Privacy Law Answer Book (2018 Edition)

by Debevoise & Plimpton LLP, Jeremy Feigelson

Copyright: 2017

Product Details

  • ISBN Number: 9781402429781
  • Page Count: 540
  • Number of Volumes: 1

Privacy Law Answer Book answers key questions related to the evolving collection, use, and storage of consumers’ personal information.

The Q&A-formatted guide makes clear sense of the patchwork of federal, state and international laws and regulations, with expert guidance on privacy policies, COPPA, financial privacy, medical privacy, and more.

Edited by Jeremy Feigelson (Debevoise & Plimpton LLP), the Answer Book will help readers keep clients and companies one step ahead of the data privacy challenges of tomorrow.
  • Foreword
  • Preface
  • Table of Contents
  • Table of Abbreviations
Chapter 1: Overview of U.S. Information Privacy Law
  • The Basics
  • Definitions
  • Q 1.1 : What is information privacy law?
    • Q 1.1.1 : What types of information do information privacy laws protect?
  • Q 1.2 : How does information privacy law define “personally identifiable information”?
  • Q 1.3 : What is “sensitive information”?
  • Q 1.4 : What is “non-personal information”?
  • Q 1.5 : What is a “persistent identifier”?
  • General Principles for Privacy Policies and Practices
  • Q 1.6 : When should a company design its information privacy policies and practices?
  • Q 1.7 : What are the general principles that a company must keep in mind when designing its information privacy policies and practices?
  • Notice
  • Q 1.8 : How should a company provide notice to users of its information privacy practices?
  • Consumer Choice and Consent
  • Q 1.9 : What does “consumer choice and consent” mean?
    • Q 1.9.1 : When must a company provide users with a choice concerning the use of their PII?
    • Q 1.9.2 : When is consumer consent to a company’s information practices required?
  • Access and Review
  • Q 1.10 : What access to their PII must a company provide to consumers?
  • Data Security
  • Q 1.11 : What should a company do to keep customer data secure?
  • Enforcement
  • Q 1.12 : What types of actions constitute violations of information privacy laws?
    • Q 1.12.1 : Which agencies take enforcement action against privacy violations?
  • Privacy by Design
  • Q 1.13 : What is privacy by design?
    • Q 1.13.1 : What are the basic principles of privacy by design?
    • Q 1.13.2 : How should a company implement privacy by design?
  • Legislative and Regulatory Framework
  • Federal Regulation
  • Q 1.14 : What laws does the United States have concerning information privacy?
    • Q 1.14.1 : What are “general applicability” laws?
  • Q 1.15 : What is the FTC?
    • Q 1.15.1 : What authority does the FTC have to regulate privacy or bring privacy enforcement cases?
  • Q 1.16 : What are “unfair” acts or practices?
  • Q 1.17 : What are “deceptive” acts or practices?
  • State Regulation
  • Q 1.18 : What state laws apply to information privacy issues?
  • Industry-Specific Regulation
  • Q 1.19 : What types of industry-specific laws apply to information privacy issues?
  • Technology-Specific Regulation
  • Q 1.20 : Are there any information privacy laws that apply specifically to audio-visual products?
  • Q 1.21 : Are there any information privacy laws or guidelines that apply specifically to mobile devices and applications?
  • Foreign Regulation
  • Q 1.22 : Do other countries have laws about information privacy with which U.S.-based companies must comply?
  • Guidance and Best Practices
  • Privacy Certifications
  • Q 1.23 : What are privacy certifications, and are they necessary?
  • Industry Guidelines and Codes of Conduct
  • Q 1.24 : In addition to federal and state law, what guidance on information privacy should companies review and consider?
    • Q 1.24.1 : What best practices are included in the FTC report Protecting Consumer Privacy in an Era of Rapid Change?
    • Q 1.24.2 : What guidance is provided by the White House’s “Consumer Privacy Bill of Rights”?
  • Social Media
  • Q 1.25 : What privacy concerns are raised for a company that integrates social media into its business plans?
  • Future Outlook
  • Q 1.26 : What does the future hold for information privacy laws?
Chapter 2: Privacy Policies
  • Overview: Legislative and Regulatory Framework; Best Practices
  • Statutory Requirements
  • Q 2.1 : Is a privacy policy required by law?
  • Posting Requirements
  • Q 2.2 : Where should a company post its online privacy policy?
  • Policy Scope and Content
  • Q 2.3 : If a company operates several websites, can it use the same privacy policy for all of them?
  • Q 2.4 : Is there an “off-the-shelf” privacy policy that a company can use as its own privacy policy?
  • Privacy Policy for Mobile Apps
  • Q 2.5 : Does a company need a separate privacy policy for its mobile applications?
  • Multilayered Policy
  • Q 2.6 : What is a multilayered policy?
  • Privacy Policy Provisions
  • Terms and Disclosures
  • Q 2.7 : What terms should a company include in its privacy policy?
    • Q 2.7.1 : What other disclosures should a company include in its privacy policy?
  • Anticipating Future Information Practices
  • Q 2.8 : Can a company’s privacy policy cover future uses of personal information even though it currently does not use information in those ways?
  • Preparing the Privacy Policy
  • Developing an Initial Draft
  • Q 2.9 : How should a company begin to draft its privacy policy?
    • Q 2.9.1 : Who should participate in the preparation of the privacy policy?
  • Format, Style, Language
  • Q 2.10 : How should a privacy policy be formatted?
  • Revising/Updating the Privacy Policy: Notification and Consent Requirements
  • Q 2.11 : What are the most important considerations for a company when changing or updating its privacy policy?
    • Q 2.11.1 : How should a company notify users of policy changes and (if necessary) obtain consent?
    • Q 2.11.2 : Are companies subject to any legal requirements regarding updating privacy policies?
  • Obtaining User’s Affirmative Consent
  • Generally
  • Q 2.12 : Can a company assume users have consented to its information practices by disclosing them in its privacy policy?
  • Sharing User Information with Vendors/Affiliates
  • Q 2.13 : Does a company need to obtain users’ affirmative consent before sharing their personal information with affiliates or vendors?
  • Sharing User Information for Advertising/Marketing Purposes
  • Q 2.14 : Is a user’s affirmative consent required to share personal information with third parties for advertising or marketing purposes?
  • Sharing User Information for Litigation Purposes
  • Q 2.15 : Is user consent required to produce personal information in connection with litigation or in response to a request or subpoena from the government?
  • Material Changes to the Privacy Policy
  • Q 2.16 : Is affirmative consent from users required each time a company changes or updates its privacy policy?
    • Q 2.16.1 : What is a “material change” to a privacy policy?
  • Q 2.17 : What should a company do if a customer does not consent to the new privacy policy?
  • Sharing User Information in the Event of Merger/Sale
  • Q 2.18 : Is affirmative consent required to transfer personal information to a third party in the event of a merger, sale, or similar transaction?
  • Enforcement of a Privacy Policy
  • Unfair and Deceptive Acts and Practices
  • Q 2.19 : Is a privacy policy enforceable?
    • Government Agency Enforcement Actions
    • Q 2.19.1 : What are common types of enforcement actions brought against companies regarding their privacy policies?
    • Private Actions; Class Actions
    • Q 2.19.2 : What are common types of private actions brought against companies connected to their privacy policies?
Chapter 3: The Children’s Online Privacy Protection Act (COPPA)
  • Overview: COPPA and the COPPA Rule
  • Definitions
  • Q 3.1 : What is COPPA?
  • “Website or Online Service Directed to Children”
  • Q 3.2 : Who is subject to COPPA?
  • Q 3.3 : What is an “online service” under COPPA?
  • Q 3.4 : What factors make a website or online service “directed to children”?
    • Q 3.4.1 : Can a website or online service that is designed for or is frequented by multiple audiences, including children under thirteen, be considered “directed to children”?
    • Q 3.4.2 : What is a “general-audience” website or online service?
    • Q 3.4.3 : Can one part of a website be “directed to children” under COPPA while another part of the same website is not?
    • Q 3.4.4 : Is the use of students’ personal information, as opposed to children’s information, restricted by COPPA?
  • Collection and Disclosure of Personal Information
  • Q 3.5 : What constitutes “personal information” under COPPA?
  • Q 3.6 : What constitutes “collection” of personal information under COPPA?
    • Q 3.6.1 : Does COPPA regulate the collection of personal information about children, or only the collection of personal information from children?
  • Q 3.7 : What constitutes “disclosure” of personal information under COPPA?
  • Obligations for Covered Operators
  • Q 3.8 : What obligations does COPPA impose on operators of sites that collect personal information from children?
  • Operators Not Ordinarily Subject to COPPA
  • Q 3.9 : When is an operator of a general-audience website or online service subject to COPPA, and what are the operator’s obligations in those circumstances?
    • Q 3.9.1 : When is a website operator deemed to have “actual knowledge” that it has collected personal information from children younger than thirteen years old?
  • Q 3.10 : Is the operator of a general-audience website or online service subject to COPPA if it collects personal information from the users of a third party’s child-directed website or online service?
  • Q 3.11 : Does COPPA apply to websites or online services operated by nonprofit organizations?
  • Q 3.12 : Does COPPA apply to foreign-based (non-U.S.) websites or online services?
  • Special Considerations for Child-Directed Websites and Online Services
  • Conduct of Third Parties
  • Q 3.13 : Can an operator of a website or online service that is directed to children be held liable for third parties’ collection of personal information on the operator’s website or online service?
    • Q 3.13.1 : Is an operator of a website or online service that is directed to children required to notify third parties that the site or service is directed to children?
  • Online Advertising Considerations
  • Q 3.14 : How can online advertising trigger COPPA obligations?
    • Q 3.14.1 : Are there uses of persistent identifiers that are acceptable under COPPA?
  • File Uploading/Sharing
  • Q 3.15 : Does permitting children to upload files to or share personal information on a child-directed website or online service trigger COPPA obligations?
  • Age Screening
  • Q 3.16 : How might an operator of a website or online service age-screen its users?
  • Q 3.17 : Can an operator of a child-directed website or online service age-screen users younger than thirteen years old?
    • Q 3.17.1 : Does COPPA permit an operator of a general-audience website to block all users who are younger than thirteen years old?
  • Q 3.18 : Does an operator of a general-audience website or online service have any obligations under COPPA when children lie about their ages during an age-screening process?
  • Privacy Policies and Direct Notices
  • Generally
  • Q 3.19 : What information must a website or online service that is directed to children include in its privacy policy?
  • Q 3.20 : Does COPPA require operators to create a separate privacy policy on the collection of information from children?
  • Privacy Policy Posting Requirements
  • Q 3.21 : Where and in what manner should a website that is directed to children post links to its privacy policy?
  • Q 3.22 : Where should a child-directed mobile application provide its privacy policy?
  • Direct Notice Requirements
  • Q 3.23 : What is “direct notice” under COPPA, and when is it required?
    • Q 3.23.1 : What constitutes a “material change” in information practices?
  • Q 3.24 : What must be included in a direct notice?
  • Q 3.25 : What methods should be used to deliver direct notice to parents?
  • Verifiable Parental Consent
  • General Requirement
  • Q 3.26 : When must an operator obtain verifiable parental consent?
  • Methods for Verifiable Parental Consent
  • Q 3.27 : What are the methods for obtaining verifiable parental consent?
    • Q 3.27.1 : What is the “email-plus” method for obtaining verifiable parental consent?
    • Q 3.27.2 : Can an operator use consent methods for obtaining verifiable personal consent outside those recommended by the COPPA Rule?
    • Q 3.27.3 : Can an operator of a child-directed website or online service use a third party to obtain verifiable parental consent on the operator’s behalf?
  • No Verifiable Parental Consent Obtained
  • Q 3.28 : What actions must an operator of a child-directed website or online service take if a parent does not respond to a direct notice or give verifiable consent?
  • Q 3.29 : Can an operator of a child-directed website or online service bar access to its website or service if the operator does not receive verifiable parental consent?
  • Q 3.30 : Can an operator of a child-directed website or online service rely upon a school to provide consent to its collection of personal information from students or use or disclosure of such information?
  • Exceptions to Prior Parental Consent
  • Q 3.31 : Are there circumstances in which prior parental consent is not required?
  • “One-Time Contact” Exception
  • Q 3.32 : Under what circumstances might an operator of a child-directed website or online service use the “one-time contact” exception?
    • Q 3.32.1 : How does the “one-time contact” exception work in practice?
  • “Multiple-Contact” Exception
  • Q 3.33 : Under what circumstances might an operator of a child-directed website or online service use the “multiple-contact” exception?
    • Q 3.33.1 : How does the “multiple-contact” exception work in practice?
  • “Support for Internal Operations” Exception
  • Q 3.34 : What constitutes “support for the internal operations of the Web site or online service”?
    • Q 3.34.1 : How does the “support for internal operations” exception to the verifiable parental consent requirement work in practice?
    • Q 3.34.2 : Can any activities other than those expressly listed in the definition of “support for the internal operations of the Web site or online service” be considered activities performed in support for internal operations under the exception?
    • Q 3.34.3 : Does the “support for internal operations” exception permit a website operator or a third party to perform site analytics?
    • Q 3.34.4 : Does the “support for internal operations” exception allow personalized advertisements to be run on child-directed websites?
  • Parental Right of Review
  • Q 3.35 : What rights do parents have to access information collected online from their children?
  • Security Obligations
  • Q 3.36 : What security measures must an operator of a website or online service take to protect children’s personal information?
  • Safe Harbor Programs
  • Q 3.37 : What is the COPPA safe harbor program?
  • Q 3.38 : What is the safe harbor process?
    • Q 3.38.1 : What are the benefits of participation in an FTC-approved COPPA safe harbor program?
    • Q 3.38.2 : Has the FTC approved any COPPA safe harbor programs?
  • Enforcement
  • Generally
  • Q 3.39 : Who enforces COPPA?
  • Q 3.40 : Is there a private right of action under COPPA?
  • Violations/Penalties
  • Q 3.41 : What are the penalties for violation of the COPPA Rule?
  • FTC Enforcement Actions
  • Q 3.42 : What kinds of enforcement actions does the FTC take under COPPA?
  • State Enforcement
  • Q 3.43 : Do the states enforce COPPA?
Chapter 4: Financial Privacy
  • Overview
  • Q 4.1 : What are the principal laws and regulations governing privacy in the financial industry?
  • The Gramm-Leach-Bliley Act
  • The Basics
  • Q 4.2 : What role does the GLBA play in protecting consumer financial privacy?
  • Q 4.3 : What does the GLBA Privacy Rule provide?
  • Q 4.4 : Have agencies issued any official guidance on compliance with the GLBA Privacy Rule on which companies can rely?
  • Individuals and Information Protected by the GLBA
  • Q 4.5 : Whom does the GLBA protect?
    • Q 4.5.1 : Who is a “consumer” for GLBA purposes?
    • Q 4.5.2 : Who is a “customer” for GLBA purposes?
    • Q 4.5.3 : Who is a “former customer” for GLBA purposes?
  • Q 4.6 : What constitutes “nonpublic personal information” under the GLBA Privacy Rule?
    • Q 4.6.1 : What are examples of information that is NPI and information that is not NPI?
    • Q 4.6.2 : Is all personally identifiable financial information covered?
  • Companies Subject to the GLBA
  • Q 4.7 : Which companies must comply with the GLBA Privacy Rule?
  • Q 4.8 : What is a “financial institution”?
    • Q 4.8.1 : What are “financial activities”?
    • Q 4.8.2 : What are some examples of businesses that are considered “financial institutions”?
    • Q 4.8.3 : What are some examples of businesses that are not considered “financial institutions”?
    • Q 4.8.4 : Can web-based companies be financial institutions under the GLBA?
    • Q 4.8.5 : Are law firms financial institutions?
  • Q 4.9 : Are any financial institutions exempt from compliance with the GLBA Privacy Rule?
  • Q 4.10 : If a company is not a financial institution, does it have to be concerned with the GLBA Privacy Rule?
  • Privacy Policies and Notices
  • Q 4.11 : What types of notices are financial institutions required to provide?
    • Q 4.11.1 : Is there an official model privacy notice?
    • Q 4.11.2 : What information must financial institutions include in their privacy notices?
    • Q 4.11.3 : Does a company need to provide annual notice to former customers?
    • Q 4.11.4 : Does a company need to provide consumers with a privacy notice and an opportunity to opt out if it is sharing NPI only with affiliated companies?
    • Q 4.11.5 : Can a company and its affiliates jointly provide a single privacy notice?
    • Q 4.11.6 : Does a company need to provide a different privacy notice for each type of relationship it has with customers?
  • Q 4.12 : How should a financial institution provide its privacy notice?
    • Q 4.12.1 : Where on a company’s website should privacy and opt-out notices be posted?
    • Q 4.12.2 : Must a privacy notice meet any formatting requirements?
  • Q 4.13 : If a company’s privacy notice is lengthy, does it need to send the entire policy to customers or consumers?
    • Q 4.13.1 : What is a short-form privacy notice?
    • Q 4.13.2 : What is a simplified privacy notice?
  • Q 4.14 : When must a privacy notice be delivered?
    • Q 4.14.1 : Are there any exceptions to the requirement to mail customers an annual privacy notice?
  • Opt-Out Notices
  • Q 4.15 : What must a company’s privacy notice say regarding a customer or consumer’s right to opt out of disclosure of NPI?
    • Q 4.15.1 : What is a reasonable amount of time to give consumers and customers to opt out?
    • Q 4.15.2 : What opt-out methods should a company provide to its consumers?
  • Q 4.16 : When can a covered individual opt out?
    • Q 4.16.1 : For how long is an opt-out valid?
  • Q 4.17 : Is there any information that a company may never disclose, even if a consumer does not opt out?
  • Statutory Exceptions to Notice Requirements
  • Q 4.18 : Are there exceptions to a financial institution’s obligations to provide privacy and opt-out notices?
    • Q 4.18.1 : What are the obligations of a company if it only discloses NPI pursuant to a section 13, section 14, or section 15 exception?
    • Q 4.18.2 : What are the obligations of a company if it only discloses NPI pursuant to a section 14 or section 15 exception?
  • Q 4.19 : What kinds of agents or service providers are covered by the section 13 exception?
    • Q 4.19.1 : Does a company need to do anything in particular to qualify for a section 13 exception?
  • Q 4.20 : What does it mean for a company to disclose information in order to “effect, administer, or enforce a transaction” under section 14?
  • Q 4.21 : What does the section 15 exception cover?
  • Reuse and Redisclosure
  • Q 4.22 : Are there limitations on what nonaffiliated third-party recipients may do with NPI that a financial institution provides?
    • Q 4.22.1 : What restrictions exist on the redisclosure of NPI received pursuant to a section 14 or section 15 exception?
  • Enforcement of the GLBA
  • Q 4.23 : Which agencies have enforcement responsibilities for the GLBA Privacy Rule?
  • Q 4.24 : Is there a private right of action to sue for failure to comply with the GLBA?
  • The Fair Credit Reporting Act
  • The Basics
  • Q 4.25 : What is the Fair Credit Reporting Act?
    • Q 4.25.1 : What is a “consumer” under the FCRA?
  • Q 4.26 : What is a “credit reporting agency”?
  • Q 4.27 : What is a “consumer report”?
    • Q 4.27.1 : Is a consumer report limited to nonpublic information?
    • Q 4.27.2 : What is an “investigative consumer report”?
  • Q 4.28 : What is considered personally identifiable information for purposes of the FCRA?
  • Q 4.29 : How does the FCRA limit the use of consumer report information?
  • Duties of Users of Consumer Report Information
  • Q 4.30 : Under the FCRA, does a user of consumer report information owe any duty to the CRA that provides the report?
    • Q 4.30.1 : Does a company have a responsibility to notify a consumer about how it uses his consumer report?
    • Q 4.30.2 : Do users of consumer reports have an obligation to protect the consumer’s information?
  • Q 4.31 : May a user of consumer reports also provide consumer report information to a third party without becoming a CRA?
    • Q 4.31.1 : May a user of consumer reports share consumer report information with its affiliates?
    • Q 4.31.2 : How can “other information” be shared among affiliated companies?
  • Q 4.32 : Do companies that use consumer reports for employment purposes have additional duties?
    • Q 4.32.1 : What other state or federal laws should a company looking to use background check information for employment purposes be aware of?
  • Q 4.33 : Do employers taking adverse action based on non-consumer report information have to notify the employee?
  • Q 4.34 : Are investigative consumer reports treated differently?
  • Q 4.35 : Do furnishers of consumer report information to CRAs have additional obligations under the FCRA?
  • Prescreened Offers of Credit or Insurance
  • Q 4.36 : What is a prescreened offer?
    • Q 4.36.1 : Does the FCRA permit the use of consumer report information to make a prescreened offer?
    • Q 4.36.2 : What is a firm offer of credit?
    • Q 4.36.3 : Can a company combine a firm offer of credit with an offer for products and services?
  • Q 4.37 : What disclosures are users of prescreening services required to make?
    • Q 4.37.1 : What requirements regarding format and content must prescreen opt-out notices meet?
    • Q 4.37.2 : Are there special considerations for electronic prescreened notices?
  • The Affiliate Marketing Rule
  • Q 4.38 : What is the Affiliate Marketing Rule?
    • Q 4.38.1 : What is “eligibility information”?
    • Q 4.38.2 : What does it mean to “make a solicitation”?
  • Q 4.39 : Is Internet marketing considered a solicitation under the Affiliate Marketing Rule?
    • Q 4.39.1 : Can a company market to consumers based on information accessed from a database shared among affiliates?
    • Q 4.39.2 : What is constructive sharing?
  • Q 4.40 : What form of notice is required by the Affiliate Marketing Rule?
    • Q 4.40.1 : Can companies consolidate affiliate marketing notices with notices required by other laws or regulations?
    • Q 4.40.2 : Which affiliate must provide notice?
    • Q 4.40.3 : What content is required in the notice?
    • Q 4.40.4 : For which affiliates is a consumer’s opt-out effective?
    • Q 4.40.5 : Can an opt-out notice be provided in electronic form, and if so, how?
  • Q 4.41 : Are there exceptions to the Affiliate Marketing Rule?
    • Q 4.41.1 : When do a company and a consumer have a pre-existing relationship?
    • Q 4.41.2 : Does a consumer’s response to a free promotional offer create a pre-existing business relationship?
    • Q 4.41.3 : Can servicing rights create a pre-existing relationship with a consumer?
  • The Identity Theft Red Flag Rules
  • Q 4.42 : What are the Identity Theft Red Flag Rules?
    • Q 4.42.1 : What companies are covered by the Red Flag Rules?
  • Q 4.43 : What elements are required in an Identity Theft Prevention Program?
    • Q 4.43.1 : How should a company’s Identity Theft Prevention Program identify relevant red flags?
    • Q 4.43.2 : How should a company’s Identity Theft Prevention Program comply with its obligation to detect red flags?
    • Q 4.43.3 : How should a company’s Identity Theft Prevention Program respond to detected red flags?
    • Q 4.43.4 : What are a company’s obligations with respect to updating its Identity Theft Prevention Program?
    • Q 4.43.5 : What are a company’s obligations with respect to oversight and administration of its Identity Theft Prevention Program?
  • Enforcement of the FCRA
  • Q 4.44 : Which agencies enforce the FCRA?
    • Q 4.44.1 : How do the CFPB and FTC enforce a violation of the FCRA?
    • Q 4.44.2 : Can the CFPB or FTC assess a penalty or fine against a company for a violation of the FCRA?
    • Q 4.44.3 : Can state authorities also enforce the FCRA?
  • Q 4.45 : Is there a private right of action for failure to comply with the FCRA?
  • State Financial Privacy Regulation
  • Q 4.46 : Are there any state laws that protect personal financial information?
  • Q 4.47 : Aren’t state financial privacy laws preempted by the federal laws?
  • Q 4.48 : Do any states impose greater privacy duties on financial institutions than those provided for by federal law?
    • Q 4.48.1 : What is the California Financial Privacy Act (SB1)?
    • Q 4.48.2 : What is New York’s “Cybersecurity Requirements for Financial Services Companies”?
  • Q 4.49 : What are some important considerations regarding state regulation of privacy for companies that do business in multiple states?
  • Payment Card Transactions
  • Overview
  • Q 4.50 : Are there specific financial privacy issues related to payment card transactions?
  • Q 4.51 : Who is involved in a payment card transaction?
    • Q 4.51.1 : Who are card associations?
    • Q 4.51.2 : Who is an issuer bank?
    • Q 4.51.3 : Who is an acquirer bank?
    • Q 4.51.4 : Who is a payment processor?
  • Processing Payment Card Transactions: Authorization; Clearing and Settlement
  • Q 4.52 : How is a payment card transaction processed?
    • Q 4.52.1 : How does the payment card authorization process work?
    • Q 4.52.2 : How does the payment card clearing and settlement process work?
    • Q 4.52.3 : How are the issuer and acquirer paid?
  • Industry Standards
  • Q 4.53 : What responsibilities do parties involved in payment card transactions have?
    • Q 4.53.1 : Are there additional rules that apply to companies that accept payment through e-commerce websites?
  • Q 4.54 : What is the PCI Security Standards Council?
  • Q 4.55 : What do the PCI DSS require?
    • Q 4.55.1 : What are the consequences of noncompliance with PCI DSS?
  • Q 4.56 : Are there additional standards for mobile transactions?
  • Liability
  • Q 4.57 : Who bears the loss for a fraudulent payment card transaction?
  • Q 4.58 : Who bears the loss in the event of a data breach?
Chapter 5: Medical Privacy
  • Introduction
  • Q 5.1 : What is medical privacy?
  • Q 5.2 : What are the principal laws and regulations relating to medical privacy?
  • HIPAA
  • Overview
  • Q 5.3 : What is HIPAA?
    • Q 5.3.1 : What aspects of health information are governed by the Privacy Rule?
    • Q 5.3.2 : . . . by the Security Rule?
    • Q 5.3.3 : . . . by the Breach Notification Rule?
  • Protected Health Information
  • Q 5.4 : How does HIPAA define “health information”?
    • Q 5.4.1 : What information does HIPAA protect?
    • Q 5.4.2 : What is PHI?
    • Q 5.4.3 : What is individually identifiable health information?
    • Q 5.4.4 : What is de-identified health information?
    • Q 5.4.5 : What types of health information are not protected by HIPAA?
  • Entities Subject to HIPAA
  • Q 5.5 : What types of organizations are regulated by HIPAA?
  • Q 5.6 : What is a “covered entity” under HIPAA?
    • Q 5.6.1 : What is a “covered transaction”?
    • Q 5.6.2 : What health plans are covered entities?
    • Q 5.6.3 : What healthcare clearinghouses are covered entities?
    • Q 5.6.4 : What healthcare providers are covered entities?
    • Q 5.6.5 : How can a company determine whether it is a covered entity?
  • Q 5.7 : What is a “business associate”?
  • Obligations of and Relating to Business Associates
  • Q 5.8 : What obligations apply to business associates under HIPAA?
  • Q 5.9 : Under what conditions can a business associate receive PHI from a covered entity?
    • Q 5.9.1 : What conditions must be included in a business associate agreement?
    • Q 5.9.2 : Are there model business associate agreements that a company can use for guidance?
  • Q 5.10 : What are the obligations of subcontractors to a business associate?
  • Q 5.11 : Are covered entities responsible for the HIPAA violations of their business associates and their subcontractors?
  • Use and Disclosure of PHI Under the Privacy Rule
  • Q 5.12 : What restrictions does the Privacy Rule apply to the use or disclosure of PHI?
    • Q 5.12.1 : What is a personal representative?
    • Q 5.12.2 : What is the difference between consent and written authorization?
  • Q 5.13 : When is a covered entity required to disclose PHI?
  • Q 5.14 : When is a business associate required to disclose PHI?
  • Q 5.15 : When is a covered entity or business associate permitted (but not required) to use or disclose PHI?
    • Q 5.15.1 : Can an individual place restrictions on how PHI is used and disclosed by a company for treatment, payment, and healthcare business operations?
    • Q 5.15.2 : Is an individual’s consent required for use or disclosure of PHI for treatment, payment, and healthcare business operations?
    • Q 5.15.3 : Can PHI ever be used or disclosed after an individual has been given an opportunity to object and does not do so?
    • Q 5.15.4 : May additional PHI be used and disclosed incident to an otherwise permitted use or disclosure? If so, under what circumstances?
    • Q 5.15.5 : When is it permissible for PHI to be used and disclosed in the public interest or benefit?
    • Q 5.15.6 : Can a covered entity resist disclosing PHI in response to a subpoena?
    • Q 5.15.7 : Can a covered entity or business associate use and disclose PHI for research, public health issues, or healthcare business operations?
    • Q 5.15.8 : When must a company obtain written authorization to use or disclose PHI?
    • Q 5.15.9 : What are the requirements for a valid authorization?
    • Q 5.15.10 : How are psychotherapy notes treated under HIPAA?
    • Q 5.15.11 : Can a company use or disclose PHI for marketing purposes? What are the requirements to do that?
    • Q 5.15.12 : Can a company sell PHI? What are the requirements to do that?
  • The “Minimum Necessary Standard”
  • Q 5.16 : Can a company use or disclose an individual’s PHI in its entirety, or are there limitations on its use?
    • Q 5.16.1 : Are there any circumstances in which the “minimum necessary standard” is not applicable?
  • Q 5.17 : Are there limitations with respect to which individuals within an organization can access and use PHI?
  • Q 5.18 : What policies are required under the minimum necessary standard?
  • Q 5.19 : Does a company always need to evaluate whether requests for disclosures comply with the minimum necessary standard?
  • : Privacy Notices and Individual Rights5-25
  • Q 5.20 : Must a covered entity provide notice to individuals with respect to the use and disclosure of PHI?5-25
  • Q 5.21 : Must a business associate provide notice to individuals with respect to the use and disclosure of PHI?5-26
  • Q 5.22 : How must notice be provided?5-26
    • Q 5.22.1 : If a company operates in an electronic environment, can it provide HIPAA privacy notices electronically?5-26
    • Q 5.22.2 : Does a company have to provide notice on its website?5-26
    • Q 5.22.3 : Are there model HIPAA privacy notices that a company can use for guidance?5-27
  • Q 5.23 : Does a company need to obtain acknowledgments from individuals that they have received HIPAA privacy notices?5-27
  • Q 5.24 : What rights do individuals have with respect to their PHI?5-27
    • Q 5.24.1 : What rights do individuals have to access their PHI?5-27
    • Q 5.24.2 : What rights do individuals have to amend inaccurate or incomplete PHI?5-28
    • Q 5.24.3 : What rights do individuals have to request an accounting of PHI disclosures?5-28
    • Q 5.24.4 : What rights do individuals have to restrict PHI use or disclosure?5-29
    • Q 5.24.5 : What rights do individuals have to request specific modes of communications regarding PHI?5-29
  • : Privacy Practices5-30
  • Q 5.25 : If a covered entity is a small company and/or has limited resources, is it granted any flexibility in implementing HIPAA privacy practices?5-30
  • Q 5.26 : What are the minimum administrative requirements a company must satisfy?5-30
  • Q 5.27 : Is assistance available to a company in complying with the Privacy Rule?5-32
  • : State Laws5-32
  • Q 5.28 : Does the Privacy Rule preempt state law governing health information privacy?5-32
  • : HIPAA Enforcement and Private Remedies5-33
  • Q 5.29 : Who has enforcement authority for violations of the HIPAA Privacy Rule?5-33
  • Q 5.30 : What are the civil penalties for violating the Privacy Rule?5-34
    • Q 5.30.1 : What is reasonable cause?5-35
    • Q 5.30.2 : What is reasonable diligence?5-35
    • Q 5.30.3 : What is willful neglect?5-35
  • Q 5.31 : What criminal penalties may be imposed in connection with HIPAA violations?5-35
  • Q 5.32 : Is there a private right of action for violations of HIPAA or the Privacy Rule?5-36
Chapter 6: Mobile Privacy
  • The Basics (p. 6-3)
  • Definitions (p. 6-3)
  • Q 6.1: What is mobile privacy? (p. 6-3)
  • Q 6.2: What are mobile applications? (p. 6-3)
  • Q 6.3: Who are the relevant players in the mobile ecosystem? (p. 6-4)
  • Specific Privacy Concerns (p. 6-5)
  • Q 6.4: What privacy concerns does the use of mobile apps raise? (p. 6-5)
  • Personal Information and Other Data (p. 6-5)
  • Q 6.5: Does any PII have a special definition in the mobile ecosystem? (p. 6-5)
  • Q 6.6: What types of persistent identifiers are significant in the mobile ecosystem? (p. 6-6)
  • Regulatory Framework (p. 6-7)
  • Statutory Requirements and Best Practices (p. 6-7)
  • Q 6.7: What is the U.S. legal framework governing mobile information privacy? (p. 6-7)
    • Agency and Industry Guidance (p. 6-8)
    • Q 6.7.1: What formal guidance exists for app developers? (p. 6-8)
  • Q 6.8: Are there additional privacy obligations on a company if its mobile app collects payment information? (p. 6-11)
  • Q 6.9: What restrictions exist on the ability to market mobile apps, or a company’s products and services more generally, via a mobile device? (p. 6-11)
  • Compliance: Privacy by Design (p. 6-12)
  • Q 6.10: What steps should a company take, as a mobile app developer, to ensure that its apps are compliant with privacy law and best practices? (p. 6-12)
    • Q 6.10.1: How should a company implement the FTC’s recommendation of privacy by design in mobile app development? (p. 6-13)
  • Mobile App Privacy Policies (p. 6-13)
  • Generally (p. 6-13)
  • Q 6.11: If a company already has an online privacy policy, is it necessary to have a separate privacy policy for its mobile apps? (p. 6-13)
  • Policy Terms, Disclosures (p. 6-14)
  • Q 6.12: What terms should a company include in its mobile app privacy policy? (p. 6-14)
  • Posting Requirements (p. 6-15)
  • Q 6.13: Where should a company post its mobile app privacy policy? (p. 6-15)
  • Short Form Notices (p. 6-16)
  • Q 6.14: Is a company also required to provide a “Short Form Notice” of its information practices? (p. 6-16)
    • Q 6.14.1: What format should a Short Form Notice take? (p. 6-16)
    • Q 6.14.2: What terms should be included in a Short Form Notice? (p. 6-16)
  • Just-In-Time Disclosures and User Consent (p. 6-17)
  • Requirements (p. 6-17)
  • Q 6.15: When should a mobile application use just-in-time disclosures? (p. 6-17)
    • Q 6.15.1: What is an “unexpected use” of PII? (p. 6-17)
  • Q 6.16: What terms should be included in a mobile application’s just-in-time disclosure? (p. 6-19)
  • Implementation and Compliance (p. 6-19)
  • Q 6.17: What are the consequences of failing to provide users with adequate notice before collecting sensitive information or PII for unexpected purposes? (p. 6-19)
  • Q 6.18: How can an app developer make adequate disclosures about the collection of sensitive information such as a user’s geolocation? (p. 6-20)
  • Q 6.19: Can an app developer rely on just-in-time disclosures provided by the app platform? (p. 6-21)
  • Sharing PII with Third Parties (p. 6-22)
  • Generally (p. 6-22)
  • Q 6.20: May app developers share with third parties the PII that they collect via their mobile apps? (p. 6-22)
  • Requirements (p. 6-22)
  • Q 6.21: If an app developer shares with third parties PII acquired through its mobile app, what are its obligations to the app users? (p. 6-22)
  • “Frictionless” Sharing (p. 6-24)
  • Q 6.22: What kind of disclosure must be made to users if a developer’s mobile app is integrated with social media platforms to automatically share information on users’ actions? (p. 6-24)
  • Retention of PII (p. 6-24)
  • Q 6.23: Are there limitations on an app developer’s right to store the sensitive information it collects? (p. 6-24)
Chapter 7: Digital Workplace Privacy
  • Monitoring of Employees’ Electronic Communications (p. 7-3)
  • Federal Statutes (p. 7-3)
  • Q 7.1: What major federal laws govern whether a company can monitor or access employees’ electronic communications? (p. 7-3)
  • Q 7.2: What are the Electronic Communications Privacy Act and the Stored Communications Act? (p. 7-3)
    • Q 7.2.1: What types of information does the ECPA protect? (p. 7-3)
    • Q 7.2.2: Do the ECPA and SCA prohibit a company from accessing employees’ electronic communications? (p. 7-4)
  • Q 7.3: What is the Computer Fraud and Abuse Act? (p. 7-4)
  • State Laws and Other Protections (p. 7-5)
  • Q 7.4: Are there any state laws concerning the monitoring or access of employees’ electronic communications and online activities? (p. 7-5)
  • Employer Practices and Policies (p. 7-6)
  • Q 7.5: What steps should a company take in order to monitor employees’ electronic communications and online activity? (p. 7-6)
    • Q 7.5.1: What types of electronic resources should a company’s policy address? (p. 7-6)
    • Q 7.5.2: Should a company’s policy apply only to company-provided electronic resources? (p. 7-7)
  • Q 7.6: In what circumstances can a company review an employee’s email mailbox? (p. 7-7)
    • Q 7.6.1: What should a company’s policy state with respect to emails sent and received via a company email address? (p. 7-8)
    • Q 7.6.2: Can a company also access emails sent from a personal device through the company’s email network? (p. 7-8)
    • Q 7.6.3: Can a company access emails sent or received through its employee’s personal, web-based, password-protected email account on work devices? (p. 7-8)
  • Q 7.7: Can a company access employee text messages stored on work-issued mobile devices? (p. 7-9)
  • Q 7.8: Can a company access employee text messages stored on personal mobile devices? (p. 7-10)
  • Q 7.9: What rights does a company have to review and disclose an employee’s communications in the context of litigation or a government investigation? (p. 7-11)
    • Q 7.9.1: Does a company have broader rights to review employee electronic communications if it is investigating potential misconduct on the part of the employee? (p. 7-11)
  • Social Media (p. 7-12)
  • Employer Practices (p. 7-12)
  • Q 7.10: Can a company monitor its employees on social media sites? (p. 7-12)
  • Q 7.11: Can a company ask an employee to provide passwords for personal social media accounts? (p. 7-14)
  • Q 7.12: Can a company provide guidelines for what its employees can or cannot post on social media sites when employees are acting in their professional capacity? (p. 7-14)
  • Q 7.13: Can a company provide guidelines for employees’ personal use of social media? (p. 7-14)
  • Q 7.14: Can a company discipline or take action against an employee based on information the employee posts on a social media site? (p. 7-15)
  • Social Media Posts As Protected Concerted Activity (p. 7-15)
  • Q 7.15: Are an employee’s social media posts about his job considered protected activity under the NLRA? (p. 7-15)
  • Employer Policies (p. 7-17)
  • Q 7.16: Should a company have a social media policy? If so, what information should the policy include? (p. 7-17)
  • Social Media in Employment/Hiring Decisions (p. 7-18)
  • Q 7.17: Can a company use social media to screen potential hires? (p. 7-18)
  • Q 7.18: Can a company require candidates to divulge passwords to private social media networks as a condition of employment? (p. 7-20)
  • Social Media in Discovery and Litigation (p. 7-21)
  • Q 7.19: What steps should a company take with respect to social media if litigation with an employee has commenced or appears likely? (p. 7-21)
  • Bring-Your-Own-Device (BYOD) Programs and Policies (p. 7-21)
  • Q 7.20: What is “BYOD”? (p. 7-21)
    • Q 7.20.1: What are the benefits of adopting a BYOD program? (p. 7-22)
  • Q 7.21: What are the parameters of a typical BYOD program? (p. 7-22)
    • Q 7.21.1: Can an employer that adopts a BYOD program access and review an employee’s personal content stored on any device used for work purposes? (p. 7-23)
    • Q 7.21.2: Is an employer obligated to reimburse employees for costs related to using their own electronic devices for work purposes? (p. 7-24)
    • Q 7.21.3: Is an employer obligated to pay overtime to eligible employees who use personal devices for work-related purposes? (p. 7-25)
  • Q 7.22: What risks are associated with a BYOD program? (p. 7-26)
    • Q 7.22.1: How can a company mitigate the legal risks associated with instituting a BYOD program? (p. 7-26)
    • Q 7.22.2: How can a company mitigate the security risks associated with instituting a BYOD program? (p. 7-27)
  • Q 7.23: Does a company need a separate BYOD policy if it already has a privacy policy relating to workplace electronic devices? (p. 7-28)
    • Q 7.23.1: What information should a company’s BYOD policy include? (p. 7-28)
    • Q 7.23.2: Should a company have employees sign the BYOD policy? (p. 7-31)
  • Tracking Employees’ Location (p. 7-32)
  • Q 7.24: What is location-based tracking? (p. 7-32)
    • Q 7.24.1: Can a company use location-based tracking to monitor the location of its employees? (p. 7-32)
  • Collection of Genetic Information; Genetic Testing (p. 7-33)
  • Q 7.25: Can a company obtain DNA samples from its employees for purposes of workplace investigations? (p. 7-33)
  • Background Checks (p. 7-34)
  • Q 7.26: What steps, if any, must a company take if it would like to obtain a background check? (p. 7-34)
  • Q 7.27: What steps, if any, must a company take if it would like to take an adverse employment action based on information in a background check? (p. 7-35)
Chapter 8: Online Behavioral Advertising and Tracking
  • Overview (p. 8-3)
  • Q 8.1: What is online tracking, and how does it work? (p. 8-3)
  • Q 8.2: What are the differences between OBA and content-based advertising? (p. 8-3)
  • Online Behavioral Advertising (p. 8-4)
  • Q 8.3: What is online behavioral advertising? (p. 8-4)
    • Q 8.3.1: How does tracking work in OBA? (p. 8-4)
    • Q 8.3.2: What information must an operator collect for advertising to be considered OBA? (p. 8-5)
    • Q 8.3.3: Would an operator be liable after a data breach if it had anonymized all of its data by, for example, using UUIDs? (p. 8-6)
  • Regulation, Enforcement, and Compliance (p. 8-6)
  • Generally (p. 8-6)
  • Q 8.4: Which government agencies are active on OBA? (p. 8-6)
    • Q 8.4.1: What statutes govern OBA? (p. 8-7)
    • Q 8.4.2: How does the FTC enforce its restrictions on OBA? (p. 8-7)
  • Best Practices and Industry Guidelines (p. 8-8)
  • Q 8.5: What are the best practices for using OBA? (p. 8-8)
  • Q 8.6: Are there any industry guidelines for OBA best practices? (p. 8-9)
    • Q 8.6.1: What should companies do to comply with the NAI guidelines? (p. 8-10)
    • Q 8.6.2: What should companies do to comply with the DAA principles? (p. 8-10)
    • Q 8.6.3: What should a website operator’s privacy policy say about OBA? (p. 8-11)
  • California Online Privacy Protection Act (p. 8-11)
  • Q 8.7: How does California’s “do not track” law apply to OBA? (p. 8-11)
    • Q 8.7.1: How does an operator know whether California’s laws apply to it? (p. 8-12)
  • Electronic Communications Privacy Act (p. 8-12)
  • Q 8.8: Can consumers bring private suits against companies who use OBA? (p. 8-12)
    • Q 8.8.1: How does the ECPA arguably apply to OBA? (p. 8-12)
    • Q 8.8.2: How can OBA create a liability under ECPA? (p. 8-14)
    • Q 8.8.3: How can an operator reduce the likelihood of an ECPA violation? (p. 8-14)
  • Computer Fraud and Abuse Act (p. 8-14)
  • Q 8.9: How does the Computer Fraud and Abuse Act apply to OBA? (p. 8-14)
  • Children’s Online Privacy Protection Act (p. 8-15)
  • Q 8.10: What OBA concerns are raised for an operator of a website directed to children? (p. 8-15)
    • Q 8.10.1: What must a website operator do to ensure compliance under COPPA with respect to OBA? (p. 8-16)
  • Video Privacy Protection Act (p. 8-16)
  • Q 8.11: Do any specific laws apply to tracking of online user behavior if a website provides video content? (p. 8-16)
    • Q 8.11.1: How does a company know whether the VPPA applies to its website? (p. 8-17)
    • Q 8.11.2: Is anyone who watches a video online a “consumer” protected under the VPPA? (p. 8-18)
    • Q 8.11.3: When does an operator have “knowledge” it is transmitting information under the VPPA? (p. 8-18)
    • Q 8.11.4: How can a website operator reduce the likelihood of a VPPA violation? (p. 8-19)
  • Tracking and Collection of User Data (p. 8-21)
  • Cookies (p. 8-21)
  • Q 8.12: Can website users avoid having their information tracked for OBA? (p. 8-21)
    • Q 8.12.1: May a website operator circumvent software that allows users to block cookies? (p. 8-21)
  • Data Brokers (p. 8-22)
  • Q 8.13: What considerations are raised where an operator enables its OBA by obtaining information from a third party? (p. 8-22)
  • Collection of Information from Multiple Sources (p. 8-22)
  • Q 8.14: What considerations are raised where an operator uses OBA by collecting information from multiple websites or devices? (p. 8-22)
  • Social Media Advertising (p. 8-23)
  • Q 8.15: What OBA opportunities does social media afford? (p. 8-23)
  • Social Context Advertising (p. 8-24)
  • Q 8.16: What is social context advertising? (p. 8-24)
    • Q 8.16.1: What are the relevant privacy considerations when determining whether to use social context advertising on a social media platform? (p. 8-24)
  • Q 8.17: What steps should a company take when advertising on social media to ensure its advertising complies with the right-of-publicity laws? (p. 8-25)
    • Q 8.17.1: What options does an advertiser have if a social media platform’s terms of use do not provide clear disclosure and obtain consent from users? (p. 8-25)
    • Q 8.17.2: If a platform’s terms of use clearly obtain consent for the commercial use of a user’s name or likeness, are potential right-of-publicity concerns eliminated? (p. 8-26)
Chapter 9: Privacy Enforcement and Litigation
  • Federal Trade Commission Enforcement (p. 9-2)
  • The FTC Act, Section 5 Authority (p. 9-2)
  • Q 9.1: What authority does the FTC have to take enforcement action against privacy violations? (p. 9-2)
  • Q 9.2: Can the FTC enforce section 5 against companies in all industries? (p. 9-3)
    • Q 9.2.1: What are the priority areas of enforcement currently for the FTC? (p. 9-4)
  • FTC Investigations (p. 9-5)
  • Q 9.3: If the FTC suspects a company is engaged in deceptive or unfair privacy practices, what does it do? (p. 9-5)
    • Q 9.3.1: How does the FTC decide to launch an investigation? (p. 9-6)
    • Q 9.3.2: Will the FTC provide notice of the alleged violation? (p. 9-6)
    • Q 9.3.3: What should a company do in response to an FTC investigation? (p. 9-6)
    • Q 9.3.4: How long does an FTC investigation take? (p. 9-8)
    • Q 9.3.5: Are investigations by the FTC publicly disclosed? (p. 9-8)
    • Q 9.3.6: What happens if the FTC completes its investigation and determines that no violation has occurred? (p. 9-9)
    • Q 9.3.7: What happens if the FTC completes its investigation and determines that a violation has likely occurred? (p. 9-9)
  • FTC Consent Orders (p. 9-10)
  • Q 9.4: What is a consent order? (p. 9-10)
    • Q 9.4.1: In privacy enforcement actions, what terms does a consent order typically include? (p. 9-10)
    • Q 9.4.2: What amount of civil penalty is typically included in consent orders? (p. 9-11)
    • Q 9.4.3: How long do the requirements in a consent order generally last? (p. 9-11)
    • Q 9.4.4: What are possible consequences of not complying with a consent order or court order? (p. 9-11)
  • FTC Administrative Proceedings (p. 9-13)
  • Q 9.5: What does an administrative proceeding involve? (p. 9-13)
    • Q 9.5.1: What are the possible outcomes of an FTC administrative hearing? (p. 9-14)
    • Q 9.5.2: Can an ALJ’s initial decision be appealed? (p. 9-14)
  • FTC Remedies (p. 9-14)
  • Q 9.6: Can the FTC issue a penalty for a violation of section 5? (p. 9-14)
    • Q 9.6.1: How are civil penalties assessed and imposed? (p. 9-15)
    • Q 9.6.2: Can the FTC obtain civil penalties from third parties? (p. 9-15)
  • Q 9.7: Can the FTC seek consumer redress? (p. 9-15)
  • Q 9.8: Can the FTC bring a criminal action for a violation of section 5? (p. 9-16)
  • Q 9.9: Can the FTC bring an action in court without first conducting an administrative hearing? (p. 9-16)
  • Federal Enforcement Other Than by the FTC (p. 9-16)
  • Q 9.10: What federal agencies other than the FTC bring privacy and data security enforcement cases against companies? (p. 9-16)
  • Enforcement by State Attorneys General (p. 9-18)
  • State UDAP Statutes (p. 9-18)
  • Q 9.11: What authority do state AGs have to take enforcement action with regard to privacy rights? (p. 9-18)
  • Investigation of Suspected Violations (p. 9-18)
  • Q 9.12: If a state AG suspects a violation of a UDAP law, what will the state AG do first? (p. 9-18)
    • Q 9.12.1: What should a company do if it receives CIDs or other legal demand from a state AG? (p. 9-18)
  • Q 9.13: Can a settlement be reached with state AGs before an action is filed in court? (p. 9-19)
  • Enforcement Priorities and Trends (p. 9-19)
  • Q 9.14: Are information privacy and security priorities for state attorneys general? (p. 9-19)
    • Q 9.14.1: How have state AGs been enforcing information privacy and security issues in recent years? (p. 9-19)
  • Government Requests for Data (p. 9-21)
  • Q 9.15: What should a company do if it receives a request from a governmental entity for electronic information it possesses? (p. 9-21)
    • International Considerations (p. 9-22)
    • Q 9.15.1: What should a company do if the information requested is stored outside the United States? (p. 9-22)
  • Q 9.16: What should a company do if it receives a legal request from a law enforcement or regulatory agency in a foreign jurisdiction for information stored in the United States? (p. 9-22)
  • Private Litigation/Class Actions (p. 9-23)
  • Q 9.17: What is a privacy class action? (p. 9-23)
  • Q 9.18: What kind of conduct can give rise to data privacy class actions? (p. 9-23)
  • Q 9.19: What kind of conduct can give rise to data security class actions? (p. 9-24)
  • Statutory Authority (p. 9-24)
  • Q 9.20: Upon which statutory authorities do privacy class action plaintiffs most often rely? (p. 9-24)
  • Litigation Trends (p. 9-25)
  • Q 9.21: What trends are current in the world of privacy class actions? (p. 9-25)
  • Defenses (p. 9-26)
  • Q 9.22: What are the most common defenses to privacy class actions concerning data privacy or data security? (p. 9-26)
    • Q 9.22.1: Is unjust enrichment a viable theory of recovery? (p. 9-26)
  • Establishing Standing (p. 9-27)
  • Q 9.23: How is a plaintiff’s potential lack of standing used to challenge privacy class actions? (p. 9-27)
    • Q 9.23.1: Have any theories proved successful in establishing standing for privacy class action plaintiffs? (p. 9-28)
    • Q 9.23.2: What can a company do to defend itself if the alleged harm is intangible? (p. 9-29)
  • Compensable Injury Under Negligence Standard (p. 9-30)
  • Q 9.24: How are the requirements for negligence used to challenge privacy class actions? (p. 9-30)
  • Class Certification (p. 9-31)
  • Q 9.25: Are putative privacy class actions often certified? (p. 9-31)
  • Settlements (p. 9-32)
  • Q 9.26: What are the typical terms of data privacy class action settlements? (p. 9-32)
  • Q 9.27: What are the typical terms of data security class action settlements? (p. 9-34)
  • Preventative Measures (p. 9-34)
  • Generally (p. 9-34)
  • Q 9.28: Are there any steps that a company can take to minimize the likelihood that it will be the defendant in a privacy class action lawsuit? (p. 9-34)
    • Mandatory Arbitration (p. 9-35)
    • Q 9.28.1: Can a company avoid class actions through mandatory arbitration? (p. 9-35)
  • Cyberinsurance (p. 9-36)
  • Q 9.29: What is cyberinsurance? (p. 9-36)
    • Q 9.29.1: What is first-party cyberinsurance coverage? (p. 9-37)
    • Q 9.29.2: What is third-party cyberinsurance coverage? (p. 9-37)
    • Q 9.29.3: Are there steps a company can take to determine whether purchasing cyberinsurance would be appropriate? (p. 9-38)
Chapter 10: Global Privacy Laws; and Appendix 10A
  • The Global Landscape (p. 10-3)
  • International Privacy Standards and Principles (p. 10-3)
  • Q 10.1: Are there any global or international standards or principles of data privacy? (p. 10-3)
    • Q 10.1.1: Have any international bodies sought to create global or international standards of data privacy? (p. 10-4)
  • Q 10.2: What laws govern data privacy and transfers of data from one country to another? (p. 10-6)
  • Enforcement (p. 10-6)
  • Q 10.3: How does enforcement of privacy laws vary around the globe? (p. 10-6)
  • FIGURE 10-1: Global Data Transfer Issues by Region (p. 10-7)
  • Penalties (p. 10-8)
  • Q 10.4: What are the consequences of a breach of data privacy laws? (p. 10-8)
  • Concepts of Global Privacy Laws (p. 10-10)
  • Covered Activities (p. 10-10)
  • Q 10.5: What activities are covered by data privacy and protection laws? (p. 10-10)
  • Covered Entities (p. 10-11)
  • Q 10.6: Are all businesses treated the same under global privacy laws? (p. 10-11)
  • Other Definitions (p. 10-12)
  • Q 10.7: What is “personal data”? (p. 10-12)
  • Q 10.8: What is meant by a data subject’s “consent”? (p. 10-14)
  • Q 10.9: What is meant by data access and data rectification? (p. 10-15)
  • Regulation of Businesses (p. 10-15)
  • Registration Requirements (p. 10-15)
  • Q 10.10: Does a business need to register to handle personal data? (p. 10-15)
  • Data Protection Officer Requirement (p. 10-16)
  • Q 10.11: Does a business need to appoint a data protection officer (DPO)? (p. 10-16)
  • Breach Notification (p. 10-17)
  • Q 10.12: Which countries require breach notification? (p. 10-17)
  • Employee Monitoring (p. 10-19)
  • Q 10.13: What rules apply to employee monitoring? (p. 10-19)
  • Online Sales and Marketing (p. 10-20)
  • Q 10.14: What issues arise for businesses conducting online sales and marketing? (p. 10-20)
  • European Union Privacy Law (p. 10-21)
  • EU Directive (p. 10-21)
  • Q 10.15: What is the EU framework for data protection and privacy? (p. 10-21)
    • Q 10.15.1: What are the principles of EU data protection laws? (p. 10-21)
    • Q 10.15.2: In what countries does EU data privacy law apply? (p. 10-23)
    • Q 10.15.3: What authorities enforce the EU data protection laws? (p. 10-24)
    • General Data Protection Regulation (p. 10-24)
    • Q 10.15.4: What changes are coming in EU data protection law? (p. 10-24)
  • International Data Transfers (p. 10-26)
  • Q 10.16: How can a business transfer personal data from the EU to other countries? (p. 10-26)
    • Q 10.16.1: What are the applicable derogations that permit transfers of personal data outside the EU? (p. 10-26)
    • Q 10.16.2: How and when are transfers of personal data outside the EU permitted by data transfer agreements or binding corporate rules? (p. 10-27)
  • Q 10.17: What are the current standards for data transfers between the EU and the United States? (p. 10-27)
    • EU-U.S. Privacy Shield Framework (p. 10-28)
    • Q 10.17.1: Under the Privacy Shield framework, what are an EU individual’s rights and legal remedies? (p. 10-28)
    • Q 10.17.2: How do EU and U.S. authorities cooperate to oversee and enforce the Privacy Shield framework? (p. 10-29)
    • Q 10.17.3: What requirements does the Privacy Shield framework impose on Participants? (p. 10-29)
    • Q 10.17.4: Does the Privacy Shield framework address EU concerns about possibilities under U.S. law for public authorities to access personal data being transferred? (p. 10-30)
  • “Brexit” Consequences (p. 10-31)
  • Q 10.18: How will the United Kingdom’s exit from the EU affect data protection law within the United Kingdom? (p. 10-31)
  • The Right to Be Forgotten (p. 10-31)
  • Q 10.19: What is the “right to be forgotten”? (p. 10-31)
  • Canadian Privacy Law (p. 10-32)
  • Q 10.20: Are there specific provisions of Canadian privacy law that U.S. businesses should be aware of? (p. 10-32)
  • PIPEDA (p. 10-32)
  • Q 10.21: Generally, what does Canada’s PIPEDA require? (p. 10-32)
    • Q 10.21.1: What is the jurisdictional coverage of PIPEDA, and are there sanctions for failure to comply? (p. 10-33)
    • Q 10.21.2: Under what circumstances would U.S. persons be exempt from PIPEDA? (p. 10-33)
    • Q 10.21.3: What are U.S. businesses’ responsibilities with respect to safeguarding and retaining personal information? (p. 10-34)
  • Privacy Act (p. 10-34)
  • Q 10.22: Generally, what does Canada’s federal Privacy Act require? (p. 10-34)
  • Provincial Privacy Legislation (p. 10-35)
  • Q 10.23: What are some of Canada’s provincial laws that a company might be subject to? (p. 10-35)
  • Asia-Pacific Privacy Law (p. 10-35)
  • Q 10.24: What are the main challenges for businesses operating in Asia-Pacific? (p. 10-35)
  • Q 10.25: Are there regional data privacy rules in Asia-Pacific, as in Europe? (p. 10-36)
  • Q 10.26: What are the main features of national data privacy and protection laws in Asia-Pacific? (p. 10-36)
  • Q 10.27: What enforcement provisions are important for companies doing business in Asia to consider? (p. 10-38)
  • Appendix 10A: Global Data Protection Regulations (p. App. 10A-1)
  Index
All Contents Copyright © 1996-2017 Practising Law Institute. Continuing Legal Education since 1933.

© 2017 PLI PRACTISING LAW INSTITUTE. All rights reserved. The PLI logo is a service mark of PLI.