CIPP-US Exam Details

  • Exam Code
    :CIPP-US
  • Exam Name
    :Certified Information Privacy Professional/United States (CIPP/US)
  • Certification
    :IAPP Certifications
  • Vendor
    :IAPP
  • Total Questions
    :198 Q&As
  • Last Updated
    :Jun 28, 2026

IAPP CIPP-US Online Questions & Answers

  • Question 41:

    SCENARIO

    Please use the following to answer the next question:

    When there was a data breach involving customer personal and financial information at a large retail store, the company's directors were shocked. However, Roberta, a privacy analyst at the company and a victim of identity theft herself, was

    not. Prior to the breach, she had been working on a privacy program report for the executives. How the company shared and handled data across its organization was a major concern. There were neither adequate rules about access to

    customer information nor

    procedures for purging and destroying outdated data. In her research, Roberta had discovered that even low-level employees had access to all of the company's customer data, including financial records, and that the company still had in its

    possession obsolete customer data going back to the 1980s.

    Her report recommended three main reforms. First, permit access on an as-needs-to-know basis. This would mean restricting employees' access to customer information to data that was relevant to the work performed. Second, create a

    highly secure database for storing customers' financial information (e.g., credit card and bank account numbers) separate from less sensitive information. Third, identify outdated customer information and then develop a process for securely

    disposing of it.

    When the breach occurred, the company's executives called Roberta to a meeting where she presented the recommendations in her report. She explained that the company having a national customer base meant it would have to ensure that

    it complied with all relevant state breach notification laws. Thanks to Roberta's guidance, the company was able to notify customers quickly and within the specific timeframes set by state breach notification laws.

    Soon after, the executives approved the changes to the privacy program that Roberta recommended in her report. The privacy program is far more effective now because of these changes and, also, because privacy and security are now

    considered the responsibility of every employee.

    Which principle of the Consumer Privacy Bill of Rights, if adopted, would best reform the company's privacy program?

    A. Consumers have a right to exercise control over how companies use their personal data.
    B. Consumers have a right to reasonable limits on the personal data that a company retains.
    C. Consumers have a right to easily accessible information about privacy and security practices.
    D. Consumers have a right to correct personal data in a manner that is appropriate to the sensitivity.

  • Question 42:

    Which of the following scenarios would be most likely to violate the Fourth Amendment of the U.S. Constitution with regard to contact tracing?

    A. A private employer conducting a voluntary contact-tracing program with its employees.
    B. An employer asking employees if they have been diagnosed with or tested for COVID-19 before allowing them to physically enter the workplace.
    C. A government program that installs a contact-tracing app on an individual's phone and collects data after providing notice and obtaining the individual’s consent.
    D. A government program that automatically installs a contact-tracing app on an individual's phone and collects data without obtaining the individual’s consent.

  • Question 43:

    Based on the 2012 Federal Trade Commission report "Protecting Consumer Privacy in an Era of Rapid Change", which of the following directives is most important for businesses?

    A. Announcing the tracking of online behavior for advertising purposes.
    B. Integrating privacy protections during product development.
    C. Allowing consumers to opt in before collecting any data.
    D. Mitigating harm to consumers after a security breach.

  • Question 44:

    In what way does the "Red Flags Rule" under the Fair and Accurate Credit Transactions Act (FACTA) relate to the owner of a grocery store who uses a money wire service?

    A. It mandates the use of updated technology for securing credit records
    B. It requires the owner to implement an identity theft warning system
    C. It is not usually enforced in the case of a small financial institution
    D. It does not apply because the owner is not a creditor

  • Question 45:

    SCENARIO

    Please use the following to answer the next question:

    Declan has just started a job as a nursing assistant in a radiology department at Woodland Hospital. He has also started a program to become a registered nurse.

    Before taking this career path, Declan was vaguely familiar with the Health Insurance Portability and Accountability Act (HIPAA). He now knows that he must help ensure the security of his patients' Protected Health Information (PHI).

    Therefore, he is thinking carefully about privacy issues.

    On the morning of his first day, Declan noticed that the newly hired receptionist handed each patient a HIPAA privacy notice. He wondered if it was necessary to give these privacy notices to returning patients, and if the radiology department

    could reduce paper waste through a system of one-time distribution.

    He was also curious about the hospital's use of a billing company. He questioned whether the hospital was doing all it could to protect the privacy of its patients if the billing company had details about patients' care.

    On his first day Declan became familiar with all areas of the hospital's large radiology department. As he was organizing equipment left in the halfway, he overheard a conversation between two hospital administrators. He was surprised to

    hear that a portable hard drive containing non-encrypted patient information was missing. The administrators expressed relief that the hospital would be able to avoid liability. Declan was surprised, and wondered whether the hospital had

    plans to properly report what had happened.

    Despite Declan's concern about this issue, he was amazed by the hospital's effort to integrate Electronic Health Records (EHRs) into the everyday care of patients. He thought about the potential for streamlining care even more if they were

    accessible to all medical facilities nationwide.

    Declan had many positive interactions with patients. At the end of his first day, he spoke to one patient, John, whose father had just been diagnosed with a degenerative muscular disease. John was about to get blood work done, and he

    feared that the blood work could reveal a genetic predisposition to the disease that could affect his ability to obtain insurance coverage. Declan told John that he did not think that was possible, but the patient was wheeled away before he

    could explain why. John plans to ask a colleague about this.

    In one month, Declan has a paper due for one his classes on a health topic of his choice. By then, he will have had many interactions with patients he can use as examples. He will be pleased to give credit to John by name for inspiring him to

    think more carefully about genetic testing.

    Although Declan's day ended with many questions, he was pleased about his new position.

    How can the radiology department address Declan's concern about paper waste and still comply with the Health Insurance Portability and Accountability Act (HIPAA)?

    A. State the privacy policy to the patient verbally
    B. Post the privacy notice in a prominent location instead
    C. Direct patients to the correct area of the hospital website
    D. Confirm that patients are given the privacy notice on their first visit

  • Question 46:

    Why was the Privacy Protection Act of 1980 drafted?

    A. To respond to police searches of newspaper facilities
    B. To assist prosecutors in civil litigation against newspaper companies
    C. To assist in the prosecution of white-collar crimes
    D. To protect individuals from personal privacy invasion by the police

  • Question 47:

    Which of the following describes the most likely risk for a company developing a privacy policy with standards that are much higher than its competitors?

    A. Being more closely scrutinized for any breaches of policy
    B. Getting accused of discriminatory practices
    C. Attracting skepticism from auditors
    D. Having a security system failure

  • Question 48:

    The use of cookies on a website by a service provider is generally not deemed a ‘sale’ of personal information by CCPA, as long as which of the following conditions is met?

    A. The third party stores personal information to trigger a response to a consumer’s request to exercise their right to opt in.
    B. The analytics cookies placed by the service provider are capable of being tracked but cannot be linked to a particular consumer of that business.
    C. The service provider retains personal information obtained in the course of providing the services specified in the agreement with the subcontractors.
    D. The information collected by the service provider is necessary to perform debugging and the business and service provider have entered into an appropriate agreement.

  • Question 49:

    SCENARIO

    Please use the following to answer the next question:

    Matt went into his son's bedroom one evening and found him stretched out on his bed typing on his laptop.

    "Doing your homework?" Matt asked hopefully.

    "No," the boy said. "I'm filling out a survey."

    Matt looked over his son's shoulder at his computer screen. "What kind of survey?"

    "It's asking questions about my opinions."

    "Let me see," Matt said, and began reading the list of questions that his son had already answered. "It's asking your opinions about the government and citizenship. That's a little odd. You're only ten."

    Matt wondered how the web link to the survey had ended up in his son's email inbox. Thinking the message might have been sent to his son by mistake he opened it and read it. It had come from an entity called the Leadership Project, and

    the content and the graphics indicated that it was intended for children. As Matt read further he learned that kids who took the survey were automatically registered in a contest to win the first book in a series about famous leaders.

    To Matt, this clearly seemed like a marketing ploy to solicit goods and services to children. He asked his son if he had been prompted to give information about himself in order to take the survey. His son told him he had been asked to give his

    name, address, telephone number, and date of birth, and to answer questions about his favorite games and toys.

    Matt was concerned. He doubted if it was legal for the marketer to collect information from his son in the way that it was. Then he noticed several other commercial emails from marketers advertising products for children in his son's inbox, and

    he decided it was time to report the incident to the proper authorities.

    How could the marketer have best changed its privacy management program to meet COPPA "Safe Harbor" requirements?

    A. By receiving FTC approval for the content of its emails
    B. By making a COPPA privacy notice available on website
    C. By participating in an approved self-regulatory program
    D. By regularly assessing the security risks to consumer privacy

  • Question 50:

    Under what conditions will personal data processing be subject to the Virginia Consumer Data Protection Act (VCDPA) requirements for a documented data protection assessment?

    A. If the data subject is younger than 13 years of age and the data is processed after January 1, 2023.
    B. If the data processor processes personal data beyond the controller's instructions.
    C. If the personal data is stored by a California-based third-party service provider.
    D. If the personal data is processed for purposes of targeted advertising.

Tips on How to Prepare for the Exams

Nowadays, the certification exams become more and more important and required by more and more enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare for the exam in a short time with less efforts? How to get a ideal result and how to find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provide not only IAPP exam questions, answers and explanations but also complete assistance on your exam preparation and certification application. If you are confused on your CIPP-US exam preparations and IAPP certification application, do not hesitate to visit our Vcedump.com to find your solutions here.