CIPP/US Practice Questions
Terms in this set (361)
The U.S. Constitution establishes what three branches of government?
Legislative, Executive, Judicial
What establishes the three branches of the U.S. Government?
The U.S. Constitution
What is the purpose of the three-branch government design?
To provide a separation of powers with a system of checks and balances among the branches.
What similarities are found between state and federal government?
The three branches are also often found at the state and often the local levels.
What is the legislative branch's make-up?
The legislative branch is made up of elected representatives who write and pass laws. It includes the Congress (House and Senate).
What does the legislative branch do?
Congress confirms presidential appointees, and can override vetoes.
What are the duties of the executive branch?
The executive branch's duties are to enforce and administer the law.
Who makes up the executive branch?
The President, Vice President, cabinet, and federal agencies (such as the FTC).
What can the executive branch do?
President appoints federal judges. It can veto laws passed by Congress.
What can the judicial branch do?
The Judicial branch determines whether the laws are constitutional. It also interprets laws, the meaning of a law, and how it is applied. It can also examine the intent behind a law's creation.
What is the judicial branch?
The Federal Courts.
What two parts make up the U.S. Congress?
The Senate and the House of Representatives (legislative branch)
What can Congress do when enacting legislation?
Congress can delegate the power to promulgate regulations to federal agencies (such as the FTC).
What laws has Congress enacted involving the FTC?
Congress has enacted several laws that give the U.S. Federal Trade Commission the authority to issue regulations to implement the laws.
Does the executive branch include federal agencies that report directly to the President?
What do federal agencies in the executive branch do?
They implement the laws through rule making and enforce the laws through civil and criminal procedures.
What are the lowest courts called in the federal court system (judicial branch)?
District Courts. These serve as federal trial courts.
Cases decided by a district court can be referred to what?
A federal appellate court (also called a "circuit court").
What do federal circuit courts do?
They are not trial courts; they serve as appeals courts for federal cases.
The federal appeals courts are divided into how many circuits?
12 regional circuits; each district court is assigned to an appeals court, which decides the appeals for that circuit.
What are the other federal courts called?
Special courts include the U.S. Court of Federal Claims and the U.S. Tax Court.
What is the top court in the judicial branch?
The U.S. Supreme Court.
What does the U.S. Supreme Court do?
Hears appeals from the circuit courts and decides questions of federal law; also interprets the U.S. Constitution. May also hear appeals from the highest state courts or function as a trial court in rare instances.
In what circumstances do federal agencies wield power that is characteristic of all three branches of government?
When they are given authority by Congress to promulgate and enforce rules pursuant to law. This means they operate under statutes that give them legislative power to issue rules, executive power to investigate and enforce violations of rules/statutes, and judicial power to settle particular disputes.
What are the sources of law in the U.S.?
Federal and state constitutions, legislation, case law (contracts and torts), and agency-issued regulations.
What is the supreme law in the U.S.?
Who drafted the Constitution and when?
The Constitutional Convention drafted the Constitution in 1787.
True/False: The U.S. Constitution does not contain the word "Privacy".
Which parts of the Constitution directly affect privacy?
The Fourth Amendment limits on government searches.
Which Supreme Court decisions affect privacy?
The S.C. has held that a person has a right to privacy over personal issues such as contraception and abortion, arising from more general protections of due process of law.
What are other sources of law affecting privacy?
State constitutions may create stronger rights than are provided in the U.S. Constitution.
Which state expressly recognizes a right to privacy in its constitution?
What areas are regulated by laws enacted by federal Congress and state legislatures?
applications of information (use of information for marketing or pre-employment screening), certain industries (such as financial institutions or healthcare providers), certain data elements (SSNs or driver's license info), or specific harms (identity theft or children's online privacy)
How is law-making power distributed in the U.S.?
Law-making power is shared between the national and state governments.
What does the U.S. Constitution say about laws under the Constitution?
It states that the Constitution and the laws passed pursuant to it are "the supreme law of the land."
When do states have the power to make laws?
Where federal law does not prevent it, states have the power to make law.
Which Amendment to the Constitution states "the powers not delegated to the United States by the Constitution, nor prohibited by it to the States, are reserved to the States respectively, or to the people."?
The Tenth Amendment to the Constitution.
What is one area of law where states may pass privacy/other laws with stricter requirements than federal law?
HIPAA medical privacy rule.
In which areas do federal laws pre-empt state laws, preventing states from passing stricter provisions?
Limits on commercial e-mails in the CAN-SPAM Act.
What is the CAN-SPAM Act?
Controlling the Assault of Non-Solicited Pornography and Marketing Act.
Aside from the ability to make and enforce laws and regs, what does the U.S. legal system rely on?
"1. Legal precedent based on court decisions
2. Doctrines implicit in legal precedent
3. Customs and uses of legal precedent"
What are two key areas of the common law?
Contracts and torts.
What regulatory agencies are required by law to issue regulations and rules?
FTC (Federal Trade Commission) or the FCC (Federal Communications Commission).
What do rules and regulations passed by regulatory agencies do?
These rules and regulations place specific compliance expectations on the marketplace.
In what year was the CAN-SPAM Act passed?
Which entity passed the CAN-SPAM Act?
What does the CAN-SPAM Act require?
CAN-SPAM Act requires the senders of commercial e-mail messages to offer an "opt-out" option to recipients of those messages.
Which agencies enforce the CAN-SPAM Act?
FTC and FCC.
What does the CAN-SPAM Act allow the FTC and FCC to do?
It provides the FTC and the FCC with the authority to issue regulations that set forth exactly how the opt-out mechanism must be offered and managed.
What is case law?
Case law refers to the final decisions made by judges in court cases.
How is case law utilized by the courts?
When similar issues arise in the future, judges look to past decisions as precedents and decide the new case in a manner consistent with past decisions.
What is common law?
Common law refers to legal principles that have developed over time in judicial decisions (case law), often drawing on social customs and expectations.
True/false: common law contrasts with law created by statute.
What is stare decisis?
It refers to a following of past precedent; stare decisis is a Latin term meaning "to let the decision stand."
How do precedents handle the passing of time?
As time passes, precedents often change to reflect technological and societal changes in values and laws.
What are common law's rules in regards to privacy?
Common law upholds special privilege rules, even in the absence of statutes protecting that confidentiality.
Name two special privilege rules.
"1. Doctor-patient privilege
2. attorney-client confidentiality."
What is a judgment entered by consent of the parties whereby the defendant agrees to stop alleged illegal activity?
Does a consent decree typically admit guilt or wrongdoing?
How are the courts involved in a consent decree?
The document is approved by a judge.
What does a consent decree accomplish?
It formalizes an agreement reached between a federal or state agency and an adverse party.
What are the contents of the consent decree?
It describes the actions that the defendant will take and the decree may be subject to a public comment period.
How much power does a consent decree hold?
Once approved, the consent decree has the effect of a court decision.
In what area has the FTC entered into numerous consent decrees with companies as a result of alleged violations of privacy laws?
COPPA has allowed for several consent decrees, which require violators to pay money to the government and agree not to violate the relevant law in the future.
What services do federal agencies provide?
"1. promulgate rules and enforce them; 2. provide guidance in the form of opinions."
How are agency opinions interpreted and used?
They do not carry the weight of law, but do give specific guidance to interested parties trying to interpret agency rules and regulations.
What is a legally binding agreement enforceable in a court of law?
What provisions might a privacy contract contain?
data usage, data security, breach notification, jurisdiction, and damages. (A contract between an EU company and a US data processor might include a provision requiring the US company to be Safe Harbor certified/abide by the framework.)
True/false: Every agreement is a legally binding contract.
False. There are three fundamental requirements for forming a binding contract.
What are the three factors required to form a contract?
Offer, Acceptance, Consideration.
What is the proposed language to enter into a bargain?
Which terms of the offer must be specific and definite?
Price, quantity, and description.
What ends the original offer?
What actions must be taken with an offer for it to qualify to form a contract?
The offer must be communicated to another person and remain open until it is accepted, rejected, retracted or has expired.
What is acceptance?
The assent or agreement by the person to whom the offer was made that the offer is accepted.
What requirements must the acceptance meet?
The acceptance must comply with the terms of the offer and must be communicated to the person who proposed the deal.
What is the bargained-for exchange?
What is consideration?
The legal benefit received by one person and the legal detriment imposed on the other person.
What forms does consideration typically take?
Consideration usually takes the form of money, property or services.
True/False: An agreement without consideration is not a contract.
When may a privacy notice constitute a contract?
If a consumer provides data to a company based on the company's promise to use the data in accordance with the terms of the notice.
What is a tort?
Torts are civil wrongs recognized by law as the grounds for lawsuits. These wrongs are those that result in an injury or harm that constitutes the basis for a claim by the injured party.
What are the goals of tort law?
"a. provide relief for damages incurred;
b. deter others from committing the same wrongs."
What are the three tort categories?
Intentional torts, negligent torts, and strict liability torts.
What is an Intentional tort?
These are wrongs that the defendant knew / should have known would occur through their actions or inactions.
Give an example of an intentional tort.
Intentionally hitting a person or stealing personal information.
What is a negligent tort?
These occur when the defendant's actions were unreasonably unsafe.
Give an example of a negligent tort.
Causing a car accident by not obeying traffic rules or not having appropriate security controls.
What is a strict liability tort?
These are wrongs that don't depend on the degree of carelessness by the defendant, but are established when a particular action causes damage.
What are some examples of strict liability torts?
Product liability torts (concern potential liability for making and selling defective products without the need for the plaintiff to show negligence by the defendant).
When did the concept of a personal privacy tort enter U.S. jurisprudence?
The late 1890s.
What are some current privacy torts?
"a. intrusion on seclusion;
b. public revelation of private facts;
c. interfering with a person's right to publicity;
d. casting a person in a false light."
What is a defense to some of the traditional privacy torts?
The speaker is exercising free speech rights under the First Amendment.
What are some other, more recent, privacy-related torts considered by courts?
Allegations that a company was negligent for failing to provide adequate safeguards for PI, thus causing harm due to disclosure of the data. Lack of adequate safeguards therefore may expose a company to damages under tort law.
An entity with legal rights, including an individual ("natural person") or a corporation ("legal person")
authority of a court to hear a particular case
What two areas of the case must the court have jurisdiction over?
"1. subject matter jurisdiction
2. personal jurisdiction"
What is subject matter jurisdiction?
Jurisdiction over the type of dispute / cause of action.
What is personal jurisdiction?
Jurisdiction over the parties (often based on their location)
True/false: Government agencies do not have jurisdictional limits.
A superior government's ability to have its laws supersede those of an inferior government
Give an example of pre-emption.
the U.S. federal government has mandated that state governments cannot regulate e-mail marketing; the federal CAN-SPAM Act preempts state laws that might impose greater obligations on senders of commercial electronic messages.
Define "private right of action"
Ability of an individual harmed by a violation of a law to file a lawsuit against the violator.
description of an organization's information management practices.
What are the two purposes of a notice?
"1. consumer education
2. corporate accountability"
What does the typical notice contain?
It tells the individual what information is collected, how the information is used and disclosed, how to exercise any choices about uses or disclosures,and whether the individual can access or update the information.
True/false: U.S. privacy laws have additional notice requirements.
Who can legally enforce the promises made in a company's privacy notice?
Federal Trade Commission and states.
What are two other names for privacy notices?
"a. privacy statements
b. privacy policies (however, often internal only)"
Often used to refer to the internal standards used within the organization.
Define Privacy Notice.
Refers to an external communication, issued to consumers, customers, or users.
The ability to specify whether personal information will be collected and/or how it will be used or disclosed.
In what two forms is choice recognized?
express or implied.
an affirmative indication of choice based on an express act of the person giving the consent.
Give an example of "opt-in" behavior.
A person opts in if he says yes when asked, "May we share your information?" Failure to answer would result in the information not being shared.
a choice can be implied by the failure of the person to object to the use or disclosure.
Given an example of "opt-out" behavior
A company says "Unless you tell us not to, we may share your information." The person then has the ability to opt out of the sharing by saying no. Failure to answer would result in the information being shared.
What defines "meaningful" choice?
Where choice is offered, it should be meaningful, which is that it should be based on a real understanding of the implication of the decision.
Access is the ability to view personal information held by an organization.
What can be used to supplement access?
Updates or corrections to the information may be allowed.
What do U.S. laws often require around access?
They often provide for access and correction when the information is used for any type of substantive decision making, such as for credit reports.
At the federal level, which agencies engage in regulatory activities concerning the private sector?
FTC, federal banking regulatory agencies (Consumer Financial Protection Bureau, Federal Reserve, Office of the Comptroller of the Currency), the FCC, DOT, Dept. of Health and Human Services through its Office for Civil Rights.
What role does the Department of Commerce play in privacy?
What authority does the FTC have re: privacy in the private sector?
General authority to enforce against "unfair and deceptive trade practices."
In which areas does the FTC have specific regulatory authority?
"1. marketing communications;
2. children's privacy"
Who brings privacy-related enforcement actions at the state level?
State Attorneys General
On what basis are state privacy enforcement actions brought?
pursuant to state laws prohibiting unfair and deceptive practices.
What role does the State Attorney General serve?
Serves as the chief legal advisor to the state government and as the state's chief law enforcement officer
Which states have successfully pursued privacy actions related to unfair and deceptive practices?
Minnesota and Washington.
Give examples of self-regulatory regimes.
Network Advertising Initiative, Direct Marketing Association, Children's Advertising Review Unit.
True/false: some trade associations issue rules or codes of conduct for members.
Give an example of a regulatory setting where government-created rules expect companies to sign up for self-regulatory oversight.
The Safe Harbor for companies that transfer personal information from the EU to the US.
What six questions are necessary to understand a law, statute, or regulation?
"1. Who is covered by this law?
2. What types of information (and what uses of information) are covered?
3. What exactly is required or prohibited?
4. Who enforces the law?
5. What happens if I don't comply?
6. Why does this law exist?"
What are some reasons for knowing a law's scope when you don't have to follow it?
"1. the law may suggest good practices that you want to emulate
2. it may provide an indication of legal trends
3. it may provide a proven way to achieve a particular result (i.e. protecting individuals in a given situation)"
Give an example of a time when the costs of compliance with a law might exceed the risks of noncompliance for a period of time.
If a system is not compliant with a new law but is going to be replaced in a few months, a company may decide that the risks of noncompliance outweigh the costs and risk of trying to accelerate the system transition.
In which state was the first security breach notification law enacted?
What does the CA law regulate?
The CA Data Breach Notification Law regulates entities that do business in CA and that own or license computerized data, including PI.
To whom does the CA law apply?
It applies to natural persons, legal persons, and government agencies.
True/false: if you do business only in Montana or NY, you are still subject to this CA law.
Even if you do business in CA, what is required for this law to apply to you?
You must have computerized data.
What does the CA data breach law cover?
It regulates computerized PI of CA residents.
What is PI?
Personal information - an individual's name in combination with any one or more of (1) SSN, (2) CA identification card number, (3) Driver's License number, (4) financial account number or credit or debit card number in combination with any required security code, access code or password that would permit access to an individual's financial account, when either the name or the data elements are not encrypted.
True/False: If your databases contain only names and addresses, you are not subject to the CA law.
True/False: If your database contains only encrypted information, you are not subject to the CA law.
What does the CA Data Breach Notification law require or prohibit?
It requires you to disclose any breach of system security to any resident of CA whose unencrypted personal information was or is reasonably believed to have been acquired by an unauthorized person.
Define "breach of the security of the system".
Unauthorized acquisition of computerized data that compromises the security, confidentiality or integrity of personal information maintained by the person.
How must disclosure be carried out?
The disclosure must be made "in as expedient a manner as possible."
What is the exception to the CA law?
There is an exception for the good faith acquisition of PI by an employee or agent of the business, provided the PI is not used or subject to further unauthorized disclosure.
When is a delay in providing notice permissible?
When a delay is requested by law enforcement.
Who enforces the CA law?
The CA Attorney General enforces the law.
True/false: the law provides for a private cause of action.
What happens if one doesn't comply with the CA law?
The CA attorney general or any citizen can file a civil lawsuit against you, seeking damages and forcing you to comply.
Why does the CA data notification law exist?
SB 1386 was enacted because there is a fear that security breaches of computerized databases cause identity theft and individuals should be notified about the breach so that they can take steps to protect themselves. If you have a security breach that puts people at real risk of identity theft, you should consider notifying them even if you are not subject to this law.
What is the FTC?
The Federal Trade Commission is an independent agency governed by a chairman and four other commissioners.
True/False: The FTC's decisions are under the president's control.
What authority does the FTC have?
Authority to enforce against "unfair and deceptive trade practices", as well as specific statutory responsibility for issues such as (a) children's privacy online and (b) commercial e-mail marketing.
What are some of the ways that the FTC has played a prominent role in the development of US privacy standards?
Are there other federal agencies involved in privacy enforcement?
Yes, although the FTC plays a leading role.
What is civil litigation?
Civil litigation occurs in the courts, when one person (plaintiff) sues another person (defendant) to redress a wrong. Plaintiff often seeks monetary judgment from defendant. Plaintiff may also seek an injunction.
What is an injunction?
A court order mandating the defendant to stop engaging in certain behaviors. May be awarded to the plaintiff in civil litigation.
What are important categories of civil litigation?
Contracts and torts.
Describe a possible civil litigation scenario involving contracts.
A plaintiff might sue for breach of a contract that promised confidential treatment of personal information.
Describe a possible civil litigation scenario involving torts.
A plaintiff might sue for invasion of privacy where defendant surreptitiously took pictures in a changing room and broadcast the pictures to the public.
Do privacy rights ever create private rights of action?
Yes, and this allows an individual plaintiff to sue based on violations of the statute.
What does the Fair Credit Reporting Act allow?
It has a private right of action, which allows a person to sue a company if his consumer reports have been used inappropriately.
What is criminal litigation?
Criminal lit involves lawsuits brought by the government for violations of criminal laws.
How is criminal litigation different from civil litigation?
Civil lit involves an effort by a private party to correct specific harms. Criminal prosecution, brought by gov, can lead to imprisonment and criminal fines.
Who prosecutes criminal laws?
Department of Justice in the federal government. For states, the state attorney general and local officials (district attorney) usually have criminal prosecutorial power.
What are administrative enforcement actions?
These are carried out pursuant to the statutes that create and empower an agency, such as the FTC.
Where are the rules found for agency enforcement actions in the federal government?
the Administrative Procedure Act (APA).
What does the APA contain?
The APA sets forth basic rules for adjudication within an agency, where court-like hearings may take place before an administrative law judge.
What is the appeals process for agency enforcement actions?
Federal agency adjudications can generally be appealed to federal court.
True/false: A federal agency may sue a party in federal court, with the agency as the plaintiff in a civil action.
Which agencies are responsible for medical privacy?
Office for Civil Rights in the Department of Health and Human Services (HHS), for the Health Insurance Portability and Accountability Act (HIPAA)
Which agencies oversee financial privacy?
Consumer Financial Protection Bureau for financial consumer protection issues generally; federal financial regulators such as the Federal Reserve and the Office of Comptroller of the Currency, for institutions under their jurisdiction under the Gramm-Leach-Bliley Act (GLBA)
Which agencies are responsible for educational privacy?
Department of Education for the Family Educational Rights and Privacy Act.
Which agencies oversee telemarketing and marketing privacy?
Federal Communications Commission (along with the FTC) under the Telephone Consumer Protection Act and other statutes.
Which agencies are responsible for workplace privacy?
Equal Employment Opportunity Commission for the Americans with Disabilities Act and other anti-discrimination statutes.
Which federal department has been increasingly active in privacy, negotiating internationally on privacy issues with other countries/multinational groups such as the UN and OECD?
Department of Commerce.
Which agency is responsible for transportation companies under its jurisdiction and for enforcing violations of Safe Harbor agreement between US and EU?
Department of Transportation.
What is the name of the lead agency for interpreting the Privacy Act of 1974?
US Office of Management and Budget (OMB)
What are some of the other functions of the OMB?
OMB also issues guidance to agencies and contractors on privacy and information security issues, such as data breach disclosure and privacy impact assessments.
To which agencies does the Privacy Act of 1974 apply?
federal agencies and private sector contractors to those agencies.
Which Department is subject to privacy rules concerning tax records, including disclosures of such records in the private sector?
Internal Revenue Service (IRS)
Describe one way in which other parts of the Department of Treasury are also involved with financial records issues.
They are involved in money-laundering rules at the Financial Crimes Enforcement Network.
What are some of the privacy issues faced by the Department of Homeland Security?
E-Verify program for new employees, rules for air traveler records (Transportation Security Administration), and immigration and other border issues (Immigration and Customs Enforcement)
What agencies are affected by the increasing development of smart grid?
Smart grid development is making privacy an important issue for the electric utility system, involving the Department of Energy.
Which agency is affected by the increasing use of Unmanned Aerial Vehicles (drones)?
The surveillance implications have raised issues for the Federal Aviation Administration (FAA).
True/false: Almost every agency in the federal government is or may soon become involved with privacy in some manner within that agency's jurisdiction.
What is the sole federal agency to bring criminal enforcement actions, which can result in imprisonment or criminal fines?
Department of Justice.
Name one statute that provides for both civil and criminal enforcement.
Where a statute provides for both civil and criminal enforcement, how is jurisdiction apportioned?
Procedures exist for the roles of both HHS and the Department of Justice (in HIPAA's case).
When was the FTC founded?
For what purpose was the FTC founded?
FTC was founded to enforce antitrust laws.
What changes to the FTC mission were effected in 1938?
a statutory change caused the FTC mission to shift to a consumer protection focus.
True/False: Today, the FTC focuses on both antitrust law enforcement and consumer protection.
True/false: Today's FTC does not include privacy and computer security issues as an important part of its work.
What does it mean that the FTC is an "independent" agency?
It is governed by the decisions of its chairman and four other commissioners, instead of falling under the direct control of the president.
What is the single most important piece of US privacy law?
Section 5 of the FTC Act.
What does Section 5 of the FTC Act state?
"Unfair or deceptive acts or practices in or affecting commerce are hereby declared unlawful."
Does FTC Act Section 5 say anything specifically about privacy or information security?
True/false: The application of Section 5 to privacy and information security is clearly established today.
What marks the beginning of the FTC's enforcement of privacy violations?
The Fair Credit Reporting Act of 1970.
When did the FTC begin bringing privacy enforcement cases under its powers to address unfair and deceptive practices?
During the 1990s.
Name the ways in which Congress added privacy-related responsibilities to the FTC over time.
The Children's Online Privacy Protection Act (COPPA) of 1998 and the Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act of 2003.
What does Section 6 of the FTC Act do?
It vests the commission with the authority to conduct investigations and to require businesses to submit investigatory reports under oath.
To what does the FTC Act Section 5 apply and not apply?
It applies to "unfair and deceptive practices in commerce" and does not apply to nonprofit organizations. Its powers also do not extend to certain industries, such as banks and other federally regulated financial institutions, as well as common carriers such as the transportation and communications industries.
What other issues does the FTC retain authority over?
In addition to the authority granted under Section 5, the FTC retains separate and specific authority over privacy and security issues under other federal statutes.
Until the creation of which agency did the FTC issue rules and guidance for the Fair Credit Reporting act and Gramm-Leach-Bliley Act?
Consumer Financial Protection Bureau (CFPB)
What amended the Fair Credit Reporting Act?
The Fair and Accurate Credit Transactions Act of 2003.
What authorities does the CFPB hold?
Authority to issue rules and guidance for the FCRA and GLBA; it shares enforcement authority with the FTC for financial institutions that are not covered by a separate financial regulator.
Who is the rule-making and enforcement agency for COPPA?
With which agency does the FTC share rule-making and enforcement power under the Telemarketing Sales Rule and the CAN-SPAM Act?
With which agency does the FTC share rule-making and enforcement power for data breaches related to medical records under the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009?
Describe the FTC's regulation-issuing authority.
The FTC has general authority to issue regulations to implement protections against unfair and deceptive acts and practices.
Because the FTC's regulations on unfair and deceptive acts are not promulgated under the usual procedures of the Administrative Procedure Act, describe how they are handled.
Any such regulation must comply with the more complex and lengthy procedures under the Magnuson-Moss Warranty Federal Trade Commission Improvement Act of 1975.
True / false: as of recently, the FTC has not put forth any privacy or information security regulation under its Magnuson-Moss authority.
Describe the situation surrounding FTC and the APA rule-making authority.
FTC has supported congressional proposals to provide the FTC with APA rule-making authority; such proposals have not been successful to date, in part due to opposition from companies that are against increased regulation.
What begins the typical FTC enforcement action?
A claim that a company has committed an unfair or deceptive practice OR has violated a specific consumer protection law.
In what ways can the enforcement action be brought to the FTC's attention?
"1. press reports covering the questionable practices
2. complaints from consumer groups or competitors"
What options might the FTC exercise if the complaint is minor?
FTC may work with the company to resolve the problem without launching a formal investigation.
In what situations will the FTC proceed to full enforcement?
Where the violation is significant or there is a pattern of noncompliance.
What are some actions allowed under the FTC's broad investigative authority?
"1. subpoenas of witnesses
2. civil investigative demands
3. requirements for businesses to submit written reports under oath"
What may the commission do after an investigation?
The commission may initiate an enforcement action if it has reason to believe a law is being or has been violated. It issues a complaint.
What happens after the commission issues a complaint?
An administrative trial can proceed before an administrative law judge (ALJ).
Can the Administrative Law Judge's opinion be appealed?
Yes, it can be appealed to the five commissioners.
Can the decision of the five commissioners on appeal be appealed?
Yes, it can be appealed to the federal district court.
When does an order by the commission become final?
60 days after it is served on the company.
True/False: The FTC can assess civil penalties.
False, the FTC lacks authority to assess civil penalties.
What can the FTC do if its ruling is ignored?
It can seek civil penalties in federal court of up to $16,000 per violation and can seek compensation for those harmed by the unfair or deceptive practices.
True/False: Each violation of such an order is treated as a separate offense.
True/False: Each day the violator fails to comply with the order is considered a separate offense.
What can the court do if consumers are harmed by the act or practice?
The court can order "redress" or mandate an injunction against a violator.
Can additional penalties be assessed if a company does not respond to a complaint or order?
How have FTC privacy enforcement actions been settled in practice?
Through consent decrees and accompanying consent orders.
What is a consent decree?
In a consent decree, the respondent does not admit fault, but promises to change its practices.
Where are consent decrees posted?
Publicly on the FTC's website.
What can the details of these consent decrees be used to do?
The details of these decrees provide guidance about what practices the FTC considers inappropriate.
Once an individual or company has agreed to a consent decree, what can violations of that decree lead to?
Following an FTC investigation, it can lead to enforcement in the federal district court, including civil penalties as discussed above.
What can the federal court grant?
It can grant injunctions and other forms of relief.
Which FTC division monitors and litigates violations of consent decrees in cooperation with the Department of Justice?
The FTC's Enforcement Division within the Bureau of Consumer Protection.
True/false: Consent decree terms vary depending on the violation.
What does the consent decree usually state?
What affirmative actions the respondent needs to take and which practices the respondent must refrain from engaging in.
What does the consent decree require of the respondent?
To maintain proof of compliance with the decree; inform all related individuals of the consent decree obligations; provide the FTC with confirmation of its compliance with the decree; inform the FTC if company changes will affect the respondent's ability to adhere to its terms.
Can FTC respondents face civil penalties for noncompliance with a consent decree?
What are companies increasingly subjected to or required to do re: privacy cases?
Companies are subject to periodic outside audits or reviews of their practices, or they may be required to adopt and implement a comprehensive privacy program.
True/False: Over time, consent decrees have become more specific in nature.
What do the company and FTC have incentive to do?
Both have incentives to negotiate a consent decree rather than proceed with a full adjudication process.
Why would the company have incentives to negotiate?
The company avoids a prolonged trial, as well as negative, ongoing publicity; it also avoids the details of its business practices being exposed to the public.
Why would the FTC have incentives to negotiate?
It (1) achieves a consent decree that incorporates good privacy and security practices, (2) avoids the expense and delay of a trial, and (3) gains an enforcement advantage, due to the fact that monetary fines are much easier to assess in federal court if a company violates a consent decree.
What methods were used before the FTC began to use consent decrees in privacy cases?
The FTC's Bureau of Consumer Protection negotiated such decrees for other consumer protection issues under Section 5 of the FTC Act.
True/false: Review of nonprivacy decrees can be instructive for lawyers or others who seek to understand the FTC's approach to and priorities for consumer protection consent decrees.
What motivated the FTC and Commerce Department to begin convening public workshops and conducting other activities to highlight the importance of privacy protection on websites?
An increase in commercial activity on the Internet that became significant in the mid-1990s.
When did organizations begin to post public privacy notices on their websites?
What purpose do privacy notices serve?
Help inform customers about how their PI was being collected and used, as well as helping with enforcement purposes.
How do privacy notices help with enforcement?
If a company promised a certain level of privacy or security on a company website or elsewhere, and the company did not fulfill its promise, then the FTC considered that breach of promise a "deceptive" practice under Section 5 of the FTC Act.
Is there an omnibus federal law requiring companies to have public privacy notices?
No, Sector-specific statutes such as HIPAA, GLBA, and COPPA impose notice requirements
What does California require of companies and organizations doing in-state business?
To post privacy policies on their websites.
Where there is no legal requirement to do so, do the vast majority of commercial websites post privacy notices?
Yes, according to an FTC survey conducted in 2000.
What does the FTC investigate when a company posts a privacy notice?
Whether they adhere to their own policies; if not, the FTC will bring an enforcement action for deceptive trade practices.
What was the first FTC Internet privacy enforcement action?
In the Matter of GeoCities, Inc.
What are the facts of the GeoCities case?
GeoCities operated a website that provided an online community through which users could maintain personal home pages. To register and become a member of GeoCities, users were required to fill out an online form that requested PI, with which GeoCities created an extensive info database. GeoCities promised on its website that the collected information would not be sold or distributed without user consent.
What was the basis of the GeoCities action brought by the FTC?
The enforcement action was for two separate unfair and deceptive practices. First, the FTC alleged that GeoCities misrepresented how it would use info collected from its users by reselling the information to third parties, which violated its privacy notice. Second, GeoCities collected and maintained children's PI without parental consent.
What was the outcome of the GeoCities action?
GeoCities settled the action and the FTC issued a consent order, which required GeoCities to post and adhere to a conspicuous online privacy notice that disclosed to users how it would collect and use PI. It was also required to obtain parental or guardian consent before collecting information from children 12 years of age or under.
When did FTC bring an action against Eli Lilly & Co?
What are the facts of Eli Lilly & Co case?
Eli Lilly is a pharmaceutical manufacturer that maintained a website where users would provide PI for messages and updates reminding them to take their medication. The website included a privacy notice that made promises about the security and privacy of the info provided. When Eli Lilly ended the program, it sent subscribers an e-mail announcement, inadvertently addressed to and revealing the e-mail addresses of all subscribers.
What was the basis of the enforcement action against Eli Lilly by the FTC?
It resulted in settlement terms, which required Eli Lilly to adhere to representations about how it collects, uses and protects user information. It also required, for the first time in an online privacy and security case, that Eli Lilly develop and maintain an information privacy and security program.
Before the Eli Lilly case, what had the FTC required of companies?
Only that they stop the current unfair and deceptive practices; after the settlement, it became clear that the scope of settlement terms had expanded to include implementation and evaluation of security programs.
When did the FTC bring an enforcement action against Microsoft Corp?
What was the basis of the FTC action against Microsoft?
The action concerned MS's security representations about info collected through its "Passport" website service. FTC alleged that representations of a high level of online security were misleading because the security of the PI was within the control, not of MS, but of MS's vendors and business partners. FTC also asserted that the Passport service collected and shared more info than disclosed in its privacy notice and claimed that the access controls for the children's website were inadequate.
What are the facts of the Microsoft action?
MS Passport was an online service that allowed customers to use a single sign-in to access multiple web services. MS made claims about the high level of security used to protect users' personal and financial information, as well as Passport's parental controls for its children's services.
How did the Microsoft action resolve?
MS settled the action with the FTC. MS was prohibited from making future misrepresentations about the security and privacy of its products and was required to adopt and implement a comprehensive info sec program. MS was required to undergo a biannual third-party audit to ensure compliance with its program terms.
What is the focus of early privacy and security enforcement actions?
What did the FTC add to its enforcement scope in 2004?
Unfair practices, as well as the previously-enforced deceptive practices.
Where is the scope of the term "unfairness" clarified?
In a 1980 policy statement and in 1994 amendments to the FTC Act.
What three things are required for an injury to be considered "unfair"?
The injury caused must be (1) substantial, (2) without offsetting benefits, and (3) one that consumers cannot reasonably avoid.
What was the first instance of the FTC basing an enforcement action on a company's material change to its PI-handling practices, as well as the first privacy case based on unfairness?
In the matter of Gateway Learning Corp, in 2004.
What are the facts of Gateway?
Gateway Learning Corporation marketed and sold popular educational aids under the "Hooked on Phonics" product line. Its website privacy notice stated that Gateway Learning would not sell, rent, or loan any PI without explicit customer consent. It also stated that Gateway would provide consumers with an opportunity to opt out of having their info shared if this practice changed. Gateway then began renting personal customer info to third-party marketers and advertisers without providing the opt-out. It later revised its website privacy notice to allow for disclosing to third-party advertisers and continued to rent consumer information without providing notice to customers about the change in policy.
What was the outcome of the Gateway case?
The consent decree stated that the retroactive application of material changes to the company's data sharing policy was an unfair trade practice. The settlement prohibited Gateway from sharing any PI collected from users under its initial privacy notice unless it obtained an affirmative opt-in from users. It also required Gateway to relinquish the money earned from renting consumer info.
In what 2005 enforcement action did the FTC allege that a company did not engage in reasonable security practices to protect the personal and financial information of its consumers?
In the Matter of BJ's Wholesale Club, Inc.
What security flaws caused the enforcement action against BJ's?
The complaint stated that BJ's failed to encrypt the information and failed to secure wireless networks to prevent unauthorized access, among other security lapses.
What are the facts of the BJ's case?
The security flaws caused substantial injury to consumers and resulted in almost eight hundred cases of customer identity theft.
What was the outcome of the BJ's case?
In the settlement, the consent decree required BJ's to implement a comprehensive infosec program, including regular audits. This was the first time the FTC alleged only unfair, and not deceptive, practices as the basis of a privacy or infosec case.
What did BJ's establish for all future FTC enforcement case scopes?
FTC established its view that failing to implement basic security controls to protect consumer info alone constitutes an enforceable unfair trade practice, without any need for the FTC to allege deception. Even without heightened security requirements under sector-specific statutes (HIPAA, COPPA, GLBA), companies now face potential enforcement action based on the FTC's Section 5 unfairness authority.
True/false: More recent actions indicate the FTC's willingness to impose stringent information-handling practices.
True. In addition to consent decrees with Google and Facebook, in 2010 Twitter entered a consent decree promising to protect privacy and security and to implement a comprehensive security program subject to outside audit.
What were the charges in the FTC's 2010 case against Google?
The charges were that Google engaged in deceptive trade practices and violated its own privacy policies with the launch of its Google Buzz social networking service.
What are the facts of the Google case?
Google Buzz was a social networking service integrated with Google's e-mail service, Gmail. When it launched, consumers were automatically enrolled in Buzz services without having to provide consent. Buzz also exposed PI harvested from Gmail to the public without making this clear to users. These actions conflicted with Google's privacy notice on its site.
What were the FTC assertions in their charges?
FTC alleged that automatic enrollment without prior notice and explicit consent was a deceptive trade practice. It also asserted that Google was in violation of the US-EU Safe Harbor Framework, which provides a method for US companies to transfer personal data from the EU to the US in compliance with EU data protection requirements.
Name one reason the Google settlement was noteworthy.
This consent decree was the first in which a company agreed to implement a "comprehensive privacy program." As of 2012, it was not clear what exact elements a "comprehensive" program should contain. However the term "comprehensive" seems to signal that the FTC believes privacy should be thoroughly integrated with product development and implementation. To enforce, Google agreed to undergo independent third-party privacy audits on a biannual basis.
Name a second reason the Google settlement was noteworthy.
The Google consent decree was the first substantial US-EU Safe Harbor enforcement by the FTC. Complaint stated that Google had represented it would use PI only for the purposes for which it was initially collected or consented to by users. The complaint stated that Google violated Section 5 and failed to live up to its promise to comply with the notice and choice principles of Safe Harbor.
When did the FTC settle an enforcement action for deceptive practices with Facebook?
What did the FTC's 8-count complaint allege, among other things, against Facebook?
FB deceived consumers by repeatedly making changes to services so that information designated as private was made public. This violated promises FB made in its privacy notice.
What did the FB settlement require?
Required FB to provide users with clear notice and obtain user consent before making retroactive changes to material privacy terms, and barred FB from making any further deceptive privacy claims. FB was also required to establish and maintain a comprehensive privacy program. FB must obtain biannual independent third-party audits of its privacy program for the next 20 years.
What does the FB case indicate?
Broader government efforts to hold companies accountable for information handling practices.
In what year did the Obama administration issue a report titled "Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy"
What report did the FTC issue that, together with the Obama framework, illustrates the evolution from earlier methods of privacy enforcement to current approaches?
"Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policy makers."
What was the FTC's primary method of enforcement used in the late 1990s?
"notice and choice approach" - emphasis was placed on having companies provide privacy notices on their websites and offering choice to consumers about whether info would be shared with third parties. Enforcement actions were based on deception and the failure to comply with a privacy promise rather than specific, tangible harm to consumers.
What enforcement method was adopted by Chairmen Muris and Majoras in the mid-2000s?
"harm-based model" - used in the Gateway and BJ's cases; placed new emphasis on addressing substantial injury, as required under the FTC's unfairness authority.
When did the FTC begin to include the requirement of a comprehensive privacy program in consent decrees?
Under Chairman Leibowitz in 2009, as referenced in the Obama and FTC reports of 2012.
The Obama report defines the "Consumer Privacy Bill of Rights" for commercial uses of personal data as encompassing what 7 rights?
"1. individual control;
3. respect for context;
5. access and accuracy;
6. focused collection;
Define "individual control."
Consumers have a right to exercise control over what personal data companies collect from them and how they use it.
Consumers have a right to easily understandable and accessible information about privacy and security practices.
Define "respect for context"
Consumers have a right to expect that companies will collect, use, and disclose personal data in ways that are consistent with the context in which consumers provide the data.
Consumers have a right to secure and responsible handling of personal data.
Define "access and accuracy"
Consumers have a right to access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data is inaccurate.
Define "focused collection"
Consumers have a right to reasonable limits on the personal data that companies collect and retain.
Consumers have a right to have personal data handled by companies with appropriate measures in place to assure they adhere to the Consumer Privacy Bill of Rights.
What does the Obama report recommend re: these 7 rights?
That they be included in federal legislation with the use of multistakeholder processes to develop enforceable codes of conduct until legislation is passed, emphasizing achieving international interoperability, including with trans-border cooperation on privacy enforcement (utilizing FTC).
What 3 areas does the FTC emphasize as themes?
"1. Privacy by Design;
2. Simplified consumer choice;
Privacy by Design is what?
Companies should promote consumer privacy throughout their org and at every stage in the development of their products and services. Companies should incorporate substantive privacy protections into their practices, such as data security, reasonable collection limits, sound retention and disposal practices, and data accuracy.
What is Simplified Consumer Choice?
Companies should simplify consumer choices; they don't need to provide choice before collecting and using consumer data for practices that are consistent with the context of the transaction or the company's relationship with the consumer, or are required or specifically authorized by law. Where appropriate, companies should offer the choice at a time and in a context in which the consumer is making a decision about his/her data.
When should companies obtain affirmative express consent?
Before (1) using consumer data in a materially different manner than claimed when the data was collected, or (2) collecting sensitive data for certain purposes.
What is Transparency?
Privacy notices should be clearer, shorter and more standardized to enable better comprehension and comparison of privacy practices. Companies should provide reasonable access to the consumer data they maintain; the extent of access should be proportionate to the sensitivity of the data and the nature of its use.
What are the FTC's five priority areas for attention?
"1. Do Not Track;
3. Data Brokers;
4. Large platform providers
5. Promoting enforceable self-regulatory codes."
What does "do not track" encompass?
The FTC has encouraged industry to create a mechanism for consumers to signal if they do not wish to be tracked for online behavioral advertising purposes.
True/false: the FTC encourages greater self-regulation around location and other mobile-related services.
What is the FTC's priority around Data brokers?
The FTC supports targeted legislation to provide consumers with access to info held about them by data brokers who are not already covered by the Fair Credit Reporting Act.
Explain the FTC's prioritization of large platform providers.
The FTC is examining special issues raised by very large online companies that may do what the FTC calls "comprehensive" tracking.
What provisions do most states have in place?
Each state has a law roughly similar to Section 5 of the FTC Act, commonly known as Unfair and Deceptive Acts and Practices (or UDAP) statutes.
In addition to covering unfair and deceptive practices, what do some state statutes allow?
Enforcement against "unconscionable" practices, a contract law term for a range of harsh seller practices.
Who enforces UDAP statutes?
State attorneys general, who serve as the chief legal officers of each state.
What do some federal statutes, such as CAN-SPAM, allow state attorneys general to do?
To bring enforcement actions along with relevant federal agencies; some states allow private rights of action under their state UDAP laws, so individuals can bring suit against violators.
What has driven the recent prominence of state enforcement of info sec lapses?
Data breach notifications.
What has happened since CA passed the first breach notification law in 2002?
Almost every state has passed a similar breach notification law, many of which require orgs to furnish the state attorney general with reports about breaches when they occur. They also impose enforcement responsibility on state attorneys general if the breach notification reveals the implementation of inadequate security controls.
States have other specialized statutes protecting privacy in what other sectors?
Medical, financial, and workplace.
What is happening on a state level in relation to the smart grid?
State public utilities commissions have started to set rules for PI collected in connection with the smart grid.
True/false: State common law is not a source of privacy enforcement
False. Plaintiffs can sue under the privacy torts, which traditionally have been categorized as intrusion upon seclusion, appropriation of name or likeness, publicity given to private life and publicity placing a person in a false light. Plaintiffs may also sue under a contract theory in some situations.
Give an example of when someone could sue under state common law on a contract theory.
When a physician, financial institution or other entity holding sensitive information breaches a promise of confidentiality and causes harm.
Which project helps coordinate the work of state attorneys general?
The National Association of Attorneys General Consumer Protection Project, which works to improve the enforcement of state and federal consumer protection laws by State Attorneys General, as well as multistate consumer protection enforcement efforts. It also promotes info exchange among the states with respect to investigations, litigation, consumer education, and both federal and state legislation.
What are three ways that self-regulation can occur?
It can occur through the 3 traditional separation of powers components: legislation, enforcement and adjudication.
To what does legislation in self-regulation refer?
Legislation refers to the question of who should define appropriate rules for protecting privacy.
To what does enforcement in self-regulation refer?
Enforcement refers to the question of who should initiate enforcement actions.
To what does adjudication in self-regulation refer?
Adjudication refers to the question of who should decide whether a company has violated the privacy rules and with what penalties.
True/False: For enforcement under Section 5 of the FTC Act or state UDAP laws, self-regulation only occurs at the legislation stage.
Describe how self-regulation occurs under Section 5 of the FTC Act.
Give an example of a self-regulatory system that goes through all 3 stages without government agency involvement.
The PCI DSS provides an enforceable security standard for PCI; the rules were drafted by the Payment Card Industry Security Standards Council, which built on previous rules written by the various credit card companies. Compliance with the standard requires hiring a third party to conduct security assessments and detect violations; failure to comply can lead to exclusion from Visa, MasterCard or other major payment card systems, as well as penalties of $5,000 to $100,000 per month.
Give examples of third-party privacy seal and certification programs that provide assurances that companies are complying with self-regulatory programs.
TRUSTe, Better Business Bureau.
True/false: The US - EU Safe Harbor Framework requires participating companies to name a compliance third party.
COPPA authorizes the FTC to confirm what?
That certification programs are in compliance with the law.
What is the DAA and how does its icon program serve as a self-regulatory effort?
Digital Advertising Alliance is a coalition of media and advertising organizations; it developed an icon program to inform consumers about how they can exercise choice with respect to online behavioral advertising.
True/false: The future of the DAA's self-regulatory program is closely linked to ongoing policy debates about whether and how a Do Not Track program will be instituted.
Is the US moving closer to the EU model of external regulation or closer to the self-regulatory model?
The self-regulatory model, which allows the industry with greater expertise about its systems to create, establish and enforce the rules. The White House emphasizes a multistakeholder approach, including consumer groups and other stakeholders outside the industry.
Name one trend and one example of cross-border enforcement.
"Trend: enforcement agencies in different countries must engage in closer cooperation.
Example: In 2007, the OECD adopted the Recommendation on Cross Border Co-operation in the Enforcement of Laws Protecting Privacy."
What is the focus/content of the OECD's 2007 Recommendation?
It focuses on the need to address common privacy issues on a global scale, rather than focusing on country-by-country differences in law or enforcement power.
What are member countries asked to do by the 2007 OECD Recommendation
"1. Discuss the practical aspects of privacy law enforcement cooperation.
2. share best practices in addressing cross-border challenges
3. work to develop shared enforcement priorities
4. support joint enforcement initiatives and awareness campaign"
In response to the OECD Recommendation, what did the FTC do?
The FTC, along with enforcement authorities globally, established the Global Privacy Enforcement Network (GPEN) in 2010.
What is the purpose of the GPEN?
To promote cross-border information sharing as well as investigation and enforcement cooperation among privacy authorities around the world.
Name another cross-border enforcement cooperation effort.
Asia-Pacific Economic Cooperation (APEC). The APEC Cross-border Privacy Enforcement Arrangement (CPEA) aims to establish a framework for participating members to share info and evidence in cross-border investigations and enforcement actions in the APJ region; it also facilitates cooperation and communication between APEC and non-APEC members.
True/false: the FTC is not a CPEA participant.
When can cross-border conflicts arise?
When the privacy laws in one country prohibit disclosure of information, but laws in a different country compel disclosure.
Give an example of a cross-border conflict.
The US generally permits a greater range of discovery in litigation than EU courts, with a party to the litigation in the US potentially facing fines or contempt of court if it does not produce records. In contrast, the EU Data Protection Directive and laws of EU member states may prohibit disclosure of the same records.
What did the International Chamber of Commerce release in early 2012?
A policy statement entitled "Cross-border Law Enforcement access to Company Data - Current Issues Under Data Protection and Privacy Law." It highlights problems that may arise when law enforcement compliance requirements conflict with data protection and privacy commitments, provides analysis of these issues, and recommendations for law enforcement bodies facing these challenges.
True/false: there is uncertainty about the extent to which the EU and other jurisdictions will bring enforcement actions against companies that operate only in the US.
Which companies are subject to the EU data laws?
Companies with assets and employees in the EU, who also operate in the EU, are subject to the EU data protection laws.
What does the 1998 Data Protection Directive say about whether a non-EU company is subject to enforcement there.
It is ambiguous. Companies wishing to transfer data from the EU to the US have various lawful options. They - and other multinational corporate entities with a presence in Europe - may draft binding corporate rules (BCR), subject to review and authorization by member states.
What are other options for multinational corporations with an EU presence?
Participation in the US - EU Safe Harbor program; using contracts for data export that have been approved by a data protection authority.
Where are the limits on trans-border data flows found?
In Articles 25 and 26 of the Data Protection Directive.
What did the EU Council introduce in early 2012?
A draft Data Protection Regulation with provisions that would replace the Data Protection Directive.
What does Article 3 of the draft Data Protection Regulation suggest?
It has language suggesting that EU law applies to online sellers who operate only in the US: "The Regulation applies where processing activities are related to (a) the offering of goods or services to such data subjects in the Union, or (b) the monitoring of their behavior; this Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where the national law of a Member State applies by virtue of public international law."