
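Pass with IAPP CIPP-US Exam Information and Free Practice Test Questions
Try the Updated IAPP Exam Question Set with the Latest 2025 CIPP-US Questions
The CIPP/US certification exam is designed specifically for professionals involved in managing personal information in the United States. The certification is aimed at individuals working in a variety of industries, including healthcare, finance, technology, and government. The exam is also suited to lawyers, consultants, and privacy officers who are responsible for ensuring that their organizations comply with applicable privacy laws and regulations.
Question # 83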
One of the most significant elements of Senate Bill No. 260 relating to Internet privacy is the introduction of what term into Nevada law?
- A. Transfer Mechanism
- B. Data Brokers
- C. Artificial Intelligence.
- D. Data Ethics
Correct answer: B
Explanation:
One of the most significant changes introduced by Nevada Senate Bill 260 (SB 260) is the inclusion of the term "Data Brokers" into Nevada privacy law. The bill requires data brokers to register with the Nevada Secretary of State and comply with new privacy requirements, such as responding to consumer opt-out requests. This addition aligns Nevada's privacy framework more closely with laws like Vermont's data broker law.
Key Provisions of SB 260:
* Definition of Data Brokers:
* A data broker is defined as a company that collects, sells, or licenses consumer data and does not have a direct relationship with the consumer.
* Registration Requirements:
* Data brokers must register annually with the Nevada Secretary of State.
* Consumer Rights:
* Consumers are granted the right to opt out of the sale of their personal information, extending the scope of Nevada's existing privacy law.
Explanation of Options:
* A. Data Ethics: While data ethics is an important concept, it is not introduced as a specific term under SB 260.
* B. Data Brokers: This is correct. The inclusion of data brokers as a regulated entity is the primary addition introduced by SB 260.
* C. Artificial Intelligence: SB 260 does not address artificial intelligence directly.
* D. Transfer Mechanism: SB 260 focuses on regulating data brokers, not cross-border data transfer mechanisms.
References from CIPP/US Materials:
* Nevada Senate Bill 260 (SB 260): Introduces data broker registration and opt-out rights.
* IAPP CIPP/US Certification Textbook: Discusses state-specific privacy laws, including Nevada's privacy framework.
Question # 84
What consumer protection did the Fair and Accurate Credit Transactions Act (FACTA) require?
- A. Consumer notice when third-party data is used to make an adverse decision
- B. The truncation of account numbers on credit card receipts
- C. The ability for the consumer to correct inaccurate credit report information
- D. The right to request removal from e-mail lists
Correct answer: B
Question # 85
What is the main reason some supporters of the European approach to privacy are skeptical about self-regulation of privacy practices?
- A. A new business owner may not understand the regulations
- B. Human rights may be disregarded for the sake of privacy
- C. A large amount of money may have to be spent on improved technology and security
- D. Industries may not be strict enough in the creation and enforcement of rules
Correct answer: D
Question # 86
The use of cookies on a website by a service provider is generally not deemed a 'sale' of personal information by CCPA, as long as which of the following conditions is met?
- A. The service provider retains personal information obtained in the course of providing the services specified in the agreement with the subcontractors.
- B. The third party stores personal information to trigger a response to a consumer's request to exercise their right to opt in.
- C. The analytics cookies placed by the service provider are capable of being tracked but cannot be linked to a particular consumer of that business.
- D. The information collected by the service provider is necessary to perform debugging and the business and service provider have entered into an appropriate agreement.
Correct answer: A
Question # 87
SCENARIO
Please use the following to answer the next QUESTION
Matt went into his son's bedroom one evening and found him stretched out on his bed typing on his laptop.
"Doing your homework?" Matt asked hopefully.
"No," the boy said. "I'm filling out a survey."
Matt looked over his son's shoulder at his computer screen. "What kind of survey?" "It's asking questions about my opinions."
"Let me see," Matt said, and began reading the list of questions that his son had already answered.
"It's asking your opinions about the government and citizenship. That's a little odd. You're only ten." Matt wondered how the web link to the survey had ended up in his son's email inbox. Thinking the message might have been sent to his son by mistake he opened it and read it. It had come from an entity called the Leadership Project, and the content and the graphics indicated that it was intended for children. As Matt read further he learned that kids who took the survey were automatically registered in a contest to win the first book in a series about famous leaders.
To Matt, this clearly seemed like a marketing ploy to solicit goods and services to children. He asked his son if he had been prompted to give information about himself in order to take the survey. His son told him he had been asked to give his name, address, telephone number, and date of birth, and to answer questions about his favorite games and toys.
Matt was concerned. He doubted if it was legal for the marketer to collect information from his son in the way that it was. Then he noticed several other commercial emails from marketers advertising products for children in his son's inbox, and he decided it was time to report the incident to the proper authorities.
Depending on where Matt lives, the marketer could be prosecuted for violating which of the following?
- A. Unfair and Deceptive Acts and Practices laws.
- B. Red Flag Rules.
- C. Consumer Bill of Rights.
- D. Investigative Consumer Reporting Agencies Act.
Correct answer: A
Explanation:
The marketer could be prosecuted for violating the Unfair and Deceptive Acts and Practices (UDAP) laws, which are enforced by the Federal Trade Commission (FTC) and state attorneys general. UDAP laws prohibit businesses from engaging in unfair or deceptive practices that harm consumers, such as false advertising, misleading claims, or hidden fees. In this scenario, the marketer could be accused of deceiving children into providing personal information and preferences under the guise of a survey and a contest, without obtaining verifiable parental consent or disclosing how the information will be used or shared. This could also violate the Children's Online Privacy Protection Act (COPPA), which is a federal law that regulates the online collection and use of personal information from children under 13 years of age. References:
* [IAPP CIPP/US Study Guide], Chapter 5: Enforcement of Privacy and Security, pp. 177-178.
* IAPP CIPP/US Body of Knowledge, Section II: Limits on Private-sector Collection and Use of Data, Subsection A: Government and Court Access to Private-sector Information, Topic 2: Unfair and Deceptive Trade Practices.
* IAPP CIPP/US Practice Questions, Question 27.
Question # 88
Within what time period must a commercial message sender remove a recipient's address once they have asked to stop receiving future e-mail?
- A. 21 days
- B. 7 days
- C. 15 days
- D. 10 days
Correct answer: D
Question # 89
Which entity within the Department of Health and Human Services (HHS) is the primary enforcer of the Health Insurance Portability and Accountability Act (HIPAA) "Privacy Rule"?
- A. Office of Inspector General.
- B. Office of Social Services.
- C. Office of Public Health and Safety.
- D. Office for Civil Rights.
Correct answer: D
Question # 90
What was the original purpose of the Federal Trade Commission Act?
- A. To negotiate consent decrees with companies violating personal privacy
- B. To ensure privacy rights of U.S. citizens
- C. To protect consumers
- D. To enforce antitrust laws
Correct answer: C
Question # 91
Which of the following is NOT one of three broad categories of products offered by data brokers, as identified by the U.S. Federal Trade Commission (FTC)?
- A. Marketing (such as appending data to customer information that a marketing company already has).
- B. Research (such as information for understanding consumer trends).
- C. Location of individuals (such as identifying an individual from partial information).
- D. Risk mitigation (such as information that may reduce the risk of fraud).
Correct answer: C
Explanation:
Data brokers are companies that collect, analyze, and share personal information about consumers for various purposes, such as marketing, risk mitigation, and research. The U.S. Federal Trade Commission (FTC) conducted a study of nine data brokers in 2012 and published a report in 2014, titled "Data Brokers: A Call for Transparency and Accountability". In the report, the FTC identified three broad categories of products offered by data brokers, based on the primary purposes for which the products are used by their customers. The three categories are: [1][2]
* Marketing products: These products help customers target potential customers, tailor marketing offers, measure the effectiveness of marketing campaigns, and improve customer relationships. Marketing products include data elements, segments, scores, lists, and analytics that are derived from consumer data. Data brokers may provide marketing products through direct marketing (such as postal mail, e-mail, or phone), online marketing (such as online display ads, social media, or mobile apps), or marketing analytics (such as measuring consumer behavior, preferences, and trends). [1][2]
* Risk mitigation products: These products help customers verify and authenticate consumers' identities, prevent fraud, and comply with legal obligations. Risk mitigation products include identity verification, identity authentication, fraud prevention, and compliance products that are based on consumer data. Data brokers may provide risk mitigation products through various methods, such as matching consumer-provided information with data broker records, generating questions or challenges based on consumer data, or providing scores or indicators of fraud risk or compliance status. [1][2]
* Research products: These products help customers understand consumer behavior, preferences, and trends, as well as market conditions, industry developments, and economic factors. Research products include reports, studies, statistics, and insights that are derived from consumer data. Data brokers may provide research products through various formats, such as online portals, dashboards, newsletters, or custom reports. [1][2]
The FTC report did not include location of individuals as one of the three broad categories of products offered by data brokers. Location of individuals may be a specific type of product or service that some data brokers provide, but it is not a primary purpose for which data brokers use consumer data. Therefore, the correct answer is C. Location of individuals (such as identifying an individual from partial information).
References:
* Data Brokers: A Call For Transparency and Accountability: A Report of the Federal Trade Commission (May 2014)
* IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 5: State Privacy Laws, Section 5.3: Data Broker Laws
Question # 92
Which of the following became the first state to pass a law specifically regulating the collection of biometric data?
- A. California.
- B. Texas.
- C. Illinois.
- D. Washington.
Correct answer: C
Question # 93
SCENARIO
Please use the following to answer the next QUESTION:
Cheryl is the sole owner of Fitness Coach, Inc., a medium-sized company that helps individuals realize their physical fitness goals through classes, individual instruction, and access to an extensive indoor gym. She has owned the company for ten years and has always been concerned about protecting customers' privacy while maintaining the highest level of service. She is proud that she has built long-lasting customer relationships.
Although Cheryl and her staff have tried to make privacy protection a priority, the company has no formal privacy policy. So Cheryl hired Janice, a privacy professional, to help her develop one.
After an initial assessment, Janice created a first draft of a new policy. Cheryl read through the draft and was concerned about the many changes the policy would bring throughout the company. For example, the draft policy stipulates that a customer's personal information can only be held for one year after paying for a service such as a session with a personal trainer. It also promises that customer information will not be shared with third parties without the written consent of the customer. The wording of these rules worries Cheryl since stored personal information often helps her company to serve her customers, even if there are long pauses between their visits. In addition, there are some third parties that provide crucial services, such as aerobics instructors who teach classes on a contract basis. Having access to customer files and understanding the fitness levels of their students helps instructors to organize their classes.
Janice understood Cheryl's concerns and was already formulating some ideas for revision. She tried to put Cheryl at ease by pointing out that customer data can still be kept, but that it should be classified according to levels of sensitivity. However, Cheryl was skeptical. It seemed that classifying data and treating each type differently would cause undue difficulties in the company's day-to-day operations. Cheryl wants one simple data storage and access system that any employee can access if needed.
Even though the privacy policy was only a draft, she was beginning to see that changes within her company were going to be necessary. She told Janice that she would be more comfortable with implementing the new policy gradually over a period of several months, one department at a time. She was also interested in a layered approach by creating documents listing applicable parts of the new policy for each department.
Based on the scenario, which of the following would have helped Janice to better meet the company's needs?
- A. Spending more time understanding the company's information goals
- B. Removing the financial burden of the company's employee training program
- C. Explaining the importance of transparency in implementing a new policy
- D. Creating a more comprehensive plan for implementing a new policy
Correct answer: A
Explanation:
According to the Wiley study guide, one of the steps in developing a privacy policy is to conduct a privacy assessment, which involves identifying the organization's information goals and needs, as well as the legal and regulatory requirements that apply to its data collection and use practices [3]. By spending more time understanding the company's information goals, Janice would have been able to tailor the privacy policy to fit the company's business model and customer expectations, while still complying with the relevant privacy laws and standards. This would have also helped Janice to address Cheryl's concerns about the impact of the policy on the company's operations and customer relationships, and to propose solutions that balance privacy protection and service delivery.
References:
1: https://iapp.org/certify/cippus/
2: https://iapp.org/certify/get-certified/cippus/
3: https://www.wiley.com/en-be/IAPP+CIPP+US+Certified+Information+Privacy+Professional+Study+Guide-p-9
4: https://www.techtarget.com/searchsecurity/quiz/10-CIPP-US-practice-questions-to-test-your-privacy-knowledge
5: https://www.study4exam.com/iapp/free-cipp-us-questions
https://www.passitcertify.com/iapp/cipp-us-questions.html
Question # 94
The Clarifying Lawful Overseas Use of Data (CLOUD) Act is primarily intended to do which of the following?
- A. Codify a treaty with the EU that permits the cross-border transfer of personal information from the EU to the United States in compliance with the General Data Protection Regulation (GDPR).
- B. Establish baseline privacy obligations that US companies must comply with for personal information, even if stored in a foreign country
- C. Prohibit foreign companies from using the personal information of U.S. citizens without their consent
- D. Update the legal mechanisms through which federal law enforcement may obtain data that service providers maintain in a foreign country
Correct answer: D
Explanation:
The Clarifying Lawful Overseas Use of Data (CLOUD) Act, enacted in 2018, updates the legal framework for federal law enforcement to access electronic data held by U.S. service providers, even when the data is stored outside the United States. The act resolves jurisdictional issues that arise in cross-border data requests and facilitates international cooperation for law enforcement purposes.
Key Provisions of the CLOUD Act:
* Data Access for Law Enforcement:
* The CLOUD Act allows U.S. federal law enforcement to compel U.S.-based service providers (e.g., Microsoft, Google) to provide access to data stored abroad using a valid warrant or subpoena, provided the request complies with applicable laws.
* International Data Sharing Agreements:
* The CLOUD Act enables the U.S. to establish bilateral agreements with other countries to streamline access to data for law enforcement purposes. These agreements ensure that U.S. and foreign law enforcement can access data without violating each other's sovereignty or privacy laws.
* Conflict with Foreign Laws:
* The act includes mechanisms for providers to challenge data requests that conflict with the laws of the country where the data is stored, providing safeguards for compliance with foreign privacy laws like the General Data Protection Regulation (GDPR).
Explanation of Options:
* A. Codify a treaty with the EU that permits the cross-border transfer of personal information from the EU to the United States in compliance with the GDPR: This is incorrect. The CLOUD Act is not specific to the EU or GDPR compliance. Instead, it focuses on law enforcement access to data stored abroad.
* B. Update the legal mechanisms through which federal law enforcement may obtain data that service providers maintain in a foreign country: This is correct. The CLOUD Act directly addresses law enforcement's ability to compel data access from U.S. providers, regardless of the data's physical location.
* C. Establish baseline privacy obligations that U.S. companies must comply with for personal information, even if stored in a foreign country: This is incorrect. The CLOUD Act is focused on law enforcement access to data, not privacy obligations for companies.
* D. Prohibit foreign companies from using the personal information of U.S. citizens without their consent: This is incorrect. The CLOUD Act does not regulate foreign companies or impose consent requirements for using personal information.
References from CIPP/US Materials:
* CLOUD Act (18 U.S.C. § 2713): Establishes legal mechanisms for cross-border data access and international agreements.
* IAPP CIPP/US Certification Textbook: Discusses the CLOUD Act's impact on cross-border data requests and its interaction with global privacy laws.
Question # 95
The "Consumer Privacy Bill of Rights" presented in a 2012 Obama administration report is generally based on?
- A. The 1974 Privacy Act
- B. Traditional fair information practices
- C. European Union Directive
- D. Common law principles
Correct answer: C
Question # 96
In 2014, Google was alleged to have violated the Family Educational Rights and Privacy Act (FERPA) through its Apps for Education suite of tools. For what specific practice did students sue the company?
- A. Scanning emails sent to and received by students
- B. Relying on verbal consent for a disclosure of education records
- C. Disclosing education records without obtaining required consent
- D. Making student education records publicly available
Correct answer: A
Explanation:
The lawsuit, filed in 2014, claimed that Google violated the federal and state wiretap and privacy laws by scanning and indexing the emails of millions of students who used its Apps for Education suite, which included Gmail as a key feature [1][2]. The plaintiffs alleged that Google used the information from the scans to build profiles of students that could be used for targeted advertising or other commercial purposes, without their consent or knowledge [1][2]. The lawsuit also challenged Google's argument that the students consented to the scans when they first logged in to their accounts, saying that such consent was not valid under FERPA, which requires written consent for any disclosure of education records [1][2]. Google denied the allegations and argued that the scans were necessary for providing security, spam protection, and other functionality to the users [1][2]. The case was settled in 2016, with Google agreeing to change some of its practices and policies regarding the scanning of student emails [3].
References:
1: Lawsuit Alleges That Google Has Crossed A 'Creepy Line' With Student Data, Huffington Post
2: Google faces lawsuit over email scanning and student data, The Guardian
3: Google data case to be heard in Supreme Court, BBC
Question # 97
A covered entity suffers a ransomware attack that affects the personal health information (PHI) of more than 500 individuals. According to Federal law under HIPAA, which of the following would the covered entity NOT have to report the breach to?
- A. The affected individuals
- B. Department of Health and Human Services
- C. The local media
- D. Medical providers
Correct answer: D
Explanation:
According to the Health Insurance Portability and Accountability Act (HIPAA), a covered entity is a health plan, a health care clearinghouse, or a health care provider that transmits any health information in electronic form in connection with a transaction covered by HIPAA. A covered entity must report a breach of unsecured protected health information (PHI) to the following parties:
* The Department of Health and Human Services (HHS), which is the federal agency responsible for enforcing HIPAA and issuing regulations and guidance on privacy and security issues. A covered entity must notify HHS of a breach affecting 500 or more individuals without unreasonable delay and in no case later than 60 days after discovery of the breach. A covered entity must also notify HHS of breaches affecting fewer than 500 individuals within 60 days of the end of the calendar year in which the breaches occurred.
* The affected individuals, who are the individuals whose PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed as a result of the breach. A covered entity must notify the affected individuals without unreasonable delay and in no case later than 60 days after discovery of the breach. The notification must be in writing by first-class mail or, if the individual agrees, by electronic mail. The notification must include a brief description of the breach, the types of information involved, the steps the individual should take to protect themselves, the steps the covered entity is taking to investigate and mitigate the breach, and the contact information of the covered entity.
* The local media, if the breach affects more than 500 residents of a state or jurisdiction. A covered entity must notify prominent media outlets serving the state or jurisdiction without unreasonable delay and in no case later than 60 days after discovery of the breach. The notification must include the same information as the notification to the affected individuals.
A covered entity does not have to report the breach to medical providers, unless they are also affected individuals or business associates of the covered entity. A business associate is a person or entity that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of PHI. A covered entity must have a written contract or agreement with its business associates that requires them to protect the privacy and security of PHI and report any breaches to the covered entity.
References:
* IAPP CIPP/US Body of Knowledge, Domain II: Limits on Private-sector Collection and Use of Data, Section C: Sector-specific Requirements for Health Information
* IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 2: Limits on Private-sector Collection and Use of Data, Section 2.3: Sector-specific Requirements for Health Information
* Practice Exam - International Association of Privacy Professionals
Question # 98
What role does the U.S. Constitution play in the area of workplace privacy?
- A. It provides significant protections to federal and state governments, but not to private-sector employment
- B. It provides enforcement resources to large employers, but not to small businesses
- C. It provides legal precedent for physical information security, but not for electronic security
- D. It provides contractual protections to members of labor unions, but not to employees at will
Correct answer: A
Explanation:
The U.S. Constitution has significant workplace privacy provisions that apply to the federal and state governments, but they do not affect private-sector employment. Notably, the Fourth Amendment prohibits unreasonable searches and seizures by state actors. Courts have interpreted this amendment to place limits on the ability of government employers to search employees' private spaces, such as lockers and desks [4]. Some states, including California, have extended their constitutional rights to privacy to private-sector employees [5]. In general for private-sector actors, however, there is no state action, and no constitutional law governs employment privacy.
Question # 99
SCENARIO
Please use the following to answer the next QUESTION
When there was a data breach involving customer personal and financial information at a large retail store, the company's directors were shocked. However, Roberta, a privacy analyst at the company and a victim of identity theft herself, was not. Prior to the breach, she had been working on a privacy program report for the executives. How the company shared and handled data across its organization was a major concern. There were neither adequate rules about access to customer information nor procedures for purging and destroying outdated data. In her research, Roberta had discovered that even low-level employees had access to all of the company's customer data, including financial records, and that the company still had in its possession obsolete customer data going back to the 1980s.
Her report recommended three main reforms. First, permit access on an as-needs-to-know basis. This would mean restricting employees' access to customer information to data that was relevant to the work performed. Second, create a highly secure database for storing customers' financial information (e.g., credit card and bank account numbers) separate from less sensitive information. Third, identify outdated customer information and then develop a process for securely disposing of it.
When the breach occurred, the company's executives called Roberta to a meeting where she presented the recommendations in her report. She explained that the company having a national customer base meant it would have to ensure that it complied with all relevant state breach notification laws. Thanks to Roberta's guidance, the company was able to notify customers quickly and within the specific timeframes set by state breach notification laws.
Soon after, the executives approved the changes to the privacy program that Roberta recommended in her report. The privacy program is far more effective now because of these changes and, also, because privacy and security are now considered the responsibility of every employee.
What could the company have done differently prior to the breach to reduce their risk?
- A. Communicated requests for changes to users' preferences across the organization and with third parties.
- B. Honored the promise of its privacy policy to acquire information by using an opt-in method.
- C. Implemented a comprehensive policy for accessing customer information.
- D. Looked for any persistent threats to security that could compromise the company's network.
Correct answer: D
Question # 100
More than half of U.S. states require telemarketers to?
- A. Provide written contracts for customer transactions
- B. Register with the state before conducting business
- C. Identify themselves at the beginning of a call
- D. Obtain written consent from potential customers
Correct answer: B
Explanation:
According to the IAPP CIPP/US Study Guide, more than half of U.S. states require telemarketers to register with the state before conducting business within the state. This registration requirement may involve paying a fee, posting a bond, or providing information about the telemarketer's identity, location, and business practices. The purpose of this requirement is to protect consumers from fraudulent or deceptive telemarketing calls and to facilitate the enforcement of state laws and regulations. The other options are not required by most states, although some states may have additional rules or guidelines for telemarketers regarding identification, consent, or contracts. References:
* IAPP CIPP/US Study Guide, Chapter 7: Marketing and Advertising
* State Telemarketing Registration Requirements
Question # 101
Which of the following became the first state to pass a law specifically regulating the practices of data brokers?
- A. California.
- B. Washington.
- C. Vermont.
- D. New York.
Correct answer: C
Explanation:
Vermont became the first state to pass a law specifically regulating the practices of data brokers in 2018. The law defines a data broker as "a business, or unit or units of a business, separately or together, that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship." The law requires data brokers to register with the Secretary of State, pay a registration fee, provide information about their data collection and opt-out practices, and implement security measures to protect the personal information they collect and sell. The law also imposes additional obligations on data brokers that possess the personal information of minors. The law aims to increase the transparency and accountability of the data broker industry and to protect the privacy rights of consumers [1][2]. References:
* Registered Data Brokers in the United States: 2021 | Privacy Rights ...
* Am I A Data Broker?: A Quick Primer on State Laws Regulating a ... - Taft
Question # 102
An organization self-certified under Privacy Shield must, upon request by an individual, do what?
- A. Identify all personal information disclosed during a criminal investigation.
- B. Suspend the use of all personal information collected by the organization to fulfill its original purpose.
- C. Provide the identities of third and fourth parties that may potentially receive personal information.
- D. Provide the identities of third parties with whom the organization shares personal information.
Correct answer: D
Explanation:
Explanation/Reference: https://www.lakesidesoftware.com/sites/default/files/Privacy_Shield_Privacy_Statement.pdf
Question # 103
A student has left high school and is attending a public postsecondary institution. Under what condition may a school legally disclose educational records to the parents of the student without consent?
- A. If the student is still a dependent for tax purposes
- B. If the student has not yet turned 18 years of age
- C. If the student is in danger of academic suspension
- D. If the student has applied to transfer to another institution
Correct answer: A
Explanation:
The Family Educational Rights and Privacy Act (FERPA) is a federal law that protects the privacy of students' educational records. FERPA generally requires schools to obtain written consent from students before disclosing their records to third parties, such as parents. However, FERPA allows some exceptions to this rule, such as when the disclosure is for health or safety emergencies, or when the student is still a dependent for tax purposes. According to FERPA, a school may disclose educational records to the parents of a student who is claimed as a dependent on the parents' most recent federal income tax return, without the student's consent. This exception applies regardless of the student's age or enrollment status at a postsecondary institution. References:
* IAPP CIPP/US Body of Knowledge, Section III, C, 2
* [IAPP CIPP/US Study Guide, Chapter 3, Section 3.5]
* [FERPA, 34 CFR § 99.31(a)(8)]
Question # 104
According to FERPA, when can a school disclose records without a student's consent?
- A. If the disclosure is to practitioners who are involved in a student's health care
- B. If the disclosure would not reveal a student's student identification number
- C. If the disclosure is to provide transcripts to a school where a student intends to enroll
- D. If the disclosure is not to be conducted through email to the third party
Correct answer: C
Explanation:
Explanation/Reference: https://www2.ed.gov/policy/gen/guid/fpco/ferpa/index.html
Question # 105
Under the Telemarketing Sales Rule, what characteristics of consent must be in place for an organization to acquire an exception to the Do-Not-Call rules for a particular consumer?
- A. The consent must be in writing, must state the times when calls can be made to the consumer and must be signed
- B. The consent must be in writing, must have an end date and must state the times when calls can be made
- C. The consent must be in writing, must contain the number to which calls can be made and must be signed
- D. The consent must be in writing, must contain the number to which calls can be made and must have an end date
Correct answer: C
Explanation:
https://www.ftc.gov/business-guidance/resources/complying-telemarketing-sales-rule#writtenagreement
What must the written agreement contain? A written agreement need only contain:
* unambiguous evidence that a call recipient is willing to receive telephone calls that deliver a prerecorded message by or on behalf of a specific seller;
* the telephone number to which such messages may be delivered; and
* the call recipient's signature.
Question # 106
......
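The IAPP CIPP-US exam is a computer-based exam consisting of 90 multiple-choice questions. The exam is timed, and candidates must complete it within two and a half hours. The exam is administered at Pearson VUE test centers, and candidates can register for it online. The exam fee includes a study guide, access to online resources, and a certificate upon passing.
You can pass the IAPP exam with the latest CIPP-US question set: https://www.goshiken.com/IAPP/CIPP-US-mondaishu.html
The IAPP CIPP-US PDF question set contains 194 recently updated questions: https://drive.google.com/open?id=1X3jMmXOdysLwBEpzWRDXb-s_5vPBNuPy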