Most Recent IAPP CIPP-US Exam Dumps

According to FERPA, a school may disclose personally identifiable information (PII) from an eligible student's education records without consent if the disclosure meets one of the exceptions in 34 CFR 99.31. One of these exceptions is for disclosures to other schools to which a student seeks or intends to enroll, or is already enrolled if the disclosure is for purposes related to the student's enrollment or transfer (34 CFR 99.31(a)(2)). This exception allows schools to disclose transcripts, recommendations, or other information that may facilitate the student's admission or enrollment at another school. However, the school must make a reasonable attempt to notify the student of the disclosure, unless the student initiated the disclosure, and must provide the student with a copy of the records that were disclosed upon request (34 CFR 99.34(a)(1)).Reference:https://studentprivacy.ed.gov/ferpa

https://studentprivacy.ed.gov/ferpa

The Consumer Privacy Bill of Rights is a set of principles that the Obama administration proposed in 2012 to guide the development of privacy legislation and policies in the United States.The report that introduced the bill of rights stated that it was 'generally based on the widely accepted Fair Information Practice Principles (FIPPs)'1, which are a set of standards that originated in the 1970s and have influenced many privacy laws and frameworks around the world.The FIPPs include concepts such as individual control, transparency, security, accountability, and data minimization2.The Consumer Privacy Bill of Rights adapted and expanded these principles to address the challenges and opportunities of the digital economy1.Reference:1: Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy2, page 92: IAPP CIPP/US Certified Information Privacy Professional Study Guide3, page 17.

The federal act that does NOT contain provisions for preempting stricter state laws is theTelemarketing Consumer Protection and Fraud Prevention Act1.This act authorizes the Federal Trade Commission (FTC) to establish and enforce rules for telemarketing practices, such as the Do Not Call Registry, the prohibition of robocalls, and the disclosure of material information2.However, the act also explicitly states that it does not 'annul, alter, or affect, or exempt any person subject to the provisions of this section from complying with, the laws of any State with respect to telemarketing practices, except to the extent that those laws are inconsistent with any provision of this section, and then only to the extent of the inconsistency'1. This means that states can enact and enforce their own laws regarding telemarketing, as long as they are not less protective than the federal law.In contrast, the other three acts listed in the question do contain preemption clauses that limit or override the authority of states to regulate certain aspects of electronic communications, online privacy, and credit transactions345.Reference:1:Telemarketing Consumer Protection and Fraud Prevention Act2:Telemarketing Sales Rule | Federal Trade Commission3:CAN-SPAM Act: A Compliance Guide for Business4:Children's Online Privacy Protection Rule (''COPPA'') | Federal Trade Commission5:Fair and Accurate Credit Transactions Act of 2003 - Wikipedia: IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 5: Federal Trade Commission and Consumer Privacy, p. 144-145, 149-150, 154-155

The law that is not involved in the regulation of employee background checks is B. The Gramm-Leach-Bliley Act (GLBA). The GLBA is a federal law that regulates the privacy and security of financial information collected, used, or shared by financial institutions, such as banks, insurance companies, or securities firms. The GLBA does not apply to employee background checks, unless the employer is a financial institution that obtains financial information from a consumer reporting agency for employment purposes. In that case, the employer must comply with the GLBA's notice and opt-out requirements, as well as the FCRA's requirements for using consumer reports.Reference:

[IAPP CIPP/US Study Guide], Chapter 4: Workplace Privacy, pp. 113-114.

IAPP CIPP/US Body of Knowledge, Section IV: Workplace Privacy, Subsection A: Employee Privacy Expectations, Topic 3: Background Checks.

IAPP CIPP/US Practice Questions, Question 150.

Nevada's privacy law, Senate Bill 260 (SB 260), is an amendment to the existing Nevada Revised Statutes (NRS) Chapter 603A that was enacted in June 2021 and will take effect on October 1, 2021. SB 260 expands the scope and definition of ''covered information'' under NRS 603A to include any information that identifies, relates to, describes, or is capable of being associated with a consumer, such as name, address, email, phone number, social security number, biometric data, geolocation data, and online identifiers. SB 260 also grants Nevada consumers the right to opt out of the sale of their covered information by an operator of a website or online service that collects and maintains such information.

Under SB 260, an operator is defined as a person who owns or operates a website or online service for commercial purposes, collects and maintains covered information from consumers who reside in Nevada and use or visit the website or online service, and purposefully directs its activities toward Nevada. A sale is defined as the exchange of covered information for monetary consideration by the operator to a person for the person to license or sell the covered information to additional persons. However, there are some exceptions to the definition of a sale, such as:

If the consumer has consented to the sale after being provided with clear and conspicuous notice of the sale and the opportunity to opt out.

If the sale is to a person who processes the covered information on behalf of the operator.

If the sale is to a person with whom the consumer has a direct relationship for the purposes of providing a product or service requested by the consumer.

If the sale is to a person for purposes that are consistent with the reasonable expectations of the consumer considering the context in which the consumer provided the covered information to the operator.

If the sale is to a person who is an affiliate of the operator.

If the sale is to a person as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the person assumes control of all or part of the operator's assets.

To comply with SB 260, an operator that sells covered information must provide a designated request address through which a consumer may submit a verified request to opt out of the sale. The designated request address may be an email address, a toll-free telephone number, or an Internet website. The operator must respond to the verified request within 60 days, and may extend the response period for an additional 30 days if reasonably necessary. The operator must also provide a notice to the consumer that identifies the categories of covered information that the operator collects and the categories of third parties to whom the operator may disclose the covered information.

Therefore, the best privacy compliance step for SuperMart to comply with SB 260 is to provide a mechanism for consumers to opt out of sales, as this is the core requirement of the law. Option A is the correct answer.

Option B is incorrect, as SB 260 does not grant consumers the right to access or delete their covered information, unlike other state privacy laws such as the California Consumer Privacy Act (CCPA) or the Virginia Consumer Data Protection Act (VCDPA).

Option C is incorrect, as SB 260 does not require operators to provide a notice of financial incentive for any loyalty programs offered to their customers, unlike the CCPA.

Option D is incorrect, as SB 260 does not impose service provider restrictions on the vendors of the operators, unlike the CCPA or the VCDPA.

[IAPP CIPP/US Study Guide], Chapter 10: State Data Security Laws, pp. 229-230.

CIPP/US Practice Questions (Sample Questions), Question 33.