ExamGecko

CIPP-US: Certified Information Privacy Professional/United States

Vendor: IAPP

Exam Questions: 195

2.370 Learners

The CIPP-US exam, also known as the Certified Information Privacy Professional/United States exam, is crucial for IT professionals looking to validate their privacy law knowledge. Practicing with real exam questions shared by those who have passed the exam can significantly improve your chances of success. In this guide, we’ll provide you with practice test questions and answers shared by successful candidates.

Exam Details:

  • Exam Number: CIPP-US

  • Exam Name: Certified Information Privacy Professional/United States

  • Length of test: Approximately 2 hours

  • Exam Format: Multiple-choice questions

  • Exam Language: English

  • Number of questions in the actual exam: 90 questions

  • Passing Score: 70% (63 out of 90 questions)

Why Use CIPP-US Practice Test?

  • Real Exam Experience: Our practice tests replicate the format and difficulty of the actual CIPP-US exam, providing you with a realistic preparation experience.

  • Boost Confidence: Regular practice with exam-like questions builds your confidence and reduces test anxiety.

  • Track Your Progress: Monitor your performance over time to see your improvement and adjust your study plan accordingly.

Key Features of CIPP-US Practice Test:

  • Up-to-Date Content: Our community ensures that the questions are regularly updated to reflect the latest exam objectives and technology trends.

  • Detailed Explanations: Each question comes with detailed explanations, helping you understand the correct answers and learn from any mistakes.

  • Comprehensive Coverage: The practice tests cover all key topics of the CIPP-US exam, including privacy fundamentals, privacy laws, and compliance.

Use the member-shared CIPP-US Practice Tests to ensure you're fully prepared for your certification exam. Start practicing today and take a significant step towards achieving your certification goals!

Related questions

SCENARIO

Please use the following to answer the next QUESTION

When there was a data breach involving customer personal and financial information at a large retail store, the company's directors were shocked. However, Roberta, a privacy analyst at the company and a victim of identity theft herself, was not. Prior to the breach, she had been working on a privacy program report for the executives. How the company shared and handled data across its organization was a major concern. There were neither adequate rules about access to customer information nor procedures for purging and destroying outdated data. In her research, Roberta had discovered that even low-level employees had access to all of the company's customer data, including financial records, and that the company still had in its possession obsolete customer data going back to the 1980s.

Her report recommended three main reforms. First, permit access on a need-to-know basis. This would mean restricting employees' access to customer information to data that was relevant to the work performed. Second, create a highly secure database for storing customers' financial information (e.g., credit card and bank account numbers) separate from less sensitive information. Third, identify outdated customer information and then develop a process for securely disposing of it.

When the breach occurred, the company's executives called Roberta to a meeting where she presented the recommendations in her report. She explained that the company having a national customer base meant it would have to ensure that it complied with all relevant state breach notification laws. Thanks to Roberta's guidance, the company was able to notify customers quickly and within the specific timeframes set by state breach notification laws.

Soon after, the executives approved the changes to the privacy program that Roberta recommended in her report. The privacy program is far more effective now because of these changes and, also, because privacy and security are now considered the responsibility of every employee.

Based on the problems with the company's privacy security that Roberta identifies, what is the most likely cause of the breach?

A. Mishandling of information caused by lack of access controls.

B. Unintended disclosure of information shared with a third party.

C. Fraud involving credit card theft at point-of-service terminals.

D. Lost company property such as a computer or flash drive.

Suggested answer: A

Explanation:

The scenario describes how the company had no adequate rules about access to customer information and how low-level employees had access to all of the company's customer data, including financial records. This indicates that the company did not implement proper access controls to limit who can access, use, or disclose customer information based on their roles and responsibilities. Access controls are one of the key elements of information security and privacy, as they help prevent unauthorized or inappropriate access to sensitive data. Without access controls, the company's customer information was vulnerable to mishandling by employees or outsiders who could exploit the weak security measures. Therefore, the most likely cause of the breach was mishandling of information caused by lack of access controls.

Reference:

IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 4: Information Management from a U.S. Perspective, Section 4.2: Information Security, p. 113-114

IAPP CIPP/US Body of Knowledge, Domain I: Introduction to the U.S. Privacy Environment, Objective I.C: Describe the role of information security in privacy, Subobjective I.C.1: Identify the key elements of information security, p. 8

asked 22/11/2024
Adam Vce
38 questions

SCENARIO

Please use the following to answer the next QUESTION:

Larry has become increasingly dissatisfied with his telemarketing position at SunriseLynx, and particularly with his supervisor, Evan. Just last week, he overheard Evan mocking the state's Do Not Call list, as well as the people on it. ''If they were really serious about not being bothered,'' Evan said, ''They'd be on the national DNC list. That's the only one we're required to follow. At SunriseLynx, we call until they ask us not to.''

Bizarrely, Evan requires telemarketers to keep records of recipients who ask them to call ''another time.'' This, to Larry, is a clear indication that they don't want to be called at all. Evan doesn't see it that way.

Larry believes that Evan's arrogance also affects the way he treats employees. The U.S. Constitution protects American workers, and Larry believes that the rights of those at SunriseLynx are violated regularly. At first Evan seemed friendly, even connecting with employees on social media. However, following Evan's political posts, it became clear to Larry that employees with similar affiliations were the only ones offered promotions.

Further, Larry occasionally has packages containing personal-use items mailed to work. Several times, these have come to him already opened, even though his name was clearly marked. Larry thinks the opening of personal mail is common at SunriseLynx, and that Fourth Amendment rights are being trampled under Evan's leadership.

Larry has also been dismayed to overhear discussions about his coworker, Sadie. Telemarketing calls are regularly recorded for quality assurance, and although Sadie is always professional during business, her personal conversations sometimes contain sexual comments. This too is something Larry has heard Evan laughing about. When he mentioned this to a coworker, his concern was met with a shrug. It was the coworker's belief that employees agreed to be monitored when they signed on. Although personal devices are left alone, phone calls, emails and browsing histories are all subject to surveillance. In fact, Larry knows of one case in which an employee was fired after an undercover investigation by an outside firm turned up evidence of misconduct. Although the employee may have stolen from the company, Evan could have simply contacted the authorities when he first suspected something amiss.

Larry wants to take action, but is uncertain how to proceed.

In what area does Larry have a misconception about private-sector employee rights?

A. The applicability of federal law

B. The enforceability of local law

C. The strict nature of state law

D. The definition of tort law

Suggested answer: A

Explanation:

Larry has a misconception about the applicability of federal law to private-sector employee rights. He believes that the U.S. Constitution protects American workers from various forms of discrimination, harassment, and invasion of privacy by their employers. However, the U.S. Constitution only applies to government actions, not private actions, unless there is a specific federal statute that extends constitutional protections to the private sector [1]. For example, the Civil Rights Act of 1964 prohibits discrimination on the basis of race, color, religion, sex, or national origin by private employers [2]. The Electronic Communications Privacy Act of 1986 regulates the interception and disclosure of electronic communications by private parties [3]. The CAN-SPAM Act of 2003 sets the rules for commercial email and gives recipients the right to opt out of receiving unwanted messages [4]. These are examples of federal laws that apply to private-sector employees, but they do not cover all the situations that Larry faces at SunriseLynx. For instance, there is no federal law that protects private-sector employees from political discrimination or from having their personal mail opened by their employers. Larry may have to rely on state laws or common law torts to seek redress for these violations of his rights.

Reference:

1: Private Sector vs. Public Sector Employee Rights

2: Civil Rights Act of 1964 - Wikipedia

3: Electronic Communications Privacy Act - Wikipedia

4: CAN-SPAM Act: A Compliance Guide for Business

IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 5: Federal Trade Commission and Consumer Privacy, p. 141-142

asked 22/11/2024
Maria Gervasi
42 questions

A large online bookseller decides to contract with a vendor to manage Personal Information (PI). What is the least important factor for the company to consider when selecting the vendor?

A. The vendor's reputation

B. The vendor's financial health

C. The vendor's employee retention rates

D. The vendor's employee training program

Suggested answer: C

Explanation:

When selecting a vendor to manage personal information, the company should consider various criteria, such as the vendor's reputation, financial health, employee training program, privacy policies, security practices, compliance record, contractual terms, and service quality. However, the vendor's employee retention rates may not be as important as the other factors, as they do not directly affect the vendor's ability to protect and process the personal information entrusted to them. While high employee turnover may indicate some issues with the vendor's management or culture, it may not necessarily impact the vendor's performance or reliability, as long as the vendor has adequate measures to ensure continuity, accountability, and confidentiality of the personal information they handle.

Reference:

[IAPP CIPP/US Study Guide], p. 81-82, section 3.4.1

[IAPP CIPP/US Body of Knowledge], p. 18-19, section C.2.a

asked 22/11/2024
SIDDIQI TARMIM
38 questions

What is the most important action an organization can take to comply with the FTC position on retroactive changes to a privacy policy?

A. Describing the policy changes on its website.

B. Obtaining affirmative consent from its customers.

C. Publicizing the policy changes through social media.

D. Reassuring customers of the security of their information.

Suggested answer: B

Explanation:

The FTC has stated that it is a deceptive practice to make retroactive changes to a privacy policy that affect how a company uses or shares previously collected personal information, unless the company obtains affirmative consent from the affected consumers. This means that the company must clearly and conspicuously disclose the changes and obtain the consumers' express agreement to them. Simply describing the policy changes on the website, publicizing them through social media, or reassuring customers of the security of their information are not sufficient to comply with the FTC's position.

Reference:

FTC Staff Revises Online Behavioral Advertising Principles, paragraph 3.

Do I really have to obtain consent from all my customers to make a change to my privacy policy?, paragraph 2.

IAPP CIPP/US Study Guide, page 64.

asked 22/11/2024
Alvaro Peralta
24 questions

In 2014, Google was alleged to have violated the Family Educational Rights and Privacy Act (FERPA) through its Apps for Education suite of tools. For what specific practice did students sue the company?

A. Scanning emails sent to and received by students

B. Making student education records publicly available

C. Relying on verbal consent for a disclosure of education records

D. Disclosing education records without obtaining required consent

Suggested answer: A

Explanation:

The lawsuit, filed in 2014, claimed that Google violated federal and state wiretap and privacy laws by scanning and indexing the emails of millions of students who used its Apps for Education suite, which included Gmail as a key feature [1][2]. The plaintiffs alleged that Google used the information from the scans to build profiles of students that could be used for targeted advertising or other commercial purposes, without their consent or knowledge [1][2]. The lawsuit also challenged Google's argument that the students consented to the scans when they first logged in to their accounts, saying that such consent was not valid under FERPA, which requires written consent for any disclosure of education records [1][2]. Google denied the allegations and argued that the scans were necessary for providing security, spam protection, and other functionality to the users [1][2]. The case was settled in 2016, with Google agreeing to change some of its practices and policies regarding the scanning of student emails [3].

Reference:

1: Lawsuit Alleges That Google Has Crossed A 'Creepy Line' With Student Data, Huffington Post

2: Google faces lawsuit over email scanning and student data, The Guardian

3: Google data case to be heard in Supreme Court, BBC

asked 22/11/2024
Kris Dayananda
36 questions

What is the main purpose of the Global Privacy Enforcement Network?

A. To promote universal cooperation among privacy authorities

B. To investigate allegations of privacy violations internationally

C. To protect the interests of privacy consumer groups worldwide

D. To arbitrate disputes between countries over jurisdiction for privacy laws

Suggested answer: A

Explanation:

The Global Privacy Enforcement Network (GPEN) is a network for privacy enforcement authorities (PEAs) to share knowledge, experience and best practices on the practical aspects of privacy enforcement and cooperation. GPEN was created in response to the OECD Recommendation on Cross-border Cooperation in the Enforcement of Laws Protecting Privacy, which called for member countries to foster the establishment of an informal network of PEAs. GPEN's main purpose is to facilitate cross-border cooperation and coordination among PEAs, especially in cases involving multiple jurisdictions or regions. GPEN also aims to enhance information sharing, promote awareness and education, and support capacity building among PEAs.

Reference:

Home (public) | Global Privacy Enforcement Network

Global Privacy Enforcement Network - International Association of Privacy Professionals

International Partnerships - Office of the Privacy Commissioner of Canada

Specialised networks -- Global Privacy Assembly

Action Plan for the Global Privacy Enforcement Network (GPEN)

[IAPP CIPP/US Certified Information Privacy Professional Study Guide], Chapter 6, page 213.

asked 22/11/2024
Martijn Pollmann
36 questions

SCENARIO

Please use the following to answer the next QUESTION

Noah is trying to get a new job involving the management of money. He has a poor personal credit rating, but he has made better financial decisions in the past two years.

One potential employer, Arnie's Emporium, recently called to tell Noah he did not get a position. As part of the application process, Noah signed a consent form allowing the employer to request his credit report from a consumer reporting agency (CRA). Noah thinks that the report hurt his chances, but believes that he may not ever know whether it was his credit that cost him the job. However, Noah is somewhat relieved that he was not offered this particular position. He noticed that the store where he interviewed was extremely disorganized. He imagines that his credit report could still be sitting in the office, unsecured.

Two days ago, Noah got another interview for a position at Sam's Market. The interviewer told Noah that his credit report would be a factor in the hiring decision. Noah was surprised because he had not seen anything on paper about this when he applied.

Regardless, the effect of Noah's credit on his employability troubles him, especially since he has tried so hard to improve it. Noah made his worst financial decisions fifteen years ago, and they led to bankruptcy. These were decisions he made as a young man, and most of his debt at the time consisted of student loans, credit card debt, and a few unpaid bills -- all of which Noah is still working to pay off. He often laments that decisions he made fifteen years ago are still affecting him today.

In addition, Noah feels that an experience investing with a large bank may have contributed to his financial troubles. In 2007, in an effort to earn money to help pay off his debt, Noah talked to a customer service representative at a large investment company who urged him to purchase stocks. Without understanding the risks, Noah agreed. Unfortunately, Noah lost a great deal of money.

After losing the money, Noah was a customer of another financial institution that suffered a large security breach. Noah was one of millions of customers whose personal information was compromised. He wonders if he may have been a victim of identity theft and whether this may have negatively affected his credit.

Noah hopes that he will soon be able to put these challenges behind him, build excellent credit, and find the perfect job.

Consumers today are most likely protected from situations like the one Noah had buying stock because of which federal action or legislation?

A. The rules under the Fair Debt Collection Practices Act.

B. The creation of the Consumer Financial Protection Bureau.

C. Federal Trade Commission investigations into ''unfair and deceptive'' acts or practices.

D. Investigations of ''abusive'' acts and practices under the Dodd-Frank Wall Street Reform and Consumer Protection Act.

Suggested answer: D

Explanation:

The Dodd-Frank Act was established to prevent the risky financial practices that led to the 2007--2008 financial crisis, which included issues similar to Noah's experience with buying stocks without understanding the risks. The act includes provisions for consumer protection in financial services and aims to prevent abusive practices in the financial industry.

asked 22/11/2024
Robert Thompson
45 questions

In March 2012, the FTC released a privacy report that outlined three core principles for companies handling consumer data. Which was NOT one of these principles?

A. Simplifying consumer choice.

B. Enhancing security measures.

C. Practicing Privacy by Design.

D. Providing greater transparency.

Suggested answer: B

Explanation:

The FTC's privacy report, titled ''Protecting Consumer Privacy in an Era of Rapid Change'', proposed a framework for companies that collect and use consumer data. The framework consisted of three core principles: privacy by design, simplified consumer choice, and greater transparency. Privacy by design means that companies should incorporate privacy protections into their everyday business practices, such as data security, reasonable collection limits, sound retention practices, and data accuracy. Simplified consumer choice means that companies should provide consumers with clear and easy-to-understand choices about the collection and use of their data, and respect their preferences. Greater transparency means that companies should increase the visibility and accessibility of their data practices, such as providing clear and concise privacy notices, educating consumers about commercial data practices, and providing consumers with access to their data. Enhancing security measures is not one of the core principles of the FTC's privacy framework, although it is a component of the privacy by design principle.

Reference:

IAPP CIPP/US Body of Knowledge, Section I.A.1.a

IAPP CIPP/US Textbook, Chapter 1, pp. 13-15

FTC Privacy Report, Executive Summary, pp. i-vii

asked 22/11/2024
Siza Motha
30 questions

SCENARIO

Please use the following to answer the next QUESTION:

Larry has become increasingly dissatisfied with his telemarketing position at SunriseLynx, and particularly with his supervisor, Evan. Just last week, he overheard Evan mocking the state's Do Not Call list, as well as the people on it. ''If they were really serious about not being bothered,'' Evan said, ''They'd be on the national DNC list. That's the only one we're required to follow. At SunriseLynx, we call until they ask us not to.''

Bizarrely, Evan requires telemarketers to keep records of recipients who ask them to call ''another time.'' This, to Larry, is a clear indication that they don't want to be called at all. Evan doesn't see it that way.

Larry believes that Evan's arrogance also affects the way he treats employees. The U.S. Constitution protects American workers, and Larry believes that the rights of those at SunriseLynx are violated regularly. At first Evan seemed friendly, even connecting with employees on social media. However, following Evan's political posts, it became clear to Larry that employees with similar affiliations were the only ones offered promotions.

Further, Larry occasionally has packages containing personal-use items mailed to work. Several times, these have come to him already opened, even though his name was clearly marked. Larry thinks the opening of personal mail is common at SunriseLynx, and that Fourth Amendment rights are being trampled under Evan's leadership.

Larry has also been dismayed to overhear discussions about his coworker, Sadie. Telemarketing calls are regularly recorded for quality assurance, and although Sadie is always professional during business, her personal conversations sometimes contain sexual comments. This too is something Larry has heard Evan laughing about. When he mentioned this to a coworker, his concern was met with a shrug. It was the coworker's belief that employees agreed to be monitored when they signed on. Although personal devices are left alone, phone calls, emails and browsing histories are all subject to surveillance. In fact, Larry knows of one case in which an employee was fired after an undercover investigation by an outside firm turned up evidence of misconduct. Although the employee may have stolen from the company, Evan could have simply contacted the authorities when he first suspected something amiss.

Larry wants to take action, but is uncertain how to proceed.

Which act would authorize Evan's undercover investigation?

A. The Whistleblower Protection Act

B. The Stored Communications Act (SCA)

C. The National Labor Relations Act (NLRA)

D. The Fair and Accurate Credit Transactions Act (FACTA)

Suggested answer: B

Explanation:

The Stored Communications Act (SCA) is a federal law that regulates the privacy of electronic communications that are stored by third-party service providers, such as email providers, cloud storage providers, or social media platforms. The SCA prohibits unauthorized access to or disclosure of such communications, unless authorized by law or by the consent of the user or the service provider. The SCA also provides exceptions for certain types of access or disclosure, such as those made for law enforcement purposes, for the protection of the service provider's rights or property, or with the consent of the subscriber or customer.

One of the exceptions to the SCA is where the service provider gives consent to the access or disclosure of the stored communications. This means that if a third-party service provider agrees to cooperate with an investigation or a request for information, the access or disclosure is lawful under the SCA. Consent can be express or implied, depending on the circumstances and the terms of service of the provider. For example, if a service provider has a policy that allows it to disclose user information to third parties for legitimate purposes, the provider has impliedly consented to the access or disclosure of the stored communications. However, if a service provider has a policy that prohibits such disclosure, the provider has not consented to the access or disclosure of the stored communications.

In the scenario, Evan's undercover investigation may have been authorized by the SCA if he obtained the consent of the third-party service provider that stored the electronic communications of the employee who was suspected of misconduct. For instance, if the employee used a company email account or a cloud storage service that had a policy that allowed the service provider to disclose user information to the employer or to law enforcement, Evan may have been able to access or disclose the stored communications with the consent of the service provider. However, if the employee used a personal email account or a cloud storage service that had a policy that protected user privacy and prohibited such disclosure, Evan may have violated the SCA by accessing or disclosing the stored communications without the consent of the service provider.

asked 22/11/2024
Troy Borders
31 questions

Within what time period must a commercial message sender remove a recipient's address once they have asked to stop receiving future e-mail?

A. 7 days

B. 10 days

C. 15 days

D. 21 days

Suggested answer: B

Explanation:

According to the CAN-SPAM Act of 2003, a federal law that regulates commercial email messages, a commercial message sender must honor a recipient's opt-out request within 10 business days. The sender must provide a clear and conspicuous way for the recipient to opt out of receiving future emails, such as a link or an email address. The sender must not charge a fee, require the recipient to provide any personal information, or make the recipient take any steps other than sending a reply email or visiting a single web page to opt out. The sender must also not sell, exchange, or transfer the email address of the recipient who has opted out, unless it is necessary to comply with the law or prevent fraud.

Reference:

IAPP CIPP/US Body of Knowledge, Domain II: Limits on Private-sector Collection and Use of Data, Section B: Communications and Marketing

IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 2: Limits on Private-sector Collection and Use of Data, Section 2.2: Communications and Marketing

Practice Exam - International Association of Privacy Professionals

asked 22/11/2024
Vishal Sahare
44 questions