CIPP/US Practice Cards
Terms in this set (183)
What is the structure of the FTC?
Governed by a chairman and four commissioners. Decisions not under the President's control.
What is the FTC's general authority?
To enforce against unfair and deceptive business practices
What are areas of the FTC's specific authority?
Children's privacy and commercial email marketing
Which agencies/statutes are involved in Medical Privacy?
HHS / HIPAA / GINA
Which agencies/statutes are involved in Financial Privacy?
CFPB; various regulators including the Fed. for those under GLBA
Which agencies/statutes are involved in Education Privacy?
Dept. of Education for Family Educational Rights and Privacy Act
Which agencies/statutes are involved in Telemarketing and marketing privacy?
FCC; FTC; under the Telephone Consumer Protection Act
Which agencies/statutes are involved in Workplace privacy?
What "other" agencies are involved in privacy?
1: Dept. of Commerce - administers E.U. Safe Harbor
2: State Dept. - Negotiates privacy issues with UN and OECD.
3: Dept. of Transp. - also enforces E.U. Safe Harbor
4: OMB - primary interpreter of Privacy Act (1947); issues guidance such as impact assessments
5: IRS - tax records and third-party disclosures
6: DHS - E-Verify for employees, air travel records (TSA), immigration (ICE).
7: Dept. Energy - Smart grid
Criminal enforcement actions must involve...
The FTC was founded to...but its mission became....
enforce antitrust laws
What is the "most important" piece of privacy law?
Section 5 of the FTC Act
Section 5 of the FTC Act provides that...
Unfair and deceptive business practices are unlawful
Under what act did the FTC begin bringing enforcement actions? What acts followed?
Fair Credit Reporting Act (FCRA). Children's Online Privacy Protection Act (COPPA), Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act.
What does Section 6 of the FTC Act provide?
The authority to conduct investigations and require businesses to submit investigatory reports under oath.
Section 5 of the FTC Act does not apply to?
Nonprofits and certain industries such as financial institutions and common carriers.
Who has the authority to issue rules under the Fair and Accurate Credit Transactions Act (FACTA)?
CFPB along with FTC
Who has the authority to issue rules under the GLBA?
CFPB along with the FTC
Who has rule-making and enforcement authority for COPPA?
Who has rule-making and enforcement authority for CAN-SPAM Telemarketing-Sales Rule?
FTC and FCC
Who has rule-making and enforcement authority for HITECH?
FTC and HHS
Does the FTC have rule making authority under the APA?
No. Attempts have failed in Congress.
How do FTC enforcement actions begin?
Claim of unfair/deceptive practice or violation. Information can come from any source.
When can the FTC forgo enforcement?
When the problem is minor
After...the FTC may initiate an enforcement action if...
It has reason to believe a law is being or has been violated
What are the steps in the FTC enforcement process?
1. FTC becomes aware of a potential unfair/deceptive practice
2. The FTC works to end the issue or initiates an investigation
3. The FTC issues a complaint, and can proceed to trial under an Administrative Law Judge
4. The ALJ decision can be appealed to the commission
5. That decision can be appealed to Fed. Dist. Ct.
An order by the FTC becomes final...
60 days after service.
Can the FTC assess civil penalties?
If an FTC ruling is ignored...
it can seek civil penalties in court and compensation for victims. Each violation is a separate offense. Injunction is available.
In a consent decree, the respondent does not...
Consent decrees are posted publicly to...
provide guidance to others
Consent decrees usually state...
what actions the respondent will/won't engage in. Proof of compliance common. Periodic audits common.
Incentives to negotiate consent decree include:
avoid cost of trial, making information public, increase use of good security practices, provides FTC w/ enforcement advantage if agreement violated
No, but many are under statutes like HIPAA, GLBA, and COPPA.
Name the Section 5 "deceptive" enforcement actions:
1. GeoCities - Misrepresented how PI would be used/sold. Kept children's PI w/o parental consent. Required to adhere to policy and obtain consent.
2. Eli Lilly - Accidentally mass-emailed PI to members. Required to adhere to its policy. First action requiring a privacy/security program.
3. Microsoft - Misrepresented who controlled data for single sign-on service. Required to adhere, implement program, and undergo third-party audits.
Under FTC Section 5, a practice is unfair if it is:
2. Without offsetting benefits
3. One that consumers cannot reasonably avoid
Name the Section 5 "unfair" enforcement actions:
1. Gateway Learning (Hooked on Phonics) - Changed info. policy and sold info. without providing opt-out/notice. First enforcement on a change to information practices and first based on unfairness. Defined retroactive application of changes to be unfair. Required Gateway to get opt-in and relinquish money.
2. BJ's - Failed to protect data from identity theft. First action only unfair and not deceptive.
4. Facebook - Rapidly changed terms/services. Required to obtain consent before applying retroactive changes to privacy terms. Required to establish comprehensive privacy program. Agreed to audits.
Obama's White House Report argued for:
1. Individual control of data
3. Respect for the context the data was collected for
5. Access and Accuracy
6. Focused Collection
The "FTC Report" emphasizes:
1. Privacy by Design
2. Simplified Consumer Choice
What five areas did the "FTC Report" highlight for attention?
1. Do Not Track
3. Data Brokers
4. Large Platform Providers
5. Promoting enforceable self-regulatory codes
Define: Unfair and Deceptive Acts and Practices (UDAP) statutes
State laws similar to Section 5 of FTC Act
UDAP laws are enforced by...
Most states have data breach notification laws because of...
CAN-SPAM allows State AGs to...
bring parallel enforcement actions
What are Prosser's Privacy Torts?
1. Intrusion upon seclusion
2. Appropriation of name or likeness,
3. Publicity given to private life
4. Publicity placing a person in a false light
Do State AGs coordinate?
Yes, through the National Association of Attorneys General Consumer Protection Project
What are the three stages of self-regulation?
For enforcement under Section 5 of the FTC, self-regulation only occurs at the...
legislation stage. (You can make your own rules but the govt. will enforce/adjudicate).
Give an example of self-regulation involving all three stages
"credit cards" or Payment Card Industry Data Security Standard; Digital Advertising.
True/False: Safe Harbor requires a company to name a compliance third party
Is self-regulation in US increasing or decreasing?
Cross-Border enforcement regimes include:
1. EU Safe Harbor
2. "OECD Recommendation"
What is the purpose of GPEN?
promote cross-border information sharing, investigation, and enforcement cooperation. FTC Participates.
What is the purpose of APEC-CPEA?
promote cross-border information sharing, investigation, and enforcement cooperation. FTC Participates.
Companies wishing to transfer personal data from the EU to the US have options including:
1. Binding Corporate Rules
2. EU Safe Harbor approved contracts
The EU draft Data Protection Regulation provides for
jurisdiction over online sellers who operate only in the US
What are the risks of using PI improperly?
3. Operational - relationships/efficiency
What are the basic steps for information management?
1. Discover (issue identification and self-assessment)
2. Build (procedure development/verification, implementation)
3. Communicate (documentation, education)
4. Evolve (Affirmation, monitoring, adaptation)
What are the basic steps of managing data sharing and transfer?
1. Inventory data (may be required under the GLBA Safeguards Rule)
3. Document data flows
4. Determine Data accountability
What are the basic aspects of Privacy/Disclosure Policy management?
1. Choosing one or multiple policies
2. Policy Renewal and Approval
4. Policy Version Control
Material retroactive changes to privacy representations require...
According to the FTC, a retroactive change to a privacy representation is "material" when it...
at a minimum includes sharing consumer information with third parties after committing at the time of collection not to share data
1. Making notice accessible in places of business
2. Making notice accessible online
3. Providing updates and revisions
4. Ensuring appropriate personnel are knowledgeable
Customer Service Representatives (call centers) should...
1. Receive script describing privacy notice, have a full copy of the notice, know how to escalate issues.
What is an example of "double opt-in"?
email marketers sending a confirmation email requiring a response for the subscriber before the subscriber receives actual marketing emails.
No opt-in/no consent is acceptable when...
involving commonly accepted practices such as customer PI being shared with the shipping company or credit processor to fulfill business.
(Information Management)Considerations for managing user preferences include
1. Scope of opt-out
2. Mechanism of opt-out
3. Linking of interactions with customer
4. Time period of interaction w/ customer
5. Third-party vendors
APEC Principles for customer access and redress generally call for individuals to be able to:
1. obtain information about them
2. communicated in a reasonable manner after proving their identity
3. Challenge the accuracy of the information
Precautions to consider incorporating into contracts with third-party vendors include
1. Confidentiality provision
2. No further use of shared information
3. Applicability to subcontractors
4. Requirement to notify and disclose breach
5. Information security provisions
Standards for selecting a third-party vendor include:
2. Financial Condition and insurance
3. Information security
4. Point of transfer
5. Disposal of information
6. Employee training and user awareness
7. Vendor incident response
Does preempt state privacy laws?
HIPAA covered entities include
Providers (conducting certain transactions electronically), insurers, and "business associates" who receive data from covered entities.
Define: PHI under HIPAA
individually identifiable health information transmitted or maintained in any form, held by covered entity, providing reasonable basis for identification, created or received by covered entity, relates to medical condition, treatment, or payment for care.
Define: ePHI under HIPAA
PHI transmitted or maintained in any electronic media. Fax and voice-to-voice communications don't count.
What was HIPAA's original purpose
Improve efficiency in healthcare delivery
Are doctors who only accept cash instead of billing insurance covered under HIPAA?
Under the HIPAA Privacy Rule a Business Associate is...
any entity that performs services and activities for or on behalf of a covered entity, if such services/activities involve the use or disclosure of PHI
When a HIPAA covered entity engages a Business Associate, the Privacy Rule requires...
the covered entity to enter into a business associate contract. It must pass on privacy and security obligations.
What are the major "Rules" under HIPAA?
1. Transactions Rule
2. Privacy Rule
3. Security Rule
Which US law has the most detailed implementation of the Fair Information Privacy Practices?
What are the HIPAA Privacy Rule's key protections?
1. Privacy notices
2. Authorizations for uses and disclosures
3. "Minimum Necessary" use or disclosure
4. Access and accounting of disclosure
The HIPAA Privacy Rule regarding Privacy Notices generally requires...
a covered entity to provide a detailed privacy notice at the date of first service delivery
Under the HIPAA Privacy Rule regarding Authorizations for uses and disclosures, an authorization is...
an independent document that may be required as a necessary condition for services
HIPAA authorizes the use and disclosure of PHI for
True/False, under the HIPAA Privacy Rule, individuals do not have the right to access and copy their own PHI.
The HIPAA Privacy Rule requires covered entities to implement what kinds of safeguards?
Physical, administrative, and technical.
A covered entity under HIPAA must designate...
a privacy official responsible for development and implementation of privacy protections.
Can the HHS assess civil penalties for violations of the Privacy Rule?
Limits on the HIPAA Privacy Rule include:
1. De-identified data not covered - remove enumerated data elements or certify that the risk is small
2. No consent required for research if approved by IRB
3. Public Health Activity/Law Enforcement not restricted
The HIPAA Security Rule establishes...
minimum security requirements for ePHI by requiring covered entities to implement "reasonable" security measures.
The HIPAA Security Rule requires covered entities to...
1. Ensure privacy/integrity/availability of ePHI
2. Protect against reasonable anticipated threats
3. Protect against reasonably anticipated disclosures
4. Ensure compliance
5. identify an individual responsible for the program
6. conduct initial and ongoing risk assessments
7. implement a security awareness and training program for its workforce.
Under the HIPAA Security Rule, what must a covered entity consider in developing its security program?
3. Threat assessment of ePHI
Under HITECH, in the event of a breach, a covered entity must...
1. conduct a risk assessment
2. notify individuals within 60 days of discovery if risk is significant
3. notify the covered entity if a business associate
4. notify HHS immediately if more than 500 people involved
5. Notify the media if involving more than 500 people in the same jurisdiction
Under HITECH, a breach only involves....information.
Generally, GINA prohibits...
health insurance companies from discriminating on the basis of genetic predispositions in the absence of manifest symptoms; requesting applicants receive genetic testing; employers from using genetic information in employment decisions
1. ERISA/SSA/Civil Rights Act
2. Public Health Service Act
Regarding employment, GINA prohibits...
Employers from requiring, requesting or purchasing genetic information about EEs or family members unless: purchased from a publicly available source, is part of an employer offered wellness program that the EE voluntarily participates in with written authorization, the use is legally mandated/acceptable.
True/False: GINA provides for a private right of action.
The Fair Credit Reporting Act (FCRA) was updated by...
the Fair and Accurate Credit Transactions Act (FACTA)
The general purpose of the GLBA is to...
provide the framework for the confidentiality of records in the financial services sector
The CFPB has rule-making authority for which statutes?
FCRA/FACTA and GLBA (shared with FTC)
The FCRA was enacted to...
regulate the consumer reporting industry and provide privacy rights for consumer reports
Define: Consumer Reporting Agency (CRA)
an entity that compiles or evaluates personal information for the purpose of furnishing consumer reports to a third party for a fee. (Equifax, TransUnion, Experian).
Define: Consumer Report
1. A communication by a CRA relating to an individual's: Creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, mode of living
2. that is used in whole or in part as a factor in establishing a consumer's eligibility for credit, insurance, employment, or other business purpose.
Users of consumer reports must meet which requirements?
1. Third-party data for substantive decision making must be appropriately accurate, current, and complete.
2. Consumers must receive notice when third-party data is used to make adverse decisions about them
3. Consumer Reports may be used only for permissible purposes
4. Consumers must have access to their consumer reports and an opportunity to dispute/correct
The FCRA requires CRAs to:
1. Provide Access to the information, and the ability to dispute
2. Take reasonable steps to ensure accuracy
3. Not report negative information that is outdated (usually accounts over 7 years old or bankruptcies over 10 years old)
4. Provide reports only to entities with a permissible purpose
5. Maintain records regarding entities that received reports
6. Provide consumer assistance
Violations of the FCRA are enforced by...
the CFPB and State AGs.
True/False: Under the FCRA, individuals have a private right of action.
Permissible purposes for the use of Credit Reports include:
1. as ordered by a court or federal grand jury subpoena
2. as instructed by the customer in writing
3. when initiated by the consumer for credit, underwriting, legitimate business need
4. For employment purposes when the consumer has given written permission
5. Enumerated police powers
True/False: An entity must certify that it has a permissible purpose before obtaining a consumer report.
Users of Consumer Reports must notify consumers when...
adverse actions are taken.
Notification of an adverse action resulting from a Consumer Report must include:
1. contact information for the CRA
2. A statement that the CRA did not make the adverse decision and is not able to explain why the decision was made
3. Statement explaining the consumer's right to obtain a free disclosure of the file if requested within 60 days
4. Statement explaining consumer's right to dispute accuracy or completeness
Employers who use Consumer Reports are required to:
1. Make clear written notification, in a separate document, to consumer before report is obtained
2. Obtain prior written consumer authorization to obtain report
3. Certify to CRA that use is permissible and compliant
4. Before taking adverse action, provide a copy of the report to the consumer and summarize their rights.
Define: Investigative consumer report
A Consumer Report that contains information about a consumer's character, general reputation, personal characteristics and mode of living.
Users of Investigative Consumer Reports are required to:
1. Inform the consumer that such report may be obtained
2. be in writing and delivered no later than three days after report issued
3. include a statement informing consumer of their rights and ability to request additional disclosures
4. certify to the CRA that procedure has been followed
5. Upon written request, make complete disclosure of the nature and scope of investigation
6. Nature/Scope disclosed in written statement
Any user of a Consumer Report who receives medical information...
shall not disclose to any other entity unless exceptions are met.
Risk-based pricing notices must be provided to consumers when...
in connection with an application (for credit, etc.) on terms less favorable than on average
Creditors and insurers can obtain limited consumer report information in connection with firm unsolicited offers of credit or insurance in certain circumstances
What are the requirements for using Prescreened lists?
1. before the offer is made, establish criteria
2. maintain such criteria for 3 years
3. Include a clear statement that information in a CRA file was used; consumer received offer because criteria satisfied
4. Credit/insurance may be denied based on other factors
5. Consumer can prohibit use of information in future prescreened offers by contacting CRA
True/False: FACTA does not preempt stricter state laws.
False. It does preempt.
What are FACTA's primary rules?
1. Disposal Rule: An entity that uses information derived from a consumer report must dispose of it in a way that prevents misuse.
2. Red Flags Rule: Requires entities to develop and implement written identity theft detection programs that identify and respond to the "red flags" of identity theft.
Define: Disposal under FACTA
Is any discarding, donation, sale, abandonment, etc. The disposal must be reasonable to protect against unauthorized access.
The FACTA Red Flags Rule covers...
Financial Institutions: All banks, savings and loan associations and credit unions. All entities that hold a consumer's "transaction account". Does not include creditors that extend credit only for expenses incidental to a service.
The purpose of the GLBA was...
to codify and consolidate the banking, securities, and insurance industries.
Describe: The first major GLBA-related case
Bancorp/MemberWorks. Involved providing detailed bank account info to marketers. Enrolled consumers in services unless they opted out.
Under GLBA, FIs are required to:
1. Store personal financial information securely
2. Provide notice of policies regarding sharing personal financial information
3. Provide opt-out for some of that sharing
True/False: GLBA preempts state laws.
State AGs [can/can't] enforce GLBA.
FIs that fail to comply with GLBA may be subject to penalties under...
What entity has enforcement authority for the GLBA Privacy and Safeguard rules?
CFPB under Dodd-Frank
There [is/is not] a private right of action under GLBA.
Major components of the GLBA Privacy Rule include that FIs must:
1. Provide customers with clear notice of info. sharing policies when relationship is established
2. Provide opt-out of having non-public personal info. shared with nonaffiliated third parties (subject to exceptions)
3. Refrain from disclosing to a nonaffiliated third-party marketer, other than a CRA, an account number or similar code
4. Comply with regulatory standards established to protect security/privacy; and protect against unauthorized access to data
The GLBA Privacy Rule provides that notice must include:
1. How information is protected/shared/collected, and
2. how a customer can reasonably opt out.
If requirements met, FI can share data with affiliated companies/joint marketing partners.
In order for a FI to provide information to nonaffiliated third-parties under GLBA, the FI must...
disclose practices and provide opt-out. FIs cannot disclose account numbers to nonaffiliated third parties for telemarketing or direct mail (or email).
Under GLBA, the consumer has no right to opt out if:
1. A FI shares info with third-parties providing essential services (e.g. data processing)
2. disclosure is legally required
3. info. is shared with company that markets the FIs products/services
Does the GLBA model privacy notice satisfy...
the statutory requirements of compliance
The GLBA Safeguards Rule requires...
FIs to develop and implement a comprehensive "information security program," which contains "administrative, technical, and physical safeguards" to protect the security/privacy/integrity of customer information.
Under the GLBA Safeguards Rule, a FI's security program must...
be appropriate for the circumstances and include a designated employee to coordinate the program, audit systems, and determine risks.
Under the GLBA Safeguard Rule, a FI must provide what types of security for consumer information?
1. Administrative (program definition, employee training, vendor oversight)
2. Technical (computer systems, access, and encryption)
Under the GLBA Safeguards rule, security measures must be...
reasonably designed to 1) ensure security, 2) protect against anticipated threats, and 3) protect against unauthorized access/use that could result in substantial harm or inconvenience
The GLBA Safeguards rule requires that security programs have what basic elements?
1. Designated employee to coordinate
2. Identify and assess risks to info. and current protections in each relevant area of operation
3. Design, implement, and regularly monitor/test a Safeguard program
4. Select appropriate service providers and ensure their compliance
5. Evaluate and adjust program in light of relevant circumstances
The California Financial Information Privacy Act ("California SB-1") [contracts/expands] GLBA's protections.
California SB-1 requires:
1. Written opt-in/out to share info. with nonaffiliated third-parties
2. Opt-in must be presented in an enumerated format in simple English.
3. Opt-out of info. sharing between their FIs and affiliates not in the same line of business.
*no consent required to share non-medical info with wholly owned subsidiaries in the same line of business if subject to same functional regulator.
The CFPB's general authority includes:
1. rule-making authority for FCRA, GLBA, and Fair Debt Collection Practices Act
2. Enforcement authority over all non-depository institutions and all depository institutions with over $10b in assets
3. Unfair/deceptive acts and practices
4. Abusive acts and practices
Define: Abusive act or practice under the CFPB/Dodd-Frank
1. Materially interferes with the ability of a consumer to understand a term or condition of a financial product or service or
2. Takes unreasonable advantage of the consumer's
a. Lack of understanding
b. inability to protect their interests in selecting/using the product/service
c. reasonable reliance on a covered person to act in the consumer's interest
CFPB's enforcement authority includes:
1. ability to conduct investigations, issue subpoenas, hold hearings, and commence civil actions.
2. Assess civil penalties.
True/False: State AGs cannot bring civil enforcement actions under CFPB/Dodd-Frank.
False. They CAN.
The Bank Secrecy Act (BSA) authorizes the treasury secretary to...
issue regulations imposing extensive record-keeping and reporting requirements on FIs (defined differently than in the GLBA) and other entities such as banks, money services, telegraph companies, casinos, etc.
The BSA generally requires:
1. record keeping and reporting on types of financial transaction (including in excess of $10k)
2. recording the name, contact, and SSN (and DST/valu info.) of persons purchasing instruments such as money orders and cashier's checks for more than $3k
The primary purpose of the BSA is...
The BSA requires records to be maintained if they have...
a high degree of usefulness
Records maintained under the BSA must include:
name, address, credit amount, purpose of credit. Must be maintained for 5 years.
The BSA requires record keeping for what types of transactions?
1. Credit accounts
2. Deposit accounts
3. CDs (over $100)
4. Wire transfers (over $100)
5. money order/cashier's check type instruments (over $3k)
A Suspicious Activity Report (SAR) must be issued when:
1. financial institution suspects an insider is committing/aiding a crime
2. entity detects a possible crime involving $5k or more and has a substantial basis for identifying a suspect
3. When the entity detects a possible crime involving more than $25k
4. When the entity suspects currency transactions aggregating $5k or more that involve laundering/violations
(Patriot Act modifications to the BSA) For covered entities, the major compliance issues arising from the Patriot Act modifications to the BSA are grouped into the categories of:
1. Info. sharing and anti-laundering cooperation
2. "know your customer" rules
3. formal anti-laundering programs
4. BSA expansions
The Family Educational Rights and Privacy Act (FERPA) generally prevents...
Schools from divulging education record information, such as grades and behavior, to parties other than the student, without consent.
FERPA applies to...
all educational institutions that receive federal funding.
FERPA provides students with the right to...
1. control disclosure of ed. records
2. Review and correct ed. records
3. Receive annual notice of rights
4. File complaints
Define: Education Record
any information directly related to the student and maintained by the school or a third party on the school's behalf. Includes grades, Fin. Aid, disciplinary, etc.
Does NOT include: Campus police records; employment records; treatment records; applicant records; alumni records; Grades on peer-graded papers
Under FERPA, disclosure is permitted only if...
one of the following is met:
1. information not personally identifiable
2. information is directory information not blocked by student
3. student provided consent
4. disclosure made to the student
5. Statutory exception applies (e.g. police power)
Define: Personally identifiable information under FERPA
Includes but is not limited to: name; family member's names; contact info; SSN; Student ID; DOB; information alone or in combination that can identify the student with reasonable certainty; information requested by a person reasonably believed to know the identity of the student to which the record applies
FERPA requires that students be able to [opt-in/opt-out] of ... information.
Under FERPA, valid student consent must...
be signed and identify the records to be disclosed, the purpose of disclosure, and to whom the disclosure is being made.
Exceptions to the FERPA consent requirements include disclosure:
1. to school officials who have a "legitimate and educational interest" in the records. Such an interest exists where relevant and necessary to their responsibilities. To third-parties that provide services and are under the school's direct control regarding the record
2. to educational institutions in which the student intends to enroll/is enrolled, when related to that enrollment.
3. in connection with financial aid or accreditation
4. to law enforcement or on court order
5. to appropriate parties for health and safety purposes. (Rational basis test applies)
Under FERPA, once a student has issued a request to review records...
the school must provide access within 45 days.
Under FERPA, students don't have a right to view...
the financial records of their parents, protected (e.g. medical/legal) info., info. revealing protected information of other students.
Under FERPA, if a request to amend records is denied, the student has a right to a hearing which must meet the requirements that:
1. the student receives prior and reasonable notice
2. it must be held within a reasonable time
3. Conducted by a party without direct interest
4. the student is afforded "full and fair" opportunity to present their case
5. The decision is based on evidence presented at the hearing. If the student wins, the record must be amended. If the student loses, they can place a statement in the record.
FERPA was amended by the Protection of Pupil Rights Amendment (PPRA) which provides certain rights to parents of minors regarding the collection of information about things such as:
1. Political affiliations
2. Mental and physiological health
4. Illegal, antisocial, etc. type behavior
5. Legally recognized privileged relationships
The No Child Left Behind Act broadened the PPRA to require schools to:
1. enact policies regarding the collection of info. for commercial purposes
2. allow parents to access/inspect surveys before administered to students
3. Provide advance notice to parents for these activities
4. Provide parents right to opt-out for surveys or other sharing
The PPRA expansions of FERPA do not apply to...
post secondary schools
Intrusion on seclusion imposes liability on
one who intentionally intrudes, physically or otherwise, upon the solitude or seclusion of another or his private affairs or concerns. Plaintiff must show that "the intrusion would be highly offensive to a reasonable person."
Define: Telemarketing under the Telemarketing Sales Rule (TSR)
a plan, program, or campaign which is conducted to induce the purchase of goods or services or a charitable contribution, by use of one or more telephones and which involves more than one interstate call
The Do Not Call (DNC) registry is enforced by...
The FTC, FCC, and State AGs.
Violators of the DNC are subject to...
civil penalties and injunctions
Telemarketers/sellers are required to...
access the registry prior to making any phone-based solicitation. Update their lists every 31 days.
The operational structure of the DNC requires sellers/telemarketers to...
obtain an account number and provide information
The DNC rules do NOT apply to:
1. nonprofits calling on their own behalf
2. Calls to customers with an existing relationship within 18 months
3. Inbound calls, provided there is no "upsell"
4. Most business-to-business calls
Define: Existing Business Relationship (EBR) exception to DNC rules
An EBR exists if the consumer has purchased/rented/leased the seller's goods or services within the preceding 18 months. An EBR exists with a prospect if the consumer has made an application or inquiry regarding the seller's goods/services
Regarding the DNC, exceptions based on consent must...
be in writing. Not be deceptive. "please call" buttons not pre-checked.
The DNC-Safe Harbor reduces liability for sellers/telemarketers when:
1. it's a mistake
2. they have established written procedures, and
3. they have trained their employees, and
4. they maintain a do-not-call list, and
5. they maintain procedures to prevent violations, and
6. they monitor and enforce compliance