CIPP-US Exam Details

  • Exam Code: CIPP-US
  • Exam Name: Certified Information Privacy Professional/United States (CIPP/US)
  • Certification: IAPP Certifications
  • Vendor: IAPP
  • Total Questions: 198 Q&As
  • Last Updated: Jun 28, 2026

IAPP CIPP-US Online Questions & Answers

  • Question 181:

    SCENARIO

    Please use the following to answer the next question:

    A US-based startup company is selling a new gaming application. One day, the CEO of the company receives an urgent letter from a prominent EU-based retail partner. Triggered by an unresolved complaint lodged by an EU resident, the letter describes an ongoing investigation by a supervisory authority into the retailer's data handling practices.

    The complainant accuses the retailer of improperly disclosing her personal data, without consent, to parties in the United States. Further, the complainant accuses the EU-based retailer of failing to respond to her withdrawal of consent and request for erasure of her personal data. Your organization, the US-based startup company, was never informed of this request for erasure by the EU-based retail partner. The supervisory authority investigating the complaint has threatened the suspension of data flows if the parties involved do not cooperate with the investigation. The letter closes with an urgent request: "Please act immediately by identifying all personal data received from our company."

    This is an important partnership. Company executives know that its biggest fans come from Western Europe; and this retailer is primarily responsible for the startup's rapid market penetration.

    As the Company's data privacy leader, you are sensitive to the criticality of the relationship with the retailer.

    Upon review, the data privacy leader discovers that the Company's documented data inventory is obsolete. What is the data privacy leader's next best source of information to aid the investigation?

    A. Reports on recent purchase histories
    B. Database schemas held by the retailer
    C. Lists of all customers, sorted by country
    D. Interviews with key marketing personnel

  • Question 182:

    According to the FTC Report of 2012, what is the main goal of Privacy by Design?

    A. Obtaining consumer consent when collecting sensitive data for certain purposes
    B. Establishing a system of self-regulatory codes for mobile-related services
    C. Incorporating privacy protections throughout the development process
    D. Implementing a system of standardization for privacy notices

  • Question 183:

    Which of the following statements is most accurate in regard to data breach notifications under federal and state laws:

    A. You must notify the Federal Trade Commission (FTC) in addition to affected individuals if over 500 individuals are receiving notice.
    B. When providing an individual with required notice of a data breach, you must identify what personal information was actually or likely compromised.
    C. When you are required to provide an individual with notice of a data breach under any state's law, you must provide the individual with an offer for free credit monitoring.
    D. The only obligations to provide data breach notification are under state law because currently there is no federal law or regulation requiring notice for the breach of personal information.

  • Question 184:

    What is a legal document approved by a judge that formalizes an agreement between a governmental agency and an adverse party called?

    A. A consent decree
    B. Stare decisis decree
    C. A judgment rider
    D. Common law judgment

  • Question 185:

    California's SB 1386 was the first law of its type in the United States to do what?

    A. Require commercial entities to disclose a security data breach concerning personal information about the state's residents
    B. Require notification of non-California residents of a breach that occurred in California
    C. Require encryption of sensitive information stored on servers that are Internet connected
    D. Require state attorney general enforcement of federal regulations against unfair and deceptive trade practices

  • Question 186:

    Which of the following state laws has an entity exemption for organizations subject to the Gramm-Leach-Bliley Act (GLBA)?

    A. Nevada Privacy Law.
    B. California Privacy Rights Act.
    C. California Consumer Privacy Act.
    D. Virginia Consumer Data Protection Act.

  • Question 187:

    Once a breach has been definitively established, which task should be prioritized next?

    A. Involving law enforcement and state Attorneys General.
    B. Determining what was responsible for the breach and neutralizing the threat.
    C. Providing notice to the affected parties so they can take precautionary measures.
    D. Implementing remedial measures and evaluating how to prevent future breaches.

  • Question 188:

    In 2014, Google was alleged to have violated the Family Educational Rights and Privacy Act (FERPA) through its Apps for Education suite of tools. For what specific practice did students sue the company?

    A. Scanning emails sent to and received by students
    B. Making student education records publicly available
    C. Relying on verbal consent for a disclosure of education records
    D. Disclosing education records without obtaining required consent

  • Question 189:

    A company's employee wellness portal offers an app to track exercise activity via users' mobile devices. Which of the following design techniques would most effectively inform users of their data privacy rights and privileges when using the app?

    A. Offer information about data collection and uses at key data entry points.
    B. Publish a privacy policy written in clear, concise, and understandable language.
    C. Present a privacy policy to users during the wellness program registration process.
    D. Provide a link to the wellness program privacy policy at the bottom of each screen.

  • Question 190:

    When may a financial institution share consumer information with non-affiliated third parties for marketing purposes?

    A. After disclosing information-sharing practices to customers and after giving them an opportunity to opt in.
    B. After disclosing marketing practices to customers and after giving them an opportunity to opt in.
    C. After disclosing information-sharing practices to customers and after giving them an opportunity to opt out.
    D. After disclosing marketing practices to customers and after giving them an opportunity to opt out.

Tips on How to Prepare for the Exams

Nowadays, certification exams are becoming more and more important and are required by more and more enterprises when applying for a job. But how do you prepare for the exam effectively? How do you prepare in a short time with less effort? How do you get an ideal result, and how do you find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provides not only IAPP exam questions, answers and explanations but also complete assistance with your exam preparation and certification application. If you are confused about your CIPP-US exam preparation and IAPP certification application, do not hesitate to visit Vcedump.com to find your solutions.