When may a financial institution share consumer information with non-affiliated third parties for marketing purposes?
After disclosing information-sharing practices to customers and after giving them an opportunity to opt in.
After disclosing marketing practices to customers and after giving them an opportunity to opt in.
After disclosing information-sharing practices to customers and after giving them an opportunity to opt out.
After disclosing marketing practices to customers and after giving them an opportunity to opt out.
According to the Gramm-Leach-Bliley Act (GLBA) and its implementing Regulation P, a financial institution may share consumer information with non-affiliated third parties for marketing purposes only after disclosing its information-sharing practices to customers and after giving them an opportunity to opt out of such sharing. The GLBA defines a customer as a consumer who has a continuing relationship with a financial institution that provides one or more financial products or services to be used primarily for personal, family, or household purposes. A consumer is an individual who obtains or has obtained a financial product or service from a financial institution that is to be used primarily for personal, family, or household purposes, or that individual’s legal representative. A non-affiliated third party is any person except a financial institution’s affiliate or a person employed jointly by a financial institution and a company that is not the financial institution’s affiliate. An affiliate is any company that controls, is controlled by, or is under common control with another company.
The GLBA requires that a financial institution provide a privacy notice to customers: (i) at the time of establishing the customer relationship; (ii) annually during the continuation of the customer relationship; and (iii) before disclosing any nonpublic personal information (NPI) about the customer to any non-affiliated third party, unless an exception applies. The privacy notice must describe the categories of NPI that the financial institution collects and discloses; the categories of affiliates and non-affiliated third parties to whom the financial institution discloses NPI; the categories of NPI disclosed to service providers and joint marketers; the policies and practices with respect to protecting the confidentiality and security of NPI; and the disclosures of NPI to which the customer has a right to opt out. The financial institution must also provide a reasonable means for the customer to opt out of the disclosure of NPI to non-affiliated third parties, such as a check-off box, a reply form, or a toll-free telephone number. The opt-out notice must be clear and conspicuous, and must state that the customer can opt out at any time. The opt-out notice must also explain how the customer can opt out, and the effect of opting out. The financial institution must honor the customer’s opt-out direction as soon as reasonably practicable after receiving it, and must not disclose any NPI to which the opt-out applies, unless an exception applies.
The GLBA provides several exceptions to the opt-out requirement, such as when the disclosure of NPI is necessary to effect, administer, or enforce a transaction requested or authorized by the customer; when the disclosure of NPI is required or permitted by law; when the disclosure of NPI is to a consumer reporting agency in accordance with the Fair Credit Reporting Act; or when the disclosure of NPI is to a person that performs marketing services on behalf of the financial institution or on behalf of the financial institution and another financial institution under a joint marketing agreement. A joint marketing agreement is a formal written contract between a financial institution and any other person under which the parties agree to offer, endorse, or sponsor a financial product or service. The joint marketing agreement must prohibit the other person from using or disclosing the NPI for any purpose other than offering, endorsing, or sponsoring the financial product or service covered by the agreement.
The GLBA also requires that a financial institution provide a privacy notice to consumers who are not customers before disclosing any NPI about the consumer to any non-affiliated third party, unless an exception applies. The financial institution does not need to provide an opt-out notice to consumers who are not customers, unless it has a customer relationship with them. However, if the financial institution establishes a customer relationship with a consumer who was previously not a customer, it must provide a privacy notice and an opt-out notice to the customer as described above.
References:
Guide to the Gramm–Leach–Bliley Act
GLBA or FCRA? Data Sharing Between Affiliates and Non-Affiliates
Existing Privacy Laws Already Regulate Information Sharing
Why Do Banks Share Your Financial Information and Are They Allowed To?
IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 5, pages 161-165.
Which law provides employee benefits, but often mandates the collection of medical information?
The Occupational Safety and Health Act.
The Americans with Disabilities Act.
The Employee Medical Security Act.
The Family and Medical Leave Act.
The Family and Medical Leave Act (FMLA) is a federal law that provides eligible employees with up to 12 weeks of unpaid, job-protected leave per year for certain family and medical reasons, such as the birth or adoption of a child, the serious health condition of the employee or a family member, or a qualifying exigency arising from the employee’s spouse, child, or parent being on covered active duty or call to covered active duty status in the Armed Forces. The FMLA also provides eligible employees with up to 26 weeks of unpaid, job-protected leave per year to care for a covered service member with a serious injury or illness if the employee is the spouse, child, parent, or next of kin of the service member. The FMLA applies to all public agencies, including state, local, and federal employers, and local education agencies (schools), and to private sector employers who employ 50 or more employees for at least 20 workweeks in the current or preceding calendar year.
The FMLA often requires employers to collect medical information from employees who request FMLA leave or from their health care providers to certify the need for leave, the duration of leave, and the employee’s ability to return to work. The FMLA regulations specify the type and amount of information that employers may request and require for different types of FMLA leave, such as:
Basic medical facts, such as the diagnosis, symptoms, hospitalization, doctor visits, whether medication has been prescribed, and any referrals for evaluation or treatment, for the employee’s own serious health condition or that of a family member.
Information on the medical necessity of intermittent leave or reduced schedule leave and the expected frequency and duration of such leave, for the employee’s own serious health condition or that of a family member, or for planned medical treatment.
A statement of the facts regarding the qualifying exigency, such as the type of military duty, the dates of the covered active duty, and the contact information of the military member, for leave due to a qualifying exigency arising from the employee’s spouse, child, or parent being on covered active duty or call to covered active duty status in the Armed Forces.
Information on the medical condition, treatment, and recovery of the covered service member, such as the date of injury or onset of illness, the current medical status, the prognosis, and the estimated time of treatment, for leave to care for a covered service member with a serious injury or illness.
The FMLA also imposes certain obligations on employers to protect the privacy and security of the medical information they collect from employees or their health care providers. For example, employers must:
Maintain records and documents relating to medical certifications, recertifications, or medical histories of employees or employees’ family members as confidential medical records in separate files/records from the usual personnel files, and if the Americans with Disabilities Act (ADA) applies, such records must be maintained in conformance with ADA confidentiality requirements.
Ensure that any electronic systems used to maintain such records meet the confidentiality requirements of the FMLA and the ADA, and that only authorized persons have access to such records.
Limit the disclosure of such records to supervisors and managers who need to know about an employee’s FMLA leave, first aid and safety personnel when an employee’s medical condition might require emergency treatment, and government officials investigating compliance with the FMLA.
Comply with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule when requesting medical information from an employee’s health care provider, such as obtaining a valid authorization from the employee or using a HIPAA-compliant certification form.
Refrain from requesting more information than allowed by the FMLA regulations, such as asking for an employee’s complete medical records or information unrelated to the FMLA leave request.
Respect the employee’s right to revoke a medical authorization or challenge a medical certification, and follow the procedures for resolving disputes over the validity or sufficiency of such documents.
References:
The Family and Medical Leave Act (FMLA)
FMLA Employee Guide
FMLA Employer Guide
FMLA Regulations
FMLA Forms
Which of the following is NOT a principle found in the APEC Privacy Framework?
Integrity of Personal Information.
Access and Correction.
Preventing Harm.
Privacy by Design.
The APEC Privacy Framework is a set of non-binding principles adopted by the Asia-Pacific Economic Cooperation (APEC) that aim to promote electronic commerce and protect information privacy in the region. The Framework is consistent with the core values of the OECD Guidelines on the Protection of Privacy and Trans-Border Flows of Personal Data, and reaffirms the value of privacy to individuals and to the information society. The Framework consists of nine principles: Preventing Harm, Notice, Collection Limitation, Use of Personal Information, Choice, Integrity of Personal Information, Security Safeguards, Access and Correction, and Accountability. Privacy by Design is not one of the principles in the APEC Privacy Framework, although it is a concept that is endorsed by the OECD Guidelines and other privacy frameworks. References: APEC Privacy Framework (2015), APEC Privacy Principles, IAPP CIPP/US Study Guide, Chapter 4.
The rules for “e-discovery” mainly prevent which of the following?
A conflict between business practice and technological safeguards
The loss of information due to poor data retention practices
The practice of employees using personal devices for work
A breach of an organization’s data retention program
E-discovery is the process by which parties share, review, and collect electronically stored information (ESI) to use as evidence in a legal matter.[1] The rules for e-discovery mainly prevent a conflict between business practice and technological safeguards, because they establish the standards and procedures for preserving, collecting, reviewing, and producing ESI in a way that balances the needs of litigation with the realities of technology.[2] For example, the Federal Rules of Civil Procedure (FRCP) provide guidance on the scope, timing, format, and methods of e-discovery, as well as the sanctions for failing to comply with e-discovery obligations.[3] The rules also encourage cooperation and communication among parties and courts to resolve e-discovery issues efficiently and effectively.[4] By following the rules for e-discovery, parties can avoid the disputes, delays, and costs that may arise from incompatible or inconsistent business and technological practices.
The other options are not the main purpose of the rules for e-discovery, although they may be related to or affected by them. The rules for e-discovery do not directly prevent the loss of information due to poor data retention practices, although they do impose a duty to preserve relevant ESI when litigation is reasonably anticipated.[5] The rules for e-discovery do not directly prevent the practice of employees using personal devices for work, although they do require parties to identify and disclose the sources of ESI that may be subject to discovery, including personal devices.[6] The rules for e-discovery do not directly prevent a breach of an organization’s data retention program, although they do require parties to produce ESI in a reasonably usable form and to protect privileged or confidential information.[7]
References: 1: Everything You Need to Know About E-Discovery, The National Law Review. 2: E-Discovery: The Basics of E-Discovery Guide - Exterro, Exterro.com. 3: Federal Court and Government Agency E-Discovery Rules and Guidelines, Crowell & Moring LLP. 4: FRCP Rule 1, Cornell Law School. 5: FRCP Rule 37, Cornell Law School. 6: FRCP Rule 26, Cornell Law School. 7: FRCP Rule 34, Cornell Law School.
The concept of data portability refers to what?
The practice of disclosing all the data sources one organization uses to enhance data collection from different social media platforms
The technical measures organizations use to empower consumers' control in case data is being transferred to service providers
The ability of individuals to obtain and reuse their personal data for their own purposes across different services.
The ability of individuals to easily change to another similar service provider if fees are unlawfully being raised
The concept of data portability refers to an individual’s right to access and transfer their personal data from one organization to another. It enables individuals to obtain and reuse their personal data for their own purposes across different services. For example, an individual can request their data from one service provider and transfer it to another provider, facilitating competition and giving consumers more control over their data.
This right is commonly associated with General Data Protection Regulation (GDPR) but is becoming more widely discussed in U.S. privacy contexts, such as under the California Consumer Privacy Act (CCPA) and similar state laws. Although the CCPA does not explicitly mention "data portability," the concept aligns with its provision that grants individuals the right to access their data in a portable and usable format.
Explanation of Options:
A. The practice of disclosing all the data sources one organization uses to enhance data collection from different social media platforms: This describes a data disclosure practice, not data portability.
B. The technical measures organizations use to empower consumers' control in case data is being transferred to service providers: This refers to technical controls but does not fully capture the essence of data portability.
C. The ability of individuals to obtain and reuse their personal data for their own purposes across different services: This is the correct answer and accurately defines data portability.
D. The ability of individuals to easily change to another similar service provider if fees are unlawfully being raised: While data portability might facilitate switching providers, it is not specifically tied to the issue of unlawful fee increases.
References from CIPP/US Materials:
GDPR Article 20: Provides the right to data portability in the EU.
CCPA Section 1798.100: Requires businesses to provide personal data in a readily usable format upon request.
IAPP CIPP/US Certification Textbook: Discusses data portability as part of consumer rights and privacy frameworks.
Under the Telemarketing Sales Rule, what characteristics of consent must be in place for an organization to acquire an exception to the Do-Not-Call rules for a particular consumer?
The consent must be in writing, must state the times when calls can be made to the consumer and must be signed
The consent must be in writing, must contain the number to which calls can be made and must have an end date
The consent must be in writing, must contain the number to which calls can be made and must be signed
The consent must be in writing, must have an end date and must state the times when calls can be made
The Telemarketing Sales Rule (TSR) is a federal regulation that applies to telemarketing calls, which are defined as "a plan, program, or campaign which is conducted to induce the purchase of goods or services or a charitable contribution, by use of one or more telephones and which involves more than one interstate telephone call."[1] The TSR requires telemarketers to make specific disclosures, prohibits misrepresentations, limits the times and number of calls, and sets payment restrictions for the sale of certain goods and services. The TSR also gives consumers the right to opt out of receiving telemarketing calls by registering their phone numbers on the National Do Not Call Registry.[2]
The TSR applies to both for-profit and not-for-profit organizations, but there are some exemptions and partial exemptions for certain types of entities, calls, and transactions. For example, the TSR does not apply to nonprofit organizations calling on their own behalf, as they are not considered to be engaged in telemarketing. However, if a nonprofit organization hires a for-profit telemarketer or telefunder to solicit charitable contributions on its behalf, the for-profit entity must comply with the TSR, as it is engaged in telemarketing. Similarly, the TSR does not apply to for-profit organizations calling businesses when a binding contract exists between them, as they are not considered to be inducing the purchase of goods or services. However, if a for-profit organization calls businesses to sell additional services to established customers, the TSR applies, as it is considered to be inducing the purchase of goods or services.[3]
Therefore, among the four options, only for-profit organizations and for-profit telefunders regarding charitable solicitations must comply with the TSR, as they are engaged in telemarketing and do not fall under any of the exemptions or partial exemptions. References: 1: eCFR :: 16 CFR Part 310 – Telemarketing Sales Rule, Section 310.2. 2: Telemarketing Sales Rule | Federal Trade Commission, Rule Summary. 3: Complying with the Telemarketing Sales Rule - Federal Trade Commission, Exemptions to the TSR.
Which of the following became the first state to pass a law specifically regulating the practices of data brokers?
Washington.
California.
New York.
Vermont.
Vermont became the first state to pass a law specifically regulating the practices of data brokers in 2018. The law defines a data broker as “a business, or unit or units of a business, separately or together, that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship.” The law requires data brokers to register with the Secretary of State, pay a registration fee, provide information about their data collection and opt-out practices, and implement security measures to protect the personal information they collect and sell. The law also imposes additional obligations on data brokers that possess the personal information of minors. The law aims to increase the transparency and accountability of the data broker industry and to protect the privacy rights of consumers.[1][2] References:
Registered Data Brokers in the United States: 2021 | Privacy Rights …
Am I A Data Broker?: A Quick Primer on State Laws Regulating a … - Taft
Based on the 2012 Federal Trade Commission report “Protecting Consumer Privacy in an Era of Rapid Change”, which of the following directives is most important for businesses?
Announcing the tracking of online behavior for advertising purposes.
Integrating privacy protections during product development.
Allowing consumers to opt in before collecting any data.
Mitigating harm to consumers after a security breach.
According to the FTC report, the most important directive for businesses is to adopt a “privacy by design” approach, which means integrating privacy protections throughout the entire product lifecycle, from initial design to disposal. This includes implementing reasonable security measures, collecting only the data needed for a specific purpose, retaining data only as long as necessary, and safely disposing of data that is no longer needed. The FTC report also recommends that businesses provide clear and transparent privacy notices, offer consumers meaningful choices about how their data is used, and increase their accountability for data practices. References: FTC Report, IAPP CIPP/US Study Guide (p. 32-33)
Which of the following would NOT constitute an exception to the authorization requirement under the HIPAA Privacy Rule?
Disclosing health information for public health activities.
Disclosing health information to file a child abuse report.
Disclosing health information needed to treat a medical emergency.
Disclosing health information needed to pay a third party billing administrator.
The HIPAA Privacy Rule requires covered entities to obtain an individual’s written authorization for any use or disclosure of protected health information (PHI) that is not for treatment, payment, or health care operations or otherwise permitted or required by the Privacy Rule. However, there are some exceptions to the authorization requirement for certain public interest-related activities, such as disclosing health information for public health activities, reporting child abuse, or treating a medical emergency. These exceptions are intended to balance the privacy interests of individuals with the public interest in protecting health and safety, promoting quality health care, and ensuring compliance with the law. Disclosing health information needed to pay a third party billing administrator is not one of the exceptions to the authorization requirement, as it is considered a payment activity that falls under the general rule of requiring authorization. Therefore, it is the correct answer to the question. References: Summary of the HIPAA Privacy Rule, HIPAA Exceptions, Exceptions to HIPAA Privacy Rule, Waiver of Authorization, IAPP CIPP/US Study Guide, Chapter 5.
The Video Privacy Protection Act of 1988 restricted which of the following?
Which purchase records of audio visual materials may be disclosed
When downloading of copyrighted audio visual materials is allowed
When a user’s viewing of online video content can be monitored
Who advertisements for videos and video games may target
The VPPA was enacted to prevent the wrongful disclosure of personally identifiable information (PII) concerning any consumer of a video tape service provider. PII includes information that identifies a person as having requested or obtained specific video materials or services from a video tape service provider. The VPPA prohibits such disclosure, except in certain limited circumstances, such as with the consumer’s informed, written consent, or pursuant to a law enforcement warrant, subpoena, or court order. The VPPA also allows the disclosure of the names and addresses of consumers, but not the title, description, or subject matter of any video tapes or other audio visual material, for the exclusive use of marketing goods and services directly to the consumer, unless the consumer has opted out of such disclosure. The other options (B, C, and D) are not restricted by the VPPA. References:
Video Privacy Protection Act - Wikipedia
18 U.S. Code § 2710 - Wrongful disclosure of video tape rental or sale records | U.S. Code | US Law | LII / Legal Information Institute
IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 3: Federal Privacy Laws and Regulations, Section 3.5: Video Privacy Protection Act (VPPA)
