Exam CIPP-US topic 1 question 170 discussion

The VCDPA explicitly states that organizations that are already regulated by GLBA are exempt from certain provisions of the act regarding personal data. This means that the same organizations that must comply with GLBA will not face overlapping compliance requirements under the Virginia law.

Agree with smp175

A is the correct answer. The Nevada Privacy Law, specifically Nevada Revised Statutes (NRS) 603A.340, provides an exemption for entities subject to the Gramm-Leach-Bliley Act (GLBA). This exemption means that organizations that comply with GLBA are not required to comply with certain provisions of the Nevada Privacy Law related to data security and privacy. D is incorrect because the Virginia Consumer Data Protection Act (VCDPA) does not explicitly include an entity exemption for organizations subject to the Gramm-Leach-Bliley Act (GLBA). While the VCDPA does have certain exemptions, such as for entities subject to the Health Insurance Portability and Accountability Act (HIPAA) or the GLBA for data processed in compliance with those laws, it does not specifically mention an exemption for GLBA compliance. Therefore, option D is not the best choice in this context.

"Nonetheless, the VCDPA will not apply to financial institutions. Specifically, the VCDPA provides that it “shall not apply to any . . . financial institutions or data subject to Title V of the federal” GLBA. In this regard, the VCDPA’s GLBA exception is far broader than the CCPA’s GLBA exception, which is limited only to information subject to the GLBA. That is, unlike the CCPA, the VCDPA provides not only a GLBA “information” exception, but also a GLBA “entity” exception." https://www.mofo.com/resources/insights/210302-financial-institutions-exempt-virginia-privacy-law