Certified Information Privacy Professional CIPP-US Passing Score

Contact tracing apps are designed to help public health authorities track and contain the spread of COVID-19 or any other diagnosed virus by notifying users who have been in close contact with an infected person. However, these apps also raise privacy concerns, as they collect and process sensitive personal data, such as health status and location information. Therefore, contact tracing apps should follow the principles of privacy by design and default, which means that they should incorporate privacy measures into their development and operation, and offer the highest level of privacy protection to users.

Some of the privacy measures that should be considered when designing contact tracing apps are:

• Data retention: Contact tracing apps should only retain the personal data they collect for as long as necessary to achieve their public health purpose, and delete or anonymize the data afterwards. Data retention periods should be clearly communicated to users and based on scientific evidence and legal requirements.
• Use limitations: Contact tracing apps should only use the personal data they collect for the specific and legitimate purpose of contact tracing, and not for any other purposes, such as commercial, law enforcement, or surveillance. Use limitations should be enforced by technical and organizational measures, such as encryption, access controls, and audits.
• User confidentiality: Contact tracing apps should protect the confidentiality of users’ personal data and identity, and not disclose them to third parties without their consent or legal authorization. User confidentiality should be ensured by technical and organizational measures, such as pseudonymization, aggregation, and data minimization.

Opt-out choice, on the other hand, is not a privacy measure that should be considered when designing contact tracing apps, as it would undermine their effectiveness and public health objective. Contact tracing apps rely on voluntary participation and widespread adoption by users to function properly and achieve their purpose. Therefore, offering users the option to opt out of the app or certain features, such as data sharing or notifications, would reduce the app’s coverage and accuracy, and potentially expose users and others to greater health risks. Instead of opt-out choice, contact tracing apps should provide users with clear and transparent information about how the app works, what data it collects and how it uses it, what benefits and risks it entails, and what rights and controls users have over their data. This way, users can make an informed and voluntary decision to use the app or not, based on their own preferences and values.

References:

• [IAPP CIPP/US Study Guide], Chapter 2: Privacy by Design and Default, pp. 35-36.
• [IAPP CIPP/US Body of Knowledge], Section II: Limits on Private-sector Collection and Use of Data, Subsection B: Privacy by Design, pp. 9-10.
• [IAPP Glossary], Terms: Contact Tracing, Privacy by Design, Privacy by Default.

The APEC principles are part of the APEC Privacy Framework, which is an inter-governmental agreement among the 21 member economies of the Asia-Pacific Economic Cooperation (APEC) to promote information privacy protection and the free flow of information in the region. The APEC Privacy Framework consists of four parts: a preamble, a scope, a set of nine information privacy principles, and an implementation section. The APEC information privacy principles are:

• Preventing harm: Personal information controllers should take reasonable steps to protect personal information from loss, misuse, unauthorized access, disclosure, alteration, and destruction, and to address the risks and challenges posed by specific technologies and business practices.
• Notice: Personal information controllers should provide clear and easily accessible statements about their personal information handling practices, including the types of personal information they collect, the purposes for which they collect it, the types of third parties to which they disclose it, the choices and means they offer individuals for limiting the use and disclosure of their personal information, and how they can contact the personal information controller with inquiries or complaints.
• Collection limitation: Personal information controllers should limit the collection of personal information to what is relevant for the purposes of collection and should collect personal information by lawful and fair means and, where appropriate, with notice to, or consent of, the individual concerned.
• Use limitation: Personal information controllers should use personal information only for the purposes for which it was collected or for purposes that a reasonable person would consider appropriate in the circumstances, and should retain personal information only as long as necessary to fulfill the stated purposes or as required by law or regulation.
• Choice: Personal information controllers should offer individuals choices and means to limit the use and disclosure of their personal information, where appropriate, and should respect the choices made by individuals.
• Integrity of personal information: Personal information controllers should take reasonable steps to ensure that personal information is accurate, complete, and up-to-date for the purposes for which it is used.
• Security safeguards: Personal information controllers should protect personal information with reasonable security safeguards against risks such as loss, unauthorized access, destruction, misuse, modification, and disclosure.
• Access and correction: Personal information controllers should give individuals the ability to access and, where appropriate, correct their personal information that is under their control, subject to reasonable limitations, such as where the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy, or where the legitimate rights of persons other than the individual would be violated.
• Accountability: Personal information controllers should be accountable for complying with the privacy principles and should have in place mechanisms to ensure their implementation and compliance.

The APEC Privacy Framework is not a binding legal instrument, but rather a voluntary and flexible arrangement that allows each member economy to implement the principles according to its own domestic laws and regulations, applicable international frameworks, and cultural and social values. The APEC Privacy Framework also provides for cross-border cooperation and information sharing among member economies, as well as the development of mechanisms to facilitate the cross-border transfer of personal information,such as the APEC Cross-Border Privacy Rules (CBPR) System and the APEC Privacy Recognition for Processors (PRP) System. These mechanisms are based on a common set of rules and standards derived from the APEC Privacy Framework, and are intended to enhance the protection of personal information that flows across borders and to increase the interoperability among different privacy regimes in the region and beyond. References:

• APEC Privacy Framework (2015)
• APEC Cross-Border Privacy Rules (CBPR) System
• APEC Privacy Recognition for Processors (PRP) System
• APEC Privacy Framework: A New Model for Transborder Data Flows

Data brokers are companies that collect, analyze, and share personal information about consumers for various purposes, such as marketing, risk mitigation, and research. The U.S. Federal Trade Commission (FTC) conducted a study of nine data brokers in 2012 and published a report in 2014, titled “Data Brokers: A Call for Transparency and Accountability”. In the report, the FTC identified three broad categories of products offered by data brokers, based on the primary purposes for which the products are used by their customers. The three categories are: 12

• Marketing products: These products help customers target potential customers, tailor marketing offers, measure the effectiveness of marketing campaigns, and improve customer relationships. Marketing products include data elements, segments, scores, lists, and analytics that are derived from consumer data. Data brokers may provide marketing products through direct marketing (such as postal mail, e-mail, or phone), online marketing (such as online display ads, social media, or mobile apps), or marketing analytics (such as measuring consumer behavior, preferences, and trends)12
• Risk mitigation products: These products help customers verify and authenticate consumers’ identities, prevent fraud, and comply with legal obligations. Risk mitigation products include identity verification, identity authentication, fraud prevention, and compliance products that are based on consumer data. Data brokers may provide risk mitigation products through various methods, such as matching consumer-providedinformation with data broker records, generating questions or challenges based on consumer data, or providing scores or indicators of fraud risk or compliance status12
• Research products: These products help customers understand consumer behavior, preferences, and trends, as well as market conditions, industry developments, and economic factors. Research products include reports, studies, statistics, and insights that are derived from consumer data. Data brokers may provide research products through various formats, such as online portals, dashboards, newsletters, or custom reports12

The FTC report did not include location of individuals as one of the three broad categories of products offered by data brokers. Location of individuals may be a specific type of product or service that some data brokers provide, but it is not a primary purpose for which data brokers use consumer data. Therefore, the correct answer is C. Location of individuals (such as identifying an individual from partial information).

References:

• Data Brokers: A Call For Transparency and Accountability: A Report of the Federal Trade Commission (May 2014)
• IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 5: State Privacy Laws, Section 5.3: Data Broker Laws

The California Consumer Privacy Act (CCPA) defines a ‘sale’ of personal information as any transfer or disclosure of personal information to another business or third party for monetary or other valuable consideration. However, the CCPA also provides some exceptions to this definition, such as:

• If the consumer has directed the business to intentionally disclose the personal information or use the personal information to interact with a third party, provided the third party does not also sell the personal information.
• If the business transfers the personal information to a service provider that is contractually prohibited from retaining, using, or disclosing the personal information for any purpose other than performing the services specified in the contract with the business.
• If the business transfers the personal information to a third party as part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the business, provided the information is used or shared consistently with the CCPA.

The use of cookies on a website by a service provider is generally not deemed a sale of personal information by the CCPA, as long as the information collected by the service provider is necessary to perform the services specified in the contract with the business,and the service provider does not further collect, sell, or use the personal information of the consumer except as necessary to perform the business purpose. One of the examples of a valid business purpose is to perform debugging to identify and repair errors that impair existing intended functionality.

Therefore, option D is the correct answer, as it describes a scenario where the use of cookies by a service provider is not a sale of personal information under the CCPA, assuming the service provider complies with the contractual obligations and does not further use or disclose the information.

Option A is incorrect, as it does not describe a valid exception to the definition of a sale. The third party that stores personal information to trigger a response to a consumer’s request to opt in is not acting as a service provider, but as a separate entity that may have its own interest in the personal information. The consumer’s request to opt in does not necessarily imply that the consumer has directed the business to disclose the personal information to the third party.

Option B is incorrect, as it does not describe a valid exception to the definition of a sale. The analytics cookies placed by the service provider may still constitute a sale of personal information, even if they cannot be linked to a particular consumer of that business. The CCPA defines personal information broadly to include any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Therefore, the analytics cookies may still fall within the scope of personal information, and their use by the service provider may still be a sale, unless one of the exceptions applies.

Option C is incorrect, as it does not describe a valid exception to the definition of a sale. The service provider that retains personal information obtained in the course of providing the services specified in the agreement with the subcontractors is not acting as a service provider to the business, but as a separate entity that may have its own interest in the personal information. The agreement with the subcontractors does not necessarily imply that the business has authorized the service provider to retain, use, or disclose the personal information for any purpose other than performing the services specified in the contract with the business.

References:

• [IAPP CIPP/US Study Guide], Chapter 10: California Consumer Privacy Act, pp. 223-226.
• CIPP/US Practice Questions (Sample Questions), Question 30.