CIPP/US, CIPP/US Practice Questions, CIPP/US, CIPP US, Exams of Advanced Education


Typology: Exams

2025/2026

Available from 02/28/2026

Exam_tutor
In what ways can the enforcement action be brought to the FTC's attention? - ANSWER
1. press reports covering the questionable practices
2. complaints from consumer groups or competitors

Which agencies are responsible for educational privacy? - ANSWER Department of Education for the Family Educational Rights and Privacy Act.

What are some of the ways that the FTC has played a prominent role in the development of US privacy standards? - ANSWER The FTC conducts public workshops on privacy issues, and reports on privacy policy and enforcement.

Access - ANSWER The ability to view personal information held by an organization. This may be supplemented by allowing updates or corrections to the information. U.S. laws often provide for access and correction when the information is used for any type of substantive decision making, such as for credit reports.

Americans with Disabilities Act (ADA) - ANSWER Bars discrimination against qualified individuals with disabilities; places restrictions on pre-employment medical screening.

Consumer Financial Protection Bureau (CFPB) - ANSWER Has enforcement power for unfair, deceptive or abusive acts and practices for financial institutions.

Choice - ANSWER The ability to specify whether personal information will be collected and/or how it will be used or disclosed. Choice can be express or implied.

Common Law - ANSWER Legal principles that have developed over time in judicial decisions (case law), often drawing on social customs and expectations.

Consent Decree - ANSWER A judgment entered by consent of the parties (a federal or state agency and an adverse party) whereby the defendant agrees to stop alleged illegal activity, typically without admitting guilt or wrongdoing.

Consumer Reporting Agency (CRA) - ANSWER Any person or entity that compiles or evaluates personal information for the purpose of furnishing consumer reports to third parties for a fee.

Data Breach - ANSWER The intentional or unintentional release of secure information to an untrusted environment.

Data Classification - ANSWER Defines the clearance of individuals who can access or handle a given set of data, as well as the baseline level of protection that is appropriate for that data.

Deceptive Trade Practices - ANSWER Along with unfair trade practices, behavior of an organization that can be enforced against by the FTC.

Defamation - ANSWER Any act or communication intending to harm the reputation of another as to lower him in the estimation of the community or to deter third persons from associating or dealing with him.

Electronic Discovery (e-discovery) - ANSWER Discovery in civil litigation dealing with the exchange of information in electronic format, often requiring digital forensics analysis.

Electronically Stored Information (ESI) - ANSWER A category of information that can include e-mail, word-processing documents, server logs, instant messaging transcripts, voicemail systems, social networking records, thumb drives, or data on SD cards.

Equal Employment Opportunity Commission (EEOC) - ANSWER A federal agency overseeing many laws preventing discrimination in the workplace, including Title VII of the Civil Rights Act, the Age Discrimination in Employment Act of 1967 (ADEA) and Titles I and V of the Americans with Disabilities Act of 1990 (ADA).

Evidentiary Privilege - ANSWER Privileges limiting or prohibiting disclosure of personal information in the context of investigations and litigation, such as attorney-client privilege.

Fair Credit Reporting Act (FCRA) - ANSWER Enacted in 1970 to regulate the consumer reporting industry and provide privacy rights in consumer reports, FCRA mandates accurate and relevant data collection, provides consumers with the ability to access and correct their information, and limits the use of consumer reports to defined permissible purposes.

Federal Trade Commission (FTC) - ANSWER An independent consumer protection agency governed by a chairman and four other commissioners with the authority to enforce against unfair and deceptive trade practices.

Global Privacy Enforcement Network (GPEN) - ANSWER Established in 2010 by the FTC and enforcement authorities from around the world, the GPEN

Personal Health Information (PHI) - ANSWER Any individually identifiable health information with data elements which could reasonably be expected to allow individual identification.

Personal Health Record (PHR) - ANSWER A record maintained by the patient to track health and medical care information across a duration of time.

Preemption - ANSWER The ability for one government's laws to supersede those of another, such as federal law overriding individual state law.

Privacy Notice - ANSWER An external communication from an organization to consumers, customers or users to describe an organization's privacy practices.

Privacy Policy - ANSWER An internal standards document to describe an organization's privacy practices.

Private Right of Action - ANSWER The ability of an individual harmed by a violation of law to bring suit against the violator.

Privilege - ANSWER A rule of evidence that protects confidential information communicated between a client and legal advisor.

Protective Order - ANSWER A judge-issued determination of what information contained in court records should not be made public and what conditions apply to who may access the protected information.

Publicity Given to Private Life - ANSWER A tort claim that considers publicity given to an individual's private life by another is an invasion of privacy and subject to liability.

Qualified Protection Order (QPO) - ANSWER Under HIPAA, a QPO prohibits the use or disclosure of PHI for any purpose other than the litigation for which the information was requested; it also requires the return of PHI to the covered entity at the close of litigation.

Red Flags Rule - ANSWER Promulgated under FACTA, the Red Flags Rule requires certain financial entities to develop and implement identity theft detection programs to identify and respond to "red flags" that signal identity theft.

Redaction - ANSWER The practice of identifying and removing or blocking information from documents being produced pursuant to a discovery request or evidence in a court proceeding.

Sedona Conference - ANSWER A nonprofit research and educational institute responsible for the establishment of standards and best practices for managing electronic discovery compliance through data retention policies.

Stored Communications - ANSWER A category of data prohibited from unauthorized acquisition, alteration or blocking while stored in a facility through which electronic communications service is provided.

Substitute Notice - ANSWER Pursuant to breach notification laws, certain entities must provide for substitute notice of data breach in a situation where insufficient or out-of-date contact information is held.

Trust Marks - ANSWER Demonstration of compliance with self-regulatory programs by display of a seal, logo, or certification.

Unfair Trade Practices - ANSWER Along with deceptive trade practices, behavior of an organization that can be enforced against by the FTC.

Authentication - ANSWER The identification of an individual account user based on a combination of security measures.

Authorization - ANSWER After authentication, the process of determining if the end user is permitted to have access to the desired resource, such as the information asset or the information system containing the asset.

Choice and Consent - ANSWER Organizations should describe the choices available to individuals and should get implicit or explicit consent with respect to the collection, use, retention and disclosure of personal information. Consent is often considered especially important for disclosures of personal information to other data controllers.

Comprehensive Model - ANSWER A method of data protection to govern the collection, use and dissemination of personal information in the public and private sectors, generally with an official or agency responsible for overseeing enforcement.

Confidentiality - ANSWER The obligation of an individual, organization or business to protect personal information and not misuse or wrongfully disclose that information.

Co-regulatory Model - ANSWER Used in Australia and New Zealand, this model emphasizes industry development of enforceable codes or standards for privacy and data protection, against the backdrop of legal requirements by the government.

Opt Out - ANSWER Opt out means that, in the absence of action by the individual, information can be shared with third parties (e.g., unless the individual checks a box to opt out, her information can go to another organization).

What are the four phases of privacy program development? - ANSWER
1. Discover
  • Issue identification
  • Identify best practices
  • Perform PIA
2. Build
  • Procedure development and identification
  • Full implementation
3. Communicate
  • Documentation (Training and Awareness)
4. Evolve
  • Affirmation and Monitoring
  • Adaptation

What are the elements of data sharing and transfer? - ANSWER
1. Data inventory
2. Data classification
3. Data flows
4. Accountability

What are the four elements of privacy policies and disclosure? - ANSWER
1. How many policies?
2. Policy review and approval
3. Privacy notice
4. Policy version control

What are the six phases of privacy incident response programs? - ANSWER
1. Detection
2. Prevent further activity
3. Investigation
4. Notice
5. Review
6. Corrective actions

What are the three elements of data subject preference and access? - ANSWER
1. Opt-in, opt-out, no option
2. Managing preferences
3. Access and redress

What are the two elements of vendor management? - ANSWER
1. Contracts
  • Confidentiality
  • No further use
  • Subcontractors
  • Breach disclosure
  • Information security
2. Due diligence
  • Reputation
  • Financial condition, insurance
  • Information security
  • Point of transfer
  • Disposal
  • Training and user awareness
  • Incident response

Which branch of the U.S. Federal Government makes laws? - ANSWER Legislative

Where is privacy mentioned in the U.S. Constitution? - ANSWER It's not. Usually privacy falls under the 4th amendment.

1. Misrepresentation - false security about the safety of a particular product.
2. Defamation - an untruth about another which untruth will harm the reputation of the person defamed (written defamation is libel; oral defamation is slander).
3. Strict tort liability - extending the responsibility of the vendor or manufacturer to all individuals who might be injured by the product.

What does article 5 of the FTC Act declare unlawful? - ANSWER unfair or deceptive acts or practices in or affecting commerce.

What is Children's Online Privacy Protection Act of 1998 (COPPA)? - ANSWER
1. Regulates collection and use of children's information by commercial website operators.
2. Compels website owners to adhere to specific notice and choice practices.
3. Applies to websites and services targeted to children under 13.

Who handles the enforcement of COPPA? - ANSWER FTC

Who handles the enforcement of CAN-SPAM? - ANSWER FTC

What does the FTC consider a deceptive practice? - ANSWER Saying one thing and completely going against it

What does the FTC consider an unfair practice? - ANSWER When reasonable practices are not being followed

What does the "Consumer Privacy Bill of Rights" emphasize? - ANSWER
1. Privacy by Design
2. Simplified choice
3. Transparency

What does the "Consumer Privacy Bill of Rights" prioritize? - ANSWER
1. Do not track
2. Mobile
3. Large platform providers
4. Enforceable self-regulation

What are the three goals of APEC Cross-border Privacy Enforcement Arrangement (CPEA)? - ANSWER
1. Facilitate information sharing
2. Promote effective cross-border cooperation
3. Encourage information sharing and investigative/enforcement cooperation

What are the three components of self-regulatory enforcement? - ANSWER
1. Legislation - Who determines the rules?
2. Enforcement - Who initiates actions?
3. Adjudication - Who decides if something is in violation?

What does HIPAA require? - ANSWER Covered entities to protect health information that is transmitted or maintained in any form or medium

List the three HIPAA covered entities - ANSWER
1. Healthcare providers that conduct transactions in electronic form
2. Health insurers
3. Health clearinghouses

Does HIPAA preempt stronger state laws? - ANSWER No

Who enforces HIPAA? - ANSWER The U.S. Department of Health & Human Services (HHS)

What are the punishments for non-compliance of HIPAA? - ANSWER Fines up to $250K and/or 10 years imprisonment

What are the elements of the HIPAA Privacy Rule? - ANSWER
1. Privacy notice
2. Authorizations for use and disclosure
3. "Minimum necessary" use and disclosure
4. Access and accounting of disclosures
5. Safeguards
6. Accountability
7. De-identification
8. Research
9. Other exceptions (law enforcement investigations)

What are the elements of the HIPAA Security Rule? - ANSWER
1. Confidentiality, integrity and availability of ePHI

1. Limitation on use of credit reports

Who does the FCRA apply to? - ANSWER Consumer Reporting Agencies (CRA)

Who enforces the FCRA and what are the punishments? - ANSWER Enforced by the FTC and state attorneys general; non-compliance leads to civil and criminal penalties and fines

The Fair and Accurate Credit Transactions Act of 2003 (FACTA) - ANSWER
1. Amends FCRA, preempting state laws
2. Requires truncation of credit and debit card numbers
3. Consumers have rights to explanation of credit score
4. Free annual credit report
5. Opt-out for marketing
6. The Disposal Rule
7. The Red Flags Rule

The Financial Services Modernization Act of 1999 - "Gramm-Leach-Bliley" (GLBA) - ANSWER
1. GLBA Privacy Rule
  • Initial and annual privacy notice required
  • Provide right to opt out
  • No disclosure of account numbers to third parties
  • Comply with regulatory standards
2. GLBA Safeguards Rule
  • Administrative Security
  • Technical Security
  • Physical Security

What are the three categories of security that span multiple regulations? - ANSWER
1. Administrative
2. Technical
3. Physical

Dodd-Frank Wall Street Reform and Consumer Protection Act (2010) - ANSWER
1. Created the Consumer Financial Protection Bureau (CFPB) within the Federal Reserve
2. Oversees the relationship between consumers and providers of financial products and services
3. Can enforce against "abusive acts and practices"

Family Educational Rights and Privacy Act of 1974 (FERPA) - ANSWER
1. Places control over disclosure and access to educational records (with exceptions)
2. Provides students right to access and correct education records
3. Applies to all educational institutions that receive federal funding.

Protection of Pupil Rights Amendment 1978 (PPRA) - ANSWER
1. Extended protections to parents of minors relative to surveys collecting sensitive information
2. Applies to all elementary and secondary schools receiving federal funding

No Child Left Behind Act 2001 (NCLB) - ANSWER
1. Broadened PPRA survey restrictions
  • Enact policies
  • Parental review of surveys prior to use
  • Advance notice
  • Opt out

FTC Telemarketing Sales Rule (TSR) / Telephone Consumer Protection Act of 1991 - FCC regulations - ANSWER
1. Who can be called?
  • Prohibits calls to cell phones
  • U.S. National Do Not Call Registry
2. Rules governing calls
  • 8am - 9pm as one example
3. Call abandonment
4. Unauthorized billing
5. Record keeping

Does the executive branch include federal agencies that report directly to the President? - ANSWER Yes

What do federal agencies in the executive branch do? - ANSWER They implement the laws through rule making and enforce the laws through civil and criminal procedures.

What are the lowest courts called in the federal court system (judicial branch)? - ANSWER District Courts. These serve as federal trial courts.

Cases decided by a district court can be referred to what? - ANSWER A federal appellate court (also called a "circuit court").

What do federal circuit courts do? - ANSWER They are not trial courts; they serve as appeals courts for federal cases.

The federal appeals courts are divided into how many circuits? - ANSWER 12 regional circuits; each district court is assigned to an appeals court which decides the appeals for that circuit.

What are the other federal courts called? - ANSWER Special courts include the U.S. Court of Federal Claims and the U.S. Tax Court.

What is the top court in the judicial branch? - ANSWER The U.S. Supreme Court.

What does the U.S. Supreme Court do? - ANSWER Hears appeals from the circuit courts and decides questions of federal law; also interprets the U.S. Constitution. May also hear appeals from the highest state courts or function as a trial court in rare instances.

In what circumstances do federal agencies wield power that is characteristic of all three branches of government? - ANSWER When they are given authority by Congress to promulgate and enforce rules pursuant to law. This means they operate under statutes that give them legislative power to issue rules, executive power to investigate and enforce violations of rules/statutes, and judicial power to settle particular disputes.

What are the sources of law in the U.S.? - ANSWER Federal and state constitutions, legislation, case law (contracts and torts), and agency-issued regulations.

What is the supreme law in the U.S.? - ANSWER The Constitution.

Who drafted the Constitution and when? - ANSWER The Constitutional Convention drafted the Constitution in 1787.

True/False: The U.S. Constitution does not contain the word "Privacy". - ANSWER True.

Which parts of the Constitution directly affect privacy? - ANSWER The Fourth Amendment limits on government searches.

Which Supreme Court decisions affect privacy? - ANSWER The S.C. has held that a person has a right to privacy over personal issues such as contraception and abortion, arising from more general protections of due process of law.

What are other sources of law affecting privacy? - ANSWER State constitutions may create stronger rights than are provided in the U.S. Constitution.

Which state expressly recognizes a right to privacy in its constitution? - ANSWER California.

What areas are regulated by laws enacted by federal Congress and state legislatures? - ANSWER applications of information (use of information for marketing or pre-employment screening), certain industries (such as financial institutions or healthcare providers), certain data elements (SSNs or driver's license info), or specific harms (identity theft or children's online privacy)

How is law-making power distributed in the U.S.? - ANSWER Law-making power is shared between the national and state governments.

What does the U.S. Constitution say about laws under the Constitution? - ANSWER It states that the Constitution and the laws passed pursuant to it are "the supreme law of the land."

When do states have the power to make laws? - ANSWER Where federal law does not prevent it, states have the power to make law.

Which Amendment to the Constitution states "the powers not delegated to the United States by the Constitution, nor prohibited by it to the States, are reserved to the States respectively, or to the people."? - ANSWER The Tenth Amendment to the Constitution.

What is one area of law where states may pass privacy/other laws with stricter requirements than federal law? - ANSWER HIPAA medical privacy rule.

What are common law's rules in regards to privacy? - ANSWER Common law upholds special privilege rules, even in the absence of statutes protecting that confidentiality.

Name two special privilege rules. - ANSWER
1. Doctor-patient privilege
2. Attorney-client confidentiality.

Does a consent decree typically admit guilt or wrongdoing? - ANSWER No.

How are the courts involved in a consent decree? - ANSWER The document is approved by a judge.

What does a consent decree accomplish? - ANSWER It formalizes an agreement reached between a federal or state agency and an adverse party.

What are the contents of the consent decree? - ANSWER It describes the actions that the defendant will take and the decree may be subject to a public comment period.

How much power does a consent decree hold? - ANSWER Once approved, the consent decree has the effect of a court decision.

In what area has the FTC entered into numerous consent decrees with companies as a result of alleged violations of privacy laws? - ANSWER COPPA has allowed for several consent decrees, which require violators to pay money to the government and agree not to violate the relevant law in the future.

What services do federal agencies provide? - ANSWER
1. promulgate rules and enforce them;
2. provide guidance in the form of opinions.

How are agency opinions interpreted and used? - ANSWER They do not carry the weight of law, but do give specific guidance to interested parties trying to interpret agency rules and regulations.

What provisions might a privacy contract contain? - ANSWER data usage, data security, breach notification, jurisdiction, and damages. (A contract between an EU company and a US data processor might include a provision requiring the US company to be safe harbor certified/abide by the framework.)

True/false: Every agreement is a legally binding contract. - ANSWER False. There are three fundamental requirements for forming a binding contract.

What are the three factors required to form a contract? - ANSWER Offer, Acceptance, Consideration.

Which terms of the offer must be specific and definite? - ANSWER Price, quantity, and description.

What ends the original offer? - ANSWER A counteroffer.

What actions must be taken with an offer for it to qualify to form a contract? - ANSWER The offer must be communicated to another person and remain open until it is accepted, rejected, retracted or has expired.

What is acceptance? - ANSWER The assent or agreement by the person to whom the offer was made that the offer is accepted.

What requirements must the acceptance meet? - ANSWER The acceptance must comply with the terms of the offer and must be communicated to the person who proposed the deal.

What is the bargained-for exchange? - ANSWER Consideration.

What is consideration? - ANSWER The legal benefit received by one person and the legal detriment imposed on the other person.

True/False: An agreement without consideration is not a contract. - ANSWER True.

When may a privacy notice constitute a contract? - ANSWER If a consumer provides data to a company based on the company's promise to use the data in accordance with the terms of the notice.

What are the goals of tort law? - ANSWER
a. provide relief for damages incurred;
b. deter others from committing the same wrongs.

What are the three tort categories? - ANSWER Intentional torts, negligent torts, and strict liability torts.

When did the concept of a personal privacy tort enter U.S. jurisprudence? - ANSWER The late 1890s.

What are some current privacy torts? - ANSWER
a. intrusion on seclusion;
b. public revelation of private facts;
c. interfering with a person's right to publicity;
d. casting a person in a false light.

What is a defense to some of the traditional privacy torts? - ANSWER The speaker is exercising free speech rights under the First Amendment.

What are some other, more recent, privacy-related torts considered by courts? - ANSWER Allegations that a company was negligent for failing to provide adequate safeguards for PI, thus causing harm due to disclosure of