CIPP-US Exam Results

• The Telemarketing Sales Rule (TSR) is a federal regulation that implements the Telemarketing and Consumer Fraud and Abuse Prevention Act of 1994. The TSR aims to protect consumers from deceptive or abusive telemarketing practices, such as unwanted calls, false or misleading claims, unauthorized billing, and privacy violations1.
• The TSR requires telemarketers and sellers to comply with the National Do Not Call Registry, which is a list of phone numbers of consumers who have indicated that they do not want to receive telemarketing calls2.
• The TSR also requires telemarketers and sellers to honor the do-not-call requests of individual consumers, regardless of whether their numbers are on the National Do Not Call Registry or not2.
• A do-not-call request is a statement made by a consumer, either orally or in writing, that they do not wish to receive any more calls from a specific telemarketer or seller2.
• The TSR requires an entity to share a do-not-call request across its organization when the operational structures of its divisions are not transparent to consumers3. This means that the entity must treat the do-not-call request as if it applies to all of its affiliates and subsidiaries that engage in telemarketing, unless the consumer would reasonably expect them to be separate and distinct entities based on their names, products, or services3.
• The TSR does not require an entity to share a do-not-call request across its organization in the following situations:

References: 1: Telemarketing Sales Rule 2: Q&A for Telemarketers & Sellers About DNC Provisions in TSR 3: Federal Register :: Telemarketing Sales Rule

The Global Privacy Enforcement Network (GPEN) is a network for privacy enforcement authorities (PEAs) to share knowledge, experience and best practices on the practical aspects of privacy enforcement and cooperation. GPEN was created in response to the OECD Recommendation on Cross-border Cooperation in the Enforcement of Laws Protecting Privacy, which called for member countries to foster the establishment of an informal network of PEAs. GPEN’s main purpose is to facilitate cross-border cooperation and coordination among PEAs, especially in cases involving multiple jurisdictions or regions. GPEN also aims to enhance information sharing, promote awareness and education, and support capacity building among PEAs. References:

• Home (public) | Global Privacy Enforcement Network
• Global Privacy Enforcement Network - International Association of Privacy Professionals
• International Partnerships - Office of the Privacy Commissioner of Canada
• Specialised networks – Global Privacy Assembly
• Action Plan for the Global Privacy Enforcement Network (GPEN)
• [IAPP CIPP/US Certified Information Privacy Professional Study Guide], Chapter 6, page 213.

The federal act that does NOT contain provisions for preempting stricter state laws is the Telemarketing Consumer Protection and Fraud Prevention Act1. This act authorizes the Federal Trade Commission (FTC) to establish and enforce rules for telemarketing practices, such as the Do Not Call Registry, the prohibition of robocalls, and the disclosure of material information2. However, the act also explicitly states that it does not "annul, alter, or affect, or exempt any person subject to the provisions of this section from complying with, the laws of any State with respect to telemarketing practices, except to the extent that those laws are inconsistent with any provision of this section, and then only to the extent of the inconsistency"1. This means that states can enact and enforce their own laws regarding telemarketing, as long as they are not less protective than the federal law. In contrast, the other three acts listed in the question do contain preemption clauses that limit or override the authority of states to regulate certain aspects of electronic communications, online privacy, and credit transactions345. References: 1: Telemarketing Consumer Protection and Fraud Prevention Act2: Telemarketing Sales Rule | Federal Trade Commission3: CAN-SPAM Act: A Compliance Guide for Business4: Children’s Online Privacy Protection Rule (“COPPA”) | Federal Trade Commission5: Fair and Accurate Credit Transactions Act of 2003 - Wikipedia : IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 5: Federal Trade Commission and Consumer Privacy, p. 144-145, 149-150, 154-155

According to the Privacy Shield Principles, an organization that self-certifies under the Privacy Shield Framework must provide individuals with the choice to opt out of the disclosure of their personal information to a third party or the use of their personal information for a purpose that is materially different from the purpose for which it was originally collected or subsequently authorized by the individual. To facilitate this choice, the organization must inform the individual of the type or identity of the third parties to which it discloses personal information and the purposes for which it does so. The organization must also provide a readily available and affordable independent recourse mechanism to investigate and resolve complaints and disputes regarding its compliance with the Privacy Shield Principles. If the organization transfers personal information to a third party acting as an agent, it must ensure that the agent provides at least the same level of privacy protection as is required by the Privacy Shield Principles and that it takes reasonable and appropriate steps to ensure that the agent effectively processes the personal information transferred in a manner consistent with the organization’s obligations under the Privacy Shield Principles. References:

• Privacy Shield Principles, section II. Choice Principle and section III. Accountability for Onward Transfer Principle
• [IAPP CIPP/US Study Guide], p. 67-68, section 3.2.1 and p. 69-70, section 3.2.2
• [IAPP CIPP/US Body of Knowledge], p. 15-16, section C.1.b and p. 16-17, section C.1.c