Enforcement of U.S. Privacy and Security Laws Flashcards Preview


Flashcards in Enforcement of U.S. Privacy and Security Laws Deck (34)

What is Civil Litigation?

Occurs in courts when one person sues another person to redress a wrong.


What types of relief may a person seek in civil litigation?

1. Monetary Judgment
2. Injunction


When may a person sue based on a violation of law?

When a law creates a private right of action (ex. FCRA)


What is Criminal Litigation?

Lawsuits brought by the government for violations of criminal laws.


What types of punishment are typically associated with Criminal Litigation?

1. Imprisonment
2. Criminal Fines


Who initiates Criminal Litigation?

1. DOJ
2. State attorneys general


What are Agency Enforcement Actions?

Actions carried out pursuant to the statutes that create and empower an agency.


What is the Administrative Procedure Act?

An act laying out the basic rules for agency enforcement actions.


What Act and Agency(ies) govern Medical Privacy?

Agencies - OCR and CMS (both roll up to HHS)


What Act and Agency(ies) govern Financial Privacy?

Agencies - CFPB, OCC, FED
Act - GLBA


What Act and Agency(ies) govern Education Privacy?

Agencies - Dept. of Education
Act - Family Educational Rights and Privacy Act


What Act and Agency(ies) govern Telemarketing and Marketing Privacy?

Agencies - FCC and FTC
Act - Telephone Consumer Protection Act and other statutes


What Act and Agency(ies) govern Workplace Privacy?

Agencies - EEOC and other agencies
Act - ADA and other statutes


Which Acts give the FTC power to govern privacy issues?

1. FTC Act Section 5
3. Children's Online Privacy Protection Act (COPPA)
4. Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM)
5. Telemarketing Sales Rule


What incentives do a company and the FTC have to negotiate a consent decree rather than proceed with full adjudication?

1. Achieves a consent decree that incorporates good privacy and security practices
2. Avoids the expense and delay of trial
3. Gains an enforcement advantage, because fines are easier to assess in federal court if a company violates a consent decree

1. Avoids a prolonged trial
2. Avoids negative publicity


What is considered "unfair"?

An injury that is:
1. Substantial
2. Without offsetting benefits
3. One that consumers cannot reasonably avoid


Unfair Case: Gateway

Facts: Gateway's privacy policy stated that it would not sell, rent, or loan PI without explicit consent. Gateway stated that if the practice changed, it would provide customers an opportunity to opt out. Gateway started renting PI to third parties without providing the opt-out.


Unfair Case: BJ's Wholesale Club

Facts: BJ's failed to encrypt PI and secure its wireless networks to prevent unauthorized access. Hundreds of customers' identities were stolen. Established that failing to implement basic security controls to protect PI is an unfair trade practice.


Unfair Case: Google

Google Buzz automatically enrolled consumers and provided personal information to the public. This was in conflict with Google's privacy notice.


Unfair Case: Facebook

Facts: Facebook repeatedly made public personal information that had been designated private. This was in violation of Facebook's privacy notice.


What are the Consumer Privacy Bill of Rights?

1. Individual Control
2. Transparency
3. Respect for Context
4. Security
5. Access and Accuracy
6. Focused Collection
7. Accountability


What areas did the FTC Report emphasize?

1. Privacy by Design
2. Simplified Consumer Choice
3. Transparency


What five priorities did the FTC announce for attention?

1. Do Not Track
2. Mobile
3. Data Brokers
4. Large Platform Providers
5. Promoting enforceable self-regulatory codes


How do states enforce against unfair and deceptive practices?

Most states have laws similar to Section 5 of the FTC Act. These laws are commonly known as UDAP statutes. In addition to covering unfair and deceptive practices, some states allow enforcement against unconscionable practices.


Who enforces UDAP laws?

State attorneys general


How does self-regulation occur?

Through the three traditional separation-of-powers components: (1) legislation, (2) enforcement, and (3) adjudication


What does legislation refer to?

To the question of who should define the appropriate rules for protecting privacy.


What does enforcement refer to?

To the question of who should initiate enforcement actions.


What does adjudication refer to?

To the question of who should decide whether a company has violated the privacy rules, and with what penalties.


Where does self-regulation occur with Section 5 of the FTC Act and state UDAP laws?

At the legislation stage - companies write their privacy policies.