CIPP/US EXAM REVIEW QUESTIONS AND ANSWERS

CIPP/US EXAM REVIEW QUESTIONS AND ANSWERS What is the focus of early privacy and security enforcement actions? -Answer-Deceptive practices What did the FTC add to its enforcement scope in 2004? -Answer-Unfair practices, as well as the previously-enforced deceptive practices. Where is the scope of the term "unfairness" clarified? -Answer-In a 1980 policy statement and in 1994 amendments to the FTC Act. What three things are required for an injury to be considered "unfair"? -Answer-The injury caused must be (1) substantial, (2) without offsetting benefits, and (3) one that consumers cannot reasonably avoid. What was the first instance of the FTC basing an enforcement action on a company's material change to its PI-handling practices, as well as the first privacy case based on unfairness? -Answer-In the matter of Gateway Learning Corp, in 2004. What are the facts of Gateway? -Answer-Gateway Learning Corporation marketed and sold popular educational aids under the "Hooked on Phonics" product line. it's website privacy notice stated that Gateway Learning would not sell, rent, loan any PI without explicit customer consent. It also stated that Gateway would provide consumers with an opportunity to opt out of having their info shared in this practice changed. Gateway then began renting personal customer info to third-party marketers and advertisers without providing the opt-out. It later revised its website privacy notice to allow for disclosing to third-party advertisers and continued to rent consumer information without providing notice to customers about the change in policy. What was the outcome of the Gateway case? -Answer-The consent decree stated that thte retroactive application of material changes to the company's data sharing policy was an unfair trade practice. The settlement prohibited Gateway from sharing any PI collected from users under its initial privacy notice unless it obtained an affirmative opt-in from users. It also required Gateway to relinquish the money earned from renting consumer info. In what 2005 enforcement action did the FTC allege that a company did not engage in reasonable security practices to protect the personal and financial information of its consumers? -Answer-In the Matter of BJ's Wholesale Club, Inc. What security flaws caused the enforcement action against BJ's? -Answer-The complaint stated that BJ's failed to encrypt the information and failed to secure wireless networks to prevent unauthorized access, among other security lapses. What are the facts of the BJ's case? -Answer-The security flaws caused substantial injury to consumers and resulted in almost eight hundred cases of customer identity theft.