Objectives in this domain

Identify the sources of US law - constitutional, statutory, regulatory, and common law - and explain how each shapes privacy obligations.
Section 1.1medium
Describe the roles of the Federal Trade Commission, sector-specific regulators, and state attorneys general in enforcing privacy and security laws.
Section 1.2medium
Apply information management principles including data inventory, classification, flow mapping, and retention to support US privacy compliance.
Section 1.3medium
Explain mechanisms for transferring personal data between the US and other jurisdictions, including adequacy decisions and standard contractual clauses.
Section 1.4hard
Explain the concept of information fiduciary duty and its implications for organisations that collect and process personal data.
Section 1.5hard

Sample question from this domain

Free sampleIntroduction to the U.S. Privacy Environmentmedium

A technology company has not violated any specific privacy statute, yet the Federal Trade Commission opens an enforcement action alleging the company misrepresented its data-sharing practices to consumers. On what legal source does the FTC most directly rely to bring this action?

AThe common law tort of intrusion upon seclusion, which the FTC enforces on behalf of consumers in federal court.
BIts statutory authority under Section 5 of the FTC Act to challenge unfair or deceptive acts or practices. Correct
CA constitutional right to fair dealing implied by the Due Process Clause of the Fourteenth Amendment.
DA self-regulatory code of conduct that the company adopted and the FTC enforces as binding federal regulation.

Identify Section 5 of the FTC Act as the statutory basis for FTC enforcement against deceptive privacy representations. The FTC's general enforcement power comes from Section 5 of the FTC Act, which bars unfair or deceptive acts or practices, allowing action against misrepresentations even absent a sector-specific privacy statute.

Why A is wrong: Tempting because intrusion is a privacy wrong, but it is a private tort claim brought by individuals, not a statutory power the FTC invokes for enforcement.

Why B is correct: Correct: Section 5 of the FTC Act prohibits unfair or deceptive acts or practices, letting the FTC act on a misrepresentation even where no specific privacy statute applies.

Why C is wrong: Tempting because due process sounds protective, but it limits government conduct toward individuals and is not the source of FTC authority over deceptive business practices.

Why D is wrong: Tempting because broken promises in a code can support a case, but the code is not itself the legal source, and the FTC's authority flows from the FTC Act.

Other domains in this exam

Limits on Private-Sector Collection and Use of Data31% of the exam
Government and Court Access to Private-Sector Information12% of the exam
Workplace Privacy10% of the exam
State Privacy Laws23% of the exam

See also the CIPP-US cert hub, the study guide, and the cheat sheet.