IAPP CIPP-US Practice Test - Questions Answers, Page 6

The Telemarketing Sales Rule (TSR) is a federal regulation that applies to telemarketing calls, which are defined as 'a plan, program, or campaign which is conducted to induce the purchase of goods or services or a charitable contribution, by use of one or more telephones and which involves more than one interstate telephone call.'1The TSR requires telemarketers to make specific disclosures, prohibit misrepresentations, limit the times and number of calls, and set payment restrictions for the sale of certain goods and services.The TSR also gives consumers the right to opt out of receiving telemarketing calls by registering their phone numbers on the National Do Not Call Registry.2

The TSR applies to both for-profit and not-for-profit organizations, but there are some exemptions and partial exemptions for certain types of entities, calls, and transactions. For example, the TSR does not apply to nonprofit organizations calling on their own behalf, as they are not considered to be engaged in telemarketing. However, if a nonprofit organization hires a for-profit telemarketer or telefunder to solicit charitable contributions on its behalf, the for-profit entity must comply with the TSR, as it is engaged in telemarketing. Similarly, the TSR does not apply to for-profit organizations calling businesses when a binding contract exists between them, as they are not considered to be inducing the purchase of goods or services.However, if a for-profit organization calls businesses to sell additional services to established customers, the TSR applies, as it is considered to be inducing the purchase of goods or services.3

Therefore, among the four options, only for-profit organizations and for-profit telefunders regarding charitable solicitations must comply with the TSR, as they are engaged in telemarketing and do not fall under any of the exemptions or partial exemptions.Reference:1: eCFR :: 16 CFR Part 310 -- Telemarketing Sales Rule3, Section 310.22: Telemarketing Sales Rule | Federal Trade Commission1, Rule Summary3: Complying with the Telemarketing Sales Rule - Federal Trade Commission2, Exemptions to the TSR.

The Telemarketing Sales Rule (TSR) is a federal regulation that applies to telemarketing calls, which are defined as 'a plan, program, or campaign which is conducted to induce the purchase of goods or services or a charitable contribution, by use of one or more telephones and which involves more than one interstate telephone call.'1The TSR requires telemarketers to make specific disclosures, prohibit misrepresentations, limit the times and number of calls, and set payment restrictions for the sale of certain goods and services.The TSR also gives consumers the right to opt out of receiving telemarketing calls by registering their phone numbers on the National Do Not Call Registry.2

The TSR applies to both for-profit and not-for-profit organizations, but there are some exemptions and partial exemptions for certain types of entities, calls, and transactions. For example, the TSR does not apply to nonprofit organizations calling on their own behalf, as they are not considered to be engaged in telemarketing. However, if a nonprofit organization hires a for-profit telemarketer or telefunder to solicit charitable contributions on its behalf, the for-profit entity must comply with the TSR, as it is engaged in telemarketing. Similarly, the TSR does not apply to for-profit organizations calling businesses when a binding contract exists between them, as they are not considered to be inducing the purchase of goods or services.However, if a for-profit organization calls businesses to sell additional services to established customers, the TSR applies, as it is considered to be inducing the purchase of goods or services.3

Therefore, among the four options, only for-profit organizations and for-profit telefunders regarding charitable solicitations must comply with the TSR, as they are engaged in telemarketing and do not fall under any of the exemptions or partial exemptions.Reference:1: eCFR :: 16 CFR Part 310 -- Telemarketing Sales Rule3, Section 310.22: Telemarketing Sales Rule | Federal Trade Commission1, Rule Summary3: Complying with the Telemarketing Sales Rule - Federal Trade Commission2, Exemptions to the TSR.

The Telemarketing Sales Rule (TSR) is a federal regulation that implements the Telemarketing and Consumer Fraud and Abuse Prevention Act of 1994.The TSR aims to protect consumers from deceptive or abusive telemarketing practices, such as unwanted calls, false or misleading claims, unauthorized billing, and privacy violations1.

The TSR requires telemarketers and sellers to comply with the National Do Not Call Registry, which is a list of phone numbers of consumers who have indicated that they do not want to receive telemarketing calls2.

The TSR also requires telemarketers and sellers to honor the do-not-call requests of individual consumers, regardless of whether their numbers are on the National Do Not Call Registry or not2.

A do-not-call request is a statement made by a consumer, either orally or in writing, that they do not wish to receive any more calls from a specific telemarketer or seller2.

The TSR requires an entity to share a do-not-call request across its organization when the operational structures of its divisions are not transparent to consumers3.This means that the entity must treat the do-not-call request as if it applies to all of its affiliates and subsidiaries that engage in telemarketing, unless the consumer would reasonably expect them to be separate and distinct entities based on their names, products, or services3.

The TSR does not require an entity to share a do-not-call request across its organization in the following situations:

When the goods and services sold by its divisions are very similar. This is not a relevant factor for determining whether the entity must share a do-not-call request across its organization.The key factor is whether the consumers can distinguish between the different divisions based on their operational structures3.

When a call is not the result of an error or other unforeseen cause. This is not an exception to the requirement to honor a do-not-call request.The TSR prohibits telemarketers and sellers from calling a consumer who has made a do-not-call request, unless the call falls under one of the specific exemptions, such as calls from or on behalf of tax-exempt nonprofit organizations, calls to consumers with whom the seller has an established business relationship, or calls to consumers who have given prior express written consent2.

When the entity manages user preferences through multiple platforms. This is not an excuse for not sharing a do-not-call request across its organization.The TSR requires telemarketers and sellers to maintain an internal do-not-call list of consumers who have asked them not to call again, and to update the list at least once every 31 days2.The entity must ensure that the do-not-call request is recorded and communicated across all of its platforms that are used for telemarketing purposes3.

According to the CAN-SPAM Act of 2003, a federal law that regulates commercial email messages, a commercial message sender must honor a recipient's opt-out request within 10 business days. The sender must provide a clear and conspicuous way for the recipient to opt out of receiving future emails, such as a link or an email address. The sender must not charge a fee, require the recipient to provide any personal information, or make the recipient take any steps other than sending a reply email or visiting a single web page to opt out. The sender must also not sell, exchange, or transfer the email address of the recipient who has opted out, unless it is necessary to comply with the law or prevent fraud.

IAPP CIPP/US Body of Knowledge, Domain II: Limits on Private-sector Collection and Use of Data, Section B: Communications and Marketing

IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 2: Limits on Private-sector Collection and Use of Data, Section 2.2: Communications and Marketing

Practice Exam - International Association of Privacy Professionals

The Family Educational Rights and Privacy Act (FERPA) is a federal law that protects the privacy of students' educational records. FERPA generally requires schools to obtain written consent from students before disclosing their records to third parties, such as parents. However, FERPA allows some exceptions to this rule, such as when the disclosure is for health or safety emergencies, or when the student is still a dependent for tax purposes. According to FERPA, a school may disclose educational records to the parents of a student who is claimed as a dependent on the parents' most recent federal income tax return, without the student's consent. This exception applies regardless of the student's age or enrollment status at a postsecondary institution.Reference:

IAPP CIPP/US Body of Knowledge, Section III, C, 2

[IAPP CIPP/US Study Guide, Chapter 3, Section 3.5]

[FERPA, 34 CFR 99.31(a)(8)]

The Red Flags Rule is a regulation that requires financial institutions and creditors to implement a written identity theft prevention program that is designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account1.A creditor is any person who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew, or continue credit2.A covered account is an account that a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, such as a credit card account, mortgage loan, automobile loan, margin account, cell phone account, utility account, checking account, or savings account2.A money wire service is a service that allows customers to send or receive money electronically3. The owner of a grocery store who uses a money wire service is not a creditor because he or she does not regularly extend, renew, or continue credit to customers. Therefore, the Red Flags Rule does not apply to the owner of a grocery store who uses a money wire service.Reference:

1: FTC, Red Flags Rule, https://www.ftc.gov/business-guidance/privacy-security/red-flags-rule

2: FTC, Fighting Identity Theft with the Red Flags Rule: A How-To Guide for Business, https://www.ftc.gov/tips-advice/business-center/guidance/fighting-identity-theft-red-flags-rule-how-guide-business

3: Alessa, Wire Transfer Red Flags: Understanding Money Laundering and Fraud Risks, https://alessa.com/webinars/wire-transfer-red-flags-and-fraud-risks/

The Dodd-Frank Act created the Consumer Financial Protection Bureau (CFPB) as an independent agency within the Federal Reserve System. The CFPB has the authority to regulate consumer financial products and services, such as mortgages, credit cards, student loans, and payday loans. One of the main objectives of the CFPB is to promote transparency, fairness, and consumer choice in the financial marketplace. The CFPB has issued rules and guidance to require financial institutions to provide clear and accurate information to consumers about the costs, risks, and benefits of their products and services.The CFPB also has the power to enforce consumer protection laws and prohibit unfair, deceptive, or abusive acts or practices by financial institutions123Reference:1:Dodd-Frank Wall Street Reform and Consumer Protection Act, Title X, Subtitle A, Section 1011.2:Consumer Financial Protection Bureau, Wikipedia.3:Dodd-Frank Act: What It Does, Major Components, and Criticisms, Investopedia.

The Family Educational Rights and Privacy Act of 1974 (FERPA) is a federal law that protects the privacy of student education records. FERPA grants parents or eligible students the right to access, amend, and control the disclosure of their education records, with some exceptions.Schools must obtain written consent from the parent or eligible student before disclosing any personally identifiable information from the education records, unless an exception applies123

Option A violates FERPA because it involves the disclosure of a student's personally identifiable information (PII) from the education records without consent.A student's signed essay about her hometown is considered an education record under FERPA, as it is directly related to the student and maintained by the school12A K-12 assessment vendor is not a school official with a legitimate educational interest, nor does it fall under any of the exceptions that allow disclosure without consent12Therefore, the school must obtain the student's (or the parent's, if the student is a minor) written consent before providing the essay to the vendor for public release.

Option B does not violate FERPA because it involves the disclosure of directory information, which is not considered PII under FERPA.Directory information is information that would not generally be considered harmful or an invasion of privacy if disclosed, such as name, address, phone number, e-mail address, major, etc12Schools may disclose directory information without consent, unless the parent or eligible student has opted out of such disclosure12However, schools must notify parents and eligible students of the types of directory information they designate and their right to opt out annually12

Option C does not violate FERPA because it involves the disclosure of information that is not part of the education records.FERPA only applies to education records that are directly related to a student and maintained by the school or a party acting for the school12A newspaper's publication of the names, grade levels, and hometowns of students who made the quarterly honor roll is not based on the education records, but on the newspaper's own sources and reporting. Therefore, FERPA does not prohibit such disclosure.

Option D does not violate FERPA because it involves the disclosure of information under an exception that allows disclosure without consent.FERPA permits schools to disclose education records, or PII from education records, without consent to comply with a judicial order or lawfully issued subpoena, or to appropriate officials in connection with a health or safety emergency123If the university police provide an arrest report to the student's hometown police in response to a subpoena or to prevent a serious threat to the student or others, they are not violating FERPA.

According to FERPA, a school may disclose personally identifiable information (PII) from an eligible student's education records without consent if the disclosure meets one of the exceptions in 34 CFR 99.31. One of these exceptions is for disclosures to other schools to which a student seeks or intends to enroll, or is already enrolled if the disclosure is for purposes related to the student's enrollment or transfer (34 CFR 99.31(a)(2)). This exception allows schools to disclose transcripts, recommendations, or other information that may facilitate the student's admission or enrollment at another school. However, the school must make a reasonable attempt to notify the student of the disclosure, unless the student initiated the disclosure, and must provide the student with a copy of the records that were disclosed upon request (34 CFR 99.34(a)(1)).Reference:https://studentprivacy.ed.gov/ferpa

https://studentprivacy.ed.gov/ferpa