IAPP CIPP-US Practice Exam Questions

IAPP CIPP-US Sample Question Answers

Question # 1

Your company, an online store selling digital keys to video games, has received a data access request from an individual. Specifically, the individual wants access to her recent purchase history, as she has misplaced the emails containing the digital keys to multiple game purchases she made last month.From a security standpoint, what would the user have to do under CCPA in order to acceptably verify her identity?

A. Take a photo of herself with her driver license
B. Provide a notarized affidavit signed by two witnesses.
C. Log in to her password-protected account with the company
D. Phone the company and provide her contact details and credit card number 

Show Answer

Question # 2

In the US, II is a best practice (and in some states a requirement) to conduct a data protection assessment in which instance?

A. When a background check is used as part of the hiring process
B. When any information is processed by a corporation.
C. When trade secrets are shared with a third party.
D. When technology is used to monitor employees. 

Show Answer

Question # 3

Which power was NOT granted to the California Privacy Protection Agency by the California Privacy Rights Act (CPRA)?

A. Adopting and updating CCPA regulations
B. Investigating possible violations of the CCPA on the agency's own initiative.
C. Overriding decisions of the Attorney General regarding CCPA enforcement
D. Imposing administrative fines for violations of the CCPA

Show Answer

Question # 4

Which of the following would best provide a sufficient consumer disclosure under the Fair Credit Reporting Act (FCRA) prior to a consumer report being obtained for employment purposes?

A. A verbal notice provided with a conditional offer of employment
B. A notice provision in an electronic employment application.
C. A notice provision in a mailed offer letter.
D. A standalone notice document. 

Show Answer

Question # 5

A California resident has created an account on your company's online food delivery platform and placed several orders in the past month Later she submits a data subject request to access her personal information under the California Privacy Rights Act.Based on the CPRA. which of the following data elements would your company NOT have to provide to the requestor once her identity has been verified?

A. Inferences made about the individual for the company s internal purposes
B. The loyalty account number assigned through the individuals use of the services
C. The time stamp for the creation of the individual's account in the platform's database.
D. The email address submitted by the individual as part of the account registration process. 

Show Answer

Question # 6

The concept of data portability refers to what?

A. The practice of disclosing all the data sources one organization uses to enhance data collection from different social media platforms
B. The technical measures organizations use to empower consumers' control in case data is being transferred to service providers
C. The ability of individuals to obtain and reuse their personal data for their own purposes across different services.
D. The ability of individuals to easily change to another similar service provider if fees are unlawfully being raised

Show Answer

Question # 7

SCENARIO -Please use the following to answer the next question:Jane is a U.S. citizen and a senior software engineer at California-based Jones Labs, a major software supplier to the U.S. Department of Defense and other U.S. federal agencies. Jane's manager, Patrick, is a French citizen who has been living in California for over a decade. Patrick has recently begun to suspect that Jane is an insider secretly transmitting trade secrets to foreign intelligence. Unbeknownst to Patrick, the FBI has already received a hint from anonymous whistleblower, and jointly with the National Security Agency is investigating Jane's possible implication in a sophisticated foreign espionage campaignEver since the pandemic, Jane has been working from home. To complete her daily tasks she uses her corporate laptop, which after each login conspicuously provides notice that the equipment belongs to Jones Labs and may be monitored according to the enacted privacy policy and employment handbook. Jane also has a corporate mobile phone that she uses strictly for business, the terms of which are defined in her employment contract and elaborated upon in her employee handbook. Both the privacy policy and the employee handbook are revised annually by a reputable California law firm specializing in privacy law. Jane also has a personal iPhone that she uses for private purposes only.Jones Labs has its primary data center in San Francisco, which is managed internally by Jones Labs engineers. The secondary data center, managed by Amazon AWS, is physically located in the UK for disaster recovery purposes. Jones Labs' mobile devices backup is managed by a mid-sized mobile defense company located in Denver, which physically stores the data in Canada to reduce costs. Jones Labs MS Office documents are securely stored in a Microsoft Office 365 data center based in Ireland. Manufacturing data of Jones Labs is stored in Taiwan and managed by a local supplier that has no presence in the U.S.Before inspecting any GPS geolocation data from Jane's corporate mobile phone, Patrick should first do what? 

A. Obtain prior consent from Jane pursuant to the Telephone Consumer Protection Act
B. Revise emerging workplace privacy best practices with a reputable advocacy organization.
C. Obtain a subpoena from law enforcement, or a court order, directing Jones Labs tocollect the GPS geolocation data.
D. Ensure that such activity is permitted under Jane's employment contract or the company's employee privacy policy. 

Show Answer

Question # 8

According to the Family Educational Rights and Privacy Act (FERPA). when can a school disclose records without a student's consent?

A. If the disclosure Is not to be conducted through email to the third party
B. If the disclosure would not reveal a student's student identification number
C. If the disclosure is made to practitioners who are involved in a student's hearth care. 
D. If the disclosure is for the purpose of providing transcripts to a school where a student intends to enroll.

Show Answer

Question # 9

SCENARIO Please use the following to answer the next question;Miraculous Healthcare is a large medical practice with multiple locations in California and Nevada. Miraculous normally treats patients in person, but has recently decided to start offering teleheaith appointments, where patients can have virtual appointments with on-site doctors via a phone appFor this new initiative. Miraculous is considering a product built by MedApps, a company that makes quality teleheaith apps for healthcare practices and licenses them to be used with the practices' branding. MedApps provides technical support for the app. which it hosts in the cloud MedApps also offers an optional benchmarking service for providers who wish to compare their practice to others using the serviceRiya is the Privacy Officer at Miraculous, responsible for the practice's compliance with HIPAA and other applicable laws, and she works with the Miraculous procurement team to get vendor agreements in place. She occasionally assists procurement in vetting vendors and inquiring about their own compliance practices. as well as negotiating the terms of vendor agreements Riya is currently reviewing the suitability of the MedApps app from a privacy perspectiveRiya has also been asked by the Miraculous Healthcare business operations team to review the MedApps' optional benchmarking service. Of particular concern is the requirement that Miraculous Healthcare upload information about the appointments to a portal hosted by MedAppsWhat is the most practical action Riya can take to minimize the privacy risks of using an app for telehealth appointments?

A. Prevent MedApps from using copies of the patient data.
B. Require MedApps to obtain consent from all patients.
C. Require MedApps to submit a SOC2 report.
D. Engage in active oversight of MedApps

Show Answer

Question # 10

Which of the following would NOT be regulated by the Illinois Biometnc Information Pnvacy Act (BIPA)?

A. Photographs of local convicted felons uploaded lo a news website.
B. Fingerprint scans of elementary school students used to open their lockers
C. Security software designed to identify local convicted felons in retail stores via facial recognition.
D. Retina scans of elementary school students used to verify their identities for attendance purposes

Show Answer