Free Preparation Discussions
MENU
IAPP Exam CIPP-US Topic 4 Question 72 Discussion
Topic #: 4
SCENARIO
Please use the following to answer the next QUESTION:
Matt went into his son's bedroom one evening and found him stretched out on his bed typing on his laptop. ''Doing your network?'' Matt asked hopefully.
''No,'' the boy said. ''I'm filling out a survey.''
Matt looked over his son's shoulder at his computer screen. ''What kind of survey?'' ''It's asking Questions about my opinions.''
''Let me see,'' Matt said, and began reading the list of Questions that his son had already answered. ''It's asking your opinions about the government and citizenship. That's a little odd. You're only ten.''
Matt wondered how the web link to the survey had ended up in his son's email inbox. Thinking the message might have been sent to his son by mistake he opened it and read it. It had come from an entity called the Leadership Project, and the content and the graphics indicated that it was intended for children. As Matt read further he learned that kids who took the survey were automatically registered in a contest to win the first book in a series about famous leaders.
To Matt, this clearly seemed like a marketing ploy to solicit goods and services to children. He asked his son if he had been prompted to give information about himself in order to take the survey. His son told him he had been asked to give his name, address, telephone number, and date of birth, and to answer Questions about his favorite games and toys.
Matt was concerned. He doubted if it was legal for the marketer to collect information from his son in the way that it was. Then he noticed several other commercial emails from marketers advertising products for children in his son's inbox, and he decided it was time to report the incident to the proper authorities.
Based on the incident, the FTC's enforcement actions against the marketer would most likely include what violation?
Nevada's privacy law, Senate Bill 260 (SB 260), is an amendment to the existing Nevada Revised Statutes (NRS) Chapter 603A that was enacted in June 2021 and will take effect on October 1, 2021. SB 260 expands the scope and definition of ''covered information'' under NRS 603A to include any information that identifies, relates to, describes, or is capable of being associated with a consumer, such as name, address, email, phone number, social security number, biometric data, geolocation data, and online identifiers. SB 260 also grants Nevada consumers the right to opt out of the sale of their covered information by an operator of a website or online service that collects and maintains such information.
Under SB 260, an operator is defined as a person who owns or operates a website or online service for commercial purposes, collects and maintains covered information from consumers who reside in Nevada and use or visit the website or online service, and purposefully directs its activities toward Nevada. A sale is defined as the exchange of covered information for monetary consideration by the operator to a person for the person to license or sell the covered information to additional persons. However, there are some exceptions to the definition of a sale, such as:
If the consumer has consented to the sale after being provided with clear and conspicuous notice of the sale and the opportunity to opt out.
If the sale is to a person who processes the covered information on behalf of the operator.
If the sale is to a person with whom the consumer has a direct relationship for the purposes of providing a product or service requested by the consumer.
If the sale is to a person for purposes that are consistent with the reasonable expectations of the consumer considering the context in which the consumer provided the covered information to the operator.
If the sale is to a person who is an affiliate of the operator.
If the sale is to a person as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the person assumes control of all or part of the operator's assets.
To comply with SB 260, an operator that sells covered information must provide a designated request address through which a consumer may submit a verified request to opt out of the sale. The designated request address may be an email address, a toll-free telephone number, or an Internet website. The operator must respond to the verified request within 60 days, and may extend the response period for an additional 30 days if reasonably necessary. The operator must also provide a notice to the consumer that identifies the categories of covered information that the operator collects and the categories of third parties to whom the operator may disclose the covered information.
Therefore, the best privacy compliance step for SuperMart to comply with SB 260 is to provide a mechanism for consumers to opt out of sales, as this is the core requirement of the law. Option A is the correct answer.
Option B is incorrect, as SB 260 does not grant consumers the right to access or delete their covered information, unlike other state privacy laws such as the California Consumer Privacy Act (CCPA) or the Virginia Consumer Data Protection Act (VCDPA).
Option C is incorrect, as SB 260 does not require operators to provide a notice of financial incentive for any loyalty programs offered to their customers, unlike the CCPA.
Option D is incorrect, as SB 260 does not impose service provider restrictions on the vendors of the operators, unlike the CCPA or the VCDPA.
[IAPP CIPP/US Study Guide], Chapter 10: State Data Security Laws, pp. 229-230.
Currently there are no comments in this discussion, be the first to comment!