Unlock Your Privacy Career: Master IAPP CIPP-US with Our Cutting-Edge Prep
Which of the following most accurately describes the regulatory status of pandemic contact-tracing apps in the United States?
Correct: C
In the United States, pandemic contact-tracing apps are regulated under a patchwork of federal and state privacy laws, rather than a single, comprehensive framework. Contact-tracing initiatives often involve the collection and processing of sensitive data, including location and health information, which may fall under different legal regimes depending on the jurisdiction and type of data.
Key Regulations Affecting Contact-Tracing Apps:
State Privacy Laws:
States such as California (via the California Consumer Privacy Act - CCPA) and others have privacy laws that may apply to contact-tracing apps, particularly when personal data is collected or shared.
State-level health privacy laws may also govern how health-related data is collected and used.
HIPAA:
HIPAA (Health Insurance Portability and Accountability Act) applies only if the app is used by or on behalf of a covered entity (e.g., healthcare providers or health plans). If the app is operated by a private company without a connection to a HIPAA-covered entity, HIPAA likely does not apply.
Federal Guidance:
The Federal Trade Commission (FTC) enforces general privacy protections under Section 5 of the FTC Act, which prohibits unfair or deceptive practices.
The FTC has also issued guidance on privacy considerations for health-related apps.
Other Federal and Sector-Specific Laws:
If the app collects health-related data, it could also trigger obligations under laws like the Americans with Disabilities Act (ADA) or sector-specific rules.
Explanation of Options:
A. Contact tracing is covered exclusively under the Health Insurance Portability and Accountability Act (HIPAA): This is incorrect. HIPAA applies only to covered entities and their business associates, not broadly to all contact-tracing apps or initiatives.
B. Contact tracing is regulated by the U.S. Centers for Disease Control and Prevention (CDC): This is incorrect. While the CDC provides guidance and recommendations for public health, it does not have regulatory authority over contact-tracing apps.
C. Contact tracing is subject to a patchwork of federal and state privacy laws: This is correct. Contact-tracing apps in the U.S. are governed by various federal, state, and sector-specific laws, creating a patchwork regulatory framework.
D. Contact tracing is not regulated in the United States: This is incorrect. While there is no single regulatory framework for contact tracing, the practice is subject to multiple federal and state laws.
Reference from CIPP/US Materials:
IAPP CIPP/US Certification Textbook: Discusses the application of HIPAA, state privacy laws, and federal regulations to health-related technologies, including contact-tracing apps.
FTC Guidance on Health Apps: Details privacy considerations for app developers handling health-related data.
Which power was NOT granted to the California Privacy Protection Agency by the California Privacy Rights Act (CPRA)?
Correct: C
The California Privacy Rights Act (CPRA), which amends the California Consumer Privacy Act (CCPA), created the California Privacy Protection Agency (CPPA). This agency has been granted significant authority to regulate and enforce California privacy laws, but it does not have the authority to override decisions made by the California Attorney General regarding CCPA enforcement.
Powers Granted to the CPPA by the CPRA:
Adopting and Updating CCPA Regulations:
The CPPA has rulemaking authority, meaning it can adopt, amend, and update CCPA regulations to clarify obligations under the law.
This is explicitly stated in the CPRA.
Investigating Violations:
The CPPA can independently investigate potential violations of the CCPA, even without a complaint from a consumer.
Imposing Administrative Fines:
The CPPA has the authority to impose administrative fines for violations of the CCPA, which is critical for enforcing compliance.
Explanation of Option C:
While the CPPA has broad regulatory and enforcement powers, it cannot override decisions made by the Attorney General. The Attorney General retains certain oversight functions, particularly in transitioning enforcement authority to the CPPA. The CPPA's role is independent and complementary to that of the Attorney General, not one of supremacy.
Reference from CIPP/US Materials:
California Privacy Rights Act (CPRA): Specifies the creation, powers, and responsibilities of the CPPA.
IAPP CIPP/US Certification Textbook: Discusses the CPPA's rulemaking and enforcement authority.
Which of the following data elements is most likely to be subject to comprehensive state data security and privacy laws?
Correct: A
Social Security numbers (SSNs) are one of the most sensitive types of personally identifiable information (PII) and are subject to comprehensive data security and privacy laws at both the federal and state levels. Banks, as financial institutions, are subject to strict regulations under laws like the Gramm-Leach-Bliley Act (GLBA) and state privacy laws regarding the safeguarding of sensitive data like SSNs.
Why Social Security Numbers are Most Likely to Be Covered:
SSNs are a high-value target for identity theft, making their protection a focus of numerous privacy and data security laws.
Federal laws like GLBA and the Fair Credit Reporting Act (FCRA) impose strict data security requirements on financial institutions.
State laws, such as those in California, often require businesses to protect SSNs and notify individuals in the event of a breach involving sensitive information.
Explanation of Options:
A. Account holders' social security numbers, maintained by a bank: This is correct because SSNs are consistently protected under comprehensive laws at both the federal and state levels.
B. Users' sexual orientations, maintained by a social media website: While sexual orientation may be considered sensitive data under certain laws (e.g., GDPR in the EU), U.S. privacy laws do not consistently regulate this information.
C. Individual drivers' license numbers, maintained by a state agency: While some states regulate drivers' license data, this information is not comprehensively covered under state privacy laws.
D. Contact details of individuals who report emergencies, maintained by local authorities: This information is regulated in limited circumstances (e.g., Freedom of Information Act or public records laws) but is not subject to comprehensive state privacy laws.
Reference from CIPP/US Materials:
GLBA and FCRA: Highlight the importance of safeguarding sensitive financial information such as SSNs.
State Data Breach Notification Laws: Many states explicitly list SSNs as a protected data element.
More than half of U.S. states require telemarketers to do which of the following?
Correct: C
More than half of U.S. states require telemarketers to register with the state before conducting telemarketing activities. These registration requirements are part of state-level consumer protection laws aimed at regulating telemarketing practices to prevent fraud and abusive practices.
Why State Registration is Required:
Telemarketing registration requirements allow states to monitor and regulate telemarketers operating within their jurisdiction.
Registration ensures that telemarketers comply with state-specific rules, such as 'Do Not Call' list regulations or prohibitions on deceptive practices.
States like Florida, New York, and California are examples of jurisdictions with telemarketing registration laws.
Explanation of Options:
A. Identify themselves at the beginning of a call: This is a requirement under the Federal Trade Commission's (FTC) Telemarketing Sales Rule (TSR), but it is not unique to state requirements.
B. Obtain written consent from potential customers: While obtaining consent may be required in specific situations (e.g., under the Telephone Consumer Protection Act - TCPA for autodialed calls), it is not the most common state-level requirement.
C. Register with the state before conducting business: This is correct. Registration with the state is one of the most common requirements for telemarketers under state laws.
D. Provide written contracts for customer transactions: Written contracts are not universally required for telemarketing; this depends on the type of product or service being sold.
Reference from CIPP/US Materials:
FTC Telemarketing Sales Rule (TSR): Covers general telemarketing rules but acknowledges additional state-specific requirements, such as registration.
State Telemarketing Laws: Examples include Florida's Telemarketing Act, which requires state registration.
In the U.S., it is a best practice (and in some states a requirement) to conduct a data protection assessment in which instance?
Correct: D
In the U.S., it is a best practice and, in some states, a requirement to conduct a data protection impact assessment (DPIA) or similar evaluation when technology is used to monitor employees. This practice aligns with privacy principles aimed at ensuring that monitoring practices are proportionate, necessary, and lawful, while minimizing potential harm to employees' privacy.
Why Conduct a DPIA When Monitoring Employees?
Employee Privacy Risks: Monitoring technologies, such as video surveillance, keystroke logging, or location tracking, can significantly impact employees' privacy. Assessments help evaluate these risks and ensure compliance with applicable privacy laws.
State-Specific Requirements: Some states, like California under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), require businesses to implement privacy safeguards, including assessments for high-risk activities involving sensitive data.
Best Practices: Even when not legally required, conducting a DPIA demonstrates accountability and helps mitigate risks associated with employee privacy violations.
Explanation of Options:
A. When a background check is used as part of the hiring process: While background checks involve sensitive data and compliance with laws like the Fair Credit Reporting Act (FCRA), a DPIA is not typically required for this process. Instead, consent and notice are emphasized.
B. When any information is processed by a corporation: This is too broad. DPIAs are generally reserved for high-risk activities involving sensitive data or technologies, not for all data processing activities.
C. When trade secrets are shared with a third party: Sharing trade secrets involves contractual and confidentiality measures, but it does not usually necessitate a data protection assessment unless personal data is also involved.
D. When technology is used to monitor employees: This is correct. Monitoring employees with technology poses significant privacy risks, making it a best practice (and sometimes a requirement) to assess the impacts on privacy and ensure compliance with state and federal laws.
Reference from CIPP/US Materials:
California Privacy Rights Act (CPRA): Introduces risk assessments for certain data processing activities.
IAPP CIPP/US Certification Textbook: Discusses privacy risks associated with employee monitoring and the importance of impact assessments.