CIPP/US Exam – State Privacy Laws
The “State Privacy Laws” section is an important part of the CIPP/US exam. As of the last update (2021), this part weighs more heavily in the exam.
The IAPP Body of Knowledge contains a list of all laws that are part of the examination material. Strangely enough, there is little to be found in the official textbook about these laws. In this blog we look at these laws and their most important characteristics.
CIPP/US State Privacy Laws
The state privacy laws you need to know for the CIPP/US exam are:
- California Electronic Communications Privacy Act (CalECPA or SB 178)
- Delaware Online Privacy and Protection Act (DOPPA)
- Nevada SB 538
- Illinois Right To Know Act
- New Jersey Personal Information and Privacy Protection Act
- Washington Biometric Privacy Law (H.B. 1493)
- NYDFS Cybersecurity Regulation (23 NYCRR 500)
- California Consumer Privacy Act (CCPA)
- California Privacy Rights Act (CPRA)
- Virginia Consumer Data Protection Act (VCDPA)
Below we discuss the main characteristics of these laws:
California Electronic Communications Privacy Act (CalECPA or SB 178)
This 2015 act protects personal data. Every state law enforcement agency needs a warrant from a judge to access personal data. This concerns private user data stored online, emails, digital documents, text messages, smartphone contents and location information.
The act distinguishes between Electronic Communication Information (ECI) and Electronic Device Information (EDI), and applies different warrant requirements to the different types of data.
Delaware Online Privacy and Protection Act (DOPPA)
DOPPA (2016) regulates advertising to children. This act prohibits online advertising to minors (under 18) of products that they are normally not allowed to buy and/or content that the law considers inappropriate for children’s viewing. Examples include alcohol, tobacco, firearms and pornography.
Nevada SB 538
The 2017 Nevada Senate Bill 538 requires operators of websites and online services doing business in Nevada to provide notice to Nevada residents of their collection and disclosure of personally identifiable information.
Illinois Right To Know Act
The Right to Know Act provides that an operator of a commercial website or online service that collects personally identifiable information about individual customers residing in Illinois shall notify those customers of certain specified information pertaining to its personal information sharing practices. The Right to Know Act (2017) is still under revision.
New Jersey Personal Information and Privacy Protection Act
The New Jersey Personal Information and Privacy Protection Act (2017) provides that a retail establishment shall scan a person’s identification card – for example a driver’s license – only for the purposes specified in the Act.
Washington Biometric Privacy Law (H.B. 1493)
The Washington Biometric Privacy Law (2017) provides that commercial organizations may not enroll a biometric identifier of residents in a database without first providing notice, obtaining consent or providing a mechanism to prevent the subsequent use of a biometric identifier for a commercial purpose.
NYDFS Cybersecurity Regulation (23 NYCRR 500)
The New York Department of Financial Services (NYDFS) sets cybersecurity requirements for financial services firms. This regulation applies to a wide range of financial institutions and is in line with the well-known NIST Cybersecurity Framework.
California Consumer Privacy Act (CCPA)
The California Consumer Privacy Act gives consumers more control over the personal information that businesses collect about them. The CCPA includes new rights for California consumers, such as the right to know, the right to delete, the right to opt out of the sale of personal information and the right to non-discrimination.
California Privacy Rights Act (CPRA)
On January 1, 2023, the CCPA will be amended by the California Privacy Rights and Enforcement Act (CPRA or CCPA 2.0). The CPRA introduces new individual rights, expands some rights and creates a new enforcer: the California Privacy Protection Agency.
Virginia Consumer Data Protection Act (VCDPA)
The Virginia Consumer Data Protection Act is a comprehensive privacy law and has parallels with the CCPA, CPRA and GDPR. The bill grants consumer rights to access, correct, delete, obtain a copy of personal data, and to opt out of the processing of personal data for the purposes of targeted advertising.