Domain 6: Requests & Incidents Flashcards

Understand how to manage data requests, breaches, and incidents to maintain compliance. (167 cards)

1
Q

What is the purpose of a privacy notice?

A

To inform consumers about how their data is collected, used, shared, and protected.

2
Q

What are privacy notices typically used for?

A

External, public-facing communication to educate consumers.

3
Q

What does the FTC enforce under UDAP?

A

Unfair or deceptive acts or practices under Section 5(a).

4
Q

What makes a privacy notice legally significant?

A
  • It can be considered a contract
  • Non-compliance may be a breach
5
Q

What U.S. regulatory agencies and entities can enforce against violations of a privacy notice?

A
  • FTC
  • State Attorneys General
6
Q

What key elements should a privacy notice include?

A
  • Organization name
  • Privacy contact
  • Data practices
  • Rights
  • Third parties
  • Cookies
7
Q

What is the notice life cycle?

A
  • Development
  • Approval
  • Publication
  • Review (annual or as needed)
8
Q

What technologies must be disclosed in privacy notices?

A

Persistent tracking technologies

E.g., cookies

9
Q

What are the 3 main types of privacy notices?

A
  • Layered
  • Just-in-time
  • Dashboard
10
Q

What is a layered notice?

A

A short summary at the top with detailed legal language below.

11
Q

What additional notice requirements does CCPA impose?

A
  • Notice at point of collection
  • Opt-out of sale
  • Incentives disclosure
12
Q

What is a just-in-time notice?

A

A notice given immediately before or at point of data collection.

13
Q

When does CCPA require just-in-time notices?

A

For mobile device data collection.

14
Q

What is a badge or icon notice?

A

Visual indicators like buttons showing data collection and opt-out choice.

15
Q

What are examples of badge/icon notice frameworks?

A
  • AdChoices
  • WebChoices
  • AppChoices from NAI and DAA
16
Q

What is a privacy dashboard?

A

A consumer-facing tool to control privacy settings and personalize features.

17
Q

What is the gold standard for consent under GDPR?

A
  • Specific
  • Voluntary
  • Informed
  • Unambiguous
18
Q

What are the 6 lawful bases for data collection under GDPR?

A
  • Consent
  • Contract
  • Legal obligation
  • Vital interest
  • Public interest
  • Legitimate interest
19
Q

What is a mnemonic for the 6 lawful bases under GDPR?

A

Crazed Clowns Vandalize Long Purple Limo

20
Q

Why is notice-and-consent considered inadequate?

A
  • Information overload
  • No real choice
  • Vague use
  • Cumulative impact
  • Power imbalance
21
Q

What is a dark pattern?

A

A technique that manipulates or deceives users into compromising their privacy.

22
Q

What are 3 examples of inappropriate consent practices?

A
  • Pre-ticked boxes
  • Cookie blocks
  • Dark patterns
23
Q

What are 2 examples of potentially appropriate consent methods on a mobile device?

A
  • Swiping a bar
  • Waving in front of a smartphone
24
Q

What is opt-in consent?

A

Explicit, active permission required before data is collected or processed.

25
Q

What is opt-out consent?

A

Permission is assumed unless the individual actively declines or withdraws.

26
Q

What must GDPR notices for children consider?

A
  • Vocabulary
  • Tone
  • Language appropriate for children

27
Q

What UN guidance is relevant to child notices?

A

UN Convention on the Rights of the Child in Child-Friendly Language

28
Q

What is the UK's Age Appropriate Design Code also called?

A

The Children's Code

29
Q

What does the UK's Children's Code enforce?

A

GDPR principles, with geolocation off by default and age-based design.

30
Q

What does COPPA require from parents?

A
  • Consent for children under 13
  • Rights to access, amend, and delete data

31
Q

What is required under CCPA for children's data?

A
  • Parental consent for under 13
  • Affirmative consent from children 13-16

32
Q

What is the Canadian OPC's stance on child consent?

A

Notices must align with the child's developmental maturity.

33
Q

What is the default GDPR age of consent?

A

16; member states may lower it to 13.

34
Q

What age is used in the UK for child consent?

A

Up to age 17.

35
Q

What is the age threshold under Australia's OAIC?

A

15 and older may provide valid consent.

36
Q

What rights are granted under the FCRA?

A
  • Access and amendment of credit report
  • Free annual report
  • Notice of adverse actions
  • Employment consent

37
Q

What are employers required to do under the FCRA before obtaining a credit report?

A

Obtain consent from the individual.

38
Q

What individual rights are provided under HIPAA?

A
  • Right to obtain records (30 days)
  • Amend records (60 days)
  • Request a disclosure list

39
Q

What is the Do Not Call Registry part of?

A

The Telemarketing Sales Rule (TSR)

40
Q

What does the Do Not Call Registry allow individuals to do?

A

Register to stop telemarketing calls.

41
Q

What does CAN-SPAM regulate?

A

Commercial messages and marketing emails.

42
Q

What can individuals do under CAN-SPAM?

A

File complaints with the FTC.

43
Q

What recourse does the Privacy Act of 1974 provide?

A

Individuals may bring civil actions against agencies.

44
Q

What does FOIA (Freedom of Information Act) allow?

A

Requests for records or information from federal agencies.

45
Q

What are 3 common FOIA exemptions?

A
  • National security
  • Personal privacy
  • Law enforcement

46
Q

What does CalOPPA (California Online Privacy Protection Act) require?

A

A privacy notice on commercial websites collecting CA resident PII.

47
Q

What disclosures must CalOPPA notices include?

A
  • PII collected
  • Material change notifications
  • Do Not Track adherence

48
Q

What does DOPPA stand for?

A

Delaware Online Privacy Protection Act

49
Q

What are DOPPA's key requirements?

A
  • Conspicuous privacy policy
  • Protect e-book users
  • Restrict harmful marketing to children

50
Q

What is a shared requirement of CalOPPA and DOPPA?

A

Disclosure of how Do Not Track requests are handled.

51
Q

What does the Nevada Privacy Law require?

A

Disclose if third parties track consumers across time and websites.

52
Q

What right does the CA Shine the Light Law provide?

A

Right to request notice on how data is shared for direct marketing.

53
Q

What is the enforcement mechanism under the Shine the Light Law?

A

Private right of action.

54
Q

What does the CA Online Eraser Law allow minors to do?

A

Request removal of data they posted.

55
Q

What is an exception under the Online Eraser Law?

A

No requirement to delete third-party posted content.

56
Q

What are the rights under Virginia's CDPA?

A
  • Confirm data
  • Amend
  • Delete
  • Portability
  • Opt-out of profiling, targeted ads, and sale

57
Q

What types of data are regulated as sensitive under VCDPA?

A
  • Biometrics
  • Children's data
  • Geolocation
  • Religion
  • Sexual orientation

58
Q

What must businesses do to process sensitive data under VCDPA?

A

Obtain consumer consent.

59
Q

What rights does the Colorado Privacy Act provide?

A
  • Access
  • Amendment
  • Deletion
  • Opt-out of sale and processing

60
Q

What is NPICICA and what rights does it provide?

A

Nevada law allowing opt-out of sale to data brokers/third parties.

61
Q

How long do businesses have to respond under NPICICA?

A

60 days
62
Q

What is a biometric?

A

A unique measurable trait, physical or behavioral, used to identify a person.

63
Q

What are some examples of physical biometric identifiers?

A
  • Fingerprint
  • Facial geometry
  • Palm geometry
  • Retina
  • Iris
  • DNA

64
Q

What are some examples of behavioral biometric identifiers?

A
  • Voice print
  • Signature
  • Gait

65
Q

What does BIPA (Biometric Information Privacy Act) require organizations to do?

A
  • Notify of collection
  • State purpose/retention
  • Obtain written authorization

66
Q

Which U.S. states have biometric privacy laws?

A
  • Illinois (BIPA)
  • Washington (H.B. 1493)
  • Texas (CUBI)

67
Q

What conditions justify erasure under the GDPR?

A
  • Data no longer needed
  • Consent withdrawn
  • Objection to processing
  • Unlawful processing
  • Legal requirement

68
Q

What are grounds for denying erasure under the GDPR?

A
  • Freedom of expression
  • Legal obligations
  • Legal claims
  • Backups

69
Q

When might processing be restricted under the GDPR?

A

If the data subject contests the data's:
  • Accuracy
  • Legality
  • Necessity

70
Q

What are examples of machine-readable formats for data portability?

A
  • CSV
  • PDF
  • XML
  • XLS
  • JSON
  • RTF

71
Q

What must controllers do under the GDPR if a data subject objects to processing?

A

Stop processing unless a legitimate interest overrides the individual's rights.

72
Q

What legal sources form the foundation of privacy rights in China?

A
  • Constitution Article 40
  • Criminal Law
  • Civil Law
  • NPCSC Decision

73
Q

What is the PI Security Specification in China?

A

A guideline with 7 principles:
  • Consistency
  • Purpose
  • Choice
  • Use limitation
  • Transparency
  • Security
  • Participation

74
Q

Who developed China's PI Security Specification?

A

Chinese National Information Security Standardization Technical Committee (TC260).

75
Q

What is Japan's main privacy law?

A

Act on the Protection of Personal Information (APPI)

76
Q

What global framework does Japan's APPI resemble?

A

GDPR

77
Q

What is Malaysia's privacy law?

A

Personal Data Protection Act (PDPA, 2010)

78
Q

What is the response time for access requests in Malaysia?

A

21 days

79
Q

What is Singapore's main privacy law?

A

Personal Data Protection Act (PDPA, 2012)

80
Q

How does Singapore's PDPA compare to Malaysia's?

A

It mirrors Malaysia's but allows 30 days for access requests.

81
Q

What law governs privacy in South Korea?

A

Personal Information Protection Act

82
Q

What are key features of South Korea's privacy law?

A

Strict; requires detailed notices and explicit consent.

83
Q

What is Thailand's privacy law?

A

Personal Data Protection Act (PDPA, 2019)

84
Q

What rights are limited under Thailand's PDPA?

A
  • No right to amend data
  • Can request anonymization if deletion isn't possible

85
Q

What data subject rights are provided under Australian law?

A
  • Access and amendment (30 days)
  • Organizations may charge for DSARs

86
Q

What law governs privacy in Canada?

A

PIPEDA (Personal Information Protection and Electronic Documents Act)

87
Q

What is CASL in Canada?

A

Canada's Anti-Spam Legislation

88
Q

What common rights are found across Latin America?

A
  • Notice
  • Access
  • Amendment
  • Halt/object to processing

89
Q

What rights does Brazil's LGPD provide?

A
  • Access
  • Amendment
  • Halt/object to processing
  • Portability

90
Q

What is New Zealand's privacy law?

A

Privacy Act of 2020

91
Q

What data subject rights exist under New Zealand's law?

A
  • Access and amendment (20 days)
  • 'Statement of correction' if denied

92
Q

When can access be denied in New Zealand?

A

If it reveals third-party info or is deemed arbitrary.

93
Q

What are the 3 core controller obligations for DSARs?

A
  • Verify identity
  • Acknowledge request
  • Respond within 1-3 months

94
Q

When does the DSAR response clock start?

A

Once the data subject's identity is verified.

95
Q

How should controllers handle children's DSARs?

A

Consider maturity and communication method.

96
Q

What should be done if a DSAR includes other people's data?

A

Redact non-requestor data.

97
Q

How can DSARs be submitted via proxy?

A

Through a third party with authority, such as power of attorney.

98
Q

Can controllers charge fees for DSARs?

A

Yes, if the request is burdensome or excessive.

99
Q

What must be documented when denying a DSAR?

A

Communications explaining the denial.

Footnote: e.g., to correct or amend data
100
Q

What is an "event" in incident response?

A

An observable occurrence in a system or network, benign or malicious.

101
Q

What is an "incident"?

A

A potential violation of confidentiality, integrity, or availability (CIA).

102
Q

What is a data breach?

A

Unauthorized modification, access, deletion, or exfiltration (MADE) of data.

103
Q

Why is the term 'data breach' legally significant?

A

It triggers legal obligations.

Footnote: Legal counsel should determine if it applies.

104
Q

What is an "attack" in cybersecurity?

A

A malicious attempt to violate a security perimeter.

105
Q

What is a vulnerability?

A

A specific weakness that can be exploited.

Footnote: E.g., unpatched app or zero-day

106
Q

What is incident response?

A

A planned approach to address and manage security incidents.

107
Q

What is the difference between preparedness and prevention?

A
  • Preparedness: how to respond (fire drill)
  • Prevention: policies to stop breaches

108
Q

What are the 5 steps of incident preparedness?

A
  • Plan creation
  • Stakeholders
  • Training
  • Insurance
  • Vendor management

109
Q

What is the first step in incident response plan creation?

A

Gather data about the org, policies, processes, and procedures.

110
Q

What should guide drafting the incident response plan?

A

Legal and regulatory requirements.

111
Q

What factors should be considered in plan creation?

A
  • PII inventory
  • Data processes
  • Third-party roles
  • Past breaches
  • Legal privilege

112
Q

Which stakeholders should be included in incident planning?

A
  • IT
  • Cybersecurity
  • Compliance
  • Customer/shareholder mgmt
  • Public affairs
  • Union
  • Finance
  • C-suite
  • Board

113
Q

Why is incident response training important?

A
  • Builds muscle memory
  • Exposes knowledge gaps
  • Builds competence
  • Reduces liability

114
Q

What services can cyber-liability insurance cover?

A
  • Forensics
  • Legal counsel
  • Call center
  • PR
  • Notifications
  • Credit monitoring
  • ID theft protection

115
Q

What should vendor contracts include for incident response?

A
  • Reporting responsibilities
  • Notification requirements
  • PII inventory
  • Vendor preparedness

116
Q

What is the role of the board of directors in incident response?

A

Oversee the company's:
  • Security
  • Privacy
  • Response
  • Resiliency

117
Q

What are key responsibilities of business development during incidents?

A
  • Manage large accounts
  • Deliver bad news
  • Maintain client relationships

118
Q

What role does the C-suite play in incident response?

A
  • Establish importance of incident response program
  • Allocate resources
  • Ensure buy-in
  • Issue public statements
  • Engage regulators

119
Q

What are compliance team responsibilities in incident response?

A

Maintain:
  • PII inventory
  • PIAs
  • Data flow maps

120
Q

Why is customer service important in incident response?

A
  • Handle sensitive data
  • Detect suspicious activity
  • Respond to inquiries, use scripts

121
Q

What is the function of Cybersecurity/IT during incidents?

A
  • Serve as CERT
  • Manage systems
  • Detect and remediate incidents
  • Collect forensics

Footnote: CERT: Computer Emergency Response Team

122
Q

What are finance's responsibilities during incident response?

A
  • Manage sensitive data
  • Cyber-liability
  • Track costs
  • SLAs
  • Post-breach decisions

123
Q

What does CGL stand for?

A

Commercial General Liability insurance, for general business risks.

124
Q

What are HR's responsibilities in incident response?

A
  • Protect employee data
  • Deliver training
  • Facilitate investigatory interviews

125
Q

What are legal's responsibilities during a breach?

A
  • Understand legal requirements
  • Manage reporting
  • Provide privileged advice
  • Prepare contracts

126
Q

How does legal help reduce liability?

A
  • Requesting forensics
  • Reviewing contracts
  • Ensuring compliance

127
Q

What are marketing and PR's roles in a breach?

A

Manage:
  • Client data communication
  • Public messaging
  • Media relations
  • Crisis management

128
Q

What is the AFL-CIO?

A

A federation of 60+ unions with 12.5 million members in the U.S.

129
Q

What is union leadership's role in incident response?

A

Engage in employee communication and coordination during incidents.

130
Q

What 'other teams' support incident response efforts?

A
  • Printing services
  • Call centers
  • Credit monitoring
  • ID theft protection

131
Q

What is a Business Continuity Plan (BCP)?

A

A document outlining how business continues during unplanned disruptions.

132
Q

What does a BCP include?

A
  • Risk assessment
  • Impact analysis
  • Recovery strategies
  • Plan activation
  • Emergency response
  • IT recovery
  • Testing

133
Q

How does an incident response plan contribute to BCP?

A

Via tabletop exercises (TTX), post-mortems, and training.

134
Q

What is a Tabletop Exercise (TTX)?

A

A simulated activity testing the org's incident response plan and readiness.

135
Q

What are components of a TTX?

A
  • Simulation
  • Role-play
  • Facilitation
  • Objectives
  • Discussion
  • Documentation
  • Debrief

136
Q

What is the purpose of a TTX post-mortem?

A
  • Summarize outcomes
  • Create 'after action' report
  • Identify training/action items

137
Q

What strategic benefits come from BCP and IR programs?

A
  • Close program gaps
  • Boost security
  • Cut liabilities and costs
  • Improve brand reputation
138
Q

What are BCP best practices?

A
  • Keep BCP updated
  • Allocate funding
  • Run training and TTX regularly

139
Q

What are the main activities in managing incidents?

A
  • Detection
  • Stakeholder notification
  • Investigation
  • Legal consultation
  • Reporting
  • Remediation/recovery

140
Q

What are internal methods of incident detection?

A
  • Technology
  • Employee reports
  • IDS and IPS

141
Q

What are external detection sources?

A
  • Hackers
  • Customers
  • News media

142
Q

What fields should an incident report form include?

A
  • Reporter contact
  • Date/time
  • Data format
  • Involved devices/apps
  • Incident description

143
Q

Why should security training be documented?

A

To maintain records in personnel files.

144
Q

What are the 4 components of incident investigation?

A
  • Investigation
  • Containment
  • Legal
  • Stakeholder notification

145
Q

What does forensic investigation involve?

A
  • Capture system image
  • Collect/analyze evidence
  • Determine remediation

146
Q

What are containment actions?

A
  • Limit access
  • Patch vulnerabilities
  • Isolate affected systems
  • Segment networks

147
Q

Why is documentation important during containment?

A

To ensure process transparency and support review.

148
Q

What are legal responsibilities during an incident?

A
  • Define event
  • Preserve evidence
  • Maintain chain of custody

149
Q

What is legal privilege in incident response?

A
  • Confidentiality of attorney-client communications
  • Protects legal strategy

150
Q

Why consult external counsel during a breach?

A
  • To preserve privilege
  • Control disclosure
  • Mitigate risks

151
Q

What should be reviewed under cyber-liability insurance?

A
  • Coverage for notification
  • Public relations
  • Credit monitoring
  • Data recovery

152
Q

What third parties may assist with investigations?

A
  • Forensic experts
  • Insurance providers

153
Q

What is the difference between escalation and notification?

A
  • Escalation alerts supervisors
  • Notification informs affected individuals

154
Q

What are the main components of a notification process?

A
  • Verify individuals/addresses
  • Prepare letters
  • Set up support
  • ID protection
  • Credit monitoring

155
Q

What factors make an incident reportable?

A

The data was:
  • Unencrypted
  • Misused
  • Or otherwise exposed

Footnote: Be sure to confirm with your organization's legal team.

156
Q

What factors make an incident not reportable?

A
  • Data encrypted
  • No misuse
  • Legal team confirms

157
Q

What is a key factor in determining notification timelines?

A

Timelines vary by jurisdiction.

158
Q

What is the principle behind internal incident communications?

A
  • Need-to-know basis
  • Prevent rumor and detail leaks

159
Q

What should be designated for internal communications?

A
  • A press contact
  • Employees should defer to them

160
Q

What helps manage employee communications?

A

Internal FAQ documents.

161
Q

What should external communications coordinate with?

A
  • Call center
  • Legal team
  • Possibly a crisis management firm

162
Q

What's a key principle of external messaging?

A

Be consistent.

163
Q

What are best practices for notification letters?

A
  • Include remediation offer
  • Enrollment instructions
  • Legal approval
  • Branding
  • Return address

164
Q

What are the key parties involved in breach remediation?

A
  • Remediation organization
  • Letter provider
  • Call center

165
Q

What are examples of breach remediation metrics?

A
  • Deadlines met
  • Letters sent
  • Calls received
  • Enrollments

166
Q

What is the purpose of an after-action report?

A

To evaluate response effectiveness and identify lessons learned.

167
Q

What types of costs are considered in incident recovery?

A
  • Legal, fines
  • Public relations
  • Forensics
  • Call center
  • Equipment
  • Insurance
  • Training
  • Remediations