits on Private-sector Collection and Use of Data, Section C: Sector-specific Requirements for Health Information
IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 2: Limits on Private-sector Collection and Use of Data, Section 2.3: Sector-specific Requirements for Health Information
Practice Exam - International Association of Privacy Professionals
The Cable Communications Policy Act of 1984 requires which activity?
Delivery of an annual notice detailing how subscriber information is to be used
Destruction of personal information a maximum of six months after it is no longer needed
Notice to subscribers of any investigation involving unauthorized reception of cable services
Obtaining subscriber consent for disseminating any personal information necessary to render cable services
The Answer Is:
A
Explanation:
The Cable Communications Policy Act of 1984 (CCPA) is a federal law that regulates the cable television industry and protects the privacy of cable subscribers. One of the provisions of the CCPA is that cable operators must provide their subscribers with an annual notice that clearly and conspicuously informs them of the following information [1][2]:
The nature of personally identifiable information collected or to be collected with respect to the subscriber and the nature of the use of such information
The nature, frequency, and purpose of any disclosure of such information, including an identification of the types of persons to whom the disclosure may be made
The period during which such information will be maintained by the cable operator
The times and place at which the subscriber may have access to such information
The limitations provided by the CCPA with respect to the collection and disclosure of information by a cable operator and the right of the subscriber under the CCPA to enforce such limitations
The annual notice must also state that the subscriber has the right to prevent disclosure of personally identifiable information to third parties, except as required by law or court order, and that the subscriber may sue for damages, attorney’s fees, and other relief for violations of the CCPA [1][2].
References: [1] Cable Communications Policy Act of 1984, Section 631; [2] IAPP CIPP/US Study Guide, Chapter 8, Section 8.3.2
Which of the following became the first state to pass a law specifically regulating the collection of biometric data?
California.
Texas.
Illinois.
Washington.
The Answer Is:
C
Explanation:
Illinois became the first state to pass a law specifically regulating the collection of biometric data in 2008, when it enacted the Biometric Information Privacy Act (BIPA). BIPA defines biometric identifiers as retina or iris scans, fingerprints, voiceprints, or scans of hand or face geometry, and biometric information as any information based on biometric identifiers used to identify an individual. BIPA requires entities that collect, store, or use biometric identifiers or information to obtain informed consent from individuals, provide written policies on data retention and destruction, limit disclosure and sale of biometric data, and protect biometric data using reasonable security measures. BIPA also provides a private right of action for individuals whose biometric data is collected, stored, or used in violation of the law, and allows them to recover statutory damages of $1,000 or actual damages, whichever is greater, for each negligent violation, and $5,000 or actual damages, whichever is greater, for each intentional or reckless violation, as well as attorneys’ fees and costs, and injunctive relief.
References: U.S. Biometrics Laws Part I: An Overview of 2020; Is Biometric Information Protected by Privacy Laws?; Biometric Data Privacy Laws
Which jurisdiction must courts have in order to hear a particular case?
Subject matter jurisdiction and regulatory jurisdiction
Subject matter jurisdiction and professional jurisdiction
Personal jurisdiction and subject matter jurisdiction
Personal jurisdiction and professional jurisdiction
The Answer Is:
C
Explanation:
In order for a court to hear a case, it must have both personal jurisdiction and subject matter jurisdiction. Personal jurisdiction refers to the authority of a court over the parties to a case, while subject matter jurisdiction refers to the authority of a court to hear a particular type of case. For example, a federal court may have subject matter jurisdiction over a case involving a federal law, but it may not have personal jurisdiction over a defendant who has no contacts with the state where the court is located. Similarly, a state court may have personal jurisdiction over a resident of the state, but it may not have subject matter jurisdiction over a case involving a foreign treaty. References: [IAPP CIPP/US Study Guide], Chapter 2: Introduction to U.S. Law, p. 25-26; Wex Legal Dictionary, Subject Matter Jurisdiction and Personal Jurisdiction.
What do the Civil Rights Act, Pregnancy Discrimination Act, Americans with Disabilities Act, Age Discrimination Act, and Equal Pay Act all have in common?
They require employers not to discriminate against certain classes when employees use personal information
They require that employers provide reasonable accommodations to certain classes of employees
They afford certain classes of employees’ privacy protection by limiting inquiries concerning their personal information
They permit employers to use or disclose personal information specifically about employees who are members of certain classes
The Answer Is:
C
Explanation:
The Civil Rights Act, Pregnancy Discrimination Act, Americans with Disabilities Act, Age Discrimination Act, and Equal Pay Act are all federal laws that prohibit employment discrimination based on certain protected characteristics, such as race, sex, disability, age, and pay [1][2][3][4]. These laws also afford certain classes of employees privacy protection by limiting inquiries concerning their personal information that may reveal their protected status or be used for discriminatory purposes. For example:
The Civil Rights Act of 1964 prohibits employers from making pre-employment inquiries that express a preference, limitation, or specification based on race, color, religion, sex, or national origin, unless they are bona fide occupational qualifications.
The Pregnancy Discrimination Act of 1978, which amended the Civil Rights Act of 1964, prohibits employers from making pre-employment inquiries about whether an applicant is pregnant or intends to become pregnant, unless they are related to the ability to perform the job.
The Americans with Disabilities Act of 1990 prohibits employers from making pre-employment inquiries about whether an applicant has a disability or the nature or severity of a disability, unless they are related to the ability to perform the essential functions of the job with or without reasonable accommodation.
The Age Discrimination in Employment Act of 1967 prohibits employers from making pre-employment inquiries about an applicant’s age, unless they are related to a bona fide occupational qualification or a lawful affirmative action plan.
The Equal Pay Act of 1963 prohibits employers from making pre-employment inquiries about an applicant’s salary history, unless they are made for a lawful purpose other than determining the applicant’s pay.
Option A is incorrect because these laws do not require employers not to discriminate against certain classes when employees use personal information. Rather, they require employers not to discriminate against certain classes in any aspect of employment, such as hiring, firing, pay, promotion, training, benefits, etc. [1][2][3][4] The use of personal information by employees is not directly addressed by these laws, although it may be subject to other privacy laws or policies.
Option B is incorrect because these laws do not require that employers provide reasonable accommodations to certain classes of employees. Rather, only the Americans with Disabilities Act and the Pregnancy Discrimination Act require employers to provide reasonable accommodations to qualified individuals with disabilities and workers with limitations related to pregnancy, childbirth, or related medical conditions, respectively, unless doing so would cause an undue hardship to the employer. The other laws do not have a similar requirement, although they may prohibit employers from denying equal opportunities to certain classes of employees.
Option C is correct because these laws afford certain classes of employees privacy protection by limiting inquiries concerning their personal information that may reveal their protected status or be used for discriminatory purposes, as explained above.
Option D is incorrect because these laws do not permit employers to use or disclose personal information specifically about employees who are members of certain classes. Rather, these laws generally prohibit employers from using or disclosing personal information that is protected by these laws for any unlawful or discriminatory purpose, unless an exception applies. For example, employers may use or disclose such information for legitimate business reasons, such as complying with reporting requirements, administering benefits, or conducting investigations.
References: [1] Facts About Equal Pay and Compensation Discrimination; [2] Pregnancy Discrimination and Pregnancy-Related Disability Discrimination | U.S. Equal Employment Opportunity Commission; [3] Regulations, Guidance and Policy | Equal Opportunity Guidance | OEEOWE; [4] Age Discrimination | U.S. Equal Employment Opportunity Commission. See also: Pre-Employment Inquiries and Medical Questions & Examinations | U.S. Equal Employment Opportunity Commission; Employee Medical Information | U.S. Equal Employment Opportunity Commission; Employee Privacy Rights | U.S. Department of Labor; Title VII of the Civil Rights Act of 1964 | U.S. Equal Employment Opportunity Commission; Fact Sheet: Pregnancy Discrimination | U.S. Equal Employment Opportunity Commission; The Americans with Disabilities Act: A Primer for Small Business; Age Discrimination in Employment Act of 1967 | U.S. Equal Employment Opportunity Commission; Equal Pay Act of 1963 | U.S. Equal Employment Opportunity Commission
Read this notice:
Our website uses cookies. Cookies allow us to identify the computer or device you’re using to access the site, but they don’t identify you personally. For instructions on setting your Web browser to refuse cookies, click here.
What type of legal choice does this notice provide?
Mandatory
Implied consent
Opt-in
Opt-out
The Answer Is:
B
Explanation:
A cookie is a small piece of data that a website sends to a user’s browser and stores on the user’s device, usually for the purpose of remembering the user’s preferences, settings, or actions [1].
A cookie notice is a message that informs the user about the website’s use of cookies and the user’s choices regarding the acceptance or rejection of cookies [2].
A legal choice is the mechanism that the website provides to the user to express their consent or dissent to the use of cookies [2].
There are different types of legal choices for cookie notices, depending on the applicable laws and regulations, such as the General Data Protection Regulation (GDPR) in the European Union or the California Consumer Privacy Act (CCPA) in the United States [3][4].
The four types of legal choices mentioned in the question are:
Mandatory: The website does not allow the user to access the site unless they accept the use of cookies. This type of choice is generally considered unlawful and non-compliant with the GDPR and the CCPA [3][4].
Implied consent: The website assumes that the user consents to the use of cookies by continuing to browse the site or by dismissing the cookie notice. This type of choice is often used by websites that operate in the U.S. or other jurisdictions that do not have strict cookie laws, but it may not be sufficient for the GDPR or the CCPA [3][4].
Opt-in: The website requires the user to explicitly agree to the use of cookies by clicking a button or checking a box. This type of choice is usually compliant with the GDPR and the CCPA, as it ensures that the user gives informed and affirmative consent [3][4].
Opt-out: The website allows the user to reject the use of cookies by clicking a link or changing their browser settings. This type of choice is also compliant with the GDPR and the CCPA, as it gives the user the right to withdraw their consent at any time [3][4].
Based on the description of the cookie notice in the question, the type of legal choice that the notice provides is implied consent, as the website does not explicitly ask for the user’s agreement, but rather assumes that the user accepts the use of cookies by using the site. The notice also provides a link for the user to opt out of cookies by setting their browser to refuse them.
References: [1] Cookie; [2] Cookie Notice; [3] INSIGHT: Website Cookies and Privacy—GDPR, CCPA, and Evolving Standards for Online Consent; [4] Do You Need A Cookie Notice
What was the original purpose of the Foreign Intelligence Surveillance Act?
To further define what information can reasonably be under surveillance in public places under the USA PATRIOT Act, such as Internet access in public libraries.
To further clarify a reasonable expectation of privacy stemming from the Katz v. United States decision.
To further define a framework for authorizing wiretaps by the executive branch for national security purposes under Article II of the Constitution.
To further clarify when a warrant is not required for a wiretap performed internally by the telephone company outside the suspect’s home, stemming from the Olmstead v. United States decision.
The Answer Is:
C
Explanation:
The Foreign Intelligence Surveillance Act (FISA) was enacted in 1978 in response to revelations of widespread privacy violations by the federal government under President Nixon. It established procedures for requesting judicial authorization for electronic surveillance and physical search of persons engaged in espionage or international terrorism against the United States on behalf of a foreign power [1]. The original purpose of FISA was to further define a framework for authorizing wiretaps by the executive branch for national security purposes under Article II of the Constitution, which grants the president the power to conduct foreign affairs and defend the nation [2][3]. FISA was intended to balance the need for collecting foreign intelligence information with the protection of privacy and civil liberties of U.S. persons [4].
References: https://www.intelligence.gov/foreign-intelligence-surveillance-act; https://www.intelligence.gov/foreign-intelligence-surveillance-act/1234-categories-of-fisa
The U.S. Supreme Court has recognized an individual’s right to privacy over personal issues, such as contraception, by acknowledging which of the following?
Federal preemption of state constitutions that expressly recognize an individual right to privacy.
A “penumbra” of unenumerated constitutional rights as well as more general protections of due process of law.
An interpretation of the U.S. Constitution’s explicit definition of privacy that extends to personal issues.
The doctrine of stare decisis, which allows the U.S. Supreme Court to follow the precedent of previously decided case law.
The Answer Is:
B
Explanation:
The U.S. Supreme Court has recognized an individual’s right to privacy over personal issues, such as contraception, by acknowledging a “penumbra” of unenumerated constitutional rights as well as more general protections of due process of law. This means that the right to privacy is not explicitly stated in the Constitution, but it is implied from other rights that are explicitly stated, such as the First Amendment rights of speech and assembly, the Third Amendment right to be free from quartering of soldiers, the Fourth Amendment right to be secure from unreasonable searches and seizures, the Fifth Amendment right to be free from self-incrimination, and the Ninth Amendment right to retain other rights not enumerated in the Constitution. These rights create a “zone of privacy” that protects individuals from undue government interference in their personal affairs. The Supreme Court first articulated this concept of privacy in Griswold v. Connecticut (1965), where it struck down a state law that prohibited the use of contraceptives by married couples. The Court also relied on the due process clause of the Fourteenth Amendment, which prohibits states from depriving any person of life, liberty, or property without due process of law. The Court interpreted this clause to include a substantive component that protects certain fundamental rights from state regulation, unless there is a compelling state interest and the regulation is narrowly tailored to achieve that interest. The Court has applied this due process analysis to other privacy issues, such as abortion, marriage, and sexual orientation. References:
Privacy | Wex | US Law | LII / Legal Information Institute
Privacy isn’t in the Constitution – but it’s everywhere in constitutional law
Privacy Rights and Personal Autonomy Legally Protected by the … - Justia
Right to privacy | Wex | US Law | LII / Legal Information Institute
Which of the following data elements is most likely to be subject to comprehensive state data security and privacy laws?
Account holders' social security numbers, maintained by a bank.
Users' sexual orientations, maintained by a social media website
Individual drivers' license numbers, maintained by a state agency.
Contact details of individuals who report emergencies, maintained by local authorities
The Answer Is:
A
Explanation:
Social security numbers (SSNs) are one of the most sensitive types of personally identifiable information (PII) and are subject to comprehensive data security and privacy laws at both the federal and state levels. Banks, as financial institutions, are subject to strict regulations under laws like the Gramm-Leach-Bliley Act (GLBA) and state privacy laws regarding the safeguarding of sensitive data like SSNs.
Why Social Security Numbers are Most Likely to Be Covered:
SSNs are a high-value target for identity theft, making their protection a focus of numerous privacy and data security laws.
Federal laws like GLBA and the Fair Credit Reporting Act (FCRA) impose strict data security requirements on financial institutions.
State laws, such as those in California, often require businesses to protect SSNs and notify individuals in the event of a breach involving sensitive information.
Explanation of Options:
A. Account holders' social security numbers, maintained by a bank: This is correct because SSNs are consistently protected under comprehensive laws at both the federal and state levels.
B. Users' sexual orientations, maintained by a social media website: While sexual orientation may be considered sensitive data under certain laws (e.g., GDPR in the EU), U.S. privacy laws do not consistently regulate this information.
C. Individual drivers' license numbers, maintained by a state agency: While some states regulate drivers' license data, this information is not comprehensively covered under state privacy laws.
D. Contact details of individuals who report emergencies, maintained by local authorities: This information is regulated in limited circumstances (e.g., Freedom of Information Act or public records laws) but is not subject to comprehensive state privacy laws.
References from CIPP/US Materials:
GLBA and FCRA: Highlight the importance of safeguarding sensitive financial information such as SSNs.
State Data Breach Notification Laws: Many states explicitly list SSNs as a protected data element.