IAPP CIPP-US - Certified Information Privacy Professional/United States (CIPP/US)

The Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act is a law passed in 2003 that establishes the first national standards for the sending of commercial e-mail in the United States. The law requires the Federal Trade Commission (FTC) to enforce its provisions. The law applies to any commercial e-mail message, which is defined as any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service. The law does not apply to transactional or relationship messages, which are messages that facilitate an agreed-upon transaction or update a customer about an existing business relationship. The law also does not apply to non-commercial messages, such as political or charitable solicitations12

The CAN-SPAM Act is intended to help consumers by giving them more control over the commercial e-mails they receive. The law does not require companies to obtain prior consent (opt-in) from consumers before sending them commercial e-mails, but it does require companies to honor consumers’ requests to stop receiving such e-mails (opt-out). The law specifies that each commercial e-mail message must include a clear and conspicuous notice of the opportunity to decline to receive further messages from the sender, and a valid physical postal address of the sender. The sender must provide a functioning return e-mail address or other Internet-based mechanism that allows the recipient to submit an opt-out request. The sender must honor the opt-out request within 10 business days and must not sell, exchange, or transfer the e-mail address of the opt-out requester to another entity, unless the other entity is acting as an agent of the sender12

By requiring companies to allow consumers to opt-out of future e-mails, the CAN-SPAM Act aims to reduce the amount of unwanted and unsolicited commercial e-mail that consumers receive, and to protect their privacy and preferences. The law also imposes other requirements on companies that send commercial e-mails, such as banning false or misleading header information and deceptive subject lines, requiring the identification of the message as an advertisement, and requiring the labeling of sexually explicit content. The law also authorizes the FTC and other federal agencies to enforce the law and impose civil penalties for violations12

References:

Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM Act)

IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 4: Federal Privacy Laws, Section 4.4: The CAN-SPAM Act

According to the HIPAA Security Rule, covered entities are responsible for ensuring that their business associates comply with the security standards and safeguards required by the rule. This includes conducting due diligence to assess the business associate’s security capabilities and practices, and monitoring their performance and compliance. Failure to do so may result in a violation of the rule and a penalty by the HHS. In this scenario, HealthCo did not perform due diligence on CloudHealth before entering the contract, and did not conduct audits of CloudHealth’s security measures. This is the most significant reason why HHS might impose a penalty on HealthCo, as it indicates a lack of oversight and accountability for the protection of ePHI. References:

HIPAA Security Rule

HIPAA Business Associate Contracts

HIPAA Enforcement and Penalties

A cookie is a small piece of data that a website sends to a user’s browser and stores on the user’s device, usually for the purpose of remembering the user’s preferences, settings, or actions1.

A cookie notice is a message that informs the user about the website’s use of cookies and the user’s choices regarding the acceptance or rejection of cookies2.

A legal choice is the mechanism that the website provides to the user to express their consent or dissent to the use of cookies2.

There are different types of legal choices for cookie notices, depending on the applicable laws and regulations, such as the General Data Protection Regulation (GDPR) in the European Union or the California Consumer Privacy Act (CCPA) in the United States34.

The four types of legal choices mentioned in the question are:

Mandatory: The website does not allow the user to access the site unless they accept the use of cookies. This type of choice is generally considered unlawful and non-compliant with the GDPR and the CCPA34.

Implied consent: The website assumes that the user consents to the use of cookies by continuing to browse the site or by dismissing the cookie notice. This type of choice is often used by websites that operate in the U.S. or other jurisdictions that do not have strict cookie laws, but it may not be sufficient for the GDPR or the CCPA34.

Opt-in: The website requires the user to explicitly agree to the use of cookies by clicking a button or checking a box. This type of choice is usually compliant with the GDPR and the CCPA, as it ensures that the user gives informed and affirmative consent34.

Opt-out: The website allows the user to reject the use of cookies by clicking a link or changing their browser settings. This type of choice is also compliant with the GDPR and the CCPA, as it gives the user the right to withdraw their consent at any time34.

Based on the description of the cookie notice in the question, the type of legal choice that the notice provides is implied consent, as the website does not explicitly ask for the user’s agreement, but rather assumes that the user accepts the use of cookies by using the site. The notice also provides a link for the user to opt out of cookies by setting their browser to refuse them.

References: 1: Cookie 2: Cookie Notice 3: INSIGHT: Website Cookies and Privacy—GDPR, CCPA, and Evolving Standards for Online Consent 4: Do You Need A Cookie Notice

Title VII of the Civil Rights Act of 1964 is a federal law that prohibits employment discrimination based on race, color, religion, sex, and national origin1 It also prohibits retaliation against individuals who assert their rights under the law or participate in an EEOC investigation1 Title VII applies to employers with 15 or more employees, as well as to employment agencies, labor organizations, and joint labor-management committees1

Title VII prohibits employers from making pre-employment inquiries that express a preference, limitation, or specification based on any of the protected characteristics, unless they are bona fide occupational qualifications (BFOQs)2 BFOQs are rare and narrowly construed exceptions that allow employers to consider a protected characteristic when it is reasonably necessary to the normal operation of the business2 For example, a religious organization may require its employees to share its faith, or a women’s shelter may hire only female counselors2

Option A is incorrect because questions about age are not prohibited by Title VII, but by the Age Discrimination in Employment Act of 1967 (ADEA), which protects individuals who are 40 years of age or older from employment discrimination based on age3 The ADEA generally prohibits employers from asking applicants about their age or date of birth, unless age is a BFOQ or the inquiry is part of a lawful affirmative action plan3

Option B is incorrect because questions about a disability are not prohibited by Title VII, but by the Americans with Disabilities Act of 1990 (ADA), which protects qualified individuals with disabilities from employment discrimination based on disability4 The ADA generally prohibits employers from asking applicants about whether they have a disability or the nature or severity of a disability, unless the inquiry is related to the ability to perform the essential functions of the job with or without reasonable accommodation4

Option C is incorrect because questions about a national origin are prohibited by Title VII, but not in all circumstances. Title VII prohibits employers from asking applicants about their national origin, ancestry, birthplace, native language, or accent, unless they are BFOQs or the inquiry is related to a legitimate business purpose, such as verifying eligibility to work in the United States or assessing language proficiency for a job that requires communication skills25

Option D is correct because questions about intended pregnancy are prohibited by Title VII, as amended by the Pregnancy Discrimination Act of 1978 (PDA), which protects women from employment discrimination based on pregnancy, childbirth, or related medical conditions. The PDA prohibits employers from asking applicants about whether they are pregnant or intend to become pregnant, unless they are related to the ability to perform the job. Such questions may indicate an intent to discriminate based on sex or pregnancy, or may deter women from applying for certain jobs.

References: 1: Title VII of the Civil Rights Act of 1964 | U.S. Equal Employment Opportunity Commission 2: Questions and Answers about Race and Color Discrimination in Employment | U.S. Equal Employment Opportunity Commission 3: Age Discrimination | U.S. Equal Employment Opportunity Commission 4: Disability Discrimination | U.S. Equal Employment Opportunity Commission 5: National Origin Discrimination | U.S. Equal Employment Opportunity Commission : Pregnancy Discrimination | U.S. Equal Employment Opportunity Commission

More than half of U.S. states require telemarketers to register with the state before conducting telemarketing activities. These registration requirements are part of state-level consumer protection laws aimed at regulating telemarketing practices to prevent fraud and abusive practices.

Why State Registration is Required:

Telemarketing registration requirements allow states to monitor and regulate telemarketers operating within their jurisdiction.

Registration ensures that telemarketers comply with state-specific rules, such as "Do Not Call" list regulations or prohibitions on deceptive practices.

States like Florida, New York, and California are examples of jurisdictions with telemarketing registration laws.

Explanation of Options:

A. Identify themselves at the beginning of a call:This is a requirement under the Federal Trade Commission's (FTC) Telemarketing Sales Rule (TSR), but it is not unique to state requirements.

B. Obtain written consent from potential customers:While obtaining consent may be required in specific situations (e.g., under the Telephone Consumer Protection Act - TCPA for autodialed calls), it is not the most common state-level requirement.

C. Register with the state before conducting business:This is correct. Registration with the state is one of the most common requirements for telemarketers under state laws.

D. Provide written contracts for customer transactions:Written contracts are not universally required for telemarketing; this depends on the type of product or service being sold.

References from CIPP/US Materials:

FTC Telemarketing Sales Rule (TSR): Covers general telemarketing rules but acknowledges additional state-specific requirements, such as registration.

State Telemarketing Laws: Examples include Florida's Telemarketing Act, which requires state registration.

 The Red Flags Rule is a regulation that requires financial institutions and creditors to implement a written identity theft prevention program that is designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account1. A creditor is any person who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew, or continue credit2. A covered account is an account that a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, such as a credit card account, mortgage loan, automobile loan, margin account, cell phone account, utility account, checking account, or savings account2. A money wire service is a service that allows customers to send or receive money electronically3. The owner of a grocery store who uses a money wire service is not a creditor because he or she does not regularly extend, renew, or continue credit to customers. Therefore, the Red Flags Rule does not apply to the owner of a grocery store who uses a money wire service. References:

1: FTC, Red Flags Rule, https://www.ftc.gov/business-guidance/privacy-security/red-flags-rule

2: FTC, Fighting Identity Theft with the Red Flags Rule: A How-To Guide for Business, https://www.ftc.gov/tips-advice/business-center/guidance/fighting-identity-theft-red-flags-rule-how-guide-business

3: Alessa, Wire Transfer Red Flags: Understanding Money Laundering and Fraud Risks, https://alessa.com/webinars/wire-transfer-red-flags-and-fraud-risks/

Under the Gramm-Leach-Bliley Act (GLBA), financial institutions are required to provide their customers with an annual privacy notice that explains how they collect, share, and protect customers' personal information. However, the GLBA Privacy Rule (16 CFR Part 313) was amended by the Fixing America’s Surface Transportation Act (FAST Act) in 2015, which introduced an exception to this requirement.

According to the FAST Act, financial institutions are not required to provide annual privacy notices if they meet two conditions:

No changes have been made to their privacy policy or practices since the last notice was sent to customers.

The financial institution does not share customers’ nonpublic personal information with nonaffiliated third parties in a way that triggers an opt-out requirement under GLBA.

Explanation of Options:

A. An insurance company that has no privacy department: This is irrelevant. The requirement to provide privacy notices depends on whether the organization falls under GLBA's definition of a "financial institution" and their compliance with privacy practices, not on the presence of a privacy department.

B. An auction house that also acts as a financial institution: If the auction house qualifies as a financial institution under GLBA (e.g., if it arranges financing), it would still need to comply with GLBA privacy requirements, including issuing annual privacy notices unless it qualifies for the exception.

C. A credit union that has made changes to its privacy notice from last year: If any changes are made to the privacy policy, the credit union must issue an updated privacy notice to its customers.

D. A credit union that has not made changes to its privacy notice from last year: This is the correct answer. If the credit union has not made any changes to its privacy notice and meets the FAST Act exception criteria (outlined above), it is not required to issue an annual privacy notice.

References from CIPP/US Materials:

GLBA Privacy Rule (16 CFR Part 313): This rule outlines the requirements for financial institutions to provide privacy notices.

FAST Act (2015) Amendment to GLBA Privacy Rule: This amendment introduced exceptions to the annual notice requirement for institutions that meet specific criteria.

IAPP CIPP/US Certification Textbook: Details the conditions under which GLBA exceptions apply and describes how the FAST Act impacted annual privacy notice requirements.

The USA FREEDOM Act is a law that was enacted in 2015 to reform the surveillance practices of the U.S. government. The law was a response to the revelations by Edward Snowden about the mass collection of phone records and internet data by the National Security Agency (NSA) under the authority of Section 215 of the USA PATRIOT Act. The USA FREEDOM Act ended the bulk collection of telephone data and internet metadata by the NSA, and instead required the government to obtain a specific order from the Foreign Intelligence Surveillance Court (FISC) to access such data from the telecommunication providers. The law also authorized the following practices:

Emergency exceptions that allow the government to target roamers: The law allows the government to temporarily target a non-U.S. person who is using a phone number or identifier of a U.S. person, without a court order, if there is an emergency situation that involves a threat of death or serious bodily harm. The government must obtain a court order within seven days to continue the surveillance.

An increase in the maximum penalty for material support to terrorism: The law increases the maximum prison term for providing material support or resources to a foreign terrorist organization from 15 years to 20 years.

An extension of the expiration for roving wiretaps: The law extends the sunset date for the roving wiretap provision of the USA PATRIOT Act, which allows the government to obtain a single order from the FISC to conduct surveillance on a target who switches devices or locations, without specifying the device or location. The law extends the expiration date from June 1, 2015 to December 15, 2019. References:

USA FREEDOM Act

USA FREEDOM Act Summary

USA FREEDOM Act FAQs