
CIPP-US Online Practice Questions and Answers

Questions 4

What is a legal document approved by a judge that formalizes an agreement between a governmental agency and an adverse party called?

A. A consent decree

B. Stare decisis decree

C. A judgment rider

D. Common law judgment

Questions 5

SCENARIO

Please use the following to answer the next question:

Matt went into his son's bedroom one evening and found him stretched out on his bed typing on his laptop.

"Doing your homework?" Matt asked hopefully.

"No," the boy said. "I'm filling out a survey."

Matt looked over his son's shoulder at his computer screen. "What kind of survey?"

"It's asking questions about my opinions."

"Let me see," Matt said, and began reading the list of questions that his son had already answered. "It's asking your opinions about the government and citizenship. That's a little odd. You're only ten."

Matt wondered how the web link to the survey had ended up in his son's email inbox. Thinking the message might have been sent to his son by mistake he opened it and read it. It had come from an entity called the Leadership Project, and the content and the graphics indicated that it was intended for children. As Matt read further he learned that kids who took the survey were automatically registered in a contest to win the first book in a series about famous leaders.

To Matt, this clearly seemed like a marketing ploy to solicit goods and services to children. He asked his son if he had been prompted to give information about himself in order to take the survey. His son told him he had been asked to give his name, address, telephone number, and date of birth, and to answer questions about his favorite games and toys.

Matt was concerned. He doubted if it was legal for the marketer to collect information from his son in the way that it was. Then he noticed several other commercial emails from marketers advertising products for children in his son's inbox, and he decided it was time to report the incident to the proper authorities.

How could the marketer have best changed its privacy management program to meet COPPA "Safe Harbor" requirements?

A. By receiving FTC approval for the content of its emails

B. By making a COPPA privacy notice available on its website

C. By participating in an approved self-regulatory program

D. By regularly assessing the security risks to consumer privacy

Questions 6

A covered entity suffers a ransomware attack that affects the personal health information (PHI) of more than 500 individuals. According to Federal law under HIPAA, which of the following would the covered entity NOT have to report the breach to?

A. Department of Health and Human Services

B. The affected individuals

C. The local media

D. Medical providers

Questions 7

What is the main purpose of the CAN-SPAM Act?

A. To diminish the use of electronic messages to send sexually explicit materials

B. To authorize the states to enforce federal privacy laws for electronic marketing

C. To empower the FTC to create rules for messages containing sexually explicit content

D. To ensure that organizations respect individual rights when using electronic advertising

Questions 8

The Video Privacy Protection Act of 1988 restricted which of the following?

A. Which purchase records of audio visual materials may be disclosed

B. When downloading of copyrighted audio visual materials is allowed

C. When a user's viewing of online video content can be monitored

D. Who advertisements for videos and video games may target

Questions 9

The Cable Communications Policy Act of 1984 requires which activity?

A. Delivery of an annual notice detailing how subscriber information is to be used

B. Destruction of personal information a maximum of six months after it is no longer needed

C. Notice to subscribers of any investigation involving unauthorized reception of cable services

D. Obtaining subscriber consent for disseminating any personal information necessary to render cable services

Questions 10

Which of the following best describes private-sector workplace monitoring in the United States?

A. Employers have broad authority to monitor their employees

B. U.S. federal law restricts monitoring only to industries for which it is necessary

C. Judgments in private lawsuits have severely limited the monitoring of employees

D. Most employees are protected from workplace monitoring by the U.S. Constitution

Questions 11

California's SB 1386 was the first law of its type in the United States to do what?

A. Require commercial entities to disclose a security data breach concerning personal information about the state's residents

B. Require notification of non-California residents of a breach that occurred in California

C. Require encryption of sensitive information stored on servers that are Internet connected

D. Require state attorney general enforcement of federal regulations against unfair and deceptive trade practices

Questions 12

Global Manufacturing Co's Human Resources department recently purchased a new software tool. This tool helps evaluate future candidates for executive roles by scanning emails to see what those candidates say and what is said about them. This provides the HR department with an automated "360 review" that lets them know how the candidate thinks and operates, what their peers and direct reports say about them, and how well they interact with each other.

What is the most important step for the Human Resources Department to take when implementing this new software?

A. Making sure that the software does not unintentionally discriminate against protected groups.

B. Ensuring that the software contains a privacy notice explaining that employees have no right to privacy as long as they are running this software on organization systems to scan email systems.

C. Confirming that employees have read and signed the employee handbook where they have been advised that they have no right to privacy as long as they are using the organization's systems, regardless of the protected group or laws enforced by EEOC.

D. Providing notice to employees that their emails will be scanned by the software and creating automated profiles.

Questions 13

Sarah lives in San Francisco, California. Based on a dramatic increase in unsolicited commercial emails, Sarah believes that a major social media platform with over 50 million users has collected a lot of personal information about her. The company that runs the platform is based in New York and France.

Why is Sarah entitled to ask the social media platform to delete the personal information they have collected about her?

A. Any company with a presence in Europe must comply with the General Data Protection Regulation globally, including in response to data subject deletion requests.

B. Under Section 5 of the FTC Act, the Federal Trade Commission has held that refusing to delete an individual's personal information upon request constitutes an unfair practice.

C. The California Consumer Privacy Act entitles Sarah to request deletion of her personal information.

D. The New York "Stop Hacks and Improve Electronic Data Security" (SHIELD) Act requires that businesses under New York's jurisdiction must delete customers' personal information upon request.

Questions 14

SCENARIO

Please use the following to answer the next question:

When there was a data breach involving customer personal and financial information at a large retail store, the company's directors were shocked. However, Roberta, a privacy analyst at the company and a victim of identity theft herself, was not. Prior to the breach, she had been working on a privacy program report for the executives. How the company shared and handled data across its organization was a major concern. There were neither adequate rules about access to customer information nor procedures for purging and destroying outdated data. In her research, Roberta had discovered that even low-level employees had access to all of the company's customer data, including financial records, and that the company still had in its possession obsolete customer data going back to the 1980s.

Her report recommended three main reforms. First, permit access on an as-needs-to-know basis. This would mean restricting employees' access to customer information to data that was relevant to the work performed. Second, create a highly secure database for storing customers' financial information (e.g., credit card and bank account numbers) separate from less sensitive information. Third, identify outdated customer information and then develop a process for securely disposing of it.

When the breach occurred, the company's executives called Roberta to a meeting where she presented the recommendations in her report. She explained that the company having a national customer base meant it would have to ensure that it complied with all relevant state breach notification laws. Thanks to Roberta's guidance, the company was able to notify customers quickly and within the specific timeframes set by state breach notification laws.

Soon after, the executives approved the changes to the privacy program that Roberta recommended in her report. The privacy program is far more effective now because of these changes and, also, because privacy and security are now considered the responsibility of every employee.

Based on the problems with the company's privacy security that Roberta identifies, what is the most likely cause of the breach?

A. Mishandling of information caused by lack of access controls.

B. Unintended disclosure of information shared with a third party.

C. Fraud involving credit card theft at point-of-service terminals.

D. Lost company property such as a computer or flash drive.

Questions 15

In a case of civil litigation, what might a defendant who is being sued for distributing an employee's private information face?

A. Probation.

B. Criminal fines.

C. An injunction.

D. A jail sentence.

Questions 16

Which federal agency plays a role in privacy policy, but does NOT have regulatory authority?

A. The Office of the Comptroller of the Currency.

B. The Federal Communications Commission.

C. The Department of Transportation.

D. The Department of Commerce.

Questions 17

Under the Fair Credit Reporting Act (FCRA), what must a person who is denied employment based upon his credit history receive?

A. A prompt notification from the employer.

B. An opportunity to reapply with the employer.

C. Information from several consumer reporting agencies (CRAs).

D. A list of rights from the Consumer Financial Protection Bureau (CFPB).

Questions 18

Which of the following federal agencies does NOT have regulatory authority related to privacy?

A. Consumer Financial Protection Bureau.

B. U.S. Department of Transportation.

C. U.S. Department of Commerce.

D. Federal Reserve.

Exam Code: CIPP-US
Exam Name: Certified Information Privacy Professional/United States (CIPP/US)
Last Update: Mar 14, 2025
Questions: 198 Q&As
