Authentic IAPP Certification Exam CIPP-US Questions Answers

The Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act is a law passed in 2003 that establishes the first national standards for the sending of commercial e-mail in the United States. The law requires the Federal Trade Commission (FTC) to enforce its provisions. The law applies to any commercial e-mail message, which is defined as any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service. The law does not apply to transactional or relationship messages, which are messages that facilitate an agreed-upon transaction or update a customer about an existing business relationship. The law also does not apply to non-commercial messages, such as political or charitable solicitations12

The CAN-SPAM Act is intended to help consumers by giving them more control over the commercial e-mails they receive. The law does not require companies to obtain prior consent (opt-in) from consumers before sending them commercial e-mails, but it does require companies to honor consumers’ requests to stop receiving such e-mails (opt-out). The law specifies that each commercial e-mail message must include a clear and conspicuous notice of the opportunity to decline to receive further messages from the sender, and a valid physical postal address of the sender. The sender must provide a functioning return e-mail address or other Internet-based mechanism that allows the recipient to submit an opt-out request. The sender must honor the opt-out request within 10 business days and must not sell, exchange, or transferthe e-mail address of the opt-out requester to another entity, unless the other entity is acting as an agent of the sender12

By requiring companies to allow consumers to opt-out of future e-mails, the CAN-SPAM Act aims to reduce the amount of unwanted and unsolicited commercial e-mail that consumers receive, and to protect their privacy and preferences. The law also imposes other requirements on companies that send commercial e-mails, such as banning false or misleading header information and deceptive subject lines, requiring the identification of the message as an advertisement, and requiring the labeling of sexually explicit content. The law also authorizes the FTC and other federal agencies to enforce the law and impose civil penalties for violations12

References:

• Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM Act)
• IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 4: Federal Privacy Laws, Section 4.4: The CAN-SPAM Act

BYOD is a practice that allows employees to use their own personal devices, such as smartphones, tablets, or laptops, for work-related purposes. BYOD can offer some benefits for both employers and employees, such as increased flexibility, convenience, and productivity. However, BYOD also poses significant privacy and security risks, such as data breaches, unauthorized access, loss or theft of devices, malware infections, and compliance challenges. Therefore, the business consultant will most likely advise Felicia and Celeste to weigh any productivity benefits of the plan against the risk of privacy issues, and to implement a comprehensive BYOD policy that addresses the following aspects:

• The scope and purpose of the BYOD program, including the types of devices, data, and applications that are allowed or prohibited.
• The roles and responsibilities of the employer and the employees, including the ownership, control, and access rights of the devices and the data.
• The security measures and controls that are required to protect the devices and the data, such as encryption, passwords, remote wipe, antivirus software, firewalls, and VPNs.
• The privacy expectations and obligations of the employer and the employees, such as the notice, consent, and disclosure requirements, the limits on data collection and monitoring, the retention and deletion policies, and the rights of access and correction.
• The legal and regulatory compliance requirements that apply to the BYOD program, such as the FTC Act, the GLBA, the HIPAA, the COPPA, the CCPA, and the GDPR.
• The incident response and reporting procedures that are followed in the event of a data breach, loss, or theft of a device, or any other privacy or security issue.
• The training and education programs that are provided to the employees to raise awareness and understanding of the BYOD policy and the best practices.
• The enforcement and audit mechanisms that are used to ensure compliance and accountability of the BYOD policy, such as sanctions, penalties, reviews, and audits. References:
• IAPP CIPP/US Body of Knowledge, Section III.C.2
• IAPP CIPP/US Textbook, Chapter 3, pp. 113-115
• FTC Mobile Device Security

 Federal preemption is a doctrine in law that allows a federal law to take precedence over or to displace a state law in certain matters of national importance (such as interstate commerce). The doctrine is based on the Supremacy Clause of the Constitution, which declares that federal law is the “supreme law of the land” and that state judges are bound by it. There are two types of federal preemption: express and implied. Express preemption occurs when Congress expressly states that a federal law is intended to preempt certain types of state legislation. Implied preemption occurs when a state law conflicts with federal law because it is impossible to comply with both at the same time, or because it interferes with the objectives of the federal law, or because the federal government has fully occupied the field of regulation.

The U.S. Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act is an example of express preemption. The Act regulates commercial email messages and establishes requirements for senders and penalties for violations. The Act also explicitly preempts any state law that “expressly regulates the use of electronic mail to send commercial messages”, except for state laws that prohibit falsity or deception. This means that states cannot pass laws that impose greater obligations on senders of email marketing than the federal law, such as requiring opt-in consent or providing additional opt-out mechanisms. Therefore, the CAN-SPAM Act is the correct answer to the question.

The other options are not examples of federal preemption. The Payment Card Industry’s (PCI) ability to self-regulate and enforce data security standards for payment card data is not a federal law, but a private sector initiative. The U.S. Federal Trade Commission’s (FTC) ability to enforce against unfair and deceptive trade practices across sectors and industries is not a preemption of state law, but a concurrent power that can coexist with state consumer protection laws. The California Consumer Privacy Act (CCPA) regulating businesses that have no physical brick-and-mortal presence in California, but which do business there, is not preempted by any federal law, but is a state law that applies to entities that meet certain criteria of collecting or selling personal information of California residents. References: Federal preemption, What is FederalPreemption?, Federal preemption Definition & Meaning, preemption, Preemption legal definition of Preemption, CAN-SPAM Act, IAPP CIPP/US Study Guide, Chapter 2.