General Exam Tips
1. Read every question for qualifiers: 'always,' 'may,' 'before,' 'after,' and 'EXCEPT' completely change the correct answer. The exam is written to exploit fast reading.
2. Never leave a question blank. There is no penalty for wrong answers, so an educated guess on a hard question is always the correct strategy.
3. Time math: 90 questions in 150 minutes = 100 seconds per question. Mark hard questions and return to them; do not stall on one question.
4. For scenario questions, identify the regulated entity first (who is subject to this law?), then the data type, then the action. The answer usually follows from those three facts.
5. When two answers both seem correct, pick the more specific and precise one over the broad general principle.
6. On multi-select questions (select all that apply), verify each option independently; partial credit does not exist.
7. The 15 unscored field-test questions are indistinguishable from scored questions. Treat all 90 equally.
8. Pace check: if you have answered 45 questions when 75 minutes have passed, you are on pace. If you are behind, skip long scenario questions and return to them.
9. Identify the consent model first in any question involving data sharing: opt-in (HIPAA, COPPA, state sensitive data) or opt-out (GLBA, CAN-SPAM, most state sale/sharing). This eliminates wrong choices immediately.
Introduction to the U.S. Privacy Environment
Must-Know Facts
- The Fourth Amendment restricts GOVERNMENT action only — it has zero direct application to private-sector data collection. This is tested repeatedly.
- FTC Section 5 has two completely separate theories: (1) Deception = material misrepresentation or omission likely to mislead reasonable consumers. (2) Unfairness = practice causing substantial injury not reasonably avoidable and not outweighed by benefits. Deception requires a false statement or omission; unfairness does not.
- FIPPs are the five foundational principles: Notice/Awareness, Choice/Consent, Access/Participation, Integrity/Security, Enforcement/Redress. They are guiding principles — NOT independently enforceable law.
- The U.S. sectoral model means no single comprehensive federal privacy law exists. Congress addressed privacy reactively, sector by sector (health = HIPAA, finance = GLBA, children online = COPPA). This is the core reason so many different statutes must be memorized.
- FTC enforcement tools: consent decrees (binding agreements), administrative orders, civil penalties, and 20-year compliance monitoring. Civil penalties are NOT available for a first-time Section 5 violation; they become available once a company violates an existing order or an FTC rule. The FTC cannot impose criminal penalties on its own; DOJ handles criminal enforcement.
- Privacy Act of 1974: applies ONLY to federal government agencies maintaining systems of records. It does not regulate private companies at all.
- Four common law privacy torts: (1) Intrusion upon seclusion, (2) Public disclosure of private facts, (3) False light, (4) Appropriation of name or likeness.
- State AGs have dual enforcement authority — they can bring actions under both state privacy laws AND some federal statutes (e.g., COPPA, CAN-SPAM). Federal enforcement is not always exclusively federal.
- The notice-and-choice model is the dominant U.S. regulatory philosophy: tell consumers what you collect and give them options. Self-regulatory frameworks (DAA, BBB Online) operate under this same model.
- Fiduciary duty is a newly emphasized BoK 2.6.1 topic — some proposals treat privacy professionals and data holders as having fiduciary obligations to data subjects.
Scenario Tips
A company's privacy policy says 'We do not share your data with third parties.' The company then sells user data to advertisers.
FTC Deception theory applies. The privacy policy is a material representation that misleads consumers reasonably relying on it.
Unfairness (wrong) — unfairness does not require a representation. The explicit promise in the privacy policy makes this a deception case, not a pure unfairness case.
A company collects sensitive medical information via a health app and stores it with no encryption. A breach exposes millions of records. The company never made specific security promises.
FTC Unfairness theory applies. The failure to implement basic security measures causes substantial injury not reasonably avoidable by consumers.
Deception (wrong) — the company made no misrepresentation. Without a specific false security promise, this is unfairness, not deception.
Law enforcement subpoenas a bank for 6 months of account records on a suspect. The bank asks if a Fourth Amendment warrant is needed.
Under the third-party doctrine, bank records voluntarily shared with the bank generally do not require a warrant. A subpoena may suffice for financial records (the Right to Financial Privacy Act sets the procedural requirements, including customer notice, for that subpoena).
Fourth Amendment warrant required (usually wrong for third-party records) — Carpenter created a narrow exception for CSLI, not bank records.
A tabloid publishes accurate information about a private citizen's addiction treatment obtained from a clinic source.
Public disclosure of private facts — the information is true (no false light), the harm is the publication of true private medical facts.
Defamation (wrong) — defamation requires false statements. The information here is accurate.
A company has an existing FTC consent decree requiring it to implement specific security controls. It later suffers a breach because it stopped following those controls. How does this differ from a first-time FTC enforcement action?
Violating a consent decree is a separate violation that triggers civil penalties (up to ~$50,000 per day per violation). Unlike a first-time Section 5 action where the FTC's primary remedy is a prospective order, a consent decree violation allows the FTC to immediately seek civil penalties in federal court. The prior decree is the predicate.
Same consequences as a first violation (wrong) — the existence of the consent decree dramatically increases the penalty exposure and changes the procedural path. This is a test of whether you know FTC enforcement escalates.
A technology company publicly advertises that it participates in the DAA self-regulatory program for online behavioral advertising. An investigation finds it does not follow the DAA's opt-out standards. What is the most direct FTC theory?
FTC Deception. The public claim of DAA participation is a material representation that consumers and competitors reasonably rely on. Failing to follow the advertised standards makes that representation deceptive under Section 5.
Unfairness (wrong) — this is a textbook deception case because of the affirmative false representation about self-regulatory compliance. Unfairness would apply if there were no representation and only the harmful practice.
Limits on Private-Sector Collection and Use of Data
Must-Know Facts
- HIPAA consent model: OPT-IN. Individual authorization required before most disclosures of PHI beyond Treatment, Payment, and Healthcare Operations (the three TPO exceptions).
- GLBA consent model: OPT-OUT. Financial institutions can share NPI with nonaffiliated third parties UNLESS the consumer opts out. Sharing with affiliates and joint marketing partners has different (more permissive) rules.
- FCRA two-step adverse action process (EMPLOYMENT context): (1) PRE-adverse action notice: send the applicant or employee a copy of the report plus the Summary of Rights BEFORE making the final decision. (2) Adverse action notice: send AFTER the final adverse decision, with the name and contact information of the CRA and notice of the right to dispute. Outside employment (for example, a credit denial) only the adverse action notice is required.
- COPPA age threshold: UNDER 13 (not under 18). Applies to operators of websites or online services directed to children OR with actual knowledge that they are collecting from a child. Requires verifiable parental consent (VPC) before collecting personal information from children, subject to narrow exceptions (for example, collecting a parent's contact information solely to request consent, or a one-time response to a child's request).
- HIPAA covered entities: Health plans, healthcare clearinghouses, healthcare providers who transmit PHI electronically. Business associates must have a BAA before receiving PHI.
- HIPAA PHI de-identification: Two methods — Safe Harbor (remove all 18 identifiers) or Expert Determination (expert certifies re-identification risk is very small).
- HIPAA breach notification: Notify affected individuals without unreasonable delay and no later than 60 days after discovery. Breaches affecting 500 or more individuals (in total, not per state): notify HHS at the same time as individuals. Breaches affecting fewer than 500: log them and report to HHS annually, within 60 days after the end of the calendar year. Media notice is required when 500 or more residents of a single state or jurisdiction are affected.
- GLBA financial institution definition is VERY broad: includes payday lenders, tax preparers, check cashers, real estate settlement companies, mortgage brokers, auto dealers offering financing. Not limited to banks.
- FCRA: Employers must obtain a STANDALONE written disclosure AND written authorization before pulling a consumer report for employment. Cannot be buried in a job application.
- CAN-SPAM opt-out processing: Businesses have 10 BUSINESS DAYS to honor an opt-out request. CAN-SPAM PREEMPTS state email laws (but not state fraud/computer crime laws).
- TCPA: Prior EXPRESS WRITTEN consent required for marketing calls and texts made with an autodialer or prerecorded/artificial voice. Prior express consent (non-written) may suffice for informational messages. The National Do Not Call Registry covers residential lines, including personal cell phones.
- FERPA: Rights transfer from parents to the student (eligible student) at age 18 OR when they enroll in a postsecondary institution, whichever comes first.
- COPPA personal information includes persistent identifiers (cookies, device IDs) — not just name and email. Geolocation data and photos/video of children also covered.
- VPPA (18 U.S.C. § 2710): Prohibits disclosing personally identifiable video rental/streaming records without the consumer's informed, written consent. Origin: Robert Bork's video rental history was published during his Supreme Court confirmation.
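The Safe Harbor method above is a concrete data-transformation rule, so here is a worked implementation of it. This is an added example for this study guide, not code from any HIPAA covered entity or from HHS. The record layout, field names and sample values are constructed for illustration; the set of sparsely populated three-digit ZIP prefixes is the one cited in HHS's de-identification guidance (2000 census data) and should be re-verified against current census figures before use.

```python
"""Safe Harbor de-identification of a patient record (45 CFR 164.514(b)(2)).

Added example; not production code from any covered entity. Field names and
sample values are constructed. SPARSE_ZIP3 is the 2000-census list cited in
HHS guidance; verify it before relying on it.
"""
from __future__ import annotations

from datetime import date
from typing import Any, Dict

# ZIP3 areas with 20,000 or fewer residents must be reported as "000".
SPARSE_ZIP3 = frozenset({
    "036", "059", "063", "102", "203", "556", "692", "790", "821",
    "823", "830", "831", "878", "879", "884", "890", "893",
})

# Identifiers Safe Harbor removes outright (items A and D through R).
# Geographic data (B) and dates/ages (C) are generalized, not dropped.
# Any application-specific unique code (item R) must be added here.
REMOVE_FIELDS = frozenset({
    "name", "street_address", "city", "county", "precinct",
    "phone", "fax", "email", "ssn", "mrn", "health_plan_id",
    "account_number", "license_number", "vehicle_id", "device_id",
    "url", "ip_address", "biometric_id", "photo",
})

# Reference date for age computation in the sample run (an assumption).
REFERENCE_DATE = date(2025, 1, 1)


def generalize_zip(zip_code: str) -> str:
    """Keep the first three digits unless the ZIP3 area is sparsely populated."""
    digits = "".join(ch for ch in zip_code if ch.isdigit())
    zip3 = digits[:3]
    if len(zip3) < 3 or zip3 in SPARSE_ZIP3:
        return "000"
    return zip3


def age_on(birth: date, as_of: date) -> int:
    """Whole years between birth and as_of."""
    return as_of.year - birth.year - ((as_of.month, as_of.day) < (birth.month, birth.day))


def generalize_age(age: int) -> str:
    """Ages over 89 collapse into a single '90+' bucket."""
    return "90+" if age > 89 else str(age)


def safe_harbor_deidentify(record: Dict[str, Any], as_of: date) -> Dict[str, Any]:
    """Return a new record with the 18 Safe Harbor identifiers removed or generalized.

    as_of is the date used to derive age from birth_date; it is passed
    explicitly so the output is reproducible.
    """
    out: Dict[str, Any] = {}
    for field, value in record.items():
        if field in REMOVE_FIELDS:
            continue
        if field == "zip":
            out["zip3"] = generalize_zip(str(value))
        elif field == "birth_date":
            # A birth year alone would still reveal an age over 89, so such
            # records keep only the aggregated age bucket and no year.
            age = age_on(value, as_of)
            if age > 89:
                out["age"] = "90+"
            else:
                out["birth_year"] = str(value.year)
        elif field == "age":
            out["age"] = generalize_age(int(value))
        elif isinstance(value, date):
            # Other dates (admission, discharge, death) keep only the year.
            out[field] = str(value.year)
        else:
            out[field] = value
    return out


# Constructed sample record; no real patient data.
SAMPLE_RECORD = {
    "name": "Jane Example",
    "mrn": "MRN-000001",
    "email": "jane@example.test",
    "zip": "03601",
    "birth_date": date(1930, 5, 2),
    "admission_date": date(2024, 11, 3),
    "diagnosis_code": "I10",
}


def deidentify_sample() -> Dict[str, Any]:
    """Run the sample record through Safe Harbor with the fixed reference date."""
    return safe_harbor_deidentify(SAMPLE_RECORD, as_of=REFERENCE_DATE)


if __name__ == "__main__":
    print(deidentify_sample())
```

Two points the statute's list hides: the age rule applies to any date that reveals an age over 89, so a birth year cannot be kept for those patients even though "year" is normally allowed; and item R ("any other unique identifying code") means the REMOVE_FIELDS set must be extended for every app-specific identifier, which a generic library cannot know about.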
Scenario Tips
A hospital hires a cloud vendor to store medical records. When must the hospital act before sharing PHI?
A Business Associate Agreement (BAA) must be executed BEFORE any PHI is transferred. The vendor becomes a Business Associate the moment they receive PHI.
Patient authorization (wrong) — individual patient authorization is not required for business associate relationships serving treatment, payment, or operations purposes.
An employer wants to use a background check report to reject a job applicant. What is the correct sequence?
(1) Provide standalone written disclosure and obtain written authorization BEFORE pulling the report. (2) After receiving the report, send pre-adverse action notice with the report copy and Summary of Rights. (3) Wait a reasonable time. (4) Send formal adverse action notice with CRA details.
Sending only one notice after the decision (wrong) — two notices are required, and the pre-adverse notice must come BEFORE the final decision.
A children's gaming app notices that a user who signed up as 18 years old is actually 10. What must the operator do under COPPA?
Once the operator has actual knowledge the user is under 13, COPPA obligations immediately apply regardless of the stated age. The operator must obtain verifiable parental consent or delete the child's information.
Relying on the stated age as a valid defense (wrong) — actual knowledge triggers COPPA regardless of the self-reported age.
A company sends commercial marketing emails. A recipient opts out. When must the opt-out be honored?
Within 10 BUSINESS DAYS of receiving the opt-out request under CAN-SPAM.
30 days (wrong) — 30 days is not a CAN-SPAM figure. For comparison, CCPA gives businesses 45 days to respond to access and deletion requests and 15 business days to act on opt-out requests. CAN-SPAM uses 10 business days.
A health data startup collects step counts and sleep data through a smartphone app. Is HIPAA the primary law the startup must comply with?
Likely NOT HIPAA. Consumer health apps are typically not HIPAA covered entities unless they operate under a business associate relationship with a covered entity. The FTC Health Breach Notification Rule or state health data laws (Washington My Health My Data Act) likely apply.
HIPAA always covers health data (wrong) — HIPAA only applies to covered entities and business associates. Consumer apps collecting health data outside that ecosystem are regulated by other frameworks.
Government and Court Access to Private-Sector Information
Must-Know Facts
- Fourth Amendment restricts government searches and seizures — requires probable cause and a warrant for most searches. Does NOT apply to private-sector actions.
- Third-party doctrine: information voluntarily shared with third parties (banks, phone companies) traditionally loses Fourth Amendment protection. BUT Carpenter v. United States (2018) created a narrow exception for cell-site location information (CSLI), requiring a warrant.
- Carpenter did NOT eliminate the third-party doctrine — it created a limited exception for CSLI because of its pervasive, detailed nature. Bank records, phone records, and most third-party data still fall under the traditional doctrine.
- ECPA Title I (Wiretap Act): governs REAL-TIME interception of electronic communications. Requires a Title III super-warrant — probable cause, necessity (other methods exhausted), minimization procedures.
- ECPA Title II (Stored Communications Act): governs STORED data at service providers. Tiered legal process: subpoena for basic subscriber info, Section 2703(d) court order for non-content records, warrant for content of stored communications.
- ECPA Title III (Pen Register Act): governs metadata collection (numbers dialed, addresses). Requires a court order showing relevance — lower standard than a warrant.
- Law enforcement access hierarchy (lowest to highest): subpoena < Section 2703(d) court order < search warrant (probable cause).
- FISA: Foreign Intelligence Surveillance Act. Authorizes surveillance of foreign powers and their agents. Section 702 allows collection from non-U.S. persons outside the U.S. through U.S. providers without individual warrants. Overseen by the FISA Court.
- National Security Letters (NSLs): compel disclosure of certain records (subscriber info, financial records) WITHOUT judicial approval. Come with a gag order — recipient generally cannot disclose receipt of an NSL.
- Civil discovery (e-discovery): parties to litigation can subpoena electronic records from companies. Different rules from law enforcement access — governed by Federal Rules of Civil Procedure.
Scenario Tips
FBI wants to access 14 months of a suspect's cell tower location data from a carrier. What process is required after Carpenter?
A search warrant based on probable cause is required. Carpenter held that accessing historical CSLI constitutes a Fourth Amendment search, taking it outside the third-party doctrine.
A Section 2703(d) court order (wrong) — that was the standard before Carpenter. Carpenter elevated the requirement to a full warrant for CSLI.
Law enforcement wants to intercept emails in real-time as they are transmitted over the internet.
The Wiretap Act (Title I of ECPA) applies. A Title III super-warrant is required: probable cause, showing that normal investigative procedures have failed or are unlikely to succeed, and minimization procedures.
Stored Communications Act (wrong) — the SCA covers stored data, not real-time interception. The operative fact is 'in real-time as they are transmitted.'
The FBI issues a National Security Letter to a telecom company demanding subscriber information and billing records. Does this require court approval?
No. NSLs do not require judicial approval. They are issued by FBI supervisors and compel disclosure of specific categories of records. The recipient is also subject to a gag order prohibiting disclosure.
FISA Court order required (wrong) — FISA Court orders authorize ongoing surveillance. NSLs are a different instrument requiring no court involvement.
Workplace Privacy
Must-Know Facts
- Employer monitoring: Employers generally have broad authority to monitor activity on employer-owned devices, networks, and communications systems. The key defense is business purpose + advance notice to employees.
- FCRA in employment: Employers MUST (1) provide a clear written disclosure in a document consisting solely of that disclosure (standalone: not buried in the job application) AND (2) obtain written authorization BEFORE pulling a consumer report. The authorization may appear on the same standalone disclosure document, but the disclosure cannot be mixed into other application paperwork.
- FCRA adverse action in employment: Two-step process — (1) pre-adverse action notice with copy of report and Summary of FCRA Rights BEFORE the decision, (2) formal adverse action notice AFTER the final decision.
- Illinois BIPA requirements: Written informed consent before collection, publicly available written policy on retention schedule and destruction guidelines, and private right of action for violations. The 2024 amendment (SB 2979) limits each plaintiff to a single recovery per person per method of collection — replacing the prior per-scan accrual that created runaway liability.
- BIPA biometric identifiers: fingerprints, voiceprints, hand/finger geometry scans, iris/retina scans, facial geometry. Photographs alone are EXPRESSLY EXCLUDED from BIPA.
- GINA prohibits: employers requesting, requiring, or purchasing genetic information, including family medical history. Narrow exceptions for inadvertent acquisition (overhearing), voluntary wellness programs with safeguards, and FMLA certification.
- Video surveillance in the workplace: Generally allowed in common work areas (lobbies, production floors, parking lots). Prohibited in areas with reasonable expectation of privacy (restrooms, changing rooms, private offices if reasonable expectation exists). Adding audio recording adds wiretapping law analysis.
- BYOD policies must address: scope of monitoring (work vs. personal data), data separation (containers), and remote wipe capabilities and the privacy implications for personal data.
- Drug testing: varies by state. Federal government and DOT-regulated industries (aviation, trucking, rail) have mandatory testing. Many states require reasonable suspicion; others allow random testing. Positive tests may be reported under certain frameworks.
Scenario Tips
An employer plans to reject a job applicant based on a credit report and wants to know what notice is required.
Two-step process: (1) Before the final decision, send a pre-adverse action notice that includes the credit report and Summary of FCRA Rights, giving the applicant time to dispute. (2) After the final decision, send the formal adverse action notice with the CRA's identity and contact information.
Only sending the final rejection letter (wrong) — the pre-adverse action notice is mandatory before the decision and is the more heavily tested requirement.
An Illinois employer requires employees to use fingerprint scanners to clock in and out. What must the employer do before collecting fingerprints?
Under BIPA: (1) Inform each employee in writing that fingerprints are being collected, and of the specific purpose and length of time they will be stored. (2) Obtain a written release (informed consent) from each employee before collecting fingerprints. (3) Publish a written policy on retention schedule and destruction guidelines for biometric data.
Simply encrypting the fingerprint data and storing it securely (wrong) — BIPA requires informed written consent and a public destruction policy, not just security measures.
During a job interview, an HR manager asks: 'Does anyone in your family have a history of heart disease?' What law may be violated?
GINA (Genetic Information Nondiscrimination Act). Family medical history is genetic information under GINA. Requesting it, even casually in an interview, violates GINA's prohibition on collecting genetic information.
ADA (wrong) — ADA prohibits disability discrimination and generally limits pre-offer medical inquiries, but family medical history is specifically a GINA issue because it constitutes genetic information.
State Privacy Laws
Must-Know Facts
- CCPA/CPRA applicability: For-profit businesses meeting ANY ONE of: (1) Annual gross revenue over $25M (adjusted to ~$26.6M for 2025 per CPI). (2) Buy/sell/receive/share personal data of 100,000+ consumers or households. (3) Derive 50%+ of annual revenue from selling/sharing consumers' personal data.
- CCPA/CPRA consumer rights: right to know, right to delete, right to correct, right to opt-out of sale/sharing, right to limit use of sensitive personal information, right to non-discrimination for exercising rights.
- CCPA/CPRA private right of action: LIMITED to data breaches caused by failure to maintain reasonable security. Statutory damages $100-$750 per consumer per incident (or actual damages if higher). This is the ONLY comprehensive state privacy law with a private right of action.
- Virginia VCDPA applicability: Control/process personal data of 100,000+ Virginia consumers per year, OR 25,000+ consumers while deriving 50%+ revenue from sale of personal data. NO revenue threshold (unlike California).
- Virginia VCDPA cure period: PERMANENT 30-day cure period (no sunset date). AG sends a written notice; business has 30 days to cure. Virginia's cure period did NOT sunset — unlike Colorado and Connecticut.
- Colorado CPA and Connecticut CTDPA cure periods: SUNSETTED on January 1, 2025. Colorado and Connecticut AGs can now bring enforcement actions directly without giving businesses an opportunity to cure.
- Texas TDPSA: No revenue or data volume thresholds — applies to any entity conducting business in Texas or targeting Texas residents that processes personal data AND does not meet the small business exemption. The broadest applicability of major state laws.
- Florida Digital Bill of Rights (FDBR): Applies only to controllers with annual global revenues over $1 billion that ALSO meet one of three conditions: derive 50%+ of global revenue from online advertising, operate a consumer smart speaker with a voice assistant service, or operate an app store with at least 250,000 apps. This two-part threshold limits applicability to major tech companies and platforms. Modeled on Virginia VCDPA with some variations.
- Washington My Health My Data Act: Protects consumer health data NOT covered by HIPAA. Includes location data that could reveal health conditions. Has a private right of action (unlike most state comprehensive laws). AG enforcement also available.
- California Delete Act (SB 362): Data broker registration with the CPPA has been required since 2024. The centralized deletion mechanism opens to consumers on January 1, 2026, and registered data brokers must begin processing those deletion requests in August 2026, so a single request reaches every registered broker.
- Universal opt-out mechanisms: Colorado CPA requires businesses to honor browser-based opt-out signals (Global Privacy Control). Several other states have adopted similar requirements.
- Data breach notification: ALL 50 states have laws. No single federal breach notification law exists. Common trigger: name + SSN, driver's license, financial account, or health/biometric data. Timelines vary (typically 30-90 days). Many states require AG notification for large-scale breaches.
- State law comparison framework: For each state law, know (1) applicability threshold, (2) consumer rights granted, (3) consent model for sensitive data (opt-in) vs. sale/sharing (opt-out), (4) cure period (if any), (5) enforcement body, (6) private right of action (yes/no).
- NYC Automated Employment Decision Tools (AEDT) Law: Requires bias audits and notice before using AI tools to screen job applicants or employees. Local NYC law — narrow scope but tested as new AI privacy regulation.
- Colorado AI Act: Prohibits algorithmic discrimination in high-risk AI systems. Requires impact assessments. First comprehensive state AI law of its kind — effective June 30, 2026 (original February 2026 date was postponed by SB 25B-004).
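The universal opt-out mechanism in the list above is the one item that is implemented in code rather than in policy, so here is a worked example of honoring it server-side. This is an added example for this study guide, not code from the Colorado AG, the CPPA, or any vendor. The request header name (Sec-GPC) and the /.well-known/gpc.json support document come from the GPC specification; the sample requests and the stored-preference values are constructed for illustration.

```python
"""Honoring a Global Privacy Control (GPC) opt-out signal server-side.

Added example; not code from any regulator or vendor. The GPC spec defines
the request header "Sec-GPC: 1" and the /.well-known/gpc.json document.
Sample requests and stored preferences below are constructed.
"""
from __future__ import annotations

import json
from typing import Dict, Mapping, Optional, Tuple


def gpc_signal_present(headers: Mapping[str, str]) -> bool:
    """True when the request carries Sec-GPC: 1.

    HTTP header names are case-insensitive, so the match is case-folded.
    Only the exact value "1" is a valid signal; anything else is no opt-out.
    """
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def resolve_opt_out(headers: Mapping[str, str],
                    stored_opt_out: Optional[bool]) -> Tuple[bool, str]:
    """Decide whether this request must be treated as opted out of sale/sharing.

    Precedence:
      1. A GPC signal is honored as an opt-out request. Under the CCPA
         regulations it is processed even if the consumer previously
         consented (the business may notify them of the conflict).
      2. Otherwise an explicit stored opt-out applies.
      3. Otherwise the consumer is not opted out (None = no record on file).
    Returns (opted_out, reason) so the decision can be logged.
    """
    if gpc_signal_present(headers):
        return True, "gpc-signal"
    if stored_opt_out:
        return True, "stored-preference"
    return False, "no-opt-out-on-file"


def well_known_gpc_document(last_update: str) -> str:
    """Body for GET /.well-known/gpc.json declaring that the site honors GPC.

    last_update is an ISO 8601 date (YYYY-MM-DD) per the specification.
    """
    return json.dumps({"gpc": True, "lastUpdate": last_update}, sort_keys=True)


def decide_ad_sharing(headers: Mapping[str, str],
                      stored_opt_out: Optional[bool]) -> Dict[str, object]:
    """Gate a downstream 'share with ad partners' call on the opt-out result."""
    opted_out, reason = resolve_opt_out(headers, stored_opt_out)
    return {"share_with_ad_partners": not opted_out, "reason": reason}


# Constructed sample requests (not captured traffic), each paired with the
# hypothetical stored preference for that user.
SAMPLE_REQUESTS = [
    ({"Sec-GPC": "1", "User-Agent": "ExampleBrowser/1.0"}, None),
    ({"sec-gpc": "0", "User-Agent": "ExampleBrowser/1.0"}, None),
    ({"User-Agent": "ExampleBrowser/1.0"}, True),
    ({"User-Agent": "ExampleBrowser/1.0"}, None),
]


def run_samples():
    """Evaluate every sample request; returns the list of decisions."""
    return [decide_ad_sharing(h, pref) for h, pref in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for decision in run_samples():
        print(decision)
    print(well_known_gpc_document("2025-01-01"))
```

The header check is deliberately strict: the specification makes only the value "1" meaningful, and a lax check (any non-empty value) would let a misconfigured proxy or an old browser extension silently opt users out, or fail to opt them out, without any record of why. Logging the reason string alongside the decision is what lets you show an AG that the signal was honored.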
Scenario Tips
A Virginia resident submits a data access request to a company covered by VCDPA. The company refuses. The resident wants to sue. Can they?
No. Virginia VCDPA has NO private right of action. The resident's only recourse is to file a complaint with the Virginia AG. The AG can bring enforcement actions but individuals cannot sue directly.
Yes, because privacy violations allow lawsuits (wrong) — private rights of action in state privacy law are rare. California CCPA for data breaches and Illinois BIPA are the main exceptions.
A Colorado AG discovers a company violated CPA in January 2025. The AG wants to bring an enforcement action. Must the AG give the company a cure period?
No. Colorado's 60-day cure period sunsetted on January 1, 2025. The Colorado AG can now pursue direct enforcement without providing a cure opportunity.
Yes, the AG must give 60 days to cure (wrong) — the Colorado cure period expired. Virginia's 30-day cure period has no sunset, and some other states (Texas, for example) also kept permanent cure periods, but Colorado and Connecticut did not.
A company with $30M in annual revenue and 50,000 California customer records asks whether CCPA/CPRA applies.
Yes. The company exceeds the $25M annual revenue threshold (the first applicability criterion). Only ONE of the three thresholds needs to be met. The 100K consumer volume threshold (criterion 2) and 50% data sale revenue threshold (criterion 3) are not relevant because threshold 1 is already satisfied.
No, because the company has fewer than 100,000 consumers (wrong) — the three CCPA/CPRA criteria are connected with OR logic. Meeting ANY ONE triggers applicability.
A small startup runs a consumer health app tracking menstrual cycles for Washington state users. What law most specifically covers their data practices beyond HIPAA?
Washington My Health My Data Act. It covers consumer health data NOT covered by HIPAA, including reproductive and menstrual health data. It includes both AG enforcement and a private right of action.
HIPAA (wrong) — the app developer is not a covered entity or business associate. HIPAA does not apply to consumer health apps that operate outside the healthcare provider ecosystem.
A national retailer with $500M in revenue wants to know if Florida's Digital Bill of Rights applies to its data practices.
No. Florida FDBR applies only to controllers with annual global revenues exceeding $1 billion. The retailer at $500M does not meet the threshold.
Yes, because the company is processing Florida consumer data (wrong) — FDBR has an extremely high revenue threshold that excludes most businesses.