The Family Educational Rights and Privacy Act (FERPA) is a federal law that protects the privacy of student education records. FERPA generally requires that schools obtain written consent from students (or their parents if the student is a minor) before disclosing personally identifiable information from education records. However, FERPA allows specific exceptions where disclosures can be made without consent.

One of these exceptions is when a school discloses education records to another school where the student seeks or intends to enroll . This allows educational institutions to share information for legitimate educational purposes, such as transferring transcripts between schools when a student moves or applies for enrollment elsewhere.

Explanation of Options:

A. If the disclosure is not to be conducted through email to the third party: FERPA does not prohibit disclosures via email as long as the recipient is authorized and the disclosure meets FERPA requirements. The medium of disclosure is not a determining factor.

B. If the disclosure would not reveal a student ' s student identification number: FERPA restricts the disclosure of personally identifiable information but does not specifically regulate disclosures based on whether a student ID number is included unless the number itself compromises the student ' s privacy.

C. If the disclosure is made to practitioners who are involved in a student ' s health care: FERPA does not specifically provide an exception for health care practitioners unless the disclosure falls under the " health and safety emergency " exception, which does not apply to general health care.

D. If the disclosure is for the purpose of providing transcripts to a school where a student intends to enroll: This is correct and aligns with one of the exceptions outlined in FERPA. Schools are permitted to share student records with other educational institutions where a student seeks or intends to enroll without requiring consent.

References from CIPP/US Materials:

FERPA (20 U.S.C. § 1232g): Governs the disclosure of student education records and details specific exceptions to the consent requirement.

IAPP CIPP/US Certification Textbook: Explains FERPA’s consent requirements and exceptions, including disclosures for enrollment purposes.

The Children’s Online Privacy Protection Act (COPPA) is a federal law that protects the privacy of children under 13 who use online sites and services. COPPA requires operators of such sites and services to obtain verifiable parental consent before collecting, using, or disclosing personal information from children, and to provide notice of their information practices to parents and the public.  COPPA also gives parents the right to access, review, and delete their children’s personal information, and to limit further collection or use of such information. 1

One way for operators to comply with COPPA is to participate in an approved self-regulatory program, also known as a “safe harbor” program. These are programs that are run by industry groups or other organizations that set and enforce standards for privacy protection that meet or exceed the requirements of COPPA. Operators that join a safe harbor program and follow its guidelines are deemed to be in compliance with COPPA and are subject to the review and disciplinary procedures of the program instead of FTC enforcement actions.  The FTC has approved several safe harbor programs, such as CARU, ESRB, iKeepSafe, kidSAFE, PRIVO, and TRUSTe. 2

By participating in an approved self-regulatory program, the marketer in the scenario could have best changed its privacy management program to meet COPPA “Safe Harbor” requirements. This would mean that the marketer would have to adhere to the guidelines of the program, which would likely include obtaining verifiable parental consent before collecting personal information from children, providing clear and prominent privacy notices on its website and emails, honoring parents’ choices and requests regarding their children’s data, and ensuring the security and confidentiality of the data collected.  The marketer would also benefit from the oversight and assistance of the program in ensuring compliance and resolving any complaints or disputes. 3   References:   1 : Complying with COPPA: Frequently Asked Questions 4 , Section A 2 : COPPA Safe Harbor Program 3 : IAPP CIPP/US Certified Information Privacy Professional Study Guide, page 143.

The Privacy Protection Act of 1980 (PPA) is a federal law that protects journalists and newsrooms from search and seizure by government officials in connection with criminal investigations or prosecutions. The PPA prohibits the government from searching for or seizing any work product materials or documentary materials possessed by a person who intends to disseminate them to the public through a newspaper, book, broadcast, or other similar form of public communication, unless certain exceptions apply. The PPA was drafted in response to the Supreme Court’s decision in Zurcher v. Stanford Daily, which upheld the constitutionality of a police search of a student newspaper’s office without a subpoena, based on probable cause that the newspaper had evidence of a crime.  The PPA was intended to protect the First Amendment rights of the press and the privacy interests of journalists and their sources from unreasonable government intrusion 1 2 3 .  References:

1 : IAPP, Privacy Protection Act of 1980, https://epic.org/the-privacy-protection-act-of-1980/

2 : DOJ, Privacy Protection Act of 1980, https://www.justice.gov/archives/jm/criminal-resource-manual-661-privacy-protection-act-1980

3 : Wikipedia, Privacy Protection Act of 1980, https://en.wikipedia.org/wiki/Privacy_Protection_Act_of_1980

The Telemarketing Sales Rule (TSR) is a federal regulation that applies to telemarketing calls, which are defined as " a plan, program, or campaign which is conducted to induce the purchase of goods or services or a charitable contribution, by use of one or more telephones and which involves more than one interstate telephone call. " 1  The TSR requires telemarketers to make specific disclosures, prohibit misrepresentations, limit the times and number of calls, and set payment restrictions for the sale of certain goods and services.  The TSR also gives consumers the right to opt out of receiving telemarketing calls by registering their phone numbers on the National Do Not Call Registry. 2

The TSR applies to both for-profit and not-for-profit organizations, but there are some exemptions and partial exemptions for certain types of entities, calls, and transactions. For example, the TSR does not apply to nonprofit organizations calling on their own behalf, as they are not considered to be engaged in telemarketing. However, if a nonprofit organization hires a for-profit telemarketer or telefunder to solicit charitable contributions on its behalf, the for-profit entity must comply with the TSR, as it is engaged in telemarketing. Similarly, the TSR does not apply to for-profit organizations calling businesses when a binding contract exists between them, as they are not considered to be inducing the purchase of goods or services.  However, if a for-profit organization calls businesses to sell additional services to established customers, the TSR applies, as it is considered to be inducing the purchase of goods or services. 3

Therefore, among the four options, only for-profit organizations and for-profit telefunders regarding charitable solicitations must comply with the TSR, as they are engaged in telemarketing and do not fall under any of the exemptions or partial exemptions.  References:   1 : eCFR :: 16 CFR Part 310 – Telemarketing Sales Rule 3 , Section 310.2 2 : Telemarketing Sales Rule | Federal Trade Commission 1 , Rule Summary 3 : Complying with the Telemarketing Sales Rule - Federal Trade Commission 2 , Exemptions to the TSR.

Privacy by Design is a concept that the FTC endorsed in its 2012 report on protecting consumer privacy 1 .  It seeks to deliver the maximum degree of privacy by ensuring that personal data are automatically protected in any given IT system or business practice 2 .  It asserts that data held by an organization ultimately belongs to the consumer and organizations should ensure that data subjects are properly informed about how their data is collected and used 3 .  Privacy by Design requires companies to build in consumers’ privacy protections at every stage in developing their products, including reasonable security for consumer data, limited collection and retention of such data, and reasonable procedures to promote data accuracy 1 .  References:   1 : FTC Report of 2012, p.  22-23;  2 : Global Data Review 3 ;  3 : Termly 4 .

The data privacy leader needs to identify all the personal data that the Company has received from the retailer, as well as the purposes, retention periods, and sharing practices of such data. Since the data inventory is obsolete, the data privacy leader cannot rely on it to provide accurate and complete information. Therefore, the next best source of information is to interview the key marketing personnel who are responsible for the partnership with the retailer and the use of the personal data. The marketing personnel can provide insights into the data flows, the data categories, the data processing activities, and the data protection measures that the Company has implemented. They can also help the data privacy leader to locate the relevant documents, contracts, and records that can support the investigation.  References:  [IAPP CIPP/US Study Guide], Chapter 5: Data Management, p. 97-98;  IAPP Privacy Tech Vendor Report , Data Mapping and Inventory, p. 9-10.

The FTC is the primary federal agency responsible for enforcing privacy and data security laws in the United States. The FTC has broad jurisdiction over most commercial entities that collect, use, or share personal information from consumers. The FTC Act prohibits unfair or deceptive acts or practices in or affecting commerce, which includes unfair or deceptive privacy practices. The FTC can bring enforcement actions against companies that violate their own privacy policies, fail to provide adequate notice or choice to consumers, engage in unfair or harmful data practices, or breach consumers’ reasonable expectations of privacy. The FTC can also issue rules, guidelines, and reports on privacy and data security issues, as well as conduct investigations, workshops, and educational campaigns.  References:

IAPP CIPP/US Body of Knowledge , Section I.A.1.a

IAPP CIPP/US Textbook , Chapter 1, pp. 9-12

FTC Privacy and Security Enforcement