State Privacy Laws (Part 1) Flashcards

Explore foundational state-level privacy laws, including the CCPA and other comprehensive consumer data protections. (76 cards)

1
Q

What does CPPA stand for?

A

California Privacy Protection Agency

2
Q

What law does the CPPA enforce?

A

California Consumer Privacy Act

(CCPA)

3
Q

How was the CPPA created?

A

Via the California Privacy Rights Act

(CPRA)

Also known as Proposition 24.

4
Q

When was CPRA approved?

A

November 2020

5
Q

How is the CPPA governed?

A

A 5-member board.

6
Q

What are the responsibilities of the CPPA?

A
  • Public awareness
  • Issue regulations
  • Enforce CCPA
  • Ensure compliance
  • Investigate violations
  • Coordinate with other agencies
7
Q

What SSN usage restrictions exist in California?

A
  • Bans public posting
  • Printing on mail/ID/membership cards
  • Unencrypted transmission
8
Q

What is the Social Security Number Fraud Prevention Act?

A

A 2017 federal law restricting mailing full SSNs unless waived.

9
Q

What does the SSN Fraud Prevention Act require for mailing?

A

SSN must not be visible from outside the envelope.

10
Q

What is data destruction?

A

Making information unreadable/undecipherable to prevent unauthorized access.

11
Q

How is paper data destroyed?

A

By burning or shredding.

12
Q

How is electronic data destroyed?

A

By deleting, erasing, purging, or sanitizing.

13
Q

What does North Carolina’s law require for data destruction?

A
  • Reasonable measures like shredding or erasing
  • Due diligence for subcontractors
14
Q

Which institutions are exempt under NC law?

A

Those that fall under:

  • GLBA
  • HIPAA
  • FCRA
15
Q

What factors guide ‘reasonable’ disposal under FTC rules?

A
  • Data sensitivity
  • Cost-benefit
  • Available tech
16
Q

What is California AB 1950?

A

A 2004 law requiring businesses with CA resident PII to use ‘reasonable security’ practices.

17
Q

What year did CA first pass a security breach notification law?

A

2003

18
Q

What must businesses also require of third-party data processors under AB 1950?

A

Implement reasonable security.

19
Q

What qualifies as personal information under AB 1950?

A

Name and:

  • SSN
  • Driver’s license
  • Financial or medical data
  • License plate reader info
20
Q

What types of data are excluded from AB 1950?

A

Publicly available and encrypted data.

21
Q

Which businesses are exempt from AB 1950?

A

Entities already under stricter laws like HIPAA or GLBA.

22
Q

What is considered ‘reasonable security’ under AB 1950?

A

The minimum standard is alignment with the Center for Internet Security (CIS) Critical Security Controls.

23
Q

What is 201 CMR 17?

A

Massachusetts regulation considered the strictest state information security law.

24
Q

What does 201 CMR 17 define as personal information?

A

MA resident’s name + sensitive data like SSN.

25
Q

What are **key requirements** of 201 CMR 17?

A
  • Designate security lead
  • Risk mitigation, policies
  • Unauthorized access prevention
26
Q

What are **technical mandates** under 201 CMR 17?

A
  • Authentication
  • Access control
  • Encryption
  • Monitoring
  • Firewalls
  • Patching
  • Training
27
Q

What **third-party requirements** are in 201 CMR 17?

A

Third parties must **contractually maintain** similar information security practices.

28
Q

Which **states** have adopted PCI-DSS standards?

A
  • Washington (WA)
  • Minnesota (MN)
  • Nevada (NV)
29
Q

What is **WA HB 1149**?

A

WA law allowing financial institutions to **recover breach costs** if due to processor negligence.

30
Q

When is a processor **not liable** under WA HB 1149?

A

If data was **encrypted** and the processor was **PCI-DSS certified** in the last year.

31
Q

What are **biometric identifiers** under BIPA?

A
  • Retina
  • Iris scan
  • Fingerprint
  • Voiceprint
  • Face/hand geometry
32
Q

What is **biometric information** under BIPA?

A

Info **based on biometric identifiers** used to identify individuals.

33
Q

What must businesses do **before collecting** biometric data?

A

Obtain written consent.

34
Q

What **policy** must businesses have under BIPA?

A

Written policy for retention and data disposal.

35
Q

How must biometric data be **protected** under BIPA?

A

Using a **reasonable standard of care**.

36
Q

What is **Washington's biometric privacy** law called?

A

Revised Code of Washington (RCW) **19.375**.

37
Q

Under which **act** is Washington's biometric law enforced?

A

Consumer Protection Act

38
Q

What does Washington **define** as biometric identifiers?

A
  • Fingerprint
  • Voiceprint
  • Retina/iris scan
  • Other unique biological patterns
39
Q

What does Washington **exclude** from biometric identifiers?

A

Photos, video, or audio generated **under HIPAA**.

40
Q

What is **Texas' biometric privacy law** called?

A

Capture or Use of Biometric Identifier

(CUBI)

41
Q

Where is Texas' CUBI law **codified**?

A

Business and Commerce Code, **Chapter 503**.

42
Q

What biometric data is covered **under Texas CUBI**?

A
  • Retina/iris scan
  • Fingerprint
  • Voiceprint
  • Hand or face geometry
43
Q

What do both **WA** and **TX** biometric laws **require**?

A
  • Notice and consent
  • No disclosure/sale without consent
  • Data security
  • Destruction policy
44
Q

What rights does the **CCPA** provide to consumers?

A
  • Disclosure
  • Access to specific data
  • Deletion
  • Opt-out of sale
  • Non-discrimination
45
Q

What are CCPA's **criteria** to be considered a business?

A
  • For-profit
  • Operates in CA
  • Meets revenue or data processing thresholds
46
Q

What types of entities are **excluded** from CCPA scope?

A
  • Non-profits
  • Those not determining data use
  • Not doing business in CA
47
Q

Who is considered a '**consumer**' under CCPA?

A

A natural person who is **a California resident**.

48
Q

What is '**personal information**' under CCPA?

A

Any data linked or linkable to a consumer **or household**.

49
Q

What constitutes a '**sale**' under CCPA?

A

Disclosure of personal info **for any value** to another business or third party.

50
Q

What must an **initial notice** under CCPA include?

A
  • Info collected
  • Purpose
  • Any indirect collection
51
Q

What must a **website notice** include?

A
  • Consumer rights
  • Data collected and disclosed
  • Annual updates
52
Q

What is required for the **right to opt out** under CCPA?

A

A clear link: '**Do Not Sell My Personal Information**'.

53
Q

What are exceptions to CCPA **deletion right**?

A
  • To provide services
  • Prevent fraud
  • Debug
  • Legal compliance
  • Research
  • Compatible internal use
54
Q

What protections are afforded **to consumers that opt-out** under **the CCPA's** non-discrimination right?

A
  • No denial of goods/services
  • Price discrimination
  • Quality reduction for exercising CCPA rights
55
Q

What conditions make a business **liable** for a data breach under CCPA?

A

Breach must result from **failure to use reasonable security**.

56
Q

What must individuals do **before suing** under the CCPA?

A

Provide **30-day written notice** and allow time for business to respond.

57
Q

What are the **two types of exemptions** in privacy laws?

A
  • Entity-level
  • Data-based

**Entity-level**: e.g., non-profits
**Data-based**: e.g., HIPAA-covered data

58
Q

What factors determine whether an organization is a '**business**' under state laws?

Under comprehensive state-level privacy statutes.

A
  • Gross revenue
  • Number of consumers affected
59
Q

What is the **consumer** data threshold in CA, CO, CT, and VA?

A

Processes data of more than **100,000** consumers.

60
Q

Which state has the **narrowest definition** of 'business'?

A

Utah

61
Q

What are the **revenue-from-sale** thresholds in CT and VA?

A
  • **CT**: 25% or more
  • **VA**: 50% or more from sale
62
Q

How do state privacy laws define a '**consumer**'?

A

As **a resident of the state**, not necessarily someone who makes purchases.

63
Q

What **unique data** types does **California** include in its PI definition?

A

Household data and employment data.

64
Q

What data is **excluded** from state privacy laws?

A
  • Deidentified
  • Federally regulated
  • Publicly available
  • Aggregate
  • Employee data
65
Q

What **unique sensitive data categories** does California include?

A
  • Union membership
  • Philosophical beliefs
  • Message content (e-mail, mail, text)
66
Q

What does California include under '**sharing**'?

A

Transferring personal info for **cross-context behavioral advertising**, even without money exchanged.

67
Q

What **core rights** do all 5 state privacy laws provide?

States: CA, CO, CT, UT, VA

A
  • Access
  • Data portability
  • Opt-out
  • Non-discrimination
68
Q

How do consumers **exercise** privacy rights?

A

By submitting requests to the business.

69
Q

What is the **standard response time** for requests?

A

**45 calendar days**, plus 45 more if reasonably necessary.

70
Q

What is the **CCPA's timeline** for opt-out requests?

A

Must be fulfilled within **15 business days**.

71
Q

How does **CT** regulate children's data?

A
  • Opt-in for ages 13-15 to sell or advertise
  • Under 13 is sensitive data
72
Q

Which state does **not require** purpose limitation?

A

Utah

73
Q

When are **risk assessments** required?

A
  • Processing that poses heightened risk
  • Targeted ads
  • Profiling, data sales
  • Sensitive data
74
Q

What are the **security requirements** under state laws?

A

Reasonable administrative, physical, and technical controls to protect CIA.

75
Q

What is the general **penalty range** for violating state privacy laws?

A

Fines range from $2,500 to $20,000 per violation.

76
Q

What is a '**cure period**'?

A

Time given to a business to fix a violation before penalties.