State Laws Flashcards Preview

CIPP/US - Complete > State Laws > Flashcards

Flashcards in State Laws Deck (14)
Loading flashcards...


Similar to CalOPPA.

Must post privacy policy if working with kids, and can't use PII to market alcohol, tobacco, tattoos, fireworks, piercings, etc to kids.


CalOPPA (CA) - What is it?

1st law in nation to include websites, including mobile apps, to conspicuously post a privacy policy if they collect PII from CA residents. 2013


CalOPPA (CA) - Disclosure Requirements (4)

Must disclose:
- categories of PII collected
- types of 3rd parties that data can be shared to
- how site responds to Do Not Track signals
- If other parties can collect PII over time when using the site



Investigative Consumer Reporting Agencies Act- stricter than FCRA, requires written consent and includes a person's "character." Also requires that people can request a copy of the report, and a copy must be provided if adverse action is taken (regardless of whether you requested the copy)



Confidentiality of Medical Information Act- broader definition of contractor than HIPAA (eg, you're considered a contractor if you made the healthcare software, phone apps with health data, etc)


SB-1 (CA)

AKA Financial Info Privacy Act- limits financial data sharing to 3rd party partners


SB-1386 (CA)

If you store any customer data, you must notify CA residents of breaches.


Do Not Track Law (CA)



Massachusetts Personal Information Security Regulation

All parties that own or license PI of MA residents must encrypt all PI stored on laptops or other portable devices, as well as in transit when wireless or public networks.


MA State 201 CMR 17

Most prescriptive breach law in nation.

Establishes minimum PI safeguards for physical and electronic records.Basically have to have an ISO-style compliance program and report breaches.

If the breach includes credit/debit #s, the financial institutions must report, too.


TN SB 2005

1st state to require notification of any breach, whether encrypted or not. Original bill exempted encrypted data.

45 days to notify of breach


IL HB 1260

"Personal Info Protection Act," or PIPA

PII = PHI, PI, email, address, passwords, security questions, biometric data

Limits encryption safe harbor if the keys were likely exposed or compromised


CA AB 2828

Requires notification of breached encrypted data, in addition to unencrypted data.


NM HB 15

Breach notification law

PII includes biometrics, like fingerprints and voice prints

Includes encrypted data if keys were likely compromised, and unencrypted data.

45 days to notify