CIPP-US Exam Dumps : Certified Information Privacy Professional/United States (CIPP/US)

According to the Family Educational Rights and Privacy Act (FERPA), a policy of “no consumer choice” or “no option” means that an educational agency or institution may disclose personally identifiable information (PII) from education records without the prior written consent of the parent or eligible student, subject to certain conditions and exceptions1. One of the exceptions is when the disclosure is to comply with a judicial order or lawfully issued subpoena, or to respond to an ex parte order from the Attorney General of the United States or his designee in connection with the investigation or prosecution of terrorism crimes12. In such cases, the educational agency or institution must make a reasonable effort to notify the parent or eligible student of the order or subpoena in advance of compliance, unless the order or subpoena specifies not to do so12. Therefore, when a customer’s financial information, which may be part of the education records, is requested by the government under a valid legal authority, the customer does not have the option to prevent the disclosure and the educational agency or institution does not need to obtain the customer’s consent. References: 1: FERPA, 34 CFR Part 99, Subpart D, 2. 2: The Family Educational Rights and Privacy Act Guidance for Parents, Student Privacy Policy Office, U.S. Department of Education, 1.

Under the California Consumer Privacy Act (CCPA), a business that collects personal information of California residents must notify them of a data breach if their personal information is subject to unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices. However, the CCPA excludes encrypted or redacted personal information from the definition of personal information, unless the encryption key or security credential is also compromised. Therefore, Privacy Is Hiring Inc. would need to notify the affected individuals only if the encryption keys were also taken along with the credit card information, as this would render the encryption ineffective and expose the personal information to unauthorized access. The other options are not relevant to the CCPA notification requirement, although they may be relevant to other laws or best practices. References: CCPA (Section 1798.150), IAPP CIPP/US Study Guide (p. 63-64)

Illinois became the first state to pass a law specifically regulating the collection of biometric data in 2008, when it enacted the Biometric Information Privacy Act (BIPA). BIPA defines biometric identifiers as retina or iris scans, fingerprints, voiceprints, or scans of hand or face geometry, and biometric information as any information based on biometric identifiers used to identify an individual. BIPA requires entities that collect, store, or use biometric identifiers or information to obtain informed consent from individuals, provide written policies on data retention and destruction, limit disclosure and sale of biometric data, and protect biometric data using reasonable security measures. BIPA also provides a private right of action for individuals whose biometric data is collected, stored, or used in violation of the law, and allows them to recover statutory damages of $1,000 or actual damages, whichever is greater, for each negligent violation, and $5,000 or actual damages, whichever is greater, for each intentional or reckless violation, as well as attorneys’ fees and costs, and injunctive relief. References: U.S. Biometrics Laws Part I: An Overview of 2020, Is Biometric Information Protected by Privacy Laws?, Biometric Data Privacy Laws