CIPP-US Exam Details

  • Exam Code
    :CIPP-US
  • Exam Name
    :Certified Information Privacy Professional/United States (CIPP/US)
  • Certification
    :IAPP Certifications
  • Vendor
    :IAPP
  • Total Questions
    :198 Q&As
  • Last Updated
    :Jun 28, 2026

IAPP CIPP-US Online Questions & Answers

  • Question 71:

    SCENARIO

    Please use the following to answer the next question:

    When there was a data breach involving customer personal and financial information at a large retail store, the company's directors were shocked. However, Roberta, a privacy analyst at the company and a victim of identity theft herself, was

    not. Prior to the breach, she had been working on a privacy program report for the executives. How the company shared and handled data across its organization was a major concern. There were neither adequate rules about access to

    customer information nor procedures for purging and destroying outdated data. In her research, Roberta had discovered that even low-level employees had access to all of the company's customer data, including financial records, and that the company still had in its possession obsolete customer data going back to the 1980s.

    Her report recommended three main reforms. First, permit access on an as-needs-to-know basis. This would mean restricting employees' access to customer information to data that was relevant to the work performed. Second, create a highly secure database for storing customers' financial information (e.g., credit card and bank account numbers) separate from less sensitive information. Third, identify outdated customer information and then develop a process for securely disposing of it.

    When the breach occurred, the company's executives called Roberta to a meeting where she presented the recommendations in her report. She explained that the company having a national customer base meant it would have to ensure that it complied with all relevant state breach notification laws. Thanks to Roberta's guidance, the company was able to notify customers quickly and within the specific timeframes set by state breach notification laws.

    Soon after, the executives approved the changes to the privacy program that Roberta recommended in her report. The privacy program is far more effective now because of these changes and, also, because privacy and security are now considered the responsibility of every employee.

    What could the company have done differently prior to the breach to reduce their risk?

    A. Implemented a comprehensive policy for accessing customer information.
    B. Honored the promise of its privacy policy to acquire information by using an opt-in method.
    C. Looked for any persistent threats to security that could compromise the company's network.
    D. Communicated requests for changes to users' preferences across the organization and with third parties.

  • Question 72:

    Your company, which sells its products in the United States and the European Union, is seeking to purchase cloud storage from a multinational cloud storage provider. The engineering team at your company wants to set up cloud data centers from the storage provider in both the United States and Germany.

    Which of the following contractual provisions should be included in the contract to ensure the security of the personal data being stored in both data center locations?

    A. An audit provision that allows the cloud storage provider to restrict an independent auditor's access to the premises, documents and personnel involved in the cloud storage provider's processing of the data.
    B. A general authorization provision that allows the cloud storage provider to appoint subcontractors to help provide the cloud storage services.
    C. A purpose limitation provision that requires the data, including personal information, to only be used for the contracted purposes.
    D. A non-solicitation provision prohibiting both companies from seeking to hire employees of the other company.

  • Question 73:

    SCENARIO

    Please use the following to answer the next question:

    Larry has become increasingly dissatisfied with his telemarketing position at SunriseLynx, and particularly with his supervisor, Evan. Just last week, he overheard Evan mocking the state's Do Not Call list, as well as the people on it. "If they

    were really serious about not being bothered," Evan said, "They'd be on the national DNC list. That's the only one we're required to follow. At SunriseLynx, we call until they ask us not to."

    Bizarrely, Evan requires telemarketers to keep records of recipients who ask them to call "another time." This, to Larry, is a clear indication that they don't want to be called at all. Evan doesn't see it that way.

    Larry believes that Evan's arrogance also affects the way he treats employees. The U.S. Constitution protects American workers, and Larry believes that the rights of those at SunriseLynx are violated regularly. At first Evan seemed friendly,

    even connecting with employees on social media. However, following Evan's political posts, it became clear to Larry that employees with similar affiliations were the only ones offered promotions.

    Further, Larry occasionally has packages containing personal-use items mailed to work. Several times, these have come to him already opened, even though this name was clearly marked. Larry thinks the opening of personal mail is common

    at SunriseLynx, and that Fourth Amendment rights are being trampled under Evan's leadership.

    Larry has also been dismayed to overhear discussions about his coworker, Sadie. Telemarketing calls are regularly recorded for quality assurance, and although Sadie is always professional during business, her personal conversations

    sometimes contain sexual comments. This too is something Larry has heard Evan laughing about. When he mentioned this to a coworker, his concern was met with a shrug. It was the coworker's belief that employees agreed to be monitored

    when they signed on. Although personal devices are left alone, phone calls, emails and browsing histories are all subject to surveillance. In fact, Larry knows of one case in which an employee was fired after an undercover investigation by an

    outside firm turned up evidence of misconduct. Although the employee may have stolen from the company, Evan could have simply contacted the authorities when he first suspected something amiss.

    Larry wants to take action, but is uncertain how to proceed.

    In what area does Larry have a misconception about private-sector employee rights?

    A. The applicability of federal law
    B. The enforceability of local law
    C. The strict nature of state law
    D. The definition of tort law

  • Question 74:

    Read this notice:

    Our website uses cookies. Cookies allow us to identify the computer or device you're using to access the site, but they don't identify you personally. For instructions on setting your Web browser to refuse cookies, click here.

    What type of legal choice does not notice provide?

    A. Mandatory
    B. Implied consent
    C. Opt-in
    D. Opt-out

  • Question 75:

    Which of the following is an important implication of the Dodd-Frank Wall Street Reform and Consumer Protection Act?

    A. Financial institutions must avoid collecting a customer's sensitive personal information
    B. Financial institutions must help ensure a customer's understanding of products and services
    C. Financial institutions must use a prescribed level of encryption for most types of customer records
    D. Financial institutions must cease sending e-mails and other forms of advertising to customers who opt out of direct marketing

  • Question 76:

    Which of the following is most likely to provide privacy protection to private-sector employees in the United States?

    A. State law, contract law, and tort law
    B. The Federal Trade Commission Act (FTC Act)
    C. Amendments one, four, and five of the U.S. Constitution
    D. The U.S. Department of Health and Human Services (HHS)

  • Question 77:

    In a case of civil litigation, what might a defendant who is being sued for distributing an employee's private information face?

    A. Probation.
    B. Criminal fines.
    C. An injunction.
    D. A jail sentence.

  • Question 78:

    The FTC often negotiates consent decrees with companies found to be in violation of privacy principles. How does this benefit both parties involved?

    A. It standardizes the amount of fines.
    B. It simplifies the audit requirements.
    C. It avoids potentially harmful publicity.
    D. It spares the expense of going to trial.

  • Question 79:

    Which of the following is commonly required for an entity to be subject to breach notification requirements under most state laws?

    A. The entity must conduct business in the state
    B. The entity must have employees in the state
    C. The entity must be registered in the state
    D. The entity must be an information broker

  • Question 80:

    A company based in United States receives information about its UK subsidiary’s employees in connection with the centralized HR service it provides. How can the UK company ensure an adequate level of data protection that would allow the restricted data transfer to continue?

    A. By signing up to an approved code of conduct under UK GDPR to demonstrate compliance with its requirements, both for the parent and the subsidiary companies.
    B. By revising the contract with the United States parent company incorporating EU SCCs, as it continues to be valid for restricted transfers under the UK regime.
    C. By submitting to the ICO a new application for the UK BCRs using the UK BCR application forms, as their existing authorized EU BCRs are not recognized.
    D. By allowing each employee the option to opt-out to the restricted transfer, as it is necessary to send their names in order to book the sales bonuses.

Tips on How to Prepare for the Exams

Nowadays, the certification exams become more and more important and required by more and more enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare for the exam in a short time with less efforts? How to get a ideal result and how to find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provide not only IAPP exam questions, answers and explanations but also complete assistance on your exam preparation and certification application. If you are confused on your CIPP-US exam preparations and IAPP certification application, do not hesitate to visit our Vcedump.com to find your solutions here.