FERPA and Telecommunications Privacy Flashcards

Understand privacy protections for student education records and communications data under FERPA and related laws. (111 cards)

2
Q

What does FERPA stand for?

A

Family Educational Rights and Privacy Act

3
Q

What organizations does FERPA apply to?

A

All federally funded educational institutions (elementary to postsecondary).

4
Q

What are students’ rights under FERPA?

A
  • Control disclosure
  • Access and amend records
  • Receive annual notice
  • File complaints
5
Q

What is an education record under FERPA?

A

Records directly related to a student and maintained by an institution or agent.

Examples: grades, transcripts, class lists, health records, financial information, discipline files

6
Q

What records are excluded from FERPA education records?

A
  • Campus police
  • Employment
  • Treatment
  • Applicant
  • Alumni records
  • Peer-graded papers
7
Q

What is considered personally identifiable information (PII) under FERPA?

A
  • Names
  • Addresses
  • Personal identifiers (SSN, DOB)
  • Information linkable to a student
8
Q

What is directory information?

A

Education record information that institutions may define and disclose.

9
Q

Can students opt out of directory information sharing?

A

Yes

Institutions must offer an opt-out before using data as directory information.

10
Q

What are exceptions to the directory information rule?

A

Student identification numbers or other directory information that allow access to education records cannot be classified as directory information.

11
Q

Who enforces FERPA?

A

U.S. Department of Education

12
Q

What penalties exist for FERPA violations?

A

Loss of federal funding.

Complaints can be filed with the Family Policy Compliance Office.

13
Q

Does FERPA preempt state laws?

A

No

FERPA does not preempt stricter state laws.

14
Q

When do FERPA rights transfer from parents to students?

A
  • At age 18, or
  • Upon enrollment in college or university
15
Q

Can a college disclose records to parents if the student is a tax dependent?

A

Yes, even without student consent.

16
Q

When is disclosure of education records allowed without consent?

A
  • Not PII
  • Directory information (no opt-out)
  • Consent from rights holder, or
  • Statutory exception
17
Q

What are requirements for valid consent under FERPA?

A
  • Signed consent identifying record, purpose, and recipient
  • Verify recipient identity
18
Q

What are some statutory exceptions to FERPA consent?

A
  • School officials
  • Record creator
  • Subpoenas
  • Health/safety emergencies
19
Q

How long does a school have to provide access to records?

A

Within 45 days of request.

20
Q

What records are students not entitled to access?

A
  • Parents’ financial records
  • Waived recommendation letters
  • Treatment records
  • Privileged information
21
Q

When can a student request record correction?

A

If records are inaccurate, misleading, or violate privacy.

22
Q

What is the FERPA gap?

A

FERPA only covers data in education records, allowing some data (e.g., directory information) to be sold if the opt-out is not exercised.

23
Q

Which laws addressed the FERPA gap?

A
  • Protection of Pupil Rights Amendment (PPRA)
  • No Child Left Behind Act
24
Q

What does the PPRA regulate?

A

Parental rights over student surveys collecting sensitive information.

Examples: politics, religion, sexuality

25
Q

How did the No Child Left Behind Act expand the PPRA?

A

Added parental rights: access, advance notice, opt-out, and required school policies.

26
When does FERPA **apply** vs. HIPAA?
* **FERPA**: public K-12 and college treating only students
* **HIPAA**: private schools with no federal funds or clinics treating non-students
27
What is **SOPIPA**?
* California's Student Online Personal Information Protection Act (2014)
* Bans use of student data for targeted ads
28
What does **IDEA** guarantee?
**Free Appropriate Public Education** (FAPE) for students with disabilities ages 3-21.
29
What **rights** do parents/adult students have under **IDEA**?
Inspect and request **corrections** to educational records.
30
Which **laws** protect students with disabilities?
* FERPA
* IDEA
* Rehabilitation Act of 1973
* Americans with Disabilities Act of 1990
31
What is the **Student Privacy Pledge**?
A **self-regulation initiative** with 12+ provisions signed by 250+ K-12 services.
32
What does the Student Privacy Pledge **prohibit**?
* **Monetizing** student data
* Targeted **advertising**
33
What does COPPA **prohibit** in the **edtech context**?
* Commercial use
* Unreasonable collection
* Retention of children's data
34
What **security standard** is recommended for **K-12** institutions?
NIST Cybersecurity Framework (CSF)
35
Does FERPA require **breach notifications**?
No
Footnote: But the Dept. of Education may investigate breaches.
36
What **rule** applies to universities with financial aid?
GLBA Safeguards Rule
37
What does **SOPIPA** require regarding **edtech**?
Reasonable security protections.
38
What does **New York's Education Law 2-D** mandate?
Security policies aligned with the **NIST Cybersecurity Framework**.
39
Which **federal agencies** regulate telemarketing?
* FCC (TCPA, 1991)
* FTC (TSR, 1995)
40
What does the **TCPA** regulate?
Unsolicited advertising by:
* Phone
* Fax
* Robocall
* Text message
41
What is the **TSR** and **when** was it created?
* Telemarketing Sales Rule (1995)
* Implements the Telemarketing and Consumer Fraud and Abuse Prevention Act
42
How does the TSR **define** telemarketing?
A campaign using phones to **induce purchases or donations** involving more than one interstate call.
43
What are **key TSR requirements** for telemarketers?
* Call 8 AM-9 PM
* Use DNC list
* Disclose ID
* Product
* Terms
* Respect call-backs
* Retain records 24 hrs.
44
Can federal telemarketing laws **preempt** state laws?
No
Footnote: TSR and FCC rules do not preempt stricter state laws.
45
What must telemarketers **disclose** under the TSR?
* Identity
* Purpose
* Nature of goods/services
* No purchase required for prize entry
46
What is an **internal suppression list**?
A list maintained by organizations to ensure **Do-Not-Call requests** are respected.
47
What does the TSR **prohibit** in terms of misrepresentation?
Misrepresentation and **omission of key information** in ten defined categories.
48
What categories **must be disclosed** under TSR?
* Cost
* Quantity
* Restrictions
* Performance
* Refund
* Prize
* Investment
* Affiliations
* Credit card protection
* Debt relief
49
What is required for **non-credit/debit payment methods**?
Express verifiable authorization.
50
What constitutes **call abandonment** under TSR?
**Call not connected** to a live rep within **two seconds**.
51
What is the **safe harbor** for **call abandonment**?
* Fewer than 3% of calls abandoned/day
* 15s ring
* Pre-recorded ID message
* Documentation maintained
52
What does TSR require for **billing authorization**?
* Express, informed consent
* Last four digits of account
* Recorded agreement
53
What are '**free-to-pay**' conversions?
* Free trial converts to paid
* Requires consumer consent
54
How long must telemarketers **keep records** under TSR?
2 years
55
What **records** must be kept under **TSR**?
* Ads
* Prize records
* Sales
* Employee data
* Consent authorizations
56
**Who** enforces the TSR?
* FTC
* State AGs
* Private individuals
57
What is the **Do Not Call Registry** (DNC)?
A national **telemarketing opt-out list**.
Footnote: Established in 2003 and enforced by FTC, FCC, and state AGs.
58
What must telemarketers do **before** calling?
* Establish a profile
* Pay a fee
* Update list every 31 days
59
Who is **exempt** from DNC rules?
* Non-profits
* Existing business relationships
* Inbound calls
* B2B calls
60
What defines an **Existing Business Relationship** (EBR)?
* **Customer**: purchase within 18 months
* **Prospect**: inquiry within 3 months
61
What is the **DNC Safe Harbor**?
No penalty if:
* Written procedures
* Staff training
* Maintained DNC list
* Documented compliance
* Violations are errors
62
What is '**neighbor spoofing**'?
Caller ID **shows same area code** and prefix to appear local.
63
What does the TCPA **regulate** regarding **faxes**?
Prohibits **unsolicited commercial fax** transmissions; requires consent (explicit or EBR).
64
What does the **Junk Fax Prevention Act** (JFPA) allow?
Allows faxing based on **EBR if opt-out** option is provided.
65
What is the **goal** of CAN-SPAM Act?
Set **rules for unsolicited emails** and provide consumer opt-out options.
66
What are **key** CAN-SPAM **requirements**?
* Return email
* Valid postal address
* Opt-out mechanism
* Label for sexual content
67
What does CAN-SPAM **prohibit**?
* Deceptive headers/subject lines
* Sending after opt-out
* Aggravated violations
68
**Who** enforces CAN-SPAM and what are the penalties?
* Enforcement: FTC and State AGs
* Penalties: fines and imprisonment
69
What is a **Mobile Service Commercial Message** (MSCM)?
A **commercial email** sent directly to a subscriber's **wireless device**.
70
What **regulation** governs MSCM?
FCC's **CAN-SPAM** rule for MSCMs.
71
What is required **before sending** an MSCM?
Subscriber's **express prior authorization**.
72
What **formats** can authorization for MSCM take?
* Oral
* Written
* Electronic
73
How must opt-out **be provided** for MSCM?
* Same method as opt-in
* Include reply email or Internet-based mechanism
74
What is the **Wireless Domain Registry**?
* FCC **list of domains** used for wireless messaging
* Used to identify **MSCMs**
75
What is the **purpose** of the **Wireless Domain Registry**?
Protect wireless consumers from **unwanted commercial emails**.
76
What does **CPNI** stand for?
Customer Proprietary Network Information
77
What is **CPNI**?
Data telecom carriers collect, including:
* Subscription information
* Services used
* Network and billing information
* Call logs
78
What is **not considered** CPNI?
Personally Identifiable Information like:
* Name
* Phone number
* Address
79
Which **law** governs CPNI?
The Telecommunications Act of 1996, Section 222.
80
**When** can carriers use/disclose CPNI?
With **customer consent** or as required by law.
81
What **organizations** are subject to CPNI rules?
* Telecom carriers
* VoIP providers
* ISPs
Footnote: Not streaming/OTT services.
82
What is the **Digital Advertising Alliance** (DAA)?
A nonprofit that sets/enforces privacy practices for **digital advertising** via **self-regulatory** principles.
83
What is the focus of the DAA's **self-regulatory principles**?
Guidelines for **advertising across platforms**, including cross-device data use.
84
What is the **Network Advertising Initiative** (NAI)?
A nonprofit of third-party ad companies that follow the **NAI Code of Conduct**.
85
What are **key requirements** of the **NAI Code of Conduct**?
* Notice and choice
* Limits on data use
* Restrictions on collection and transfer of data
86
**Who** enforces self-regulatory digital ad principles?
* DAA
* Council of BBB for DAA
* NAI board for NAI
* FTC
* State AGs
87
How can **violations** of ad **self-regulations** be treated?
As **unfair** or **deceptive** acts or practices (UDAP).
88
What happened with the **FCC Broadband Privacy Rule**?
Issued in **2016**, rescinded by Congress in 2017.
Footnote: Broadband remains a public utility.
89
What did the **FCC reclassification** mean for broadband?
It became subject to the **Telecommunications Act** and CPNI rules.
90
What does **CalOPPA** require?
Websites collecting CA residents' PII must **conspicuously post a privacy policy**.
91
What did CalOPPA Amendment **AB 370** add in 2013?
Privacy notices must disclose:
* PII collected
* Third-party sharing
* Do Not Track responses
* Other parties collecting PII
92
What is **ethics**?
Knowing the difference between what you **have the right to do** and **what is the right thing to do**.
93
What is **data ethics** according to HBR?
**Moral obligations** of gathering, protecting, and using PII and its impact on individuals.
94
What is the **CIPP/US** view of ethics?
Guiding company behavior when something is **legal but may not be advisable**.
95
What is **online behavioral advertising**?
Targeted ads **based on observation of individual behavior** over time.
96
Who coined the term '**surveillance capitalism**'?
Shoshana Zuboff
97
What does the **Driver's Privacy Protection Act** (DPPA) regulate?
PII obtained by Departments of Motor Vehicles
Footnote: Including information on driver's licenses and motor vehicle records.
98
What does DPPA **prohibit**?
Release, use, or sale of PII by state DMVs **without consent**.
99
When can PII be shared under DPPA **without express consent**?
Permissible uses, including:
* Law enforcement
* Court orders
* Insurance underwriting, claims
* Fraud prevention
100
What is **web scraping**?
Automated **harvesting** of data/text from the web.
101
What does the **CFAA** (Computer Fraud and Abuse Act) prohibit?
Accessing computers **without authorization** or exceeding authorized access.
102
What was the key finding in **Van Buren v. United States**?
Accessing information **with permission** doesn't violate CFAA **even if used improperly**.
103
How does the CPRA define '**publicly available information**'?
Information **lawfully made available by the consumer** or from widely distributed media.
104
How does **GDPR** treat web scraping?
Requires **lawful basis** for collecting/processing personal data.
105
What are the **six lawful bases** under GDPR?
1. Consent
2. Contract
3. Legal obligation
4. Vital interest
5. Public interest
6. Legitimate interest
106
What is a **merger**?
A process where **2+ organizations combine** to form a single entity.
107
What is an **acquisition**?
A transaction where one organization **acquires control of another**.
108
What is a **divestiture**?
A process where an organization **sells one or more** of its divisions or subsidiaries.
109
What **privacy risk** is created during mergers and acquisitions?
Risk arises when **adapting to new processes** and **managing newly acquired data** and systems.
110
What should a **gap analysis** evaluate?
* Compliance requirements
* Existing contracts
* Client requirements
* Integration of networks and data assets
111
Why is **due diligence** important during **mergers and acquisitions** (M&A) data transfers?
It ensures all parties understand data sources, purposes, and compliance risks **before integration or transfer**.
112
What **technical and security safeguards** should be considered during data transfers?
* Encryption
* Access controls
* Data accuracy
* Integrity