Term: The U.S. Constitution establishes what three branches of government?
Definition: Legislative, Executive, Judicial

Term: What establishes the three branches of the U.S. Government?
Definition: The U.S. Constitution

Term: What is the purpose of the three-branch government design?
Definition: To provide a separation of powers with a system of checks and balances among the branches.

Term: What similarities are found between state and federal government?
Definition: The three branches are also often found at the state and often the local levels.

Term: What is the legislative branch's make-up?
Definition: The legislative branch is made up of elected representatives who write and pass laws. It includes the Congress (House and Senate).

Term: What does the legislative branch do?
Definition: Congress confirms presidential appointees, and can override vetoes.

Term: What are the duties of the executive branch?
Definition: The executive branch's duties are to enforce and administer the law.

Term: Who makes up the executive branch?
Definition: The President, Vice President, cabinet, and federal agencies (such as the FTC).
Term: What can the executive branch do?
Definition: President appoints federal judges. It can veto laws passed by Congress.

Term: What can the judicial branch do?
Definition: The Judicial branch determines whether the laws are constitutional. It also interprets laws, the meaning of a law, and how it is applied. It can also examine the intent behind a law's creation.

Term: What is the judicial branch?
Definition: The Federal Courts.

Term: What two parts make up the U.S. Congress?
Definition: The Senate and the House of Representatives (legislative branch)

Term: What can Congress do when enacting legislation?
Definition: Congress can delegate the power to promulgate regulations to federal agencies (such as the FTC).

Term: What laws has Congress enacted involving the FTC?
Definition: Congress has enacted several laws that give the U.S. Federal Trade Commission the authority to issue regulations to implement the laws.

Term: Does the executive branch include federal agencies that report directly to the President?
Definition: Yes

Term: What do federal agencies in the executive branch do?
Definition: They implement the laws through rule making and enforce the laws through civil and criminal procedures.
Term: What are the lowest courts called in the federal court system (judicial branch)?
Definition: District Courts. These serve as federal trial courts.

Term: Cases decided by a district court can be referred to what?
Definition: A federal appellate court (also called a "circuit court").

Term: What do federal circuit courts do?
Definition: They are not trial courts; they serve as appeals courts for federal cases.

Term: The federal appeals courts are divided into how many circuits?
Definition: 12 regional circuits; each district court is assigned to an appeals court which decides the appeals for that circuit.

Term: What are the other federal courts called?
Definition: Special courts include the U.S. Court of Federal Claims and the U.S. Tax Court.

Term: What is the top court in the judicial branch?
Definition: The U.S. Supreme Court.

Term: What does the U.S. Supreme Court do?
Definition: Hears appeals from the circuit courts and decides questions of federal law; also interprets the U.S. Constitution. May also hear appeals from the highest state courts or function as a trial court in rare instances.

Term: In what circumstances do federal agencies wield power that is characteristic of all three branches of government?
Definition: When they are given authority by Congress to promulgate and enforce rules pursuant to law. This means they operate under statutes that give them legislative power to issue rules, executive power to investigate and enforce violations of rules/statutes, and judicial power to settle particular disputes.

Term: What are the sources of law in the U.S.?
Definition: Federal and state constitutions, legislation, case law (contracts and torts), and agency-issued regulations.

Term: What is the supreme law in the U.S.?
Definition: The Constitution.
Term: Who drafted the Constitution and when?
Definition: The Constitutional Convention drafted the Constitution in 1787.

Term: True/False: The U.S. Constitution does not contain the word "Privacy".
Definition: True.

Term: Which parts of the Constitution directly affect privacy?
Definition: The Fourth Amendment limits on government searches.

Term: Which Supreme Court decisions affect privacy?
Definition: The S.C. has held that a person has a right to privacy over personal issues such as contraception and abortion, arising from more general protections of due process of law.

Term: What are other sources of law affecting privacy?
Definition: State constitutions may create stronger rights than are provided in the U.S. Constitution.

Term: Which state expressly recognizes a right to privacy in its constitution?
Definition: California.

Term: What areas are regulated by laws enacted by federal Congress and state legislatures?
Definition: Applications of information (use of information for marketing or pre-employment screening), certain industries (such as financial institutions or healthcare providers), certain data elements (SSNs or driver's license info), or specific harms (identity theft or children's online privacy)

Term: How is law-making power distributed in the U.S.?
Definition: Law-making power is shared between the national and state governments.

Term: What does the U.S. Constitution say about laws under the Constitution?
Definition: It states that the Constitution and the laws passed pursuant to it are "the supreme law of the land."

Term: When do states have the power to make laws?
Definition: Where federal law does not prevent it, states have the power to make law.
Term: Which Amendment to the Constitution states "the powers not delegated to the United States by the Constitution, nor prohibited by it to the States, are reserved to the States respectively, or to the people."?
Definition: The Tenth Amendment to the Constitution.

Term: What is one area of law where states may pass privacy/other laws with stricter requirements than federal law?
Definition: HIPAA medical privacy rule.

Term: In which areas do federal laws pre-empt state laws, preventing states from passing stricter provisions?
Definition: Limits on commercial e-mails in the CAN-SPAM Act.

Term: What is the CAN-SPAM Act?
Definition: Controlling the Assault of Non-Solicited Pornography and Marketing Act.

Term: Aside from the ability to make and enforce laws and regs, what does the U.S. legal system rely on?
Definition: 1. Legal precedent based on court decisions 2. Doctrines implicit in legal precedent 3. Customs and uses of legal precedent

Term: What are two key areas of the common law?
Definition: Contracts and torts.

Term: What regulatory agencies are required by law to issue regulations and rules?
Definition: FTC (Federal Trade Commission) or the FCC (Federal Communications Commission).

Term: What do rules and regulations passed by regulatory agencies do?
Definition: These rules and regulations place specific compliance expectations on the marketplace.
Term: In what year was the CAN-SPAM Act passed?
Definition: 2003.

Term: Which entity passed the CAN-SPAM Act?
Definition: U.S. Congress.

Term: What does the CAN-SPAM Act require?
Definition: CAN-SPAM Act requires the senders of commercial e-mail messages to offer an "opt-out" option to recipients of those messages.

Term: Which agencies enforce the CAN-SPAM Act?
Definition: FTC and FCC.

Term: What does the CAN-SPAM Act allow the FTC and FCC to do?
Definition: It provides the FTC and the FCC with the authority to issue regulations that set forth exactly how the opt-out mechanism must be offered and managed.

Term: What is case law?
Definition: Case law refers to the final decisions made by judges in court cases.

Term: How is case law utilized by the courts?
Definition: When similar issues arise in the future, judges look to past decisions as precedents and decide the new case in a manner consistent with past decisions.

Term: What is common law?
Definition: Common law refers to legal principles that have developed over time in judicial decisions (case law), often drawing on social customs and expectations.

Term: True/false: common law contrasts with law created by statute.
Definition: True.

Term: What is stare decisis?
Definition: It refers to a following of past precedent; stare decisis is a Latin term meaning "to let the decision stand."
Term: How do precedents handle the passing of time?
Definition: As time passes, precedents often change to reflect technological and societal changes in values and laws.

Term: What are common law's rules in regards to privacy?
Definition: Common law upholds special privilege rules, even in the absence of statutes protecting that confidentiality.

Term: Name two special privilege rules.
Definition: 1. Doctor-patient privilege 2. Attorney-client confidentiality.

Term: What is a judgment entered by consent of the parties whereby the defendant agrees to stop alleged illegal activity?
Definition: Consent Decree.

Term: Does a consent decree typically admit guilt or wrongdoing?
Definition: No.

Term: How are the courts involved in a consent decree?
Definition: The document is approved by a judge.

Term: What does a consent decree accomplish?
Definition: It formalizes an agreement reached between a federal or state agency and an adverse party.

Term: What are the contents of the consent decree?
Definition: It describes the actions that the defendant will take and the decree may be subject to a public comment period.
Term: How much power does a consent decree hold?
Definition: Once approved, the consent decree has the effect of a court decision.

Term: In what area has the FTC entered into numerous consent decrees with companies as a result of alleged violations of privacy laws?
Definition: COPPA has allowed for several consent decrees, which require violators to pay money to the government and agree not to violate the relevant law in the future.

Term: What services do federal agencies provide?
Definition: 1. Promulgate rules and enforce them; 2. Provide guidance in the form of opinions.

Term: How are agency opinions interpreted and used?
Definition: They do not carry the weight of law, but do give specific guidance to interested parties trying to interpret agency rules and regulations.

Term: What is a legally binding agreement enforceable in a court of law?
Definition: Contract

Term: What provisions might a privacy contract contain?
Definition: Data usage, data security, breach notification, jurisdiction, and damages. (A contract b/w an EU company and a US data processor might include a provision requiring the US co to be safe harbor certified/abide by the framework)

Term: True/false: Every agreement is a legally binding contract.
Definition: False. There are three fundamental requirements for forming a binding contract.

Term: What are the three factors required to form a contract?
Definition: Offer, Acceptance, Consideration.
Term: What is the proposed language to enter into a bargain?
Definition: Offer

Term: Which terms of the offer must be specific and definite?
Definition: Price, quantity, and description.

Term: What ends the original offer?
Definition: A counteroffer.

Term: What actions must be taken with an offer for it to qualify to form a contract?
Definition: The offer must be communicated to another person and remain open until it is accepted, rejected, retracted or has expired.

Term: What is acceptance?
Definition: The assent or agreement by the person to whom the offer was made that the offer is accepted.

Term: What requirements must the acceptance meet?
Definition: The acceptance must comply with the terms of the offer and must be communicated to the person who proposed the deal.

Term: What is the bargained-for exchange?
Definition: Consideration.

Term: What is consideration?
Definition: The legal benefit received by one person and the legal detriment imposed on the other person.

Term: What forms does consideration typically take?
Definition: Consideration usually takes the form of money, property or services.

Term: True/False: An agreement without consideration is not a contract.
Definition: True.
Term: When may a privacy notice constitute a contract?
Definition: If a consumer provides data to a company based on the company's promise to use the data in accordance with the terms of the notice.

Term: What is a tort?
Definition: Torts are civil wrongs recognized by law as the grounds for lawsuits. These wrongs are those that result in an injury or harm that constitutes the basis for a claim by the injured party.

Term: What are the goals of tort law?
Definition: a. provide relief for damages incurred; b. deter others from committing the same wrongs.

Term: What are the three tort categories?
Definition: Intentional torts, negligent torts, and strict liability torts.

Term: What is an intentional tort?
Definition: These are wrongs that the defendant knew / should have known would occur through their actions or inactions.

Term: Give an example of an intentional tort.
Definition: Intentionally hitting a person or stealing personal information.

Term: What is a negligent tort?
Definition: These occur when the defendant's actions were unreasonably unsafe.

Term: Give an example of a negligent tort.
Definition: Causing a car accident by not obeying traffic rules or not having appropriate security controls.
Term: What is a strict liability tort?
Definition: These are wrongs that don't depend on the degree of carelessness by the defendant, but are established when a particular action causes damage.

Term: What are some examples of strict liability torts?
Definition: Product liability torts (concern potential liability for making and selling defective products without the need for the plaintiff to show negligence by the defendant).

Term: When did the concept of a personal privacy tort enter U.S. jurisprudence?
Definition: The late 1890s.

Term: What are some current privacy torts?
Definition: a. intrusion on seclusion; b. public revelation of private facts; c. interfering with a person's right to publicity; d. casting a person in a false light.

Term: What is a defense to some of the traditional privacy torts?
Definition: The speaker is exercising free speech rights under the First Amendment.

Term: What are some other, more recent, privacy-related torts considered by courts?
Definition: Allegations that a company was negligent for failing to provide adequate safeguards for PI, thus causing harm due to disclosure of the data. Lack of adequate safeguards therefore may expose a company to damages under tort law.

Term: Define "person".
Definition: An entity with legal rights, including an individual ("natural person") or a corporation ("legal person")

Term: Define "jurisdiction".
Definition: Authority of a court to hear a particular case
Term: What two areas of the case must the court have jurisdiction over?
Definition: 1. subject matter jurisdiction 2. personal jurisdiction

Term: What is subject matter jurisdiction?
Definition: Jurisdiction over the type of dispute / cause of action.

Term: What is personal jurisdiction?
Definition: Jurisdiction over the parties (often based on their location)

Term: True/false: Government agencies do not have jurisdictional limits.
Definition: False

Term: Define "Preemption".
Definition: A superior government's ability to have its laws supersede those of an inferior government

Term: Give an example of pre-emption.
Definition: The U.S. federal government has mandated that state governments cannot regulate e-mail marketing; the federal CAN-SPAM Act preempts state laws that might impose greater obligations on senders of commercial electronic messages.

Term: Define "private right of action".
Definition: Ability of an individual harmed by a violation of a law to file a lawsuit against the violator.

Term: Define "Notice".
Definition: Description of an organization's information management practices.
Term: What are the two purposes of a notice?
Definition: 1. consumer education 2. corporate accountability

Term: What does the typical notice contain?
Definition: It tells the individual what information is collected, how the information is used and disclosed, how to exercise any choices about uses or disclosures, and whether the individual can access or update the information.

Term: True/false: U.S. privacy laws have additional notice requirements.
Definition: True.

Term: Who can legally enforce the promises made in a company's privacy notice?
Definition: Federal Trade Commission and states.

Term: What are two other names for privacy notices?
Definition: a. privacy statements b. privacy policies (however, often internal only)

Term: Define Privacy Policy.
Definition: Often used to refer to the internal standards used within the organization.

Term: Define Privacy Notice.
Definition: Refers to an external communication, issued to consumers, customers, or users.

Term: Define Choice.
Definition: The ability to specify whether personal information will be collected and/or how it will be used or disclosed.
Term: In what two forms is choice recognized?
Definition: Express or implied.

Term: Define "opt-in".
Definition: An affirmative indication of choice based on an express act of the person giving the consent.

Term: Give an example of "opt-in" behavior.
Definition: A person opts in if he says yes when asked, "May we share your information?" Failure to answer would result in the information not being shared.

Term: Define "opt-out".
Definition: A choice can be implied by the failure of the person to object to the use or disclosure.

Term: Give an example of "opt-out" behavior.
Definition: A company says "Unless you tell us not to, we may share your information." The person then has the ability to opt out of the sharing by saying no. Failure to answer would result in the information being shared.

Term: What defines "meaningful" choice?
Definition: Where choice is offered, it should be meaningful, which is that it should be based on a real understanding of the implication of the decision.

Term: Define "access."
Definition: Access is the ability to view personal information held by an organization.

Term: What can be used to supplement access?
Definition: Updates or corrections to the information may be allowed.
Term: What do U.S. laws often require around access?
Definition: They often provide for access and correction when the information is used for any type of substantive decision making, such as for credit reports.

Term: At the federal level, which agencies engage in regulatory activities concerning the private sector?
Definition: FTC, federal banking regulatory agencies (Consumer Financial Protection Bureau, Federal Reserve, Office of the Comptroller of the Currency), the FCC, DOT, Dept. of Health and Human Services through its Office for Civil Rights.

Term: What role does the Department of Commerce play in privacy?
Definition: The DOC doesn't have regulatory authority for privacy, but often plays a role in privacy policy for the executive branch.

Term: What authority does the FTC have re: privacy in the private sector?
Definition: General authority to enforce against "unfair and deceptive trade practices."

Term: In which areas does the FTC have specific regulatory authority?
Definition: 1. marketing communications; 2. children's privacy

Term: Who brings privacy-related enforcement actions at the state level?
Definition: State Attorneys General

Term: On what basis are state privacy enforcement actions brought?
Definition: Pursuant to state laws prohibiting unfair and deceptive practices.

Term: What role does the State Attorney General serve?
Definition: Serves as the chief legal advisor to the state government and as the state's chief law enforcement officer
Term: Which states have successfully pursued privacy actions related to unfair and deceptive practices?
Definition: Minnesota and Washington.

Term: Give examples of self-regulatory regimes.
Definition: Network Advertising Initiative, Direct Marketing Association, Children's Advertising Review Unit.

Term: True/false: some trade associations issue rules or codes of conduct for members.
Definition: True.

Term: Give an example of a regulatory setting where government-created rules expect companies to sign up for self-regulatory oversight.
Definition: The Safe Harbor for companies that transfer personal information from the EU to the US.

Term: What six questions are necessary to understand a law, statute, or regulation?
Definition: 1. Who is covered by this law? 2. What types of information (and what uses of information) are covered? 3. What exactly is required or prohibited? 4. Who enforces the law? 5. What happens if I don't comply? 6. Why does this law exist?

Term: What are some reasons for knowing a law's scope when you don't have to follow it?
Definition: 1. The law may suggest good practices that you want to emulate 2. It may provide an indication of legal trends 3. It may provide a proven way to achieve a particular result (i.e. protecting individuals in a given situation)

Term: Give an example of a time when the costs of compliance with a law might exceed the risks of noncompliance for a period of time.
Definition: If a system is not appropriately compliant with a new law, but is going to be replaced in a few months, a company may decide that the risks of noncompliance outweigh the costs and risk of trying to accelerate the system transition.

Term: In which state was the first security breach notification law enacted?
Definition: California.

Term: What does the CA law regulate?
Definition: The CA Data Breach Notification Law regulates entities that do business in CA and that own or license computerized data, including PI.

Term: To whom does the CA law apply?
Definition: It applies to natural persons, legal persons, and government agencies.
Term: True/false: if you do business only in Montana or NY, you are still subject to this CA law.
Definition: False

Term: Even if you do business in CA, what is required for this law to apply to you?
Definition: You must have computerized data.

Term: What does the CA data breach law cover?
Definition: It regulates computerized PI of CA residents.

Term: What is PI?
Definition: Personal information - an individual's name in combination with any one or more of (1) SSN, (2) CA identification card number, (3) Driver's License number, (4) financial account number or credit or debit card number in combination with any required security code, access code or password that would permit access to an individual's financial account, when either the name or the data elements are not encrypted.

Term: True/False: If your databases contain only names and addresses, you are not subject to the CA law.
Definition: True.

Term: True/False: If your database contains only encrypted information, you are not subject to the CA law.
Definition: True.

Term: What does the CA Data Breach Notification law require or prohibit?
Definition: It requires you to disclose any breach of system security to any resident of CA whose unencrypted personal information was or is reasonably believed to have been acquired by an unauthorized person.

Term: Define "breach of the security of the system".
Definition: Unauthorized acquisition of computerized data that compromises the security, confidentiality or integrity of personal information maintained by the person.
Term: How must disclosure be carried out?
Definition: The disclosure must be made "in as expedient a manner as possible."

Term: What is the exception to the CA law?
Definition: There is an exception for the good faith acquisition of PI by an employee or agent of the business, provided the PI is not used or subject to further unauthorized disclosure.

Term: When is a delay in providing notice permissible?
Definition: When a delay is requested by law enforcement.

Term: Who enforces the CA law?
Definition: The CA Attorney General enforces the law.

Term: True/false: the law provides for a private cause of action.
Definition: True.

Term: What happens if one doesn't comply with the CA law?
Definition: The CA attorney general or any citizen can file a civil lawsuit against you, seeking damages and forcing you to comply.

Term: Why does the CA data notification law exist?
Definition: SB 1386 was enacted because there is a fear that security breaches of computerized databases cause identity theft and individuals should be notified about the breach so that they can take steps to protect themselves. If you have a security breach that puts people at real risk of identity theft, you should consider notifying them even if you are not subject to this law.

Term: What is the FTC?
Definition: The Federal Trade Commission is an independent agency governed by a chairman and four other commissioners.
Term: True/False: The FTC's decisions are under the president's control.
Definition: False

Term: What authority does the FTC have?
Definition: Authority to enforce against "unfair and deceptive trade practices", as well as specific statutory responsibility for issues such as (a) children's privacy online and (b) commercial e-mail marketing.

Term: What are some of the ways that the FTC has played a prominent role in the development of US privacy standards?
Definition: The FTC conducts public workshops on privacy issues, and reports on privacy policy and enforcement.

Term: Are there other federal agencies involved in privacy enforcement?
Definition: Yes, although the FTC plays a leading role.

Term: What is civil litigation?
Definition: Civil litigation occurs in the courts, when one person (plaintiff) sues another person (defendant) to redress a wrong. Plaintiff often seeks monetary judgment from defendant. Plaintiff may also seek an injunction.

Term: What is an injunction?
Definition: A court order mandating the defendant to stop engaging in certain behaviors. May be awarded to plaintiff in civil litigation.

Term: What are important categories of civil litigation?
Definition: Contracts and torts.

Term: Describe a possible civil litigation scenario involving contracts.
Definition: A plaintiff might sue for breach of a contract that promised confidential treatment of personal information.
Term: Describe a possible civil litigation scenario involving torts.
Definition: A plaintiff might sue for invasion of privacy where defendant surreptitiously took pictures in a changing room and broadcast the pictures to the public.

Term: Do privacy rights ever create private rights of action?
Definition: Yes, and this allows an individual plaintiff to sue based on violations of the statute.

Term: What does the Fair Credit Reporting Act allow?
Definition: It has a private right of action, which allows a person to sue a company if his consumer reports have been used inappropriately.

Term: What is criminal litigation?
Definition: Criminal lit involves lawsuits brought by the government for violations of criminal laws.

Term: How is criminal litigation different from civil litigation?
Definition: Civil lit involves an effort by a private party to correct specific harms. Criminal prosecution, brought by gov, can lead to imprisonment and criminal fines.

Term: Who prosecutes criminal laws?
Definition: Department of Justice in the federal government. For states, the state attorney general and local officials (district attorney) usually have criminal prosecutorial power.

Term: What are administrative enforcement actions?
Definition: These are carried out pursuant to the statutes that create and empower an agency, such as the FTC.

Term: Where are the rules found for agency enforcement actions in the federal government?
Definition: The Administrative Procedure Act (APA).
Term: What does the APA contain?
Definition: The APA sets forth basic rules for adjudication within an agency, where court-like hearings may take place before an administrative law judge.

Term: What is the appeals process for agency enforcement actions?
Definition: Federal agency adjudications can generally be appealed to federal court.

Term: True/false: A federal agency may sue a party in federal court, with the agency as the plaintiff in a civil action.
Definition: True.

Term: Which agencies are responsible for medical privacy?
Definition: Office for Civil Rights in the Department of Health and Human Services (HHS), for the Health Insurance Portability and Accountability Act (HIPAA)

Term: Which agencies oversee financial privacy?
Definition: Consumer Financial Protection Bureau for financial consumer protection issues generally; federal financial regulators such as the Federal Reserve and the Office of Comptroller of the Currency, for institutions under their jurisdiction under the Gramm-Leach-Bliley Act (GLBA)

Term: Which agencies are responsible for educational privacy?
Definition: Department of Education for the Family Educational Rights and Privacy Act.

Term: Which agencies oversee telemarketing and marketing privacy?
Definition: Federal Communications Commission (along with the FTC) under the Telephone Consumer Protection Act and other statutes.

Term: Which agencies are responsible for workplace privacy?
Definition: Equal Employment Opportunity Commission for the Americans with Disabilities Act and other anti-discrimination statutes.
Term: Which agency plays a leading role in federal privacy policy development and administers the Safe Harbor agreement between the US and EU?
Definition: Department of Commerce.

Term: Which federal department has been increasingly active in privacy, negotiating internationally on privacy issues with other countries/multinational groups such as the UN and OECD?
Definition: State Department.

Term: Which agency is responsible for transportation companies under its jurisdiction and for enforcing violations of Safe Harbor agreement between US and EU?
Definition: Department of Transportation.

Term: What is the name of the lead agency for interpreting the Privacy Act of 1974?
Definition: US Office of Management and Budget (OMB)

Term: What are some of the other functions of the OMB?
Definition: OMB also issues guidance to agencies and contractors on privacy and information security issues, such as data breach disclosure and privacy impact assessments.

Term: To which agencies does the Privacy Act of 1974 apply?
Definition: Federal agencies and private sector contractors to those agencies.

Term: Which Department is subject to privacy rules concerning tax records, including disclosures of such records in the private sector?
Definition: Internal Revenue Service (IRS)

Term: Describe one way in which other parts of the Department of Treasury are also involved with financial records issues.
Definition: They are involved in money-laundering rules at the Financial Crimes Enforcement Network.
Term: What are some of the privacy issues faced by the Department of Homeland Security?
Definition: E-Verify program for new employees, rules for air traveler records (Transportation Security Administration), and immigration and other border issues (Immigration and Customs Enforcement)

Term: What agencies are affected by the increasing development of smart grid?
Definition: Smart grid development is making privacy an important issue for the electric utility system, involving the Department of Energy.

Term: Which agency is affected by the increasing use of Unmanned Aerial Vehicles (drones)?
Definition: The surveillance implications have raised issues for the Federal Aviation Administration (FAA).

Term: True/false: Almost every agency in the federal government is or may soon become involved with privacy in some manner within that agency's jurisdiction.
Definition: True.

Term: What is the sole federal agency to bring criminal enforcement actions which can result in imprisonment or criminal fines?
Definition: Department of Justice.

Term: Name one statute that provides for both civil and criminal enforcement.
Definition: HIPAA.

Term: Where a statute provides for both civil and criminal enforcement, how is jurisdiction apportioned?
Definition: Procedures exist for the roles of both HHS and the Department of Justice (in HIPAA's case).

Term: When was the FTC founded?
Definition: 1914
24-a / 24-b

Term: For what purpose was the FTC founded?
Definition: The FTC was founded to enforce antitrust laws.

Term: What changes to the FTC mission were made in 1938?
Definition: A statutory change caused the FTC mission to shift to a consumer protection focus.

Term: True/false: Today, the FTC focuses on both antitrust law enforcement and consumer protection issues.
Definition: True.

Term: True/false: Today's FTC does not include privacy and computer security as an important part of its work.
Definition: False.

Term: What does it mean that the FTC is an "independent" agency?
Definition: It is governed by the decisions of its chairman and four other commissioners, instead of falling under the direct control of the president.

Term: What is the single most important piece of US privacy law?
Definition: Section 5 of the FTC Act.

Term: What does Section 5 of the FTC Act state?
Definition: "Unfair or deceptive acts or practices in or affecting commerce are hereby declared unlawful."

Term: Does FTC Act Section 5 say anything specifically about privacy or information security?
Definition: No.

Term: True/false: The application of Section 5 to privacy and information security is clearly established today.
Definition: True.

Term: What marks the beginning of the FTC's enforcement of privacy violations?
Definition: The Fair Credit Reporting Act of 1970.
25-a / 25-b

Term: When did the FTC begin bringing privacy enforcement cases under its powers to address unfair and deceptive practices?
Definition: During the 1990s.

Term: Name the ways in which Congress added privacy-related responsibilities to the FTC over time.
Definition: The Children's Online Privacy Protection Act (COPPA) of 1998 and the Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act of 2003.

Term: What does Section 6 of the FTC Act do?
Definition: It vests the commission with the authority to conduct investigations and to require businesses to submit investigatory reports under oath.

Term: To what does FTC Act Section 5 apply and not apply?
Definition: It applies to "unfair and deceptive practices in commerce" and does not apply to nonprofit organizations. Its powers also do not extend to certain industries, such as banks and other federally regulated financial institutions, as well as common carriers such as the transportation and communications industries.

Term: What other issues does the FTC retain authority over?
Definition: In addition to the authority granted under Section 5, the FTC retains separate and specific authority over privacy and security issues under other federal statutes.

Term: Until the creation of which agency did the FTC issue rules and guidance for the Fair Credit Reporting Act and Gramm-Leach-Bliley Act?
Definition: Consumer Financial Protection Bureau (CFPB).

Term: What amended the Fair Credit Reporting Act?
Definition: The Fair and Accurate Credit Transactions Act of 2003.

Term: What authorities does the CFPB hold?
Definition: Authority to issue rules and guidance for the FCRA and GLBA; it shares enforcement authority with the FTC for financial institutions that are not covered by a separate financial regulator.
26-a / 26-b

Term: Who is the rule-making and enforcement agency for COPPA?
Definition: FTC.

Term: With which agency does the FTC share rule-making and enforcement power under the Telemarketing Sales Rule and the CAN-SPAM Act?
Definition: The FCC.

Term: With which agency does the FTC share rule-making and enforcement power for data breaches related to medical records under the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009?
Definition: HHS.

Term: Describe the FTC's regulation-issuing authority.
Definition: The FTC has general authority to issue regulations to implement protections against unfair and deceptive acts and practices.

Term: Because the FTC's regulations on unfair and deceptive acts are not promulgated under the usual procedures of the Administrative Procedure Act, how are they handled?
Definition: Any such regulation must comply with the more complex and lengthy procedures under the Magnuson-Moss Warranty Federal Trade Commission Improvement Act of 1975.

Term: True/false: As of recently, the FTC has not put forth any privacy or information security regulation under its Magnuson-Moss authority.
Definition: True.

Term: Describe the situation surrounding the FTC and APA rule-making authority.
Definition: The FTC has supported congressional proposals to provide the FTC with APA rule-making authority; such proposals have not been successful to date, in part due to opposition from companies that are against increased regulation.

Term: What begins the typical FTC enforcement action?
Definition: A claim that a company has committed an unfair or deceptive practice OR has violated a specific consumer protection law.
27-a / 27-b

Term: In what ways can the enforcement action be brought to the FTC's attention?
Definition: 1. Press reports covering the questionable practices; 2. complaints from consumer groups or competitors.

Term: What options might the FTC exercise if the complaint is minor?
Definition: The FTC may work with the company to resolve the problem without launching a formal investigation.

Term: In what situations will the FTC proceed to full enforcement?
Definition: Where the violation is significant or there is a pattern of noncompliance.

Term: What are some actions allowed under the FTC's broad investigative authority?
Definition: 1. Subpoenas of witnesses; 2. civil investigative demands; 3. requirements for businesses to submit written reports under oath.

Term: What may the commission do after an investigation?
Definition: The commission may initiate an enforcement action if it has reason to believe a law is being or has been violated. It issues a complaint.

Term: What happens after the commission issues a complaint?
Definition: An administrative trial can proceed before an administrative law judge (ALJ).

Term: Can the Administrative Law Judge's opinion be appealed?
Definition: Yes, it can be appealed to the five commissioners.

Term: Can the decision of the five commissioners on appeal be appealed?
Definition: Yes, it can be appealed to the federal district court.

Term: When does an order by the commission become final?
Definition: 60 days after it is served on the company.

Term: True/false: The FTC can assess civil penalties.
Definition: False; the FTC lacks authority to assess civil penalties.
28-a / 28-b

Term: What can the FTC do if its ruling is ignored?
Definition: It can seek civil penalties in federal court of up to $16,000 per violation and can seek compensation for those harmed by the unfair or deceptive practices.

Term: True/false: Each violation of such an order is treated as a separate offense.
Definition: True.

Term: True/false: Each day the violator fails to comply with the order is considered a separate offense.
Definition: True.

Term: What can the court do if consumers are harmed by the act or practice?
Definition: The court can order "redress" or mandate an injunction against a violator.

Term: Can additional penalties be assessed if a company does not respond to a complaint or order?
Definition: Yes.

Term: How have FTC privacy enforcement actions been settled in practice?
Definition: Through consent decrees and accompanying consent orders.

Term: What is a consent decree?
Definition: In a consent decree, the respondent does not admit fault, but promises to change its practices.

Term: Where are consent decrees posted?
Definition: Publicly on the FTC's website.
29-a / 29-b

Term: What can the details of these consent decrees be used to do?
Definition: The details of these decrees provide guidance about what practices the FTC considers inappropriate.

Term: Once an individual or company has agreed to a consent decree, what can violations of that decree lead to?
Definition: Following an FTC investigation, it can lead to enforcement in the federal district court, including civil penalties as discussed above.

Term: What can the federal court grant?
Definition: It can grant injunctions and other forms of relief.

Term: Which FTC division monitors and litigates violations of consent decrees in cooperation with the Department of Justice?
Definition: The FTC's Enforcement Division within the Bureau of Consumer Protection.

Term: True/false: Consent decree terms vary depending on the violation.
Definition: True.

Term: What does the consent decree usually state?
Definition: What affirmative actions the respondent needs to take and which practices the respondent must refrain from engaging in.

Term: What does the consent decree require of the respondent?
Definition: To maintain proof of compliance with the decree; inform all related individuals of the consent decree obligations; provide the FTC with confirmation of its compliance with the decree; and inform the FTC if company changes will affect the respondent's ability to adhere to its terms.

Term: Can FTC respondents face civil penalties for noncompliance with a consent decree?
Definition: Yes.
30-a / 30-b

Term: What are companies increasingly subjected to or required to do in privacy cases?
Definition: Companies are subject to periodic outside audits or reviews of their practices, or they may be required to adopt and implement a comprehensive privacy program.

Term: True/false: Over time, consent decrees have become more specific in nature.
Definition: True.

Term: What do the company and the FTC have an incentive to do?
Definition: Both have incentives to negotiate a consent decree rather than proceed with a full adjudication process.

Term: Why would the company have incentives to negotiate?
Definition: The company avoids a prolonged trial, as well as negative, ongoing publicity; it also avoids the details of its business practices being exposed to the public.

Term: Why would the FTC have incentives to negotiate?
Definition: It (1) achieves a consent decree that incorporates good privacy and security practices, (2) avoids the expense and delay of a trial, and (3) gains an enforcement advantage, because monetary fines are much easier to assess in federal court if a company violates a consent decree.

Term: What methods were used before the FTC began to use consent decrees in privacy cases?
Definition: The FTC's Bureau of Consumer Protection negotiated such decrees for other consumer protection issues under Section 5 of the FTC Act.

Term: True/false: Review of nonprivacy decrees can be instructive for lawyers or others who seek to understand the FTC's approach to and priorities for consumer protection consent decrees.
Definition: True.

Term: What motivated the FTC and Commerce Department to begin convening public workshops and conducting other activities to highlight the importance of privacy protection on websites?
Definition: An increase in commercial activity on the Internet that became significant in the mid-1990s.
31-a / 31-b

Term: When did organizations begin to post public privacy notices on their websites?
Definition: Mid-1990s.

Term: What purpose do privacy notices serve?
Definition: They help inform customers about how their PI is being collected and used, and also help with enforcement.

Term: How do privacy notices help with enforcement?
Definition: If a company promised a certain level of privacy or security on a company website or elsewhere, and the company did not fulfill its promise, then the FTC considered that breach of promise a "deceptive" practice under Section 5 of the FTC Act.

Term: Is there an omnibus federal law requiring companies to have public privacy notices?
Definition: No. Sector-specific statutes such as HIPAA, GLBA, and COPPA impose notice requirements.

Term: What does California require of companies and organizations doing in-state business?
Definition: To post privacy policies on their websites.

Term: Where there is no legal requirement to do so, do the vast majority of commercial websites post privacy notices?
Definition: Yes, according to an FTC survey conducted in 2000.

Term: What does the FTC investigate when a company posts a privacy notice?
Definition: Whether they adhere to their own policies; if not, the FTC will bring an enforcement action for deceptive trade practices.

Term: What was the first FTC Internet privacy enforcement action?
Definition: In the Matter of GeoCities, Inc.
32-a / 32-b

Term: What are the facts of the GeoCities case?
Definition: GeoCities operated a website that provided an online community through which users could maintain personal home pages. To register and become a member of GeoCities, users were required to fill out an online form that requested PI, with which GeoCities created an extensive info database. GeoCities promised on its website that the collected information would not be sold or distributed without user consent.

Term: What was the basis of the GeoCities action brought by the FTC?
Definition: The enforcement action was for two separate unfair and deceptive practices. First, the FTC alleged that GeoCities misrepresented how it would use info collected from its users by reselling the information to third parties, which violated its privacy notice. Second, GeoCities collected and maintained children's PI without parental consent.

Term: What was the outcome of the GeoCities action?
Definition: GeoCities settled the action and the FTC issued a consent order, which required GeoCities to post and adhere to a conspicuous online privacy notice that disclosed to users how it would collect and use PI. It was also required to obtain parental or guardian consent before collecting information from children 12 years of age or under.

Term: When did the FTC bring an action against Eli Lilly & Co?
Definition: 2004.
33-a / 33-b

Term: What are the facts of the Eli Lilly & Co case?
Definition: Eli Lilly is a pharmaceutical manufacturer that maintained a website where users would provide PI for messages and updates reminding them to take their medication. The website included a privacy notice that made promises about the security and privacy of the info provided. When Eli Lilly ended the program, it sent subscribers an e-mail announcement, inadvertently addressed to and revealing the e-mail addresses of all subscribers.

Term: What was the basis of the enforcement action against Eli Lilly by the FTC?
Definition: It resulted in settlement terms, which required Eli Lilly to adhere to representations about how it collects, uses and protects user information. It also required, for the first time in an online privacy and security case, that Eli Lilly develop and maintain an information privacy and security program.

Term: Before the Eli Lilly case, what had the FTC required of companies?
Definition: Only that they stop the current unfair and deceptive practices; after the settlement, it became clear that the scope of settlement terms had expanded to include implementation and evaluation of security programs.

Term: When did the FTC bring an enforcement action against Microsoft Corp?
Definition: In 2002.
34-a / 34-b

Term: What was the basis of the FTC action against Microsoft?
Definition: The action concerned MS's security representations about info collected through its "Passport" website service. The FTC alleged that representations of high-level online security were misleading because the security of the PI was within the control, not of MS, but of MS's vendors and business partners. The FTC also asserted that the Passport service collected and shared more info than disclosed in its privacy notice and claimed that the access controls for the children's website were inadequate.

Term: What are the facts of the Microsoft action?
Definition: MS Passport was an online service that allowed customers to use a single sign-in to access multiple web services. MS made claims about the high level of security used to protect users' personal and financial information, as well as Passport's parental controls for its children's services.

Term: How did the Microsoft action resolve?
Definition: MS settled the action with the FTC. MS was prohibited from making future misrepresentations about the security and privacy of its products and was required to adopt and implement a comprehensive information security program. MS was required to undergo a biannual third-party audit to ensure compliance with its program terms.

Term: What is the focus of early privacy and security enforcement actions?
Definition: Deceptive practices.

Term: What did the FTC add to its enforcement scope in 2004?
Definition: Unfair practices, as well as the previously enforced deceptive practices.

Term: Where is the scope of the term "unfairness" clarified?
Definition: In a 1980 policy statement and in 1994 amendments to the FTC Act.
35-a / 35-b

Term: What three things are required for an injury to be considered "unfair"?
Definition: The injury caused must be (1) substantial, (2) without offsetting benefits, and (3) one that consumers cannot reasonably avoid.

Term: What was the first instance of the FTC basing an enforcement action on a company's material change to its PI-handling practices, as well as the first privacy case based on unfairness?
Definition: In the Matter of Gateway Learning Corp, in 2004.

Term: What are the facts of Gateway?
Definition: Gateway Learning Corporation marketed and sold popular educational aids under the "Hooked on Phonics" product line. Its website privacy notice stated that Gateway Learning would not sell, rent, or loan any PI without explicit customer consent. It also stated that Gateway would provide consumers with an opportunity to opt out of having their info shared if this practice changed. Gateway then began renting personal customer info to third-party marketers and advertisers without providing the opt-out. It later revised its website privacy notice to allow for disclosing to third-party advertisers and continued to rent consumer information without providing notice to customers about the change in policy.

Term: What was the outcome of the Gateway case?
Definition: The consent decree stated that the retroactive application of material changes to the company's data sharing policy was an unfair trade practice. The settlement prohibited Gateway from sharing any PI collected from users under its initial privacy notice unless it obtained an affirmative opt-in from users. It also required Gateway to relinquish the money earned from renting consumer info.

Term: In what 2005 enforcement action did the FTC allege that a company did not engage in reasonable security practices to protect the personal and financial information of its consumers?
Definition: In the Matter of BJ's Wholesale Club, Inc.

Term: What security flaws caused the enforcement action against BJ's?
Definition: The complaint stated that BJ's failed to encrypt the information and failed to secure wireless networks to prevent unauthorized access, among other security lapses.
36-a / 36-b

Term: What are the facts of the BJ's case?
Definition: The security flaws caused substantial injury to consumers and resulted in almost eight hundred cases of customer identity theft.

Term: What was the outcome of the BJ's case?
Definition: In the settlement, the consent decree required BJ's to implement a comprehensive infosec program, including regular audits. This was the first time the FTC alleged only unfair, and not deceptive, practices as the basis of a privacy or infosec case.

Term: What did BJ's establish for all future FTC enforcement case scopes?
Definition: The FTC established its view that failing to implement basic security controls to protect consumer info alone constitutes an enforceable unfair trade practice, without any need for the FTC to allege deception. Even without heightened security requirements under sector-specific statutes (HIPAA, COPPA, GLBA), companies now face potential enforcement action based on the FTC's Section 5 unfairness authority.

Term: True/false: More recent actions indicate the FTC's willingness to impose stringent information-handling practices.
Definition: True. In addition to consent decrees with Google and Facebook, in 2010 Twitter entered a consent decree promising to protect privacy and security and to implement a comprehensive security program subject to outside audit.

Term: What were the charges in the FTC's 2010 case against Google?
Definition: The charges were that Google engaged in deceptive trade practices and violated its own privacy policies with the launch of its Google Buzz social networking service.

Term: What are the facts of the Google case?
Definition: Google Buzz was a social networking service integrated with Google's e-mail service, Gmail. When it launched, consumers were automatically enrolled in Buzz services without having to provide consent. Buzz also exposed PI harvested from Gmail to the public without making this clear to users. These actions conflicted with Google's privacy notice on its site.
37-a / 37-b

Term: What were the FTC's assertions in its charges?
Definition: The FTC alleged that automatic enrollment without prior notice and explicit consent was a deceptive trade practice. It also asserted that Google was in violation of the US-EU Safe Harbor Framework, which provides a method for US companies to transfer personal data from the EU to the US in compliance with EU data protection requirements.

Term: Name one reason the Google settlement was noteworthy.
Definition: This consent decree was the first in which a company agreed to implement a "comprehensive privacy program." As of 2012, it was not clear what exact elements a "comprehensive" program should contain. However, the term "comprehensive" seems to signal that the FTC believes privacy should be thoroughly integrated with product development and implementation. To enforce this, Google agreed to undergo independent third-party privacy audits on a biannual basis.

Term: Name a second reason the Google settlement was noteworthy.
Definition: The Google consent decree was the first substantial US-EU Safe Harbor enforcement by the FTC. The complaint stated that Google had represented it would use PI only for the purposes for which it was initially collected or consented to by users. The complaint stated that Google violated Section 5 and failed to live up to its promise to comply with the notice and choice principles of Safe Harbor.

Term: When did the FTC settle an enforcement action for deceptive practices with Facebook?
Definition: 2011.
38-a / 38-b

Term: What did the FTC's 8-count complaint allege, among other things, against Facebook?
Definition: FB deceived consumers by repeatedly making changes to services so that information designated as private was made public. This violated promises FB made in its privacy notice.

Term: What did the FB settlement require?
Definition: It required FB to provide users with clear notice and obtain user consent before making retroactive changes to material privacy terms, and barred FB from making any further deceptive privacy claims. FB was also required to establish and maintain a comprehensive privacy program. FB must obtain biannual independent third-party audits of its privacy program for the next 20 years.

Term: What does the FB case indicate?
Definition: Broader government efforts to hold companies accountable for information handling practices.

Term: In what year did the Obama administration issue a report titled "Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy"?
Definition: Early 2012.

Term: What report did the FTC issue that, together with the Obama framework, illustrates the evolution from earlier methods of privacy enforcement to current approaches?
Definition: "Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers."

Term: What was the FTC's primary method of enforcement used in the late 1990s?
Definition: The "notice and choice approach": emphasis was placed on having companies provide privacy notices on their websites and offering choice to consumers about whether info would be shared with third parties. Enforcement actions were based on deception and the failure to comply with a privacy promise rather than specific, tangible harm to consumers.
39-a / 39-b

Term: What enforcement method was adopted by Chairmen Muris and Majoras in the mid-2000s?
Definition: The "harm-based model", used in the Gateway and BJ's cases; it placed new emphasis on addressing substantial injury, as required under the FTC's unfairness authority.

Term: When did the FTC begin to include the requirement of a comprehensive privacy program in consent decrees?
Definition: Under Chairman Leibowitz in 2009, as referenced in the Obama and FTC reports of 2012.

Term: The Obama report defines the "Consumer Privacy Bill of Rights" for commercial uses of personal data as encompassing what 7 rights?
Definition: 1. Individual control; 2. transparency; 3. respect for context; 4. security; 5. access and accuracy; 6. focused collection; 7. accountability.

Term: Define "individual control."
Definition: Consumers have a right to exercise control over what personal data companies collect from them and how they use it.

Term: Define "transparency."
Definition: Consumers have a right to easily understandable and accessible information about privacy and security practices.

Term: Define "respect for context."
Definition: Consumers have a right to expect that companies will collect, use, and disclose personal data in ways that are consistent with the context in which consumers provide the data.

Term: Define "security."
Definition: Consumers have a right to secure and responsible handling of personal data.

Term: Define "access and accuracy."
Definition: Consumers have a right to access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data is inaccurate.
40-a / 40-b

Term: Define "focused collection."
Definition: Consumers have a right to reasonable limits on the personal data that companies collect and retain.

Term: Define "accountability."
Definition: Consumers have a right to have personal data handled by companies with appropriate measures in place to assure they adhere to the Consumer Privacy Bill of Rights.

Term: What does the Obama report recommend regarding these 7 rights?
Definition: That they be included in federal legislation, with the use of multistakeholder processes to develop enforceable codes of conduct until legislation is passed, and with emphasis on achieving international interoperability, including trans-border cooperation on privacy enforcement (utilizing the FTC).

Term: What 3 areas does the FTC emphasize as themes?
Definition: 1. Privacy by Design; 2. simplified consumer choice; 3. transparency.

Term: What is Privacy by Design?
Definition: Companies should promote consumer privacy throughout their organization and at every stage in the development of their products and services. Companies should incorporate substantive privacy protections into their practices, such as data security, reasonable collection limits, sound retention and disposal practices, and data accuracy.

Term: What is Simplified Consumer Choice?
Definition: Companies should simplify consumer choices; they don't need to provide choice before collecting and using consumer data for practices that are consistent with the context of the transaction or the company's relationship with the consumer, or that are required or specifically authorized by law. Where appropriate, companies should offer the choice at a time and in a context in which the consumer is making a decision about his/her data.

Term: When should companies obtain affirmative express consent?
Definition: Before (1) using consumer data in a materially different manner than claimed when the data was collected, or (2) collecting sensitive data for certain purposes.

Term: What is Transparency?
Definition: Privacy notices should be clearer, shorter and more standardized to enable better comprehension and comparison of privacy practices. Companies should provide reasonable access to the consumer data they maintain; the extent of access should be proportionate to the sensitivity of the data and the nature of its use.
41-a / 41-b

Term: What are the FTC's five priority areas for attention?
Definition: 1. Do Not Track; 2. mobile; 3. data brokers; 4. large platform providers; 5. promoting enforceable self-regulatory codes.

Term: What does "Do Not Track" encompass?
Definition: The FTC has encouraged industry to create a mechanism for consumers to signal if they do not wish to be tracked for online behavioral advertising purposes.

Term: True/false: The FTC encourages greater self-regulation around location and other mobile-related services.
Definition: True.

Term: What is the FTC's priority around data brokers?
Definition: The FTC supports targeted legislation to provide consumers with access to info held about them by data brokers who are not already covered by the Fair Credit Reporting Act.

Term: Explain the FTC's prioritization of large platform providers.
Definition: The FTC is examining special issues raised by very large online companies that may do what the FTC calls "comprehensive" tracking.

Term: What provisions do most states have in place?
Definition: Each state has a law roughly similar to Section 5 of the FTC Act, commonly known as Unfair and Deceptive Acts and Practices (or UDAP) statutes.

Term: In addition to covering unfair and deceptive practices, what do some state statutes allow?
Definition: Enforcement against "unconscionable" practices, a contract law term for a range of harsh seller practices.

Term: Who enforces UDAP statutes?
Definition: State attorneys general, who serve as the chief legal officers of each state.
42-a / 42-b

Term: What do some federal statutes, such as CAN-SPAM, allow state attorneys general to do?
Definition: To bring enforcement actions along with relevant federal agencies; some states also allow private rights of action under their state UDAP laws, so individuals can bring suit against violators.

Term: What has driven the recent prominence of state enforcement of info sec lapses?
Definition: Data breach notifications.

Term: What has happened since CA passed the first breach notification law in 2002?
Definition: Almost every state has passed a similar breach notification law, many of which require orgs to furnish the state attorney general with reports about breaches when they occur. They also impose enforcement responsibility on state attorneys general if the breach notification reveals the implementation of inadequate security controls.

Term: States have other specialized statutes protecting privacy in what other sectors?
Definition: Medical, financial, and workplace.

Term: What is happening on a state level in relation to the smart grid?
Definition: State public utilities commissions have started to set rules for PI collected in connection with the smart grid.

Term: True/false: State common law is not a source of privacy enforcement.
Definition: False. Plaintiffs can sue under the privacy torts, which traditionally have been categorized as intrusion upon seclusion, appropriation of name or likeness, publicity given to private life, and publicity placing a person in a false light. Plaintiffs may also sue under a contract theory in some situations.
43-a

Term: Give an example of when someone could sue under state common law on a contract theory.

Term: Which project helps coordinate the work of state attorneys general?

Term: What are three ways that self-regulation can occur?

Term: To what does legislation in self-regulation refer?

Term: To what does enforcement in self-regulation refer?

Term: To what does adjudication in self-regulation refer?
43-b

Definition: When a physician, financial institution or other entity holding sensitive information breaches a promise of confidentiality and causes harm.

Definition: The National Association of Attorneys General Consumer Protection Project, which works to improve the enforcement of state and federal consumer protection laws by State Attorneys General, as well as multistate consumer protection enforcement efforts. It also promotes info exchange among the states with respect to investigations, litigation, consumer education, and both federal and state legislation.

Definition: It can occur through the 3 traditional separation of powers components: legislation, enforcement and adjudication.

Definition: Legislation refers to the question of who should define appropriate rules for protecting privacy.

Definition: Enforcement refers to the question of who should initiate enforcement actions.

Definition: Adjudication refers to the question of who should decide whether a company has violated the privacy rules and with what penalties.
44-a

Term: True/False: For enforcement under Section 5 of the FTC Act or state UDAP laws, self-regulation only occurs at the legislation stage.

Term: Describe how self-regulation occurs under Section 5 of the FTC Act.

Term: Give an example of a self-regulatory system that goes through all 3 stages without government agency involvement.

Term: Give examples of third-party privacy seal and certification programs that provide assurances that companies are complying with self-regulatory programs.

Term: True/false: The US - EU Safe Harbor Framework requires participating companies to name a compliance third party.

Term: COPPA authorizes the FTC to confirm what?
44-b

Definition: True.

Definition: A company writes its own privacy policy or an industry group drafts a code of conduct that companies agree to follow. Under Sec 5, the FTC can then decide whether to bring an enforcement action, and adjudication can occur in front of an administrative law judge, with appeal to federal court. Although it's called "self-regulation", a government agency is involved at the enforcement and adjudication stage.

Definition: The PCI DSS provides an enforceable security standard for PCI; the rules were drafted by the Payment Card Industry Security Standards Council, which built on previous rules written by the various credit card companies. Compliance with the standard requires hiring a third party to conduct security assessments and detect violations; failure to comply can lead to exclusion from Visa, MasterCard or other major payment card systems, as well as penalties of $5,000 to $100,000 per month.

Definition: TRUSTe, Better Business Bureau.

Definition: True.

Definition: That certification programs are in compliance with the law.
45-a

Term: What is the DAA and how does its icon program serve as a self-regulatory effort?

Term: True/false: The future of the DAA's self-regulatory program is closely linked to ongoing policy debates about whether and how a Do Not Track program will be instituted.

Term: Is the US moving closer to the EU model of external regulation or closer to the self-regulatory model?

Term: Name one trend and one example of cross-border enforcement.

Term: What is the focus/content of the OECD's 2007 Recommendation?

Term: What are member countries asked to do by the 2007 OECD Recommendation?

Term: In response to the OECD Recommendation, what did the FTC do?

Term: What is the purpose of the GPEN?
45-b

Definition: Digital Advertising Alliance is a coalition of media and advertising organizations; it developed an icon program to inform consumers about how they can exercise choice with respect to online behavioral advertising.

Definition: True.

Definition: Self-regulatory model, which allows the industry with greater expertise about their systems to create, establish and enforce the rules. The White House emphasizes a multistakeholder approach, including the consumer groups and other stakeholders outside the industry.

Definition: Trend: enforcement agencies in different countries must engage in closer cooperation. Example: In 2007, the OECD adopted the Recommendation on Cross Border Co-operation in the Enforcement of Laws Protecting Privacy.

Definition: It focuses on the need to address common privacy issues on a global scale, rather than focusing on country-by-country differences in law or enforcement power.

Definition:
1. Discuss the practical aspects of privacy law enforcement cooperation.
2. Share best practices in addressing cross-border challenges.
3. Work to develop shared enforcement priorities.
4. Support joint enforcement initiatives and awareness campaigns.

Definition: The FTC, along with enforcement authorities globally, established the Global Privacy Enforcement Network (GPEN) in 2010.

Definition: To promote cross-border information sharing as well as investigation and enforcement cooperation among privacy authorities around the world.
46-a

Term: Name another cross-border enforcement cooperation effort.

Term: True/false: the FTC is not a CPEA participant.

Term: When can cross-border conflicts arise?

Term: Give an example of a cross-border conflict.

Term: What did the International Chamber of Commerce release in early 2012?

Term: True/false: there is uncertainty about the extent to which the EU and other jurisdictions will bring enforcement actions against companies that operate only in the US.
46-b

Definition: Asia-Pacific Economic Cooperation (APEC). The APEC Cross-border Privacy Enforcement Arrangement (CPEA) aims to establish a framework for participating members to share info and evidence in cross-border investigations and enforcement actions in the APJ region; it also facilitates cooperation and communication between APEC and non-APEC members.

Definition: False.

Definition: When the privacy laws in one country prohibit disclosure of information, but laws in a different country compel disclosure.

Definition: The US generally permits a greater range of discovery in litigation than EU courts, with a party to the litigation in the US potentially facing fines or contempt of court if it does not produce records. In contrast, the EU Data Protection Directive and laws of EU member states may prohibit disclosure of the same records.

Definition: A policy statement entitled "Cross-border Law Enforcement access to Company Data - Current Issues Under Data Protection and Privacy Law." It highlights problems that may arise when law enforcement compliance requirements conflict with data protection and privacy commitments, provides analysis of these issues, and recommendations for law enforcement bodies facing these challenges.

Definition: True.
47-a

Term: Which companies are subject to the EU data laws?

Term: What does the 1998 Data Protection Directive say about whether a non-EU company is subject to enforcement there?

Term: What are other options for multinational corporations with an EU presence?

Term: Where are the limits on trans-border data flows found?

Term: What did the EU Council introduce in early 2012?

Term: What does Article 3 of the draft Data Protection Regulation suggest?
47-b

Definition: Companies with assets and employees in the EU, who also operate in the EU, are subject to the EU data protection laws.

Definition: It is ambiguous. Companies wishing to transfer data from the EU to the US have various lawful options. They - and other multinational corporate entities with a presence in Europe - may draft binding corporate rules (BCR), subject to review and authorization by member states.

Definition: Participation in the US - EU Safe Harbor program; using contracts for data export that have been approved by a data protection authority.

Definition: In Articles 25 and 26 of the Data Protection Directive.

Definition: A draft Data Protection Regulation with provisions that would replace the Data Protection Directive.

Definition: It has language suggesting that EU law applies to online sellers who operate only in the US: "The Regulation applies where processing activities are related to (a) the offering of goods or services to such data subjects in the Union, or (b) the monitoring of their behavior; this Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where the national law of a Member State applies by virtue of public international law."