CIPP-US Exam Details

  • Exam Code: CIPP-US
  • Exam Name: Certified Information Privacy Professional/United States (CIPP/US)
  • Certification: IAPP Certifications
  • Vendor: IAPP
  • Total Questions: 198 Q&As
  • Last Updated: Jun 28, 2026

IAPP CIPP-US Online Questions & Answers

  • Question 131:

    SCENARIO

    Please use the following to answer the next question:

    Miraculous Healthcare is a large medical practice with multiple locations in California and Nevada. Miraculous normally treats patients in person, but has recently decided to start offering telehealth appointments, where patients can have virtual appointments with on-site doctors via a phone app.

    For this new initiative, Miraculous is considering a product built by MedApps, a company that makes quality telehealth apps for healthcare practices and licenses them to be used with the practices’ branding. MedApps provides technical support for the app, which it hosts in the cloud. MedApps also offers an optional benchmarking service for providers who wish to compare their practice to others using the service.

    Riya is the Privacy Officer at Miraculous, responsible for the practice's compliance with HIPAA and other applicable laws, and she works with the Miraculous procurement team to get vendor agreements in place. She occasionally assists procurement in vetting vendors and inquiring about their own compliance practices, as well as negotiating the terms of vendor agreements. Riya is currently reviewing the suitability of the MedApps app from a privacy perspective.

    Riya has also been asked by the Miraculous Healthcare business operations team to review the MedApps’ optional benchmarking service. Of particular concern is the requirement that Miraculous Healthcare upload information about the appointments to a portal hosted by MedApps.

    What can Riya do to most effectively minimize the privacy risks of using an app for telehealth appointments?

    A. Require MedApps to de-identify all patient data.
    B. Prohibit MedApps from using subcontractors.
    C. Require MedApps to submit a SOC2 report.
    D. Engage in active oversight of MedApps.

  • Question 132:

    Within what time period must a commercial message sender remove a recipient's address once they have asked to stop receiving future e-mail?

    A. 7 days
    B. 10 days
    C. 15 days
    D. 21 days

  • Question 133:

    SCENARIO

    Please use the following to answer the next question:

    Otto is preparing a report to his Board of Directors at Filtration Station, where he is responsible for the privacy program. Filtration Station is a U.S. company that sells filters and tubing products to pharmaceutical companies for research use. The company is based in Seattle, Washington, with offices throughout the U.S. and Asia. It sells to business customers across both the U.S. and the Asia-Pacific region. Filtration Station participates in the Cross-Border Privacy Rules system of the APEC Privacy Framework.

    Unfortunately, Filtration Station suffered a data breach in the previous quarter. An unknown third party was able to gain access to Filtration Station's network and was able to steal data relating to employees in the company's Human Resources database, which is hosted by a third-party cloud provider based in the U.S. The HR data is encrypted. Filtration Station also uses the third-party cloud provider to host its business marketing contact database. The marketing database was not affected by the data breach. It appears that the data breach was caused when a system administrator at the cloud provider stored the encryption keys with the data itself.

    The Board has asked Otto to provide information about the data breach and how updates on new developments in privacy laws and regulations apply to Filtration Station. They are particularly concerned about staying up to date on the various U.S. state laws and regulations that have been in the news, especially the California Consumer Privacy Act (CCPA) and breach notification requirements.

    The Board has asked Otto whether the company will need to comply with the new California Consumer Privacy Law (CCPA). What should Otto tell the Board?

    A. That CCPA will apply to the company only after the California Attorney General determines that it will enforce the statute.
    B. That the company is governed by CCPA, but does not need to take any additional steps because it follows CPBR.
    C. That business contact information could be considered personal information governed by CCPA.
    D. That CCPA only applies to companies based in California, which exempts the company from compliance.

  • Question 134:

    Which law provides employee benefits, but often mandates the collection of medical information?

    A. The Occupational Safety and Health Act.
    B. The Americans with Disabilities Act.
    C. The Employee Medical Security Act.
    D. The Family and Medical Leave Act.

  • Question 135:

    SCENARIO

    Please use the following to answer the next question:

    Felicia has spent much of her adult life overseas, and has just recently returned to the U.S. to help her friend Celeste open a jewelry store in California. Felicia, despite being excited at the prospect, has a number of security concerns, and has only grudgingly accepted the need to hire other employees. In order to guard against the loss of valuable merchandise, Felicia wants to carefully screen applicants. With their permission, Felicia would like to run credit checks, administer polygraph tests, and scrutinize videos of interviews. She intends to read applicants' postings on social media, ask questions about drug addiction, and solicit character references. Felicia believes that if potential employees are serious about becoming part of a dynamic new business, they will readily agree to these requirements.

    Felicia is also in favor of strict employee oversight. In addition to protecting the inventory, she wants to prevent mistakes during transactions, which will require video monitoring. She also wants to regularly check the company vehicle's GPS for locations visited by employees. She also believes that employees who use their own devices for work-related purposes should agree to a certain amount of supervision.

    Given her high standards, Felicia is skeptical about the proposed location of the store. She has been told that many types of background checks are not allowed under California law. Her friend Celeste thinks these worries are unfounded, as long as applicants verbally agree to the checks and are offered access to the results. Nor does Celeste share Felicia's concern about state breach notification laws, which, she claims, would be costly to implement even on a minor scale. Celeste believes that even if the business grows a customer database of a few thousand, it's unlikely that a state agency would hassle an honest business if an accidental security incident were to occur.

    In any case, Celeste feels that all they need is common sense, like remembering to tear up sensitive documents before throwing them in the recycling bin. Felicia hopes that she's right, and that all of her concerns will be put to rest next month when their new business consultant (who is also a privacy professional) arrives from North Carolina.

    Regarding credit checks of potential employees, Celeste has a misconception regarding what?

    A. Consent requirements.
    B. Disclosure requirements.
    C. Employment-at-will rules.
    D. Records retention policies.

  • Question 136:

    Which of the following is NOT one of three broad categories of products offered by data brokers, as identified by the U.S. Federal Trade Commission (FTC)?

    A. Research (such as information for understanding consumer trends).
    B. Risk mitigation (such as information that may reduce the risk of fraud).
    C. Location of individuals (such as identifying an individual from partial information).
    D. Marketing (such as appending data to customer information that a marketing company already has).

  • Question 137:

    When designing contact tracing apps in relation to COVID-19 or any other diagnosed virus, all of the following privacy measures should be considered EXCEPT?

    A. Data retention.
    B. Use limitations.
    C. Opt-out choice.
    D. User confidentiality.

  • Question 138:

    SCENARIO

    Please use the following to answer the next question:

    You are the privacy manager at a privately-owned U.S. company that produces an increasingly popular fitness app called GetFit. After users create an account with their contact information, the app uses a smartphone and a system of connected smartwatch sensors to track users when they exercise. It collects information on location when users walk or run outdoors, as well as general health information (such as heart rate) during all exercise sessions. The app also collects credit card information for payment of the monthly subscription fee.

    One Friday, the company's security team contacts you about the discovery of malware on their media server. The team assures you that there was no user data on this server and that, in any case, they found the malware before any damage could be done.

    However, on Monday morning the security team contacts you again, this time with the information that they have discovered the same malware on the company's payments server. They suspect it likely that users' credit card information was taken by the attacker. By Monday evening, the situation has gotten dramatically worse, as the security team has also discovered this malware on the company's database server, an infiltration that gives the attacker access to users' profile, health and location information.

    After coordinating with the security team, you are asked to meet with senior management and advise them on the company's obligations in connection with the incident. The Chief Financial Officer asks, "If we decide to notify all our users of this incident, are we obligated to provide any of them with a free credit monitoring offer?" The General Counsel wants to know if providing this notice and offer will help the company avoid liability.

    What answer should be given to the General Counsel?

    A. "Users can only sue us if we violate the state breach notification laws."
    B. "This is a health data incident subject to HIPAA, so the private right of action does not apply."
    C. "Users cannot sue us, because only federal and state regulators have enforcement authority in data breaches."
    D. "Even if we provide notice, we may still face liability due to mishandling the data and causing potential harm to users."

  • Question 139:

    The Clarifying Lawful Overseas Use of Data (CLOUD) Act is primarily intended to do which of the following?

    A. Codify a treaty with the EU that permits the cross-border transfer of personal information from the EU to the United States in compliance with the General Data Protection Regulation (GDPR).
    B. Update the legal mechanisms through which federal law enforcement may obtain data that service providers maintain in a foreign country.
    C. Establish baseline privacy obligations that U.S. companies must comply with for personal information, even if stored in a foreign country.
    D. Prohibit foreign companies from using the personal information of U.S. citizens without their consent.

  • Question 140:

    What type of material is exempt from an individual's right to disclosure under the Privacy Act?

    A. Material required by statute to be maintained and used solely for research purposes.
    B. Material reporting investigative efforts to prevent unlawful persecution of an individual.
    C. Material used to determine potential collaboration with foreign governments in negotiation of trade deals.
    D. Material reporting investigative efforts pertaining to the enforcement of criminal law.

Tips on How to Prepare for the Exams

Nowadays, certification exams are becoming more and more important and are required by more and more enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare for the exam in a short time with less effort? How to get an ideal result, and how to find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provides not only IAPP exam questions, answers and explanations but also complete assistance with your exam preparation and certification application. If you are confused about your CIPP-US exam preparation and IAPP certification application, do not hesitate to visit Vcedump.com to find your solutions here.