◉ Preemption. Answer: The right of a federal law or a regulation to
preclude enforcement of a state or local law or regulation.
◉ Privacy Notice. Answer: An external communication from an
organization to consumers, customers or users to describe an
organization's privacy practices.
◉ When should choice and consent solicitations be made? Answer:
at the point of collection or as soon as practical afterwards
◉ OECD - Purpose Specification. Answer: The purposes for which
personal data are collected should be specified not later than at the
time of collection and the subsequent use limited to the fulfilment of
those purposes as specified on each occasion of change of purpose.
◉ Information Life Cycle Phases. Answer: 1. Collect/Derive
2. Use/Process
3. Disclose/Transfer
4. Store/Retain/Archive/Delete
◉ Privacy Policy. Answer: Internal, detailed statement for users of
personal information that defines handling practices
◉ What is privacy? Answer: Appropriate use of Personal
Information under the circumstances.
An individual's right to control the collection, use and disclosure of
personal information.
◉ Data Controller. Answer: someone who determines why and how
personal data is processed
◉ data processor. Answer: An individual or organization, often a
third-party outsourcing service, that processes data on behalf of the
data controller.
◉ Example of Processing Personal Data. Answer: Anything you do
with PI.
Use, retrieval, consultation, erasure, destruction, recording,
dissemination, organization, linking, storage, updating, collection
◉ Choice. Answer: The ability to specify whether personal
information will be collected and/or how it will be used or disclosed.
Choice can be express or implied.
◉ Difference between opt-in and opt-out. Answer: Opt-in is express.
Must give permission.
Opt-out is implied. No permission needed, failure to answer means
PI will be shared.
◉ Access. Answer: Ability to view personal information held by an
organization
◉ CA Security Breach Notification Law SB1386. Answer: Personal
Information = Name
plus one or more: SSN, DL#, ID#, Credit Card #
◉ Medical Privacy Laws. Answer: Office for Civil Rights, Dept of
Health & Human Services (HHS)
Health Insurance Portability & Accountability Act (HIPAA)
◉ Financial Privacy. Answer: CFPB
Federal Reserve
Office of the Comptroller of the Currency
Gramm-Leach-Bliley Act
◉ Education Privacy. Answer: Dept of Education for the Family
Educational Rights and Privacy Act
◉ Telemarketing/Marketing Privacy. Answer: Federal
Communications Commission and FTC
Telephone Consumer Protection Act
◉ Workplace Privacy. Answer: Equal Employment Opportunity
ADA
◉ FTC Section 5. Answer: Unfair and Deceptive Acts or Practices in
or affecting commerce are unlawful
◉ GeoCities, Inc. Answer: 1st FTC Internet Privacy Action
Offered websites to users, promised information would not be sold
without consent.
Two FTC actions for Unfair and Deceptive Practices