CIPP-US Exam Questions

Total 164 Questions

Last Updated Exam : 30-Dec-2024

The use of cookies on a website by a service provider is generally not deemed a ‘sale’ of personal information by CCPA, as long as which of the following conditions is met?


A. The third party stores personal information to trigger a response to a consumer’s request to exercise their right to opt in.
B. The analytics cookies placed by the service provider are capable of being tracked but cannot be linked to a particular consumer of that business.
C. The service provider retains personal information obtained in the course of providing the services specified in the agreement with the subcontractors.
D. The information collected by the service provider is necessary to perform debugging and the business and service provider have entered into an appropriate agreement.

C. The service provider retains personal information obtained in the course of providing the services specified in the agreement with the subcontractors.



What is the most likely reason that states have adopted their own data breach notification laws?


A. Many states have unique types of businesses that require specific legislation
B. Many lawmakers believe that federal enforcement of current laws has not been effective
C. Many types of organizations are not currently subject to federal laws regarding breaches
D. Many large businesses have intentionally breached the personal information of their customers

C. Many types of organizations are not currently subject to federal laws regarding breaches



SCENARIO
Please use the following to answer the next QUESTION:
Larry has become increasingly dissatisfied with his telemarketing position at SunriseLynx, and particularly with his supervisor, Evan. Just last week, he overheard Evan mocking the state’s Do Not Call list, as well as the people on it. “If they were really serious about not being bothered,” Evan said, “They’d be on the national DNC list. That’s the only one we’re required to follow. At SunriseLynx, we call until they ask us not to.”
Bizarrely, Evan requires telemarketers to keep records of recipients who ask them to call “another time.” This, to Larry, is a clear indication that they don’t want to be called at all. Evan doesn’t see it that way.
Larry believes that Evan’s arrogance also affects the way he treats employees. The U.S. Constitution protects American workers, and Larry believes that the rights of those at SunriseLynx are violated regularly. At first Evan seemed friendly, even connecting with employees on social media. However, following Evan’s political posts, it became clear to Larry that employees with similar affiliations were the only ones offered promotions.
Further, Larry occasionally has packages containing personal-use items mailed to work. Several times, these have come to him already opened, even though his name was clearly marked. Larry thinks the opening of personal mail is common at SunriseLynx, and that Fourth Amendment rights are being trampled under Evan’s leadership.
Larry has also been dismayed to overhear discussions about his coworker, Sadie.
Telemarketing calls are regularly recorded for quality assurance, and although Sadie is always professional during business, her personal conversations sometimes contain sexual comments. This too is something Larry has heard Evan laughing about. When he mentioned this to a coworker, his concern was met with a shrug. It was the coworker’s belief that employees agreed to be monitored when they signed on. Although personal devices are left alone, phone calls, emails and browsing histories are all subject to surveillance. In fact, Larry knows of one case in which an employee was fired after an undercover investigation by an outside firm turned up evidence of misconduct. Although the employee may have stolen from the company, Evan could have simply contacted the authorities when he first suspected something amiss.
Larry wants to take action, but is uncertain how to proceed.
In what area does Larry have a misconception about private-sector employee rights?


A. The applicability of federal law
B. The enforceability of local law
C. The strict nature of state law
D. The definition of tort law

A. The applicability of federal law



A company based in the United States receives information about its UK subsidiary’s employees in connection with the centralized HR service it provides.
How can the UK company ensure an adequate level of data protection that would allow the restricted data transfer to continue?


A. By signing up to an approved code of conduct under UK GDPR to demonstrate compliance with its requirements, both for the parent and the subsidiary companies.
B. By revising the contract with the United States parent company incorporating EU SCCs, as it continues to be valid for restricted transfers under the UK regime.
C. By submitting to the ICO a new application for the UK BCRs using the UK BCR application forms, as their existing authorized EU BCRs are not recognized.
D. By allowing each employee the option to opt-out to the restricted transfer, as it is necessary to send their names in order to book the sales bonuses.

C. By submitting to the ICO a new application for the UK BCRs using the UK BCR application forms, as their existing authorized EU BCRs are not recognized.



Which of the following accurately describes the purpose of a particular federal enforcement agency?


A. The National Institute of Standards and Technology (NIST) has established mandatory privacy standards that can then be enforced against all for-profit organizations by the Department of Justice (DOJ).
B. The Cybersecurity and Infrastructure Security Agency (CISA) is authorized to bring civil enforcement actions against organizations whose website or other online service fails to adequately secure personal information.
C. The Federal Communications Commission (FCC) regulates privacy practices on the internet and enforces violations relating to websites’ posted privacy disclosures.
D. The Federal Trade Commission (FTC) is typically recognized as having the broadest authority under the FTC Act to address unfair or deceptive privacy practices.

D. The Federal Trade Commission (FTC) is typically recognized as having the broadest authority under the FTC Act to address unfair or deceptive privacy practices.



The Video Privacy Protection Act of 1988 restricted which of the following?


A. Which purchase records of audio visual materials may be disclosed
B. When downloading of copyrighted audio visual materials is allowed
C. When a user’s viewing of online video content can be monitored
D. Who advertisements for videos and video games may target

A. Which purchase records of audio visual materials may be disclosed



Which entity within the Department of Health and Human Services (HHS) is the primary enforcer of the Health Insurance Portability and Accountability Act (HIPAA) “Privacy Rule”?


A. Office for Civil Rights.
B. Office of Social Services.
C. Office of Inspector General.
D. Office of Public Health and Safety.

A. Office for Civil Rights.



What does the Massachusetts Personal Information Security Regulation require as it relates to encryption of personal information?


A. The encryption of all personal information of Massachusetts residents when all equipment is located in Massachusetts.
B. The encryption of all personal information stored in Massachusetts-based companies when all equipment is located in Massachusetts.
C. The encryption of personal information stored in Massachusetts-based companies when stored on portable devices.
D. The encryption of all personal information of Massachusetts residents when stored on portable devices.

D. The encryption of all personal information of Massachusetts residents when stored on portable devices.



U.S. federal laws protect individuals from employment discrimination based on all of the following EXCEPT?


A. Age.
B. Pregnancy.
C. Marital status.
D. Genetic information.

C. Marital status.



Which action is prohibited under the Electronic Communications Privacy Act of 1986?


A. Intercepting electronic communications and unauthorized access to stored communications
B. Monitoring all employee telephone calls
C. Accessing stored communications with the consent of the sender or recipient of the message
D. Monitoring employee telephone calls of a personal nature

A. Intercepting electronic communications and unauthorized access to stored communications



