I. Introduction to the Privacy Landscape

Section A: General Introduction to Privacy Concepts

a. Identified vs. Identifiable Individuals

b. Sensitive Personal Information

c. The Role of Encryption, Anonymization, and Pseudonymization

d. The Source of Information

e. Data Subjects, Controllers, and Processors

a. FIPs in the United States

b. Examples of FIPs in International Frameworks

c. Common Themes

Section B: Structure of U.S. Law

a. Three Branches: Legislative, Executive, and Judicial

b. Checks and Balances

a. Constitutional Law

b. Statutory Law

c. Regulations and Administrative Rulemaking

d. Common Law (a/k/a Case Law)

e. Contractual Law

f. International Law

a. Federal Regulatory Authorities

b. State Regulatory Authorities

c. Self-Regulatory Authorities

Section C: Enforcement of Privacy and Data Security Laws

a. Contract Liability

b. Tort Liability

c. Civil Enforcement of Statutory Law

d. The Concept of Negligence

a. Federal Enforcement Actions

b. State Enforcement Actions

Section D: The U.S. Perspective on Information Management

a. Data Inventory

b. Data Flow Maps

c. Data Classification

a. Balancing Risks

b. Understanding Organizational Goals

c. Developing Policies

d. The Privacy Operational Life Cycle

a. Types of User Consent

b. Managing User Consent

c. Consumer Access

a. Information Privacy vs. Information Security

b. The CIA Triad

c. Security Controls

d. Causes of Data Breaches

e. Data Breach Incident Response

a. The Importance of Workforce Training

b. Legal Requirements

a. Introduction to Web-Based Concepts

b. Introduction to Web-Based Programming Languages

c. Online Data Collection

d. Third Party Website Interactions

e. Online Security and Cyber Threats

f. The Role of Human Error

g. Consumer Tracking and Online Advertising

h. Children’s Online Privacy

a. The Legal Implications of a Privacy Notice

b. Updating a Privacy Notice

c. Designing an Effective Privacy Notice

a. Vendor Contracts

b. Vendor Selection

c. Vendor Incident Response

d. Cloud Computing Issues

e. Third-Party Data Sharing

a. The Risks of International Data Transfers

b. The Surprise Minimization Rule

c. Data Transfers from the E.U. to the U.S. Under the GDPR

a. Additional GDPR Requirements

b. The Asia-Pacific Economic Cooperation (APEC) Privacy Framework (2004)

c. Multinational Compliance Conflicts

Knowledge Review #1

II. Limits on the Private Sector Use of Personal Information

Introduction

Section A: Cross-Sector FTC Privacy Regulation

a. FTC Authority

b. Enforcement Actions

c. Consent Decrees

a. Deceptive Trade Practices

b. Unfair Trade Practices

a. Scope of COPPA

b. Notice Requirements

c. “Verifiable Parental Consent”

d. Parental Access

e. Internal Procedures

f. Safe Harbor

g. Enforcement

Section B: Healthcare Privacy

a. Scope of HIPAA’s Privacy and Security Rules

b. HIPAA Privacy Rule

c. HIPAA Security Rule

d. Enforcement of the Privacy and Security Rules

e. 2021 HIPAA Safe Harbor Bill

f. Contact Tracing

a. What Constitutes a Data Breach?

b. Data Breach Notice Requirements

c. Additional Amendments to HIPAA

a. Compassionate Sharing of Mental Health and Substance Abuse Information

b. Exemptions for Disclosure from Biomedical Research and “Certificates of Confidentiality”

c. Remote Viewing of PHI by Researchers

d. Prohibition on “Information Blocking”

a. The Scope of Part 2

b. Disclosure Restrictions

c. Use Restrictions

d. Administrative Requirements

Section C: Financial Privacy

a. Who and What the FCRA Applies To

b. Regulation of Consumer Reporting Agencies (CRAs)

c. Regulation of “Users” of Consumer Reports

d. Regulation of “Furnishers” of Information Used in Consumer Reports

e. Regulation of Companies Extending Credit

f. Investigative Consumer Reports

g. Enforcement and Rulemaking

a. Disposal Rule

b. “Red Flags” Rule

a. Scope of the GLBA

b. GLBA Privacy Rule

c. GLBA Safeguard Rule

d. Enforcement and Rulemaking under the GLBA

e. Exemptions Under State Laws for Data Regulated Under the GLBA

a. Specific CFPB “Authorities”

b. Enforcement Against Covered Persons and Service Providers

Section D: Education Privacy

a. Education Records and Exceptions

b. Substantive Policies Under FERPA

c. FERPA Enforcement; Student and Parent Complaints

d. Interplay Between FERPA and HIPAA’s Privacy Rule

a. Application of FERPA

b. Application of COPPA

c. Self-Regulation of EdTech

Section E: Marketing and Telecommunications Privacy

a. To Whom and To What the TCPA and the TSR Applies

b. Who May Be Called?

c. How Calls Can Be Made

d. Record-Keeping Requirements

e. Enforcement of Telemarketing Rules

a. Scope of CAN-SPAM

b. Prohibitions Under CAN-SPAM

c. Enforcement

d. Wireless Message Rules

e. Wireless Domain Registry

a. Limitations on the Use of CPNI

b. Administrative and Technical Safeguards

c. Data Breach Notification Rules

d. Enforcement

a. Privacy Notices

b. Prohibition on Collection

c. Prohibition on Disclosure

d. Subscriber Access

e. Data Destruction

f. Enforcement

a. Prohibition on Disclosure

b. Data Destruction

c. Enforcement

a. Prohibition on Disclosure

b. Exceptions to Disclosure

c. Enforcement

a. Lack of Federal Regulation

b. Self-Regulation of Digital Advertising

Knowledge Review #2

III. Government Access to Personal Information

Introduction

Section A: Law Enforcement and Privacy

a. When Disclosure is Permitted

b. Obligations Imposed on Financial Institutions

c. Enforcement

a. Record-Keeping Requirements

b. Reporting Requirements

c. The USA-PATRIOT Act Amendments and the Anti-Money Laundering Provisions

a. Wire, Oral, and Electronic Communications

b. Court Order Requirement

c. One-Party vs. Two-Party Consent

d. Enforcement

a. The Stored Communications Act (SCA)

b. The Pen Register and Trap and Trace Statute

a. Who It Applies To

b. Design Mandate

c. Enforcement

Section B: National Security and Privacy

a. The History of FISA and Its Amendments

b. FISA Orders and the Foreign Intelligence Surveillance Court (FISC)

c. Section 215 Orders: Production of “Any Tangible Thing”

d. Section 217: Computer Trespassers

e. Section 702: Persons Outside the United States Other Than United States Persons

f. Secrecy and Transparency Under FISA

Section C: Civil Litigation and Privacy

a. Discovery Devices

b. Privileges

c. E-Discovery Rules

d. Discovery Conflicts and Foreign Discovery

e. Public Access to Court Records

Knowledge Review #3

IV. Privacy in the Workplace

Section A: Introduction to Workplace Privacy

a. Federal Trade Commission

b. Department of Labor

c. Occupational Safety and Health Administration

d. Equal Employment Opportunity Commission

e. National Labor Relations Board

a. Title VII of the Civil Rights Act of 1964

b. Americans With Disabilities Act (ADA)

c. Genetic Information Nondiscrimination Act of 2008 (GINA)

Section B: Privacy Before, During, and After Employment

a. Regulation of Automated Employment Decision Tools

b. EEOC Guidance

a. Restrictions Under the Fair Credit Reporting Act (FCRA)

b. Methods of Pre-Employment Screening

a. Requirements Under the Wiretap Act and the Electronic Communications Privacy Act of 1996 (“ECPA”)

b. Technology and Specific Types of Monitoring Activity

c. Unionized Workforce Issues Concerning Monitoring in the U.S. Workplace

a. The Importance of Written Policies

b. The Vail Letter and FACTA Amendments

a. HIPAA, AMA, and GINA

b. Family Medical Leave Act (“FMLA”)

Knowledge Review #4

V. State Privacy Laws

Section A: State Laws

a. State “Nexus”

b. State Law as a Compliment to Federal Law

c. Interaction Between State and Federal Law

a. Telemarketing

b. Email Marketing

c. Do-Not-Track Mechanisms

a. Credit History

b. California Financial Information Privacy Act (California SB-1)

c. New York Department of Financial Services (“NYDFS”) Cybersecurity Regulations

a. Overview of State Data Privacy and Security Laws

b. Minimum Security Standards

c. The Use of Social Security Numbers

d. Data Destruction Laws

e. Data Broker Laws

f. Cookie and Online Tracking Regulations

a. Introduction to State Data Breach Notification Laws

b. Key Definitions

c. Notification Requirements

d. Exceptions to Notification

e. Penalties, Enforcement, and Data Subject Rights

a. California’s Data Breach Notification Law (SB-1386)

b. California’s Data Security Law (AB-1950)

c. The California Consumer Privacy Act (“CCPA”)

d. The California Privacy Rights Act (“CPRA”)

a. Virginia Consumer Data Protection Act (“VCDPA”) (2021)

b. Colorado Privacy Act (2021)

c. Utah Consumer Privacy Act (2022)

d. Connecticut Personal Data Privacy and Online Monitoring Act (2022)

a. California Electronic Communications Privacy Act (2015)

b. Delaware Online Personal Privacy Protection Act (2016)

c. Nevada Privacy of Information Collected on the Internet From Consumers Act – SB 538 (2017), SB 220 (2019), and SB 260 (2021)

d. Illinois Geolocation Privacy Protection Act and the Right to Know Act (2017)

e. New Jersey Personal Information and Privacy Protection Act (2017)

f. Washington Biometric Privacy Law (2017)

g. New York’s SHIELD Act

a. Tennessee SB 2005

b. Illinois HB 1260

c. New Mexico HB 15

d. South Dakota Data Breach Law

e. Massachusetts HB 4806

Knowledge Review #5

Conclusion

Full Exam #1

Full Exam #2

I. Introduction to European Data Protection

Section A: Historical Background to E.U. Data Regulation

a. The Universal Declaration of Human Rights

b. The European Convention on Human Rights

a. Early Attempts at a Cohesive Approach

b. OECD Guidelines

c. Convention 108

d. “Additional Protocol” to Convention 108

e. Convention 108+

a. Directives vs. Regulations

b. The Data Protection Directive

c. Charter of Fundamental Rights

a. The General Data Protection Regulation (“GDPR”)

b. Convention 108+

c. The Law Enforcement Data Protection Directive

d. The ePrivacy Directive

e. Brexit

f. A Timeline of Data Protection in Europe

Section B: E.U. Institutions

a. The Role of the Parliament

b. The Functioning of the Parliament

a. The Role of the Council

b. The Functioning of the Council

c. Distinction from the Council of Europe

a. Role in Data Protection

b. Representation and Independence

a. The General Court

b. The European Court of Justice

c. Role in Data Protection

a. Jurisdiction of the Court

b. Data Protection Decisions by the Court

Section C: E.U. Legislative Framework

a. Overview

b. Scope

c. Key Principles

d. Article 29 Working Party

a. Background of the ePrivacy Directive

b. Scope

c. Key Provisions

d. 2009 Amendments – “The Cookie Directive”

e. The “ePrivacy Regulation”

a. “Information Society Services”

b. Key Principles

c. Relationship to Data Protection

d. The Data Services Act

a. Background of the GDPR and the LEDP Directive

b. Structure of the GDPR

c. “Opening Clauses”

d. The European Data Protection Board

e. Relationship to Other Legislation

Knowledge Review #1

II. E.U. Data Protection Law and Regulation

Section A: Data Protection Concepts

a. “Any Information”

b. “Relating To”

c. “An Identified or Identifiable”

d. “Natural Person”

a. Special Categories of Personal Data

b. Prohibition on Processing and Exceptions

c. Criminal Convictions and Offenses

a. Pseudonymization of Data

b. Anonymous Data

a. Data Subject

b. Data Controller

c. Data Processor

d. Distinguishing a Controller from a Processor

Section B: Territorial and Material Scope of the GDPR

a. How to Determine “Establishment”

b. How to Determine if “the Context of the Activities” is in the Establishment

c. Application to Data Processors

a. Data Subjects in the Union

b. Targeting Criteria

c. Application to Data Processors

d. Application Due to Public International Law

a. National Security Exceptions

b. Household Activities

c. Prevention, Investigation, Detection, and Prosecution of Criminal Offenses

d. Processing by E.U. Institutions

Section C: Data Processing Principles

a. Lawfulness

b. Fairness

c. Transparency

Section D: Lawful Processing Criteria

a. The Elements of Consent

b. Demonstrating Consent

c. Consent and Alternative Legal Bases

d. Obtaining Consent from Children

a. Legal Obligations

b. Protecting Vital Interests

c. Public Interest

a. What is a “Legitimate Interest”?

b. What are the Interests and Fundamental Rights of Data Subjects?

c. The Balancing Test

a. Sensitive Data Types

b. Prohibition and Derogations

Knowledge Review #2

Section E: Information Provision Obligations

a. Timing of Information Provision

b. When Disclosures are Not Necessary

a. Designing an Effective Privacy Notice

b. Updating a Privacy Notice

Section F: Data Subject Rights

a. Search Engines and the Right to be Forgotten

a. When Are Restrictions Permitted?

b. Additional Requirements

Section G: Security of Personal Data

a. The CIA Triad

b. Security Controls and Protection Mechanisms

c. Security Controls Under Article 32

d. Managing Employees

a. Response Planning

b. Incident Detection

c. Incident Response

d. Incident Follow-Up

a. What is a “Personal Data Breach”

b. Notifying Regulators (Article 33)

c. Notifying Data Subjects

d. Breach Notification Requirements Under Other E.U. Law

a. Choosing a Third-Party Data Vendor

b. Data Sharing Agreements

a. CSIRTs and NIS Cooperation Group

b. Operators of Essential Services and Digital Service Providers

Knowledge Review #3

Section H: Accountability Requirements

a. Accountability Generally

b. Accountability Under the GDPR

a. Organizational Privacy Policies

b. The Privacy Policy Life Cycle

c. Key Components of a Privacy Policy

d. Implementing a Privacy Policy

e. Responsibilities of Joint Controllers and Article 26

a. The Seven Principles of PbD

b. Data Protection by Design and Default Under the GDPR

a. Records of Processing Activities

b. Article 31 – Cooperation with DPAs

a. Privacy Impact Assessments

b. Data Protection Impact Assessments

a. When is Appointment of a DPO Required?

b. The Role of a DPO

a. Types of Audits

b. The Audit Life Cycle

c. Attestations and Self-Assessments

Section I: International Data Transfers

a. The Risks of International Data Transfers

b. The Surprise Minimization Rule

c. The Framework for Data Transfers to Third Countries Under the GDPR

d. What Constitutes a “Transfer”?

a. The Making of an Adequacy Decision

b. Adequacy Decisions and the United States

a. Schrems II and the Use of SCCs

b. New Standard Contract Clauses (2021)

c. Ad Hoc Contract Clauses

a. Codes of Conduct

b. Certification Mechanisms

Section J: Supervision and Enforcement

a. DPA Tasks

b. DPA Powers

c. Activity Reports

d. Prior Consultation Under Article 34(4)

e. Competence of Supervisory Authorities

a. Cooperation Procedure Under Article 60

b. Mutual Assistance

c. Joint Operations

a. Structure of the EDPB

b. Tasks of the EDPB

c. Consistency Mechanism

a. Independence and Secrecy

b. Tasks and Powers

a. Article 83(4)

b. Article 83(5)

c. Factors to Consider in Establishing a Fine

d. Additional Member State Penalties

e. What Constitutes an Undertaking for Article 83?

a. Representative Actions

b. Collective Redress Directive

c. Data Subject Compensation

Knowledge Review #4

III. Compliance with the GDPR

Introduction

Section A: Employment Relationships

a. Legal Basis for Processing

b. Special Categories of Employee Data

a. Background Checks

b. Monitoring the Workplace

a. Whistleblowing Policies

b. Sarbanes-Oxley Act

Section B: Surveillance Activities

a. The Household Use Exception

b. Lawfulness of Processing

c. Conducting a DPIA

d. Video Surveillance as Biometric Data

e. Data Subject Rights

Section C: Direct Marketing

a. WP29 Guidance on What Constitutes Direct Marketing

b. Digital vs. Non-Digital Direct Marketing

c. Direct Marketing Under the GDPR

d. Direct Marketing Under the ePrivacy Directive

e. Robinson Lists

a. Person-to-Person vs. Automated Calls

b. Business-to-Business vs. Business-to-Consumer Calls

a. “Electronic Mail” Defined

b. Consent Requirements

c. Restrictions and Information Provision Obligations

d. B2B vs. B2C Email Messages

a. Postal Mail Marketing

b. Fax Marketing

c. Location-Based Marketing

a. Tracking Consumers Across the Internet

b. Parties Involved in Behavioral Advertising

c. Legal Framework

d. Compliance Challenges

Section D: Internet Technologies and Communications

a. Controllers and Processors in Cloud Computing

b. Cloud Computing Contracts

a. Web Cookies

b. IP Addresses and the Internet “Phonebook”

a. Who is the Data Controller?

b. Types of Data Used to Target

c. Compliance Challenges

a. Data Controllers

b. Compliance Challenges

a. Internet of Things (IoT)

b. Machine Learning and Big Data

c. Blockchains and Cryptocurrencies

d. Data Ethics

Knowledge Review #5

Conclusion

Full Exam #1

Full Exam #2

I. Developing a Privacy Program

Introduction

Section A: The Overview of a Privacy Program

a. What is a Privacy Program?

b. What is a Privacy Program Manager?

a. Identified and Identifiable Personal Information

b. Data Subjects, Controllers, and Processors

a. The Accountability Principle

b. Additional Principles Governing Privacy Management

Section B: Implementing a Privacy Program at the Organizational Level

a. Centralized Model

b. Distributed Model (a/k/a Local Model or Decentralized Model)

c. Hybrid Model

d. Advantages and Disadvantages

e. Choosing a Model and the Location for the Privacy Function

a. Identifying the Personal Information Processed by an Organization

b. Identifying Applicable Privacy Laws and Regulations

c. Additional Considerations and Organizational Objectives

a. Making the Business Case for Privacy and Data Protection

b. Identifying the Stakeholders

c. Interfacing With the Organization

d. Accountability Over the Process

e. Taking Privacy Out of the Abstract

a. Common Privacy Roles and Titles

b. Designated Privacy Leaders

c. Data Protection Officers (“DPO”) and the GDPR

d. Establishing the Professional Competency of Team Members

Knowledge Review #1

II. Privacy Program Framework

Introduction

Section A: Developing a Privacy Program Framework

a. Principles and Standards

b. Laws, Regulations, and Self-Regulatory Programs

c. Privacy Program Management Solutions

a. The Privacy Policy Life Cycle

b. Key Components of a Privacy Policy

c. Rationalizing Privacy Requirements

a. Education and Awareness

b. Internal Policy Compliance

c. Data Inventories, Data Flows, and Data Classification Schema

d. Risk Assessments

e. Incident Response Process

f. Monitoring Regulatory Environment

g. Internal Audit and Risk Management

Section B: Implementing a Privacy Program Framework

a. Internal Communication

b. External Communication

a. Scope of the GDPR

b. Data Processing Principles and Lawfulness

c. Individual Rights

d. Organizational Obligations

e. Regulatory Powers

a. Federal Laws

b. State Data Security Laws

c. State Data Breach Notification Laws

d. Comprehensive Privacy Legislation

a. The Risks of International Data Transfers

b. The Surprise Minimization Rule

c. International Data Transfers Under the GDPR

Section C: Using Privacy Metrics

a. Privacy Metric Development Template

b. Metric Owners

c. Identifying Collection Points

a. Compliance Metrics

b. Trend Analysis

c. Privacy Program ROI

d. Business Resiliency Metrics

e. Privacy Program Maturity

f. Resource Utilization

g. IAPP’s DPO Report Template

Knowledge Review #2

III. Privacy Operational Lifecycle

Introduction

Section A: Assess Your Organization

a. Data Inventory

b. Data Flow Maps

c. Data Classification

d. Developing Data Inventories, Maps, and Classification Schema

e. GDPR Records Processing Requirements

a. Privacy Assessments

b. Privacy Threshold Analysis and Privacy Impact Assessments

c. Data Protection Impact Assessments

a. Choosing a Third-Party Vendor

b. Vendor Contracts

c. Cloud Computing Issues and Data Residency

d. Restrictions on Third-Party Data Sharing

a. Physical and Environmental Aspects of Information Security

b. Bring Your Own Device and Data Loss Prevention

Section B: Protect Your Organization

a. The Eleven Elements of DLM Policies

b. Data Retention and Data Destruction Policies

a. Where Privacy and Security Diverge

b. Where Privacy and Security Overlap

c. Privacy as a Compliment to Information Security

a. The CIA Triad

b. Security Controls

a. The Seven Principles of PbD

b. Data Protection by Design and Default Under the GDPR

c. Solove’s Privacy Risks

d. Privacy Design Strategies

e. Systems Development Life Cycle and Privacy Engineering

a. The Importance of Alignment

b. Communicating Across the Organization

c. Understanding the Costs and Tradeoffs

a. Designing Effective Policies

b. Specific Policies That Impact Privacy

Knowledge Review #3

Section C: Sustain the Privacy Program

a. Types of Audits

b. The Audit Life Cycle

c. Attestations and Self-Assessments

a. Training vs. Awareness

b. Training and Awareness as a Communication Tool

c. Training and Awareness as a Cost-Saving Mechanism

Section D: Respond: Data Subject Requests

a. Legal Consequences of a Privacy Notice

b. Updating a Privacy Notice

c. Designing an Effective Privacy Notice

a. Methods of Obtaining Consent

b. Consent Under the GDPR

c. Obtaining Consent From Children

d. Responding to a Withdrawal of Consent

a. Right to be Informed

b. Right to Access and Information

c. Right to Rectification

d. Right to Erasure (“Right to be Forgotten”)

e. Right to Restrict Processing

f. Right to Data Portability

g. Right to Object to Processing

h. Right Not to Be Subject to Automated Decision-Making and Profiling

a. Federal Law

b. State Law

a. Canada

b. Latin America

c. Asia

d. Australia and New Zealand

Section E: Respond: Privacy Incidents

a. Developing a Plan

b. Training

c. Key Roles and Responsibilities

d. Insurance Coverage

e. Managing Vendors

a. Steps in an Incident Response

b. Leadership Response Team

c. Investigation of an Incident

d. Working With Insurers and Other Contracted Parties

a. Internal Notifications and Progress Reporting

b. Notifying Affected Individuals

c. Notification to Regulatory Authorities

Knowledge Review #4

Conclusion

Full Exam #1

Full Exam #2