CIPP/US: the whole exam on one page

Introduction to Privacy

What privacy is

• 1890 Warren and Brandeis, "The Right to Privacy" (Harvard Law Review) - defined privacy as "the right to be let alone."
• Terminology by region: U.S. = "privacy law" (also data/information privacy); EU = "data protection law." Same field.

Four classes of privacy (I-B-T-C)

Historical origins

• 1361 Justices of the Peace Act (England) - arrest of "peeping Toms" and eavesdroppers; 1765 Lord Camden barred warrantless home searches.
• U.S. Constitution (1789): does NOT contain the word "privacy" - inferred from 3rd (quartering), 4th (search warrants), 5th (self-incrimination), 14th (due process) Amendments.
• California Constitution: EXPRESSLY guarantees privacy, added by ballot measure November 1974 (Art. 1, Sec. 1).
• 1948 UN Universal Declaration of Human Rights; 1950 European Convention on Human Rights Article 8 (private life, home, correspondence).

Fair Information Practices (FIPs / FIPPs)

Since the 1970s, the main way to organize rights and responsibilities. Four categories:

FIP codifications - the framework table

IT and the rise of data protection law - two firsts in 1970

Context: 1960s mainframes drove surveillance fears (Orwell's 1984, "Big Brother").

Categories of data

Personal information / PII

Data that identifies an individual; applies to both electronic and paper records.

Sensitive personal information

Subset needing extra safeguards: SSNs, financial info, driver's license numbers, health information.

Nonpersonal (deidentified / anonymized)

Identifiers removed; privacy laws generally do not apply.

Pseudonymized

Held under codes - only temporarily nonpersonal and reversible (can reidentify).

The personal / nonpersonal line - IP addresses

Static IPs and IPv6 push the line toward "identifiable."

Sources of personal information

Same name and address can be all three at once - handling depends on the source.

Processing and data roles

Processing

Almost anything done with data - collect, store, use, disclose, combine, erase, destroy.

Data subject

The individual the data is about.

Data controller

Decides how and why data is processed - focus of most obligations.

Data processor

Acts on controller's behalf; "business associate" under HIPAA. Cannot process beyond what the controller permits.

Sources of privacy protection (4)

• Markets - consumer/brand pressure
• Technology - e.g., encryption, works even where law/markets are weak
• Law - traditional approach
• Self-/co-regulation - policies, industry codes

Models of data protection

Seal programs (self-regulation) - FTC-recognized COPPA seals: CARU, ESRB, iKeepSafe, kidSAFE, PRIVO, TrustArc.

U.S. Legal Framework

Three branches and sources of law

Sources of U.S. law: constitutions (federal + state), legislation, case law, contract law, tort law, agency regulations, consent decrees. A single privacy obligation can come from more than one. (Voluntary self-regulatory codes are NOT a primary source.)

Constitutions and privacy

• U.S. Constitution (1787) never uses the word "privacy." The Fourth Amendment limits government searches.
• Supreme Court recognized a privacy right via a penumbra of unenumerated rights + due process.
• Dobbs v. Jackson Women's Health (2022) overturned Roe v. Wade; said to be limited to abortion but raises concern for other penumbra-based rights.
• State constitutions may grant stronger rights; California lists privacy as inalienable; 11 state constitutions expressly recognize privacy.

Legislation and preemption

Both Congress and states legislate. Under the Tenth Amendment, powers not delegated to the federal government are reserved to the states. Key question: does federal law preempt state law (ceiling) or set a floor states may exceed?

Case law, common law, contract, tort

Case law

Final judicial decisions used as precedent.

Stare decisis

"Let the decision stand" - following precedent (can change over time).

Common law

Principles built up in judicial decisions (vs. statute); long protected doctor-patient and attorney-client confidentiality without statutes.

Contract needs offer + acceptance + consideration (no consideration = no contract). Counteroffer ends the original offer. Used for vendor data/security/breach terms.

Torts (civil wrongs), three categories:

Privacy torts date to the 1890s: intrusion on seclusion, public disclosure of private facts, false light, right of publicity. Often met with a First Amendment free-speech defense; courts are not uniform (unsettled).

Regulations, guidance, consent decrees

• Statutes can direct agencies (e.g. FTC and FCC) to issue rules with compliance force - e.g. CAN-SPAM (2003) rules on the opt-out mechanism.
• Agency opinions guide interpretation but don't necessarily carry the weight of law; informal channels (reports, speeches, testimony) show mindset and enforcement priorities, not requirements.
• Consent decree: judge-approved settlement to stop alleged illegal activity, typically without admitting guilt; once approved has the effect of a court decision. FTC has used many (e.g. COPPA), usually requiring payment to the government + future compliance.

Key definitions

Person

Any entity with legal rights - natural (individual) or legal (corporation).

Jurisdiction

Court needs both subject-matter (type of dispute) and personal (over parties) jurisdiction.

Private right of action

A harmed individual can sue the violator directly.

Notice, choice, access

• Notice = description of practices; serves consumer education + corporate accountability. For most industries, notice promises are enforceable by the FTC and the states.
• Privacy notice (external, to consumers) vs privacy policy (internal standards).
• Access = view (and often update/correct) data held; common where info drives substantive decisions (e.g. credit reports).

Regulatory authorities and self-regulation

• FTC - general authority over unfair/deceptive practices (incl. deception actions for broken privacy promises) + specific authority (children's privacy, marketing).
• Sector regulators: banking (CFPB, Federal Reserve, OCC), FCC, DOT, HHS Office of Civil Rights (health).
• Department of Commerce has NO privacy regulatory authority but often leads executive-branch privacy policy.
• State attorneys general enforce, often under state unfair/deceptive-practices laws.
• Under the CPRA, California created the CPPA - first U.S. agency dedicated to a state comprehensive law (like European DPAs).
• Self-regulation: NAI, Association of National Advertisers (formerly DMA), CARU; some government rules expect companies to enroll.

Six keys to understanding any law

1. Who is covered? (scope)
2. What information/uses are covered? (scope)
3. What is required/prohibited? (how to comply)
4. Who enforces? (risk)
5. What if you don't comply? (risk)
6. Why does it exist? (spirit/trends)

Worked example: California SB 1386 (breach notification)

Technological Aspects of Privacy

This chapter is mostly technology, not law - but the exam tests how laws and cases attach to that technology. Watch for the laws/cases woven in: CAN-SPAM, TCPA, CIPA, COPPA, CPRA, HIPAA, GDPR and Carpenter v. United States.

How the internet and web work

• TCP establishes a reliable connection and breaks data into packets; IP sets packet format and addressing (unique IP address). Data moves by packet switching - packets routed independently, reassembled in order. Header routes; payload is content.
• Internet is broader than the web (also email, IP telephony, file sharing, IoT). HTTP/HTML (Berners-Lee, CERN) drive the web; HTTPS encrypts the connection. XML describes the data; HTML describes display.
• URL = protocol + www + domain + top-level domain (.com/.org/.gov/.edu/country code). URLs are a subset of URIs.

Infrastructure: gateways, IPs, architecture, cloud

• Client-server: front end (HTML/CSS/JS) vs back end (databases). Separating them contains a breach. Thick client processes offline; thin client relies on remote processing.
• Cloud: on-demand computing vs on-premises.

• Edge computing: processes data at the network periphery (driven by IoT) to cut data-center cost and latency.

Email, texts and the laws on marketing messages

Tracking, monitoring and surveillance

• Deep packet inspection: a node reads beyond the header (malware scanning, data-leak prevention, ad targeting, censorship - China's Great Firewall). Effective encryption (HTTPS, encrypted email) defeats it (HTTPS/encrypted email surged after the 2013 Snowden disclosures).
• Packet sniffing: captures unencrypted Wi-Fi traffic. Defenses: encrypted Wi-Fi (per-user key), VPN (also covers the ISP), HTTPS.
• HTTP cookies exist because HTTP is stateless. A domain can only read cookies it set.

• First-party data: cookies, UGC, and terms of use. Cookie consent covers only setting cookies; broad rights (selling data, location) come from the terms of use. In CA + EU, give notice before setting cookies.
• Data brokers: obtain, cleanse, license data; scrutinized by the FTC (market >$250B).
• Third-party cookie decline: CPRA (effective January 2023) requires notice + an OPT-OUT for third-party cookies (US opt-out, not EU opt-in). By end-2022, Edge, Firefox, Safari blocked them by default; Chrome "in process."
• Email open tracking: a tracking pixel loads on open - read in plain text to defeat it.
• Cross-device: deterministic (same login) vs probabilistic (inferred from IP, cookies, location, behavior).

Location, sensors and the cases/laws

• Location tech: cell-tower/Wi-Fi triangulation, GPS, photo metadata (auto-stored location).
• Sensors: a RAT (remote access trojan) can hijack camera/mic and disable the in-use light.

Monitoring by authority: US employers may generally monitor internet use/emails on company networks/devices. CIPA requires public schools and libraries to install content filters. Ability to monitor does not make it legal or ethical.

Deidentification

• Differential privacy: math guarantee that the result yields essentially the same inference whether or not any individual's data is included; used in parts of the 2020 Census (dropped in 2022 for complex datasets).
• Linked vs linkable (FTC, Ramirez 2016): PII = data reasonably linkable to a person/computer/device (incl. device IDs, MAC, static IP, loyalty numbers).

Encryption, hashing and signatures

• Encryption = plaintext to ciphertext via a key; protects in transit (man-in-the-middle), at rest, in use. Under most breach laws, encryption at rest creates an exception from the duty to report a breach.

• CA validates identity and issues digitally signed certificates linking a person to a public key; PKI is the surrounding system.
• Hashing = one-way (irreversible); used for pseudonyms + integrity. Unsalted hashes of short values (SSNs) can be defeated by lookup tables - add salt.
• Digital signature: Alice signs with her private key; Bob verifies it's unchanged with her public key.

Cybersecurity foundations

• CIA triad: Confidentiality (no unauthorized access), Integrity (not improperly altered), Availability (accessible when needed - ransomware hits this).
• NIST CSF (2014): guidance, not law. Five Core Functions run concurrently: Identify, Protect, Detect, Respond, Recover.

• Zero trust: trust no actor inside or outside the perimeter; verify everything, encrypt all traffic.
• Least privilege via role-based access controls - often required by the HIPAA Security Rule. Plus defense in depth and security by default.

Information & Privacy Risk Management

The Business Case for Privacy

• Compliance is costly (over $1M/yr per company on GDPR after 2018; ITIF: a 50-state patchwork could cost ~$100B/yr), but mishandling data costs more - IBM 2022 average breach over $4M (higher in health/finance).
• Sensitive data (medical, financial, children's) held to a higher bar.
• Trust drives revenue: Cisco - ~75% of consumers won't buy from a business they distrust with data; Edelman - ethics matter more than competence. Equifax (~150M affected) regained near-pre-breach trust within a year.

Surveillance capitalism

Zuboff's term for collecting data to influence behavior.

Duty of loyalty

Proposed federal-bill duty to act in data subjects' best interests.

Information Management and Privacy Team Roles

Run under a senior leader (the CPO); mixes legal, IT, marketing, HR skills. Westin split the public into three attitude groups: fundamentalists (strong protectors), unconcerned (low worry), and pragmatists (largest, context-dependent, trade privacy for benefit).

Informal: privacy champions (advocates), first responders (front-line during incidents).

Data Life Cycle, Inventory, Classification, Mapping

• Data life cycle: Create → Store → Share/Use → Archive → Delete. Retention/destruction obligations (state data destruction laws, Ch.7) sit at the end.
• Data inventory: document all PI collected/stored/used/disclosed (customer and employee). Documented inventory reduces penalty severity in enforcement; legally required under the GLBA Safeguards Rule (Ch.9).
• Classification by sensitivity sets access clearance + protection; segregating sensitive data limits the blast radius of a breach and over-broad access.

Data Accountability - Controllers, Processors, Encryption

• Limited retention cuts breach risk; some laws require deletion after a period or when purpose ends.
• Data owner assigns sensitivity (confidential, proprietary, sensitive, restricted, public).

The Privacy Program - Four Business Risks

Framework steps: develop → implement → metrics, beginning with a privacy mission statement/vision. Compliance metrics = data subject requests, disclosures, incidents, employees trained, PIA metrics. Beyond compliance = ROI, business resilience, program maturity, trend analysis, resource use.

Privacy Operational Life Cycle (A-P-S-R)

Privacy Policy vs Privacy Notice

Updating: needs legal review + executive approval; review at least annually; use revision dates/version numbers and keep old versions (use data only per the notice in effect at collection).

Delivering Notices

• Layered notice: short top layer + linked full notice (good for small mobile screens).
• Just-in-time notice: at or before the point of collection.
• Privacy dashboard: summary plus user control.
• GLBA requires financial institutions to deliver the notice annually, with clear opt-out rights. HIPAA mandates training for all covered-entity employees.

Consent Models: Opt-In / Opt-Out / No Option

Managing Preferences and Dark Patterns

• Channel symmetry: the marketing channel should be the opt-out channel - CAN-SPAM requires an online opt-out for email (mail/phone-only not acceptable).
• Linking: under GLBA a bank must honor an opt-out across all communications regardless of media used to request it.
• Scope: third-party sharing needs opt-out; affiliate sharing does not. Third-party vendors must honor preferences given to the first organization; consent must be revocable.
• Dark patterns (interfaces that subvert user autonomy) are increasingly barred as valid consent.

Consumer Rights and Requests

• Rights: access, correction (rectification), deletion, portability, against automated decision-making, nondiscrimination - with defined response periods and a right to appeal (then complain to a regulator).
• Statutory access: FCRA (credit reports + rectification), HIPAA (medical records, disputes noted), GDPR, and the Judicial Redress Act of 2015 (qualifying non-U.S. individuals vs a U.S. agency). Absent a statute, access derives from OECD Guidelines / APEC Principles.

Privacy Risk Management, PIAs, Vendors

• Privacy risk = likelihood individuals experience problems from processing × the impact if they occur (NIST framing).
• Privacy harms: loss of self-determination (autonomy, exclusion, loss of liberty, physical harm), discrimination, loss of trust, economic loss.
• PIA (≈ GDPR DPIA): ensures legal conformity, determines risks/effects, evaluates protections; usually combines risk assessment + treatment. The privacy risk assessment weighs privacy impact × likelihood given controls.

Vendor/third-party risk: companies remain responsible for vendor actions; policy claims apply to third parties. Contract protections: confidentiality, no further use, subcontractor flow-down, prompt breach notice, security provisions, return/deletion at end. Due diligence: reputation, finances, SOC 2 (AICPA), disposal per the FACTA Disposal Rule, PCI DSS.

Information Security - CIA Triad and Controls

Confidentiality

Access limited to authorized parties.

Integrity

Data is authentic and complete.

Availability

Data accessible to the authorized as needed.

Data Breach Readiness Assessment

Forward-looking gauge of likelihood and severity of a personal data breach. Factors: type/nature of data (esp. sensitive PI); whether safeguards like encryption or pseudonymization were applied (lower assessed severity); effect on data subjects; potential malicious use; potential substantial physical damage.

Global Perspective and Cross-Border Transfers

160+ nations have significant privacy laws; the GDPR draws the most attention - fines based on worldwide revenue. GDPR-similar laws (China, India, Brazil, Japan, South Korea) are not identical - comply with each regime. Data localization (store/process within borders) is a rising trend.

Federal & State Regulators and Enforcement

The U.S. regulatory model

• Sectoral, not comprehensive - privacy regulated by industry (medical, financial, education), no single omnibus federal law.
• The FTC is the lead privacy enforcer, filling consumer-protection gaps under Section 5.
• All 50 states have UDAP statutes (Unfair and Deceptive Acts and Practices) similar to the FTC Act; absence of a federal comprehensive law makes state enforcement more important.

Three types of legal action

FCRA has a private right of action - a consumer can sue directly, no agency referral needed.

Federal sectoral regulators (who enforces what)

Other actors: DOS (international), DOC (federal privacy policy, EU-U.S. data flows), DOT/FAA/NHTSA (drones, connected cars), IRS/Treasury + FinCEN (tax records, money laundering), DHS (E-Verify, TSA, ICE), DOE (Smart Grid).

FTC Section 5 - the cornerstone

• Independent agency (chair + 4 commissioners); founded 1914 (antitrust), consumer-protection mission added 1938.
• Section 5 bars "unfair or deceptive acts or practices in or affecting commerce" - the single most important U.S. privacy provision (never mentions privacy explicitly).

Landmark cases

FTC enforcement tools

• FTC cannot itself assess civil penalties; seeks them in federal court, up to $50,120 per violation.
• Rulemaking: UDAP trade-rules use the slower Magnuson-Moss (Section 18) process, NOT ordinary APA notice-and-comment; must show the practice is prevalent + unfair/deceptive + economic effects.

Deceptive vs unfair practices

Deceptive practice

A material statement or omission likely to mislead reasonable consumers - includes breaking privacy-notice promises.

Unfair practice

Three-part test: (1) substantial injury (not speculative); (2) not reasonably avoidable; (3) not outweighed by countervailing benefits. No deceptive statement required.

Algorithmic disgorgement is non-monetary, so it survives AMG - increasingly used for AI.

FTC authority beyond Section 5

Future priorities: 2023 Office of Technology; 2022 proposed commercial surveillance rules (Magnuson-Moss); 2020 data portability workshop; 2022 dark patterns report; broadened Section 5 competition vision (no separate market-power showing needed).

State enforcement

• State AGs are the primary privacy enforcers; may join federal actions under HIPAA, GLBA, and CAN-SPAM.
• All 50 states have UDAP statutes; the FTC Act does NOT preempt non-conflicting state UDAP laws. Some reach unconscionable practices; several allow private rights of action.

Comprehensive state laws by end of 2022: California, Colorado, Connecticut, Utah, Virginia. Most reference COPPA for children's consent. They exempt federal sectoral laws via:

Entity-level exemption

Excuses the whole entity subject to a federal law.

Data-based exemption

Excuses only the data regulated by that law (HIPAA, GLBA, FCRA, DPPA).

State breach, SSN, identity-theft and other laws

• California enacted the first breach law in 2002; all 50 states now have one. Many require reports to state AGs.
• Breach-law personal info = name + (1) SSN, (2) driver's license/state ID, or (3) financial account/card number - narrower than comprehensive-law definitions.
• FACTA (2003) amended FCRA and preempted many state credit-report laws, but states kept identity-theft authority; all 50 have identity-theft laws (over half allow restitution).
• Common-law privacy torts: intrusion upon seclusion, appropriation of name/likeness, publicity given to private life, false light.
• DPPA (1994): bars state DMVs from releasing drivers' info without permission.

BIPA (Illinois, 2008): notice + informed consent for biometrics, with a private right of action driving class actions since 2015.

Self-regulation

• Spans legislation, enforcement, adjudication. Under Section 5/UDAP it is only quasi-legislative - industry writes rules but a government agency still enforces and adjudicates.
• PCI DSS = full self-regulatory system (privately drafted + enforced); penalties $5,000-$100,000 per month, can cut a merchant off from card networks.
• Privacy seals / trust marks (BBB, TrustArc) and the DAA / AdChoices icon program (choice over behavioral advertising).

State Comprehensive Privacy Laws

Federal debates: preemption and private right of action

Preemption

Federal statute overrides inconsistent state law (e.g. CAN-SPAM preempts state commercial-email laws).

Private right of action

Lets individuals sue directly rather than relying on a government enforcer.

Data fiduciary duty

Novel proposal: data handlers must act in good faith on behalf of consumers.

California timeline (first mover)

The CPPA (California Privacy Protection Agency) is a dedicated regulator, viewed as California's answer to an EU DPA.

Applicability thresholds (who is a "business" / "controller")

California uses business; the other four use controller. California: $25M annual gross revenue ALONE triggers coverage.

Exemptions: entity-level vs data-based

• Entity-level = whole organization exempt (e.g. nonprofits, higher ed, local government).
• Data-based = only a class of data exempt (e.g. DPPA-covered data) - the rest stays regulated.

Defining "consumer" and "personal information"

• All five protect state residents (not just purchasers).
• Only California includes employees; the other four exclude individuals "acting in a commercial or employment context."
• Personal information = data linkable to an individual. California uniquely adds household and employment data.

Sensitive personal information

All five include: citizenship; genetic/biometric; physical/mental health; race/ethnicity; religion; sexual orientation. Additions:

• Children's data treated as sensitive (opt-in): Colorado, Connecticut, Virginia.
• Geolocation as sensitive: California, Connecticut, Utah, Virginia.
• California adds union membership, philosophical beliefs, content of mail/email/text.

Sale vs California's "sharing"

Exclusions from sale: disclosure to a processor; to fulfill a consumer-requested product/service; consumer-directed disclosures; M&A/bankruptcy asset transfers.

Consumer rights, timelines, and appeal

GDPR-like rights: access, correction, deletion, portability, opt-outs, against automated decisions, sensitive-data, nondiscrimination.

Access / correction / deletion + opt-outs

• Access & deletion: all five. Correction: all except Utah.
• Deletion scope: CO/CT/VA = all held data; CA/UT = only data collected from the consumer. California also must notify service providers/third parties to delete.
• Opt out of sales: all five. Opt out of sharing: California only.
• Opt out of targeting/cross-context behavioral advertising: explicit in CO/CT/UT/VA (CA likely via opt-out of sell/share).
• Right against automated decision-making: all except Utah.

Sensitive-data handling and nondiscrimination

Nondiscrimination (no denial/different price/degraded quality for exercising rights): all five.

Notice and transparency

• Privacy notice + notice of right to opt out: all five.
• Notice at point of collection: California only.
• "Do Not Sell or Share My Personal Information" link and "Limit the Use of My Personal Information" link: California only.

Children's data (age thresholds)

Interacts with COPPA (parental consent generally required under 13).

Purpose limits, risk assessments, security

• Purpose/processing limitation (necessary/proportionate) and risk assessments for heightened-risk processing (targeted ads, selling, sensitive data, certain profiling): California, Colorado, Connecticut, Virginia - NOT Utah.
• Reasonable administrative, technical, physical security: all five (including Utah).

Enforcement, penalties, cure periods, private action

Universal opt-out mechanisms (GPC) - supplement

Universal opt-out mechanism

A browser/device signal opting a consumer out of sale, sharing, or targeted advertising across ALL sites at once, with no per-site request.

Global Privacy Control (GPC)

The leading example of such a signal.

California and Colorado have the most substantive guidance and require businesses to honor these signals. (By end of 2026, others include Texas, Montana, Delaware, Nebraska, New Hampshire, New Jersey, Minnesota, Maryland, Connecticut, Oregon.)

State Breach, Security & Sectoral Laws

All 50 states have breach notification laws; many add data security and data destruction laws. There is no comprehensive federal breach law, so national companies must comply with all 50 state regimes.

No federal breach law - the preemption fault line

• First federal bill: 2003, Senator Dianne Feinstein (CA). None has passed.
• Businesses want fewer requirements + preemption of stricter state laws; privacy advocates want a federal floor matched to the strictest states.

Anatomy of a state breach law

Three building blocks: key terms (personal info, covered entity, security breach), notification (who/when/what/how), enforcement (penalties + private rights).

Personal information (majority)

First name/initial + last name plus one of: SSN, driver's license/state ID, or financial account / card number (often with access code).

~Two-thirds of states add

Medical/health info, biometric data, tax info, mother's maiden name. Almost all states exclude publicly available info.

Covered entity

Does business in-state + maintains computerized personal data. Georgia outlier: limits to information brokers only.

Security breach

Unauthorized access/acquisition compromising confidentiality/security/integrity, where data was not encrypted or rendered unreadable.

Risk-of-harm analysis

Nearly all states: skip notice if harm not reasonably likely. EXCEPT California, Georgia, Illinois, Minnesota, North Dakota, Texas (no risk-of-harm).

Notification requirements

Exceptions and delay

• More stringent law - e.g. HIPAA (healthcare) or GLBA Safeguards Rule (financial).
• Own compatible notice policy.
• Encryption safe harbor - all states have it, but fails if the decryption key is breached too (Illinois explicit).
• Law-enforcement delay - all states allow delay if notice would impede a criminal investigation; not permanent.

Enforcement

• All 50 states: civil penalties. ~1/3 let the AG fine, often capped per breach - $750,000 highest (Michigan).
• Nearly 15 states grant a private right of action, usually capped at actual damages + fees.

State data security laws (~2/3 of states)

No federal all-industry security law; healthcare/financial sectors have federal rules, and the FTC uses Section 5 against deceptive (misrepresented) or unfair (unreasonable) security.

Sector overlays exist; New York has the most prominent.

State data destruction laws (~2/3 of states)

Dispose of personal info so it is no longer readable or decipherable; advances data minimization. No all-industry federal law, but the FTC Disposal Rule covers consumer reports. Common exemptions: GLBA, HIPAA, FCRA.

Sectoral and emerging state laws (supplement)

US in context: some call the US less stringent than the EU (no comprehensive federal laws), but intense US breach focus has often driven more rigorous security programs.

Medical Privacy

Health data is sensitive (body/mind, candor with doctors, anti-discrimination by employers/insurers), yet used heavily for treatment, payment, research, and quality. Key trap: health data is NOT automatically HIPAA-protected - protection depends on WHO holds it.

Major Laws at a Glance

Core HIPAA Definitions

PHI

Individually identifiable health info held by a covered entity/business associate relating to health, care, or payment.

ePHI

PHI in electronic media. Paper, paper-to-paper faxes, and voice phone calls are NOT electronic media.

Covered entity

(1) Health care providers conducting certain electronic transactions, (2) health plans, (3) health care clearinghouses.

Business associate

Performs services using/disclosing PHI for a covered entity (e.g., cloud storage, billing); needs a written BAA.

TPO

Treatment, payment, operations - the purposes HIPAA pre-authorizes without separate authorization.

Deidentified

Via safe harbor (remove 18 listed elements) or expert determination; outside the Privacy Rule.

Privacy Rule Mechanics & Exceptions

• Notices: required at first service delivery (exceptions: indirect treatment, emergencies).
• Authorizations: TPO is free; other uses need opt-in; stricter for psychotherapy notes; treatment can't be conditioned on signing. Face-to-face communications are not marketing.
• Minimum necessary: applies to all except treatment.
• Access/amendment: patient may access/copy/amend designated record set; if amendment denied, patient files a statement included in future disclosures (no lawsuit - no private right of action).
• Exceptions (disclosure without consent): public health, abuse/neglect reporting, judicial/law enforcement, research (IRB-approved or deidentified).
• Post-Dobbs: Rule permits but does NOT require law enforcement disclosures.

Security Rule Specs

Required spec

Must be adopted as written.

Addressable spec

Assess appropriateness; if declined, document why and adopt a reasonable alternative (NOT optional to ignore).

Enforcement & Penalties

• OCR civil penalties up to ~$2 million/year per violation type (Anthem $16M; Premera $6.85M; Banner Health $200K for access).
• DOJ criminal authority, prison up to 10 years.
• 2021 HIPAA Safe Harbor Law: OCR may grant leniency if recognized security practices used the prior 12 months (not automatic immunity).
• Preemption: HIPAA is a federal floor - does NOT preempt stricter state law. Watch entity-exemption vs data-exemption distinction.

HITECH Breach Notification

HITECH also: penalties up to $2M for willful violations (even without knowledge); criminal liability for individuals; limited data sets; cash-paying patients may restrict disclosure to health plan; EHRs may not be sold without patient consent; PHR vendors (apps/wearables) enforced by FTC.

GINA Details

• Targets genetic predisposition absent manifestation of disease; bars insurers from premium adjustments/required testing and employers from using genetic info.
• Amended ERISA (penalty $100/day, min up to $15,000), Public Health Service Act, Social Security Act, Civil Rights Act.
• Employer exceptions (inadvertent, voluntary wellness w/ authorization, FMLA, public sources, toxin monitoring, DNA QC) - info must be kept in separate confidential medical files.
• CalGINA (2011) + other states fill gaps (life insurers, lenders, housing, education).

Telemedicine (COVID-era changes)

• OCR allowed nonpublic-facing videoconferencing (secure log-in) even if not fully HIPAA-compliant - enforcement discretion, not repeal.
• CMS allowed telemedicine reimbursement; DEA suspended the Ryan Haight Act in-person exam rule for controlled substances; IMLC use grew ~50% for cross-state licensing.

2024-2025 Updates

• Tracking technologies: OCR guidance - covered entities sending PHI to third-party trackers (cookies/pixels) can be an impermissible Privacy Rule disclosure. Non-HIPAA firms still bound by FTC Act, even if a third party built the app.
• Warby Parker (Feb 2025): OCR $1.5M penalty for Security Rule failures after a 2018 credential-stuffing attack (~200,000 affected) - no risk analysis, no MFA, no log review.
• HBNR 2024 update: explicitly covers health apps; identify third parties; for 500+ affected, FTC notice simultaneous with consumer notice; electronic notice allowed.
• 42 CFR Part 2 Final Rule (Feb 8, 2024): aligns with HIPAA/HITECH - single consent for future TPO; recipients may redisclose per HIPAA; HIPAA enforcement + Breach Notification Rule apply.
• Reproductive-health Privacy Rule (2024): barred PHI disclosure for lawful reproductive care, but vacated nationwide by a Texas federal judge in June 2025.

Financial Privacy

The Three Pillars + Regulator

FCRA: Three Roles

CRA

Compiles/evaluates info to furnish consumer reports to third parties for a fee (Experian, Equifax, TransUnion + thousands of smaller bureaus).

User

Lender/insurer/employer who uses a report; must have + certify a permissible purpose and give adverse-action notice.

Furnisher

Lender/retailer who feeds data to CRAs; must supply accurate data and handle disputes. An entity can be both user and furnisher.

CRA Duties + Obsolescence

• Provide access + dispute process (reasonable investigation); may withhold credit/risk scores.
• Ensure maximum possible accuracy.
• Drop outdated negatives: account data after 7 years; bankruptcies after 10 years.

Permissible Purpose

A user must certify the permissible purpose AND certify it won't be used for any other purpose. Purposes: written instruction of consumer; credit application/review; employment (only with written permission); insurance underwriting; legitimate business need (consumer-initiated); government license/benefit; child-support; court order/subpoena; prescreened firm offers.

Adverse Action Notices

An adverse action is any negative business/credit/employment decision. No adverse action when a creditor makes a counteroffer the consumer accepts.

Other FCRA Rules

• Furnisher Rule: accuracy + integrity; bars re-aging (moving date of first delinquency later to keep items past the limit).
• Risk-Based Pricing Rule (CFPB + Fed): notify consumers given less favorable terms due to their report. All who use credit scores to make/arrange residential real-property loans must disclose the score to applicants.
• Employment use: clear stand-alone written notice → prior written authorization → certify (incl. no EEO violation) → give report copy + rights summary BEFORE adverse action; adverse-action notice follows after.
• Misconduct investigations are NOT consumer reports if employer follows procedures, uses no credit info, and gives a summary if adverse action taken.
• Investigative consumer report (character via interviews): written disclosure within 5 days of report request (FCRA §606) + notice of right to nature/scope.
• Medical info from CRAs restricted; credit/employment use needs specific written consent.
• Prescreened lists: set criteria in advance, retain 3 years from each offer, include required statement + opt-out.

FACTA Rules: Disposal + Red Flags

GLBA: Privacy Rule + Safeguards Rule

Title V of the 1999 Financial Services Modernization Act; spurred by the U.S. Bancorp/MemberWorks scandal (bank shared account numbers with a telemarketer; $3M settlement). Covers financial institutions "significantly engaged" in financial activities; regulates nonpublic personal information (NPI) - broad enough that even a customer's name is NPI. Penalties up to $100,000/violation (institutions); $10,000 (officers/directors).

Consumer vs Customer

GLBA protects consumers, but many duties (e.g., annual notice) apply only to customers with an ongoing relationship.

Privacy Rule: initial + annual notices; process opt-outs within 30 days; free sharing with affiliates + joint marketing partners; nonaffiliated sharing needs notice + opt-out.

Safeguards Rule (effective 2003, FTC-updated 2021): written information security program with administrative, technical and physical safeguards, scaled to size/complexity. Requires a designated coordinator, written risk assessment, monitoring/testing, vendor oversight, and ongoing adjustment.

FAST Act Annual-Notice Exception (Dec 2015)

Amended GLBA §503: institution may skip the annual notice when both conditions hold - (1) sharing triggers no opt-out right, AND (2) privacy policy unchanged since last notice. Failing either restores the duty.

State Financial Privacy

• California CFIPA (SB-1): requires written opt-in consent ("Important Privacy Choices for Consumers" form) to share with nonaffiliated third parties - stricter than GLBA's opt-out. Negligent: $2,500/consumer up to $500K cap; willful: no cap.
• NY NYDFS Cybersecurity Reg (2017): first state reg beyond GLBA - NIST-aligned, requires CISO, incident response, audit trails. Also BitLicense (2015) for virtual currency custody.

AML / Bank Secrecy Act

The Bank Secrecy Act (BSA) requires an adequate AML program and timely Suspicious Activity Reports. Enforced by banking/financial-crime regulators - OCC + FinCEN, not the FCRA accuracy regulators.

Education & Children's Privacy

Theme: who controls student records (FERPA), who controls children's online data (COPPA/FTC), and how HIPAA, IDEA, PPRA and state laws fit around them.

Major laws at a glance

FERPA core definitions

Student

Anyone who is or has been in attendance (in-person OR internet). Excludes applicants who never enrolled - admission record becomes an education record only once the student matriculates.

Education record

Any record directly related to a student and maintained by/on behalf of the school (grades, financial aid, discipline; any medium incl. email).

PII

Name, family names, address, SSN/student number, DOB/place of birth, or anything that alone or combined identifies the student with reasonable certainty.

Directory information

Info not generally harmful if disclosed; each school defines its own list (name, DOB, address, email, phone, field of study, honors).

Records that are NOT education records

• Campus police records (held for law-enforcement purposes)
• Employment records (where employee is not a student)
• Applicant records (not enrolled)
• Alumni records (created after no longer a student)
• Peer-graded papers before collected/recorded by faculty
• Treatment records (health records, subject to conditions)

Opt-out vs opt-in (classic trap)

Who holds FERPA rights

When disclosure is permitted

• Info is not PII
• It is unblocked directory information
• The rights holder consents
• Disclosure goes to the rights holder
• A statutory exception applies

Valid consent must be signed, dated, and written, identifying the records, the purpose, and the recipient. To use a statutory exception only one exception must apply, but the school must use reasonable methods to verify identity.

Key no-consent exceptions

• School officials with a legitimate educational interest (need not be academic) - includes third-party vendors under the school's direct control; vendor cannot redisclose or reuse the record for any other purpose (e.g. marketing)
• Transfer/enrollment schools; financial aid; research studies; accrediting orgs
• Victims of sex offenses; sex-offender registry info
• Court orders / subpoenas - reasonable effort to notify the student first, unless nondisclosure is ordered
• Health or safety emergency - threat must be articulable and significant; school is safe if there was a rational basis at the time

Access & correction

• Access within 45 days of request (verify identity; cannot see others' portions, waived recommendation letters, parents' financials, treatment records, privileged info)
• May seek correction of inaccurate/misleading records; if denied, right to a hearing by a party with no direct interest; if still denied, student may place a written statement in the file (maintained and disclosed with the record)

FERPA vs HIPAA for health records

Edtech, COPPA & self-regulation

• Edtech handling student data is subject to FERPA. 2014 Google Apps for Education suit (EPIC alleged FERPA violations over email scanning) prompted 2014 Dept. of Education guidance: assess case by case whether edtech partners use FERPA-protected data.
• Student Privacy Pledge (2014; 400+ signatories by 2020): bars selling student data, behavioral ad targeting, non-educational profiling. Violation = deceptive trade practice under Section 5 of the FTC Act.

Cybersecurity in education

• FERPA: requires reasonable security but specifies no particular controls; breaches not explicitly addressed but can trigger DoE investigation
• GLBA Safeguards Rule: covers universities holding financial aid info
• NY Education Law 2-D: districts must adopt cybersecurity policies aligned to the NIST Framework; California SOPIPA: reasonable security for student data; all 50 states have breach-notification laws

Telecommunications & Marketing

Two coordinated federal regimes govern telemarketing - the FCC enforces the TCPA and the FTC enforces the TSR. Plus email (CAN-SPAM), faxes (JFPA), platform immunity (CDA 230), and FCC telecom breach rules.

Major laws at a glance

TSR call conduct rules

• Call only between 8 a.m. and 9 p.m.
• Scrub against the national DNC Registry; display accurate caller ID; identify self + what is sold; disclose material terms; retain records (2 years)
• Entity-specific suppression list: must honor any "don't call me again" request to that company - independent of the national registry

Required opening disclosures

Before any sales content, disclose: (1) seller's identity, (2) that the purpose is to sell, (3) nature of goods/services, (4) for prizes, that no purchase/payment is necessary. Must be truthful.

Misrepresentations & billing

• 10 material categories must be disclosed (cost, restrictions, performance, refund policy, prize/investment terms, affiliations, credit card loss protection, negative option features, debt relief)
• Non-card payment (phone/utility billing) needs express verifiable authorization (higher standard - lacks card protections)
• No billing without express informed consent. Pre-acquired account + free-to-pay conversion = strictest rules: last 4 digits + express agreement + audio recording of entire transaction

Call abandonment safe harbor

Abandoned = no live rep within 2 seconds of the greeting (predictive dialers cause this). Prerecorded sales messages violate the TSR unless prior express consent (opt-in).

National DNC Registry (eff. 2003)

• Access before calling; update lists every 31 days. Each seller gets a non-transferable SAN (telemarketer may use a client's SAN free, limited to paid area codes)
• Trap: failing to check the registry is a violation even if the number called is NOT listed

• Consent exception: must be in writing, state the number, include signature (e-sig OK), clear & conspicuous (no prechecked boxes; subterfuge invalid)
• DNC Safe Harbor: shields a good-faith error if firm has written procedures, trains staff, keeps entity-specific list, uses registry data ≤31 days old, monitors compliance. Deliberately ignoring a no-call request is not "error."

TCPA robocall / autodialer updates

• 2012 FCC: prior express written consent for all robocalls to residential lines - even with an EBR; opt-out during the call; HIPAA health-care robocalls exempt
• 2015: robotexts get same protection as voice; consent disclosure must be clear/conspicuous; can't condition consent on a purchase
• 2017: reassigned number - not liable for the first call, liable after notice; appearing in someone's contacts ≠ consent; consent revocable any reasonable way
• Facebook v. Duguid (2021): autodialer = only equipment using a random or sequential number generator to store/produce numbers (narrowed definition)

Enforcement & penalties

• TSR/DNC civil penalties up to $50,120 per call/violation (FTC + state AGs)
• TSR private right of action requires $50,000 in actual damages
• TransUnion v. Ramirez (2021): plaintiff must show actual harm, not mere risk, for standing
• Mini-TCPAs: over half of states require licensing/registration; e.g. Louisiana limits EBR to 6 months. 2021 FCC record $225M robocall fine

CAN-SPAM email rules (opt-out)

• No false headers / deceptive subject lines; working return address; clear cost-free opt-out honored within 10 business days; valid physical postal address (P.O. box OK); no aggravated violations (harvesting, dictionary attacks)
• Applies to commercial messages, NOT transactional/relationship messages (order confirmations, warranty/safety, employment info)
• ISPs adversely affected may sue (up to $250/violation, max $2M, trebled for willful)

Fax marketing notes

• 2019 FCC: online cloud-based fax services (faxes as email) fall outside TCPA/JFPA - not "telephone facsimile machines"
• California's bid to kill the EBR exception for interstate faxes struck down - TCPA preempts interstate fax regulation
• Enforcement: $12M Hooters award (2001); $5.4M Fax.com FCC fine (2004)

Workplace Privacy

Constitutional law and the state-action limit

• Fourth Amendment (limits searches of lockers/desks) applies to government (public-sector) employers only - private employers have no state action.
• Exception: a few states (notably California) extend their state constitutional privacy right to private-sector employees.

State contract and common-law torts

• Contract: Collective bargaining agreements are the most important contracts for employee privacy (often limit drug testing/monitoring). If privacy is to be protected, the task falls largely to legislatures.

Federal laws affecting employment privacy

Who enforces what

Employment life cycle

• Before: background screening (FCRA).
• During: polygraphs/testing, monitoring, social media, BYOD.
• After: access termination, HR records.
• HR-related privacy is a risk for virtually all organizations, even non-data-heavy ones.

Antidiscrimination limits on screening

• Reduce risk: avoid eliciting protected-class info; ask all candidates the same questions.
• Protected info allowed when required by statute, a bona fide occupational qualification (BFOQ), or learned for another nondiscriminatory reason.
• EEOC: screening (e.g., criminal-conviction bars) must be job-related and consistent with business necessity or risks disparate-impact claims.

ADA medical screening

• Covers employers with 15+ employees.
• Pre-offer: exams/inquiries only if job-related & business necessity; cannot ask if accommodation needed (unless disability known).
• Post-conditional-offer: exam OK if all entering employees examined, results kept confidential, used per statute.
• Must provide reasonable accommodation unless undue hardship.
• Psychological tests may count as medical exams. ADA excludes current illegal drug use but protects recovered addicts and qualified alcoholics.

FCRA background checks

• Covers any check from a CRA - not just credit, but criminal and driving records too.
• Need a permissible purpose ("employment purposes" = screening + promotion/reassignment/retention).
• Steps: written notice (indicate if investigative consumer report - info from neighbors/associates), written consent, certify to CRA, pre-adverse-action notice with report copy, then adverse-action notice.
• Noncompliance: civil + criminal penalties and a private right of action. FTC pursues nontraditional CRAs (online data brokers).

FACTA preemption & state credit laws

• FACTA (2003) amended FCRA and preempted many state credit-reporting/identity-theft laws, but does NOT preempt stronger state employment credit-check laws.
• California ICRAA: notice + written authorization first; box to receive report copy; report given before adverse action.
• 10 more states (CO, CT, DE, HI, IL, MD, NV, OR, VT, WA) limit credit use; most require a substantial relationship, Hawaii requires "directly relate" (strictest).

Fair Chance Act & Ban the Box

• Fair Chance to Compete on Jobs Act (2019): bars federal agencies and federal contractors from asking criminal history until a conditional offer.
• Part of Ban the Box movement (~two-thirds of states, 150+ municipalities; many reach private employers).

Screening tech: social media & AI

• Social-media screening risks: discrimination (protected-class info), FCRA (nontraditional providers), invasion of privacy via social engineering (fake profiles).
• Maryland first (2012) to ban demanding social-network passwords; ~half the states followed.

Polygraphs - EPPA

• EPPA (1988), enforced by DOL: bars most private employers from using lie detectors on workers/applicants; no adverse action for refusing.
• Exceptions: gov't, security services, controlled-substance mfg, defense contractors, national security; plus ongoing-investigation of economic loss with reasonable suspicion. Cannot discharge on polygraph alone.
• Does NOT preempt stricter state laws. Must post provisions conspicuously.

Substance testing

• No federal privacy statute directly governs employer drug/alcohol testing (public employees: 4th Amend.).
• ADA: drug test is not a medical exam; current illegal drug use excluded; qualified alcoholic protected.
• Settings: preemployment, reasonable-suspicion, routine (notice at hire), post-accident, random (narrow regulated/safety jobs).

Lifestyle discrimination

• Off-duty conduct generally private. Obesity from a physiological disability may be ADA-covered (courts split).
• No federal law protects smokers; more than half the states protect off-duty/off-premises smoking.

Monitoring baseline

• U.S. private employees have limited privacy expectations - facilities/equipment belong to employer.
• Acceptable use policies + monitoring notices establish knowledge and defeat improper-monitoring claims; may be required by state law.
• Reasons to monitor: OSHA safety, quality (recorded calls - pause for full payment-card data), avoiding negligent supervision, physical security (CCTV/GPS), cybersecurity, trade secrets.

Intercepting communications - Wiretap Act / ECPA

• Wiretap Act & ECPA prohibit intercepting wire/oral/electronic communications (criminal + private right of action).
• Two exceptions: consent (one party) and ordinary course of business (courts split on breadth).
• Listening to a purely personal call risks liability. States vary: one-party vs all-party consent to record.

Stored Communications Act - City of Ontario v. Quon

• SCA bars unauthorized access to stored communications; exceptions for the service provider (often employer) and authorized user. Employers may review for reasonable, work-related reasons.

Biometric, video, mail & union speech

• Federal wiretap/stored-record statutes do not reach silent video; state/common law bar cameras in restrooms/locker/changing areas.
• Mail is "delivered" when it reaches a business - opening business mail doesn't violate the federal statute (some state common-law risk).
• NLRB: employee social-media speech complaining about managers/coworkers/company may be protected.

LBS, DLP, BYOD, teleworking

• LBS: GPS on company vehicles generally OK (business purpose, work hours, prior notice); tracking employees themselves is limited - Connecticut requires written notice ($500 first-offense); California makes electronic location-tracking a misdemeanor.
• DLP: keystroke logging/webcams/geolocation - very invasive; do a privacy impact assessment.
• BYOD: work-device monitoring may be inappropriate on personal devices; disclose and consider consent. COIT = consumer tech now drives into the workplace.
• Teleworking: secure home networks, lock screens, shred papers, household members on video.

Investigating misconduct - Vail Letter & FACTA fix

• Vail Letter (FTC): made an outside investigator a CRA and its report an investigative consumer report - FCRA notice/consent destroyed undercover investigations.
• FACTA fix: excludes investigation communications from "consumer report" if (1) to investigate suspected misconduct/legal-policy compliance, (2) not for creditworthiness, (3) shared only with limited recipients. No advance notice needed; only a summary after adverse action (preserves secrecy).

After employment

• Terminate access (badges, accounts, devices); recover data; forward personal mail, review work mail; avoid shared passwords.
• References risk defamation, but common-law qualified privilege protects good-faith reports. No common-law duty to give a reference (some state statutes require for specific jobs, e.g., airline pilot, public-school teacher).
• HR record retention: consistent policies balancing legitimate need vs privacy.

Government & Court Access to Data

For any request, ask: is disclosure required, permitted, or forbidden? The same statute can do all three depending on the circumstances (e.g. produce with a court order, prohibit without one). Turning over too much or too little can both create liability.

Required vs Permitted vs Forbidden

Escalating legal standards (least → most demanding)

Evidentiary privileges (forbid disclosure)

• Generally defined under state law: attorney-client, doctor-patient, priest-penitent, spousal.
• Attorney-client: bars compelling attorney testimony about a client within scope of representation; exceptions = client consent or preventing imminent physical harm.
• Fifth Amendment against self-incrimination applies nationally.

Public records, protective orders, redaction

• Strong U.S. tradition of open courts + FOIA/state open-records laws. Putting records online ended practical obscurity, raising identity-fraud risk.
• Protective order (FRCP 26(c)): needs good cause; three-part test - (1) resisting party shows info confidential, (2) requester shows relevant/necessary, (3) court weighs harm vs need.
• HIPAA qualified protective order (QPO): used in state courts outside Federal Rules; bars non-litigation use + requires return/destruction of PHI at end.

Criminal Rule 49.1 and Bankruptcy Rule 9037 mirror 5.2. In criminal filings a 5th category applies: only city and state of a home address.

E-discovery and ESI

• Since the 2006 FRCP revisions, ESI (email, databases, logs, IM, voicemail, social media, removable media) drives pretrial discovery. Sedona Conference = leading source of retention best practices.
• Litigation hold: once on notice of (anticipated) litigation, suspend routine destruction. Discovery obligations generally prevail over conflicting business practices.
• Retention-policy dispute = 3-factor test: (1) policy reasonable on facts, (2) similar complaints against org, (3) policy adopted in bad faith.

Discovery under HIPAA and GLBA

• HIPAA: disclose PHI in discovery via (1) patient authorization, (2) court order, or (3) satisfactory assurances = agreed QPO submitted, or requester asked court for one.
• GLBA: may disclose to comply with legal process / respond to judicial process; courts read this to cover civil discovery - but still get a protective order.

Cross-border discovery

• Broad U.S. discovery (possession, custody, or control - globally) collides with foreign law like the GDPR. Supreme Court: foreign statutes don't strip a U.S. court of power to order production. Some courts require a privacy log.
• Hague Evidence Convention: alternative route; party invoking it bears the burden of showing it's more appropriate and that foreign law prohibits discovery - slow, costly, last resort.
• Aerospatiale factors: importance, specificity, U.S. origin of data, alternative means, and competing national interests (the MOST important factor).

Fourth Amendment

Bars unreasonable searches; warrants need probable cause, particularity, neutral magistrate. Exclusionary rule suppresses unlawfully obtained evidence.

Emerging issues

• Post-Dobbs / abortion data: an anti-abortion state may send a warrant to a company in another state. California bars compliance with other states' abortion warrants = interstate conflict of law (possible Supreme Court case).
• Geofence warrants: challenged as unconstitutional general warrants; lower courts split; Supreme Court has not ruled.

Statutes beyond the 4th Amendment

Congress added process where the Constitution didn't reach. These require some legal process but less than a probable-cause warrant.

HIPAA law-enforcement disclosure (Sec. 512(f))

Permits disclosure via court order, grand jury subpoena, or administrative request if all three: (1) relevant and material to a legitimate inquiry; (2) request specific and limited in scope; (3) deidentified info could not reasonably be used.

Preservation, pen register / trap-and-trace

• SCA preservation order: on government request, provider must preserve records pending a court order (like a litigation hold).
• Pen register (outgoing) / trap-and-trace (incoming) issue on lenient "relevant to an ongoing investigation" standard. PATRIOT Act expanded scope to "dialing, routing, addressing, or signaling info." USA FREEDOM Act barred bulk collection - requires specific selectors.

CISA - cyber threat sharing

• Cybersecurity Information Sharing Act (2015): companies voluntarily share cyber threat indicators + defensive measures with the government for liability protection. DHS is main coordinator; indicator definition excludes sensitive personal/business info.
• Must first remove personal info not directly related to a threat. Sharing with federal gov't doesn't waive privileges - NO similar protection for state/local or other companies. Info exempt from FOIA. Protected from liability for monitoring (NOT for operating defensive measures).
• Officially sunset Sept 30, 2025 (Congress missed reauthorization), then extended to Jan 30, 2026; long-term future uncertain.

Budapest Convention

2004 Council of Europe Convention on Cybercrime (first cybercrime treaty, 60+ countries). Second Additional Protocol (U.S. signed 2022): expedited production, direct disclosure of subscriber/domain info, emergency requests, with data-protection safeguards.

National security surveillance

Tension: Article II (president, foreign affairs) vs Article III (courts). Katz reserved the national security question.

• Snowden (2013) reforms: USA FREEDOM Act (2015) ended Section 215 bulk collection; Judicial Redress Act (2016) extended Privacy Act protections to certain non-U.S. persons; PCLOB reviewed the programs.
• National security exceptions vary: HIPAA permits disclosure to authorized federal officials (National Security Act); GLBA has a vaguer public-safety exception; COPPA has NO national security exception.

GDPR & International Privacy

Scope, Sanctions, and Core Concepts

The GDPR (2018) is the worldwide template for data protection, built on fair information practices (FIPs). It applies to companies with assets/employees in the EU, companies selling to individuals in the EU, and data stored in the EU - no EU establishment needed.

Personal data

Any data relating to an identified/identifiable natural person, directly or indirectly.

Sensitive (special-category) data

Race/ethnicity, political opinions, religious/philosophical beliefs, trade union membership, genetic, biometric, health, sex life/orientation - generally needs explicit consent.

Anonymized

Irreversibly de-identified - only then outside GDPR scope.

Pseudonymized

De-identified but reversible - still personal data.

Roles

Consent

Must be freely given, specific, informed, and unambiguous - by statement or clear affirmative action. Silence, pre-ticked boxes, and inactivity fail. Business bears the burden to demonstrate consent was obtained.

DPA, DPO, and EU Representative

• DPA: independent national authority enforcing the law - one per member state except Germany (federal + 16 Lander).
• DPO: in-EU internal point of contact; needs expertise and no conflicts of interest (cannot also set processing purposes). Need is triggered by EU data subjects, large-scale monitoring, or large-scale sensitive processing - not by controller-vs-processor status.
• EU representative: appointed by a company with no physical EU presence; subject to GDPR enforcement.

Seven Principles

1. Lawfulness, fairness, transparency
2. Purpose limitation (research/archiving/statistics not "incompatible")
3. Data minimization
4. Accuracy
5. Storage limitation
6. Integrity and confidentiality (security)
7. Accountability - meta-principle: must demonstrate compliance with the other six (via records, DPIAs, breach documentation).

Data Subject Rights

Breach Notification

GDPR breach concept is broader than U.S. law. No DPA notice if unlikely to risk individuals (but still document it). No subject notice if data protected (encrypted), harm prevented, or notice disproportionate.

Enforcement and Fines

Complaint by data subject or DPA; multi-DPA cases get a lead DPA. If DPA gives no outcome/progress in three months, subject may go to national court. Controllers AND processors can be liable to data subjects; in the same processing each is liable for the entire damage, then seeks contribution (exempt only if not in any way responsible).

Member states may also impose criminal sanctions. Notable fines: Instagram €405M (children), Facebook €265M (scraping), Amazon €746M (cookie consent).

International Transfers

Transfers from the EEA (EU + Norway, Liechtenstein, Iceland) to non-EEA countries are prohibited unless one applies: adequacy decision, appropriate safeguard, or derogation.

• Adequacy decision: protections essentially equivalent to GDPR; data flows freely; subject to periodic review. Adequate: Andorra, Argentina, Canada, Faroe Islands, Guernsey, Isle of Man, Israel, Japan, Jersey, New Zealand, South Korea, Switzerland, UK, US (via DPF), Uruguay.
• SCCs (standard contractual clauses): contract to comply with EU law + submit to DPA supervision - most common basis.
• BCRs (binding corporate rules): intra-group transfers after DPA certification.
• Derogations: narrow exceptions (explicit consent; occasional contract/legal-claims/vital-interest/public-interest). Read narrowly - only as strictly necessary; not for routine bulk transfers.

EU-U.S. Transfers: Schrems and the DPF

Other Global Data-Flow Mechanisms

• Global CBPR Forum (2022): certification built on APEC Cross-Border Privacy Rules but independent of APEC so non-members can join.
• OECD (2022): declaration on common principles for government access to private-sector data (legal basis, oversight, remedies, etc.).

Other high-yield exam points

Chapter 11 - Telecommunications and Marketing

Pretexting

Gaining access to CPNI through fraudulent means; combated by the 2007 order's password and breach-notice requirements.

Chapter 9 - Financial Privacy

Chapter 8 - Medical Privacy

Chapter 1 - Introduction to Privacy

OECD Collection Limitation Principle

Personal data collection should be limited, obtained by lawful and fair means and, where appropriate, with consent (one of the eight 1980 OECD principles).

Madrid Resolution - Proportionality principle

Processing limited to what is adequate, relevant, and not excessive for the purposes, with reasonable efforts to minimize (2009 standards approved by privacy commissioners, not governments).

Choice and consent (a distinct FIP category)

Organizations must describe available choices and obtain implicit or explicit consent for handling personal information.

Chapter 3 - Technological Aspects

Threat modeling

Identifying the most salient security risks for an organization (the "adversarial mindset"), using tools like MITRE ATT&CK and STRIDE.

Chapter 14 - GDPR and International Privacy

CJEU - Court of Justice of the European Union

The court whose Schrems I (2015, struck Safe Harbor) and Schrems II (2020, struck Privacy Shield) decisions scrutinized U.S. surveillance of EU data.