CIPP/US Practice Exam - correct answer Designed to support preparation for the CIPP/US certification exam.
IAPP - correct answer International Association of Privacy Professionals, the organization that provides the CIPP/US certification.
Body of Knowledge - correct answer The set of topics and knowledge areas relevant to the CIPP/US certification.
Practice Exam Purpose - correct answer Helps identify relative strengths and weaknesses in the major domains of the CIPP/US body of knowledge.
Certification Exam Simulation - correct answer The practice exam simulates the types and breadth of questions encountered on the CIPP/US certification exam.
Performance Guarantee - correct answer A strong performance on the practice exam does not guarantee similar success on the certification exam.
Review for Accuracy - correct answer All items on the practice exam were reviewed for accuracy at the time of publication.
Independent Development - correct answer The practice exam was developed independently of the CIPP/US certification exam.
Reproduction Restrictions - correct answer The CIPP/US practice exam and rationales may not be reproduced in any manner other than for use by the original purchaser.
Answer Sheet Instructions - correct answer Print out the answer sheet to indicate your selection for each question.
Timer Setting - correct answer Set a timer for 150 minutes (2.5 hours) to simulate the certification exam.
Answer Key Usage - correct answer Print out the answer key to check your answers against the exam questions.
Correct Response Marking - correct answer Place a '1' or a checkmark in the corresponding domain column of the answer key for each correct response.
Domain Scoring - correct answer Total the number of correct answers under each domain column.
Score Calculation - correct answer Calculate scores as a percent by dividing correct answers by total questions in that domain and multiplying by 100.
Rationales Consultation - correct answer Consult the rationales for detailed explanations of each answer.
Exam Format - correct answer All questions are multiple-choice with only one correct response.
Sub-domain Indication - correct answer The letter in the box next to the unshaded box indicates the sub-domain of the body of knowledge related to the question.
Version - correct answer The practice exam is based on the IAPP's CIPP/US body of knowledge version 2.6.
Publication Year - correct answer The copyright year for the publication is 2025.
Contact for Questions - correct answer Contact information is provided for questions or comments.
Registered Trademarks - correct answer AIGP®, CIPP®, CIPP/A®, CIPP/C®, CIPP/E®, CIPP/G®, CIPP/US®, CIPM®, and CIPT® are registered trademarks of the IAPP.
Fair and Accurate Credit Transactions Act of 2003 (FACTA) - correct answer Strengthens the Fair Credit Reporting Act (FCRA) by introducing provisions that deal directly with identity theft.
Data flow mapping - correct answer A useful tool for organizations to comply with their regulatory responsibilities.
Important step in data flow mapping - correct answer Identify custodians who are responsible for the data.
Medical Quizzes app - correct answer A free app that allows users to take a two-minute quiz to receive a medical diagnosis.
Health Insurance Portability and Accountability Act (HIPAA) - correct answer Does not protect the medical information provided to Medical Quizzes because the app is not provided by a covered entity.
U.S. website collecting IP addresses - correct answer Is collecting personal data under U.S. law depending on whether the website can link the IP address to other identifying information about the visitor.
Biometric information - correct answer A more popular and secure form of personal information to verify and/or authenticate identity.
Illinois Biometric Information Privacy Act (BIPA) - correct answer Imposes a $1,000 penalty for each negligent violation, or a $5,000 penalty for each willful or reckless violation.
Layered privacy notice - correct answer A short privacy notice with key points at the top.
Linking IP addresses to identifying information - correct answer A factor in determining if IP addresses are considered personal data.
Voice-over-internet-protocol - correct answer A technology that allows for voice communication over the internet.
Privacy Officer - correct answer An individual responsible for ensuring an organization's compliance with privacy laws and regulations.
State privacy law - correct answer Legislation enacted by a state to protect the privacy of its residents.
Data accountability - correct answer The responsibility of an organization to manage and protect data in accordance with applicable laws and regulations.
Data classification - correct answer The process of organizing data into categories based on specific criteria.
Sensitivity - correct answer The degree to which data must be protected due to its confidential nature.
Transferability - correct answer The ability to move data from one system or location to another.
Risk vulnerability - correct answer The potential for loss or harm related to data due to exposure to threats.
Clinical class - correct answer A practical course in a nursing program where students gain hands-on experience in a healthcare setting.
Internship - correct answer A temporary position that provides practical experience in a professional environment.
Adjunct professor - correct answer A part-time instructor at a college or university who is not a full-time faculty member.
Attendance - correct answer The act of being present at a class or event.
Grading - correct answer The process of evaluating a student's performance and assigning a score or letter.
Clinical internships - correct answer Practical training experiences for nursing students at healthcare facilities.
Upstate Medical Hospital - correct answer The healthcare facility where John Doe is assigned for his clinical class.
Basic procedures - correct answer Fundamental medical tasks performed by nursing students under supervision.
Appeal - correct answer A formal request to review and change a decision made by an authority.
Disciplinary policy - correct answer The rules and procedures established by an institution to address misconduct.
Hearing - correct answer A formal proceeding where evidence and arguments are presented regarding a dispute.
Request for records - correct answer A formal inquiry to obtain documents or information held by an organization.
Emails, texts, and written correspondence - correct answer Forms of communication that may be requested as part of a records inquiry.
45 days - correct answer The maximum time allowed for the School to provide requested records to John.
FERPA - correct answer Family Educational Rights and Privacy Act, which protects the privacy of student education records.
CCPA - correct answer California Consumer Privacy Act, which gives consumers rights regarding their personal information.
Schrems II - correct answer A decision by the Court of Justice of the European Union in July 2020 that invalidated the EU-U.S. Privacy Shield.
Protective Order - correct answer A court order to prevent the disclosure of personal information during legal proceedings.
Hospital Badge Confiscation - correct answer An action taken by the Hospital to investigate an incident involving John.
Written Communications - correct answer All written messages regarding a student's grade that the nurse made.
School's Email System - correct answer The email system used by the School to communicate, which must provide copies of emails sent.
Health and Safety Exception - correct answer Allows the School to provide information about a student to the Hospital without consent if it relates to health and safety.
Educational Records Access - correct answer The right of a student to access their educational records within 45 days of a request.
Federal Trade Commission (FTC) consent decree - correct answer A decree in which the respondent does not admit fault but will change its practices and avoid further litigation.
Video Privacy Protection Act (VPPA) - correct answer A law that prohibits the disclosure of personal information about video rental customers.
Exception to VPPA prohibition - correct answer Circumstances under which customer personal information may be shared with third parties.
Order fulfillment - correct answer The process of completing a customer's order.
Debt collection - correct answer The process of pursuing payments of debts owed by individuals or businesses.
Opt-out process - correct answer A mechanism allowing users to decline participation in certain practices or data sharing.
Regulatory complaints - correct answer Formal grievances filed with regulatory agencies regarding potential violations of laws or regulations.
Unfair and deceptive practices - correct answer Business practices that mislead consumers or create an unfair advantage.
Privacy policy - correct answer A statement that explains how an organization collects, uses, and protects personal information.
Cross-sharing of information - correct answer The practice of sharing personal data across different products or services.
Explicit consent - correct answer Clear and specific agreement given by an individual regarding the use of their personal information.
Judge-approved settlement - correct answer An agreement reached between parties that is sanctioned by a judge.
Privacy program office - correct answer A designated department within an organization focused on managing privacy-related issues.
Tech Gurus - correct answer A fictional technology company involved in the scenario.
Connect Me - correct answer An add-on product developed by Tech Gurus for social networking.
Regulatory investigation - correct answer An inquiry conducted by a regulatory body to assess compliance with laws and regulations.
Misrepresenting privacy - correct answer Providing false or misleading information regarding the handling of personal data.
Privacy or confidentiality of individuals' information - correct answer The protection of personal data from unauthorized access or disclosure.
Misrepresenting compliance - correct answer Falsely claiming adherence to privacy, security, or compliance standards.
Federal Trade Commission (FTC) - correct answer A regulatory authority that may enforce actions against companies like Tech Gurus.
U.S. Department of Commerce (DOC) - correct answer A regulatory authority that may have jurisdiction over commerce-related issues.
Federal Communications Commission (FCC) - correct answer A regulatory authority that oversees communications and may enforce regulations.
Consumer Financial Protection Bureau (CFPB) - correct answer A regulatory authority that protects consumers in the financial sector.
Consent decree - correct answer A type of settlement agreement reached between Tech Gurus and the regulatory agency.
Private right of action - correct answer A legal term referring to the right of an individual to sue for a legal remedy.
Settlement agreement - correct answer An agreement reached to resolve a dispute without admission of guilt.
Strict liability tort settlement - correct answer A legal term referring to a settlement where liability is established without fault.
Judicial Branch - correct answer The branch of government that interprets laws and administers justice.
Military Branch - correct answer The branch of government responsible for national defense and military operations.
Executive Branch - correct answer The branch of government responsible for enforcing laws and administering the government.
Legislative Branch - correct answer The branch of government responsible for making laws.
Legal Authority - correct answer The power granted to a regulatory agency to enforce laws.
Specific Authority - correct answer Authority granted to a regulatory agency for specific regulatory functions.
General Authority - correct answer Broad authority granted to a regulatory agency to regulate within its jurisdiction.
Vendor agreements in California - correct answer If a consumer clicks on the 'Do Not Sell' button, the store can continue to share publicly visible account profile picture.
AI-driven automated tool in hiring - correct answer A tool used by a hotel chain to help sort best suited applicants to open jobs based on received résumés.
Sherry's qualifications - correct answer Included her name, phone number, past work experience at hospitality internships, education history at a top university and relevant extracurriculars.
Interview selection bias - correct answer Despite her qualifications, only men were selected for interviews for the associate position.
Human resources manager - correct answer Rhonda, who reviews recommendations for approved applicants.
Consumer's in-store purchase history - correct answer An example of personal information that can be shared despite a 'Do Not Sell' request.
Environmental safeguards under GLBA - correct answer Providing environmental safeguards, business continuity plans and disaster recovery.
Securing computer systems under GLBA - correct answer Securing the computer systems, networks and applications together with access controls.
Anticipated threats to information security - correct answer Protecting against anticipated threats or hazards to the security or integrity of the information.
Disclosure of personal information under 42 CFR Part 2 - correct answer Requires consent to disclose personal information for the purpose of treatment.
Subpoena for disclosing personal information - correct answer 42 CFR Part 2 requires only a subpoena for disclosing personal information to a court.
Unique customer identifier - correct answer An example of personal information that can be shared despite a 'Do Not Sell' request.
Private email address - correct answer An example of personal information that cannot be shared if a consumer clicks on 'Do Not Sell'.
Publicly visible account profile picture - correct answer An example of personal information that can be shared despite a 'Do Not Sell' request.
Civil lawsuits - correct answer Legal actions individuals can pursue under a private right of action.
Health plan or healthcare provider - correct answer A covered entity that transmits protected health information data.
State regulatory agency - correct answer Any state regulatory agency or body that enforces a specific breach notification law.
Resident affected by a breach - correct answer A resident of that state affected by a personal information breach who suffers harm.
Discrepancy in résumé - correct answer A difference between Sherry's skill level and the position she was applying for.
Recruitment selection tool - correct answer A tool that may sort applications and assess candidates for job positions.
HIPAA compliance - correct answer A requirement ensuring that health information is protected and handled according to regulations.
Résumé sorting tool assessment - correct answer The evaluation of the résumé sorting tool for potential bias in its application.
Employee code violation discussion - correct answer A meeting summoned to address breaches of the organization's employee conduct policies.
Invalid basis for discussion - correct answer A situation that does not constitute a legitimate reason for addressing a code violation.
Layoff best practices - correct answer Recommended actions to take when terminating employees to ensure compliance and security.
FACTA requirements - correct answer Regulations that require disclosure before using a credit score for loans.
Opting out under GLBA - correct answer A method for consumers to prevent sharing of their personal information with third parties.
Records retention under FACTA - correct answer Guidelines governing how long sensitive information derived from consumer reports must be kept.
Biometric data removal - correct answer The process of deleting former employees' biometric information from access systems during layoffs.
Email account deletion - correct answer The action of removing access to former employees' email accounts as part of the layoff process.
Personal item disposal - correct answer The act of discarding personal and business-related items left by former employees.
Personnel file retention policy - correct answer The rules governing how long personnel files of former employees must be kept.
Co-regulatory model - correct answer A model emphasizing industry development of enforceable codes or standards for privacy and data protection alongside government legal requirements.
TrustArc - correct answer An example of a co-regulatory model for privacy and data protection.
Children's Online Privacy Protection Act (COPPA) - correct answer A law that regulates the online collection of personal information from children.
Payment Card Industry Data Security Standards (PCI-DSS) - correct answer Standards that ensure companies protect cardholder data.
Employee privacy risk reduction policy - correct answer A policy that might restrict employees from using personal devices for company business to reduce privacy risks.
Keystroke monitoring - correct answer Monitoring of all employees to block non-business use of office computers.
Discovery requests - correct answer Requests for information during litigation, which may include non-business-related material.
Unauthorized accounts - correct answer Accounts opened by a bank's employees on behalf of customers without their consent, which can lead to enforcement action.
Data breach - correct answer An incident where a consumer reporting agency suffers a breach due to lax information security practices.
Money service business registration - correct answer The requirement for individuals buying and selling cryptocurrency on behalf of consumers to register as a money service business.
Parental consent - correct answer The requirement for online platforms to obtain verified parental consent before collecting children's personal information.
GLBA Safeguards Rule - correct answer A regulation that requires financial institutions to implement security measures to protect consumer information.
Physical security - correct answer Measures taken to protect physical assets and facilities from unauthorized access or damage.
Theoretical security - correct answer A concept of security that is based on theoretical frameworks rather than practical implementation.
Operational security - correct answer Processes and practices that protect sensitive information from being accessed by unauthorized individuals.
Reasonable security - correct answer Security measures that are appropriate and effective for the level of risk faced by an organization.
Data security - correct answer Protective measures that safeguard digital information from unauthorized access, corruption, or theft.
Administrative security - correct answer Policies and procedures that govern the management and protection of sensitive information.
Technical security - correct answer Technological measures used to protect information systems and data from cyber threats.
Security surveillance - correct answer Monitoring activities in a specific area to ensure safety and security.
Wiretap Act - correct answer A federal law that prohibits the interception of wire and oral communications without consent.
Electronic Communications Privacy Act (ECPA) - correct answer A law that extends government restrictions on wiretaps to include electronic communications.
KardiaBros Inc. (KBI) - correct answer A private company that manufactures implantable medical devices for cardiac patients.
Initial Public Offering (IPO) - correct answer The process through which a private company offers shares to the public for the first time.
Myocardial infarction - correct answer A medical term for a heart attack, which occurs when blood flow to the heart is blocked.
Workforce expansion - correct answer The process of increasing the number of employees in an organization.
Data protection checklist - correct answer A list of items and measures that need to be addressed to ensure data protection compliance.
Chief Privacy Officer - correct answer An executive responsible for overseeing data protection and privacy policies within an organization.
Lawyers LLC - correct answer The outside counsel advising KBI on legal matters, including data protection.
Sam Myoma - correct answer A second-year MBA student interning at KBI, tasked with handling the data protection checklist.
Data governance structure - correct answer The framework that defines how data is managed, protected, and utilized within an organization.
Job requisition follow-up questions - correct answer Questions Sam should ask the director of human resources regarding the marketing executive role.
Independence between roles - correct answer No, Sam cannot accept these positions because there is not sufficient independence between the two roles.
Country-based position requirement - correct answer No, Sam cannot accept these positions because each position must be based in its respective country.
Algorithm for newsfeed curation - correct answer A social media platform uses an algorithm to curate users' newsfeeds based on factors like who they follow, their past interactions, and trending topics.
Medical records transmission app - correct answer Grandview Hospital hired Apps for All to create and maintain a mobile app for transmitting medical records to patients.
Contract for medical records - correct answer The contract establishes the accepted practice for the collection, use, retention, and disclosure of patients' medical records.
Healthcare ransomware attacks - correct answer Healthcare entities were one of the highest targeted organizations for ransomware attacks in the last few years.
Ransomware threat response - correct answer Disconnect all infected devices from the network.
Federal Trade Commission enforcement - correct answer The Federal Trade Commission currently shares authority with another federal bureau for civil enforcement of alleged violations of Section 5 of the FTC Act.
ECPA and email access - correct answer The ECPA requires a warrant to access the contents of an email if it has been stored on a provider's server for more than 180 days, but a subpoena can be used for emails stored for less than 180 days.
Cybersecurity Information Sharing Act provisions - correct answer Identifying devices, data and systems used to conduct the core company activities.
Consumer Financial Protection Bureau authority - correct answer The ability to conduct investigations and issue subpoenas, hold hearings and commence civil actions against offenders.
EU to U.S. data transfer mechanisms - correct answer File Transfer Protocol.
Department of Labor oversight - correct answer FLSA, OSHA and ERISA.
HIPAA individual rights - correct answer Right to Request Confidential Communications.
Information Management Program building stage - correct answer Procedure development and verification.
California Consumer Privacy Act enforcement - correct answer A handful of additional states passed comprehensive consumer data privacy laws giving enforcement authority to state offices.
California Consumer Privacy Act (CCPA) - correct answer A law passed in 2019 that established comprehensive consumer data privacy regulations.
Enforcement Authority - correct answer The power given to a state office to enforce laws.
PCI DSS Levels - correct answer Levels based on the number of annual transactions the entity engages in.
Privacy Office - correct answer A department managing privacy compliance within an organization.
Phishing Attack - correct answer A cyber attack where a bad actor attempts to obtain sensitive information by masquerading as a trustworthy entity.
Exfiltrated Data - correct answer Data that has been unlawfully transferred out of a system.
Breach Notification Laws - correct answer Laws requiring organizations to notify individuals when their personal information has been compromised.
Affected Individuals - correct answer Individuals whose personal data has been compromised in a data breach.
Vendor - correct answer A third-party service provider that assists a company in its operations.
Customer Data - correct answer Information collected from customers, including personal identifiers and payment information.
Encryption - correct answer A method of securing data by converting it into a code to prevent unauthorized access.
Incident Response - correct answer The process of managing and addressing a data breach or security incident.
State Breach Law - correct answer Legislation that outlines the requirements for notifying individuals about data breaches.
Personal Information - correct answer Data that can be used to identify an individual, such as name, address, and social security number.
Holiday Sales Incentives - correct answer Promotional offers made to customers during the holiday season to increase sales.
Customer Loyalty - correct answer The tendency of customers to continue buying from a specific company due to positive experiences.
FCRA Employment Denial Requirement A - correct answer The employer must provide the employee with the legal purpose of the report.
FCRA Employment Denial Requirement B - correct answer The employer must provide notice to the applicant that an adverse action was taken.
FCRA Employment Denial Requirement C - correct answer The employer must provide guidance to the applicant on how to dispute the CRA report.
FCRA Employment Denial Requirement D - correct answer The employer must certify to the employee that the report is from a permissible agency.
Preemption Definition - correct answer A federal statute taking precedence over a state statute.
Federal Agency Authority - correct answer A federal agency exercising authority over its area of specialization.
Federal Statute Fines - correct answer A federal statute establishing first priority for the application of fines.
Federal Agency Prosecution - correct answer A federal agency's prosecution takes precedence over that of other countries.
21st Century Cures Act Balance - correct answer Using personal information for public interest purposes and the individual's right to object to such use.
Personal Information Protection - correct answer Protecting an individual's personal information and the public interest in sharing the personal information.
Research and Personal Information - correct answer Sharing personal information for research and the value of the personal information to pharmaceutical companies.
FOIA and Personal Information - correct answer Allowing personal information to be disclosed under the Freedom of Information Act and the individual's right to be notified of such disclosure.
Credit Report Check Law - correct answer Gramm-Leach-Bliley Act (GLBA).
Unauthorized Expenses Law - correct answer Fair and Accurate Credit Transactions Act (FACTA).
Gramm-Leach-Bliley Act (GLBA) - correct answer A law that requires financial institutions to explain how they share and protect their customers' private information.
Foreign Intelligence Surveillance Act (FISA) - correct answer A law that provides a framework for the surveillance of foreign intelligence targets within the United States.
Fair and Accurate Credit Transactions Act (FACTA) - correct answer A law that aims to reduce identity theft by improving the accuracy of consumer credit information.
AdChoices - correct answer A self-regulatory program that provides consumers with transparency and control over targeted advertising.
TrustArc Privacy Certification - correct answer A certification that demonstrates compliance with privacy regulations and best practices.
Age-Appropriate Design Code - correct answer A code that sets out standards for online services to protect children's privacy.
Payment Card Industry Data Security Standard - correct answer A set of security standards designed to ensure that companies that accept, process, store or transmit credit card information maintain a secure environment.
Section 5 FTC enforcement - correct answer FTC's enforcement authority over unfair methods of competition and deceptive practices.
Invitation to Collude - correct answer Practices that facilitate explicit or implicit collusion between competitors.
Unfair Methods of Competition Involving Intellectual Property - correct answer Abuse of intellectual property rights to harm competition.
Quantitative Metrics - correct answer Specific quantitative metrics (e.g., market share thresholds) for triggering scrutiny under Section 5.
Remedies - correct answer Variety of remedies the FTC may seek to address unfair methods of competition, including injunctions, divestitures, and disgorgement of ill-gotten gains.
Data Handling Questions for Vendors - correct answer Questions companies should ask vendors to ensure proper data handling.
Phone Interviews - correct answer Initial screening method used by NYS to assess candidates.
Candidate Assessment Consistency - correct answer Requirement for all interviewers to ask the same questions to all applicants.
Social Media Screen - correct answer Process used by NYS recruiters to track candidates' online presence for potential risks.
Prohibition of Login Credentials - correct answer NYS HR team is prohibited from requesting or accepting candidate login credentials for social media accounts.
Target Market of NYS - correct answer Consumers between the ages of 20-30 years who live a healthy lifestyle and participate in outdoor activities.