Under the California Consumer Privacy Act (CCPA) , businesses are required to respond to consumer requests for access, deletion, or information about how their data is processed. However, the responsibilities differ depending on whether the entity is acting as a business or a service provider under the CCPA.

Key CCPA Definitions:

Business:

The entity that determines the purposes and means of processing personal information.

In this scenario, Miraculous Healthcare is the business because it determines how the app and its associated data are used to deliver healthcare services.

Service Provider:

The entity that processes personal information on behalf of the business pursuant to a contractual agreement.

MedApps acts as a service provider because it is hosting and managing the app and the data on behalf of Miraculous Healthcare.

As a service provider , MedApps is restricted in how it can handle consumer data and must follow the instructions of the business (Miraculous Healthcare) for any data-related requests. Therefore, if MedApps receives an access or deletion request from a California-based user, it must forward the request to Miraculous Healthcare , which is responsible for determining how to respond in compliance with the CCPA.

Explanation of Options:

A. MedApps should immediately begin deleting the user ' s data: This is incorrect because MedApps cannot act independently in responding to access or deletion requests under CCPA. As a service provider, it must follow the instructions of the business (Miraculous Healthcare).

B. MedApps should provide the privacy notice in an easily readable format: This is irrelevant to the question. While providing a privacy notice in a readable format is a CCPA requirement, it does not address how to handle an access request.

C. MedApps should decline the request because MedApps is not based in California: This is incorrect. CCPA applies to businesses and service providers that collect or process personal data of California residents, regardless of whether the entity itself is physically located in California.

D. MedApps should promptly forward the request to Miraculous for instructions on handling: This is correct. Under CCPA, service providers are required to cooperate with the business and must forward consumer requests to the business for guidance and action. MedApps’ role as a service provider obligates it to defer to Miraculous Healthcare ' s instructions.

Relevant References from CIPP/US Materials:

CCPA Section 1798.140(v): Defines a service provider and outlines its obligations to process personal information only on behalf of the business and in accordance with contractual terms.

CCPA Section 1798.105(c): States that service providers are not required to delete personal information unless instructed to do so by the business.

IAPP CIPP/US Certification Textbook: Discusses the roles of businesses and service providers under the CCPA and their respective responsibilities regarding consumer requests.

Practical Considerations:

Riya, as the Privacy Officer at Miraculous Healthcare, should ensure that the Business Associate Agreement (BAA) and any CCPA-specific contract provisions with MedApps clearly define:

The process for handling consumer requests under CCPA.

The requirement for MedApps to promptly notify and defer to Miraculous Healthcare for any such requests.

Conclusion:

MedApps, as a service provider, is not authorized to respond to CCPA access or deletion requests independently. It must forward the request to Miraculous Healthcare for instructions.

The APEC principles are part of the APEC Privacy Framework, which is an inter-governmental agreement among the 21 member economies of the Asia-Pacific Economic Cooperation (APEC) to promote information privacy protection and the free flow of information in the region. The APEC Privacy Framework consists of four parts: a preamble, a scope, a set of nine information privacy principles, and an implementation section. The APEC information privacy principles are:

Preventing harm: Personal information controllers should take reasonable steps to protect personal information from loss, misuse, unauthorized access, disclosure, alteration, and destruction, and to address the risks and challenges posed by specific technologies and business practices.

Notice: Personal information controllers should provide clear and easily accessible statements about their personal information handling practices, including the types of personal information they collect, the purposes for which they collect it, the types of third parties to which they disclose it, the choices and means they offer individuals for limiting the use and disclosure of their personal information, and how they can contact the personal information controller with inquiries or complaints.

Collection limitation: Personal information controllers should limit the collection of personal information to what is relevant for the purposes of collection and should collect personal information by lawful and fair means and, where appropriate, with notice to, or consent of, the individual concerned.

Use limitation: Personal information controllers should use personal information only for the purposes for which it was collected or for purposes that a reasonable person would consider appropriate in the circumstances, and should retain personal information only as long as necessary to fulfill the stated purposes or as required by law or regulation.

Choice: Personal information controllers should offer individuals choices and means to limit the use and disclosure of their personal information, where appropriate, and should respect the choices made by individuals.

Integrity of personal information: Personal information controllers should take reasonable steps to ensure that personal information is accurate, complete, and up-to-date for the purposes for which it is used.

Security safeguards: Personal information controllers should protect personal information with reasonable security safeguards against risks such as loss, unauthorized access, destruction, misuse, modification, and disclosure.

Access and correction: Personal information controllers should give individuals the ability to access and, where appropriate, correct their personal information that is under their control, subject to reasonable limitations, such as where the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy, or where the legitimate rights of persons other than the individual would be violated.

Accountability: Personal information controllers should be accountable for complying with the privacy principles and should have in place mechanisms to ensure their implementation and compliance.

The APEC Privacy Framework is not a binding legal instrument, but rather a voluntary and flexible arrangement that allows each member economy to implement the principles according to its own domestic laws and regulations, applicable international frameworks, and cultural and social values. The APEC Privacy Framework also provides for cross-border cooperation and information sharing among member economies, as well as the development of mechanisms to facilitate the cross-border transfer of personal information, such as the APEC Cross-Border Privacy Rules (CBPR) System and the APEC Privacy Recognition for Processors (PRP) System. These mechanisms are based on a common set of rules and standards derived from the APEC Privacy Framework, and are intended to enhance the protection of personal information that flows across borders and to increase the interoperability among different privacy regimes in the region and beyond.  References:

APEC Privacy Framework (2015)

APEC Cross-Border Privacy Rules (CBPR) System

APEC Privacy Recognition for Processors (PRP) System

APEC Privacy Framework: A New Model for Transborder Data Flows

A private right of action is a legal provision that grants individuals the ability to bring a lawsuit against a party that has wronged them and to seek redress for the harm that they have suffered. A private right of action is a fundamental component of the U.S. judicial system and an essential element of enforcing privacy rights. Privacy advocates argue that a private right of action is necessary to hold perpetrators of privacy violations accountable and to address the limitations of the FTC’s enforcement authority. However, businesses are concerned that a private right of action would lead to a proliferation of frivolous lawsuits that would burden responsible data processors and impede innovation.  References:

U.S. Private-Sector Privacy, Third Edition  by Peter P. Swire, DeBrae Kennedy-Mayo, Chapter 2, Section 2.3.3, pp. 35-36.

How to end the deadlock on the private right of action  by Paula Bruening, IAPP Privacy Perspectives, Jan 20, 2022.

Private Right of Action (Legal Definition & Examples)  by Lawrina, accessed on Jan 25, 2022.

A consent decree is a settlement agreement between the FTC and a company that has engaged in unfair or deceptive privacy practices. A consent decree typically requires the company to stop the unlawful conduct, implement remedial measures, pay a civil penalty, and submit to ongoing monitoring and reporting. A consent decree benefits both parties involved because it spares the expense of going to trial, which can be costly, time-consuming, and uncertain. A consent decree also allows the parties to negotiate the terms of the settlement, rather than having a court impose a judgment. A consent decree does not admit liability or wrongdoing by the company, but it has the force of law and can be enforced by the FTC or the courts if the company violates its terms.  References:

IAPP CIPP/US Body of Knowledge , Section I.A.1.a

IAPP CIPP/US Textbook , Chapter 1, pp. 10-11

FTC Consent Decrees

The Stored Communications Act (SCA) is a federal law that regulates the privacy of electronic communications that are stored by third-party service providers, such as email providers, cloud storage providers, or social media platforms. The SCA prohibits unauthorized access to or disclosure of such communications, unless authorized by law or by the consent of the user or the service provider . The SCA also provides exceptions for certain types of access or disclosure, such as those made for law enforcement purposes, for the protection of the service provider’s rights or property, or for the consent of the subscriber or customer .

One of the exceptions to the SCA is where the service provider gives consent to the access or disclosure of the stored communications. This means that if a third-party service provider agrees to cooperate with an investigation or a request for information, the access or disclosure is lawful under the SCA. Consent can be express or implied, depending on the circumstances and the terms of service of the provider. For example, if a service provider has a policy that allows it to disclose user information to third parties for legitimate purposes, the provider has impliedly consented to the access or disclosure of the stored communications. However, if a service provider has a policy that prohibits such disclosure, the provider has not consented to the access or disclosure of the stored communications.

In the scenario, Evan’s undercover investigation may have been authorized by the SCA if he obtained the consent of the third-party service provider that stored the electronic communications of the employee who was suspected of misconduct. For instance, if the employee used a company email account or a cloud storage service that had a policy that allowed the service provider to disclose user information to the employer or to law enforcement, Evan may have been able to access or disclose the stored communications with the consent of the service provider. However, if the employee used a personal email account or a cloud storage service that had a policy that protected user privacy and prohibited such disclosure, Evan may have violated the SCA by accessing or disclosing the stored communications without the consent of the service provider.

References:  : [Stored Communications Act], 18 U.S.C. §§ 2701-2712 : [IAPP CIPP/US Study Guide] , Chapter 8, Section 8.2.2. : [The Stored Communications Act: An Old Statute for Modern Problems], pp. 10-11.

Under the California Consumer Privacy Act (CCPA), a business that collects personal information of California residents must notify them of a data breach if their personal information is subject to unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices. However, the CCPA excludes encrypted or redacted personal information from the definition of personal information, unless the encryption key or security credential is also compromised. Therefore, Privacy Is Hiring Inc. would need to notify the affected individuals only if the encryption keys were also taken along with the credit card information, as this would render the encryption ineffective and expose

the personal information to unauthorized access. The other options are not relevant to the CCPA notification requirement, although they may be relevant to other laws or best practices.  References:   CCPA  (Section 1798.150),  IAPP CIPP/US Study Guide  (p. 63-64)

Based on the incident, the FTC’s enforcement actions against the marketer would most likely include the violation of collecting information from a child under the age of thirteen without obtaining verifiable parental consent, as required by the Children’s Online Privacy Protection Act (COPPA) Rule. The COPPA Rule applies to operators of commercial websites and online services (including mobile apps) that collect, use, or disclose personal information from children under 13, and operators of general audience websites or online services that have actual knowledge that they are collecting, using, or disclosing personal information from children under 13. The COPPA Rule also applies to websites or online services that are directed to children under 13 and that collect personal information from users of any age. The COPPA Rule defines personal information to include full name, address, phone number, email address, date of birth, and other identifiers that permit the physical or online contacting of a specific individual. The COPPA Rule requires operators to post a clear and comprehensive online privacy policy describing their information practices for personal information collected online from children; provide direct notice to parents and obtain verifiable parental consent, with limited excep tions, before collecting personal information online from children; give parents the choice of consenting to the operator’s collection and internal use of a child’s information, but prohibiting the operator from disclosing that information to third parties (unless disclosure is integral to the site or service, in which case, this must be made clear to parents); provide parents access to their child’s personal information to review and/or have the information deleted; give parents the opportunity to prevent further use or online collection of a child’s personal information; maintain the confidentiality, security, and integrity of information they collect from children, including by taking reasonable steps to release such information only to parties capable of maintaining its confidentiality and security; and retain personal information collected online from a child for only as long as is necessary to fulfill the purpose for which it was collected and delete the information using reasonable measures to protect against its unauthorized access or use. The FTC has the authority to seek civil penalties and injunctive relief for violations of the COPPA Rule. The FTC has brought numerous enforcement actions against operators for violating the COPPA Rule, resulting in millions of dollars in penalties and orders to delete illegally collected data.  References:

Children’s Privacy | Federal Trade Commission

Kids’ Privacy (COPPA) | Federal Trade Commission

FTC Is Escalating Scrutiny of Dark Patterns, Children’s Privacy

FTC to Crack Down on Companies that Illegally Surveil Children Learning Online

FTC Takes Action Against Company for Collecting Children’s Personal Information Without Parental Permission

[IAPP CIPP/US Certified Information Privacy Professional Study Guide], Chapter 5, pages 165-168.

Data brokers are companies that collect, analyze, and share personal information about consumers for various purposes, such as marketing, risk mitigation, and research. The U.S. Federal Trade Commission (FTC) conducted a study of nine data brokers in 2012 and published a report in 2014, titled “Data Brokers: A Call for Transparency and Accountability”. In the report, the FTC identified three broad categories of products offered by data brokers, based on the primary purposes for which the products are used by their customers.  The three categories are:  1 2

Marketing products: These products help customers target potential customers, tailor marketing offers, measure the effectiveness of marketing campaigns, and improve customer relationships. Marketing products include data elements, segments, scores, lists, and analytics that are derived from consumer data.  Data brokers may provide marketing products through direct marketing (such as postal mail, e-mail, or phone), online marketing (such as online display ads, social media, or mobile apps), or marketing analytics (such as measuring consumer behavior, preferences, and trends) 1 2

Risk mitigation products: These products help customers verify and authenticate consumers’ identities, prevent fraud, and comply with legal obligations. Risk mitigation products include identity verification, identity authentication, fraud prevention, and compliance products that are based on consumer data.  Data brokers may provide risk mitigation products through various methods, such as matching consumer-provided information with data broker records, generating questions or challenges based on consumer data, or providing scores or indicators of fraud risk or compliance status 1 2

Research products: These products help customers understand consumer behavior, preferences, and trends, as well as market conditions, industry developments, and economic factors. Research products include reports, studies, statistics, and insights that are derived from consumer data.  Data brokers may provide research products through various formats, such as online portals, dashboards, newsletters, or custom reports 1 2

The FTC report did not include location of individuals as one of the three broad categories of products offered by data brokers. Location of individuals may be a specific type of product or service that some data brokers provide, but it is not a primary purpose for which data brokers use consumer data. Therefore, the correct answer is C. Location of individuals (such as identifying an individual from partial information).

References:

Data Brokers: A Call For Transparency and Accountability: A Report of the Federal Trade Commission (May 2014)

IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 5: State Privacy Laws, Section 5.3: Data Broker Laws

 The U.S. Supreme Court has recognized an individual’s right to privacy over personal issues, such as contraception, by acknowledging a “penumbra” of unenumerated constitutional rights as well as more general protections of due process of law. This means that the right to privacy is not explicitly stated in the Constitution, but it is implied from other rights that are explicitly stated, such as the First Amendment rights of speech and assembly, the Third Amendment right to be free from quartering of soldiers, the Fourth Amendment right to be secure from unreasonable searches and seizures, the Fifth Amendment right to be free from self-incrimination, and the Ninth Amendment right to retain other rights not enumerated in the Constitution. These rights create a “zone of privacy” that protects individuals from undue government interference in their personal affairs. The Supreme Court first articulated this concept of privacy in Griswold v. Connecticut (1965), where it struck down a state law that prohibited the use of contraceptives by married couples. The Court also relied on the due process clause of the Fourteenth Amendment, which prohibits states from depriving any person of life, liberty, or property without due process of law. The Court interpreted this clause to include a substantive component that protects certain fundamental rights from state regulation, unless there is a compelling state interest and the regulation is narrowly tailored to achieve that interest. The Court has applied this due process analysis to other privacy issues, such as abortion, marriage, and sexual orientation.  References:

Privacy | Wex | US Law | LII / Legal Information Institute

Privacy isn’t in the Constitution – but it’s everywhere in constitutional law

Privacy Rights and Personal Autonomy Legally Protected by the … - Justia

Right to privacy | Wex | US Law | LII / Legal Information Institute

According to HIPAA, a business associate is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information (PHI) on behalf of, or provides services to, a covered entity. A business associate agreement (BAA) is a written contract between a covered entity and a business associate that establishes the permitted and required uses and disclosures of PHI by the business associate, as well as the safeguards that the business associate must implement to protect the PHI. In this scenario, MedApps is a business associate of Miraculous, since it provides a telehealth app that involves the use or disclosure of PHI on behalf of Miraculous. Therefore, HIPAA would require Miraculous and MedApps to enter into a BAA before using the telehealth app. The other options are incorrect because HIPAA does not prohibit the use of cloud hosting services or the hosting of in-person appointment data in the cloud, as long as the appropriate safeguards and agreements are in place. HIPAA also does not require patient consent for the sharing of PHI with third parties for treatment, payment, or health care operations purposes, which would include the use of the telehealth app.  References:

HIPAA and Telehealth  - Office for Civil Rights

HIPAA Rules for telehealth technology  - Telehealth.HHS.gov

Notification of Enforcement Discretion for Telehealth  - Office for Civil Rights

Guidance: How the HIPAA Rules Permit Covered Health Care Providers and Health Plans to Provide Audio-Only Telehealth  - Office for Civil Rights

HIPAA Compliant App  - Telehealth.org

IAPP CIPP/US Certified Information Privacy Professional Study Guide - Chapter 3: HIPAA and HITECH, pages 75-76, 81-82, 86-87.