CIPP-US Exam Details

  • Exam Code: CIPP-US
  • Exam Name: Certified Information Privacy Professional/United States (CIPP/US)
  • Certification: IAPP Certifications
  • Vendor: IAPP
  • Total Questions: 198 Q&As
  • Last Updated: Jun 28, 2026

IAPP CIPP-US Online Questions & Answers

  • Question 141:

    John, a California resident, receives notification that a major corporation with $500 million in annual revenue has experienced a data breach. John's personal information in their possession has been stolen, including his full name and social security number. John also learns that the corporation did not have reasonable cybersecurity measures in place to safeguard his personal information.

    Which of the following answers most accurately reflects John's ability to pursue a legal claim against the corporation under the California Consumer Privacy Act (CCPA)?

    A. John has no right to sue the corporation because the CCPA does not address any data breach rights.
    B. John cannot sue the corporation for the data breach because only the state's Attorney General has authority to file suit under the CCPA.
    C. John can sue the corporation for the data breach but only to recover monetary damages he actually suffered as a result of the data breach.
    D. John can sue the corporation for the data breach to recover monetary damages suffered as a result of the data breach, and in some circumstances seek statutory damages irrespective of whether he suffered any financial harm.

  • Question 142:

    What role does the U.S. Constitution play in the area of workplace privacy?

    A. It provides enforcement resources to large employers, but not to small businesses
    B. It provides legal precedent for physical information security, but not for electronic security
    C. It provides contractual protections to members of labor unions, but not to employees at will
    D. It provides significant protections to federal and state governments, but not to private-sector employment

  • Question 143:

    What is the main purpose of the Global Privacy Enforcement Network?

    A. To promote universal cooperation among privacy authorities
    B. To investigate allegations of privacy violations internationally
    C. To protect the interests of privacy consumer groups worldwide
    D. To arbitrate disputes between countries over jurisdiction for privacy laws

  • Question 144:

    Chanel Hair Studio is a busy high-end hair salon. In an effort to maximize efficiency of its operations and reduce wait times for appointments, Chanel decides to implement artificial intelligence software that will use client profiles and history to predict which clients will likely be late for their appointments. Information used to create the client profile included appointment history, distance from the salon, and any references to being tardy pulled from the client's social media accounts. If a client is predicted to be late, their appointment will be cancelled within 5 minutes.

    Based on the details, what is the biggest potential privacy concern related to Chanel's use of this new software?

    A. Scanning a client's social media accounts to use in a client profile without notice to the client.
    B. Calculating client profile address distance from the salon to determine location from salon to help predict if the client will be late.
    C. Using client profile information for any purpose other than setting up an appointment.
    D. Assessing client tardiness history with the salon for predictive purposes.

  • Question 145:

    SCENARIO

    Please use the following to answer the next question:

    Miraculous Healthcare is a large medical practice with multiple locations in California and Nevada. Miraculous normally treats patients in person, but has recently decided to start offering telehealth appointments, where patients can have virtual appointments with on-site doctors via a phone app.

    For this new initiative, Miraculous is considering a product built by MedApps, a company that makes quality telehealth apps for healthcare practices and licenses them to be used with the practices' branding. MedApps provides technical support for the app, which it hosts in the cloud. MedApps also offers an optional benchmarking service for providers who wish to compare their practice to others using the service.

    Riya is the Privacy Officer at Miraculous, responsible for the practice's compliance with HIPAA and other applicable laws, and she works with the Miraculous procurement team to get vendor agreements in place. She occasionally assists procurement in vetting vendors and inquiring about their own compliance practices, as well as negotiating the terms of vendor agreements. Riya is currently reviewing the suitability of the MedApps app from a privacy perspective.

    Riya has also been asked by the Miraculous Healthcare business operations team to review the MedApps' optional benchmarking service. Of particular concern is the requirement that Miraculous Healthcare upload information about the appointments to a portal hosted by MedApps.

    What HIPAA compliance issue would Miraculous have to consider before using the telehealth app?

    A. HIPAA does not permit healthcare providers to use cloud hosting services.
    B. HIPAA does not permit in-person appointment data to be hosted in the cloud.
    C. HIPAA would require Miraculous and MedApps to enter into a Business Associate Agreement.
    D. HIPAA would require Miraculous to obtain patient consent before in-person appointment data can be shared with third parties.

  • Question 146:

    SCENARIO

    Please use the following to answer the next question:

    You are the privacy manager at a privately-owned U.S. company that produces an increasingly popular fitness app called GetFit. After users create an account with their contact information, the app uses a smartphone and a system of connected smartwatch sensors to track users when they exercise. It collects information on location when users walk or run outdoors, as well as general health information (such as heart rate) during all exercise sessions. The app also collects credit card information for payment of the monthly subscription fee.

    One Friday, the company's security team contacts you about the discovery of malware on their media server. The team assures you that there was no user data on this server and that, in any case, they found the malware before any damage could be done.

    However, on Monday morning the security team contacts you again, this time with the information that they have discovered the same malware on the company's payments server. They suspect it likely that users' credit card information was taken by the attacker. By Monday evening, the situation has gotten dramatically worse, as the security team has also discovered this malware on the company's database server, an infiltration that gives the attacker access to users' profile, health and location information.

    After coordinating with the security team, you are asked to meet with senior management and advise them on the company's obligations in connection with the incident. The Chief Financial Officer asks, "If we decide to notify all our users of this incident, are we obligated to provide any of them with a free credit monitoring offer?" The General Counsel wants to know if providing this notice and offer will help the company avoid liability.

    How does the Monday evening discovery of the malware on the company's database server alter the company's notification obligations, if at all?

    A. This discovery requires notice also be provided to the U.S. Dept. of Health and Human Services since the impacted information includes health information.
    B. This discovery has no effect on the situation, since the user information does not include a social security number or driver's license number.
    C. This discovery requires notice also be provided to the FTC since a health app is subject to the Health Breach Notification Rule.
    D. This discovery has no effect on the situation, since all required notifications are already being provided.

  • Question 147:

    A large online bookseller decides to contract with a vendor to manage Personal Information (PI). What is the least important factor for the company to consider when selecting the vendor?

    A. The vendor's reputation
    B. The vendor's financial health
    C. The vendor's employee retention rates
    D. The vendor's employee training program

  • Question 148:

    Which of the following conditions would NOT be sufficient to excuse an entity from providing breach notification under state law?

    A. If the data involved was encrypted.
    B. If the data involved was accessed but not exported.
    C. If the entity was subject to the GLBA Safeguards Rule.
    D. If the entity followed internal notification procedures compatible with state law.

  • Question 149:

    SCENARIO

    Please use the following to answer the next question:

    Noah is trying to get a new job involving the management of money. He has a poor personal credit rating, but he has made better financial decisions in the past two years.

    One potential employer, Arnie's Emporium, recently called to tell Noah he did not get a position. As part of the application process, Noah signed a consent form allowing the employer to request his credit report from a consumer reporting agency (CRA). Noah thinks that the report hurt his chances, but believes that he may not ever know whether it was his credit that cost him the job. However, Noah is somewhat relieved that he was not offered this particular position. He noticed that the store where he interviewed was extremely disorganized. He imagines that his credit report could still be sitting in the office, unsecured.

    Two days ago, Noah got another interview for a position at Sam's Market. The interviewer told Noah that his credit report would be a factor in the hiring decision. Noah was surprised because he had not seen anything on paper about this when he applied.

    Regardless, the effect of Noah's credit on his employability troubles him, especially since he has tried so hard to improve it. Noah made his worst financial decisions fifteen years ago, and they led to bankruptcy. These were decisions he made as a young man, and most of his debt at the time consisted of student loans, credit card debt, and a few unpaid bills, all of which Noah is still working to pay off. He often laments that decisions he made fifteen years ago are still affecting him today.

    In addition, Noah feels that an experience investing with a large bank may have contributed to his financial troubles. In 2007, in an effort to earn money to help pay off his debt, Noah talked to a customer service representative at a large investment company who urged him to purchase stocks. Without understanding the risks, Noah agreed. Unfortunately, Noah lost a great deal of money.

    After losing the money, Noah was a customer of another financial institution that suffered a large security breach. Noah was one of millions of customers whose personal information was compromised. He wonders if he may have been a victim of identity theft and whether this may have negatively affected his credit.

    Noah hopes that he will soon be able to put these challenges behind him, build excellent credit, and find the perfect job.

    Consumers today are most likely protected from situations like the one Noah had buying stock because of which federal action or legislation?

    A. The rules under the Fair Debt Collection Practices Act.
    B. The creation of the Consumer Financial Protection Bureau.
    C. Federal Trade Commission investigations into "unfair and deceptive" acts or practices.
    D. Investigations of "abusive" acts and practices under the Dodd-Frank Wall Street Reform and Consumer Protection Act.

  • Question 150:

    SCENARIO

    Please use the following to answer the next question:

    Jane is a U.S. citizen and a senior software engineer at California-based Jones Labs, a major software supplier to the U.S. Department of Defense and other U.S. federal agencies. Jane's manager, Patrick, is a French citizen who has been living in California for over a decade. Patrick has recently begun to suspect that Jane is an insider secretly transmitting trade secrets to foreign intelligence. Unbeknownst to Patrick, the FBI has already received a hint from an anonymous whistleblower, and jointly with the National Security Agency is investigating Jane's possible implication in a sophisticated foreign espionage campaign.

    Ever since the pandemic, Jane has been working from home. To complete her daily tasks she uses her corporate laptop, which after each login conspicuously provides notice that the equipment belongs to Jones Labs and may be monitored according to the enacted privacy policy and employment handbook. Jane also has a corporate mobile phone that she uses strictly for business, the terms of which are defined in her employment contract and elaborated upon in her employee handbook. Both the privacy policy and the employee handbook are revised annually by a reputable California law firm specializing in privacy law. Jane also has a personal iPhone that she uses for private purposes only.

    Jones Labs has its primary data center in San Francisco, which is managed internally by Jones Labs engineers. The secondary data center, managed by Amazon AWS, is physically located in the UK for disaster recovery purposes. Jones Labs' mobile devices backup is managed by a mid-sized mobile defense company located in Denver, which physically stores the data in Canada to reduce costs. Jones Labs MS Office documents are securely stored in a Microsoft Office 365 data center based in Ireland. Manufacturing data of Jones Labs is stored in Taiwan and managed by a local supplier that has no presence in the U.S.

    When storing Jane's fingerprint for remote authentication, Jones Labs should consider legality issues under which of the following?

    A. The Privacy Rule of the HITECH Act.
    B. The California IoT Security Law (SB 327).
    C. The applicable state law such as Illinois BIPA.
    D. The federal Genetic Information Nondiscrimination Act (GINA).
