Some of that vagueness is intentional and not always for nefarious reasons either. When getting my the FCRA cert, there definitely a few requirements that were obviously very open ended so the gov could either pursue a potential unforeseen circumstance or not stifle business. The vagaries in laws has always been interesting to me. Unfortunately, I don't remember any definitive examples since I took the test years ago now.