
CIPP-US Dumps 2025 - New IAPP CIPP-US Exam Questions
Free CIPP-US braindumps download (CIPP-US exam dumps Free Updated)
The CIPP-US certification exam covers a wide range of topics, including US privacy laws and regulations, data protection, information security, and risk management. It is designed to ensure that candidates have a comprehensive understanding of the principles and practices of privacy and data protection. The CIPP-US exam is open to anyone who has a basic knowledge of privacy laws and regulations and is interested in pursuing a career in data privacy.
NEW QUESTION # 97
Which statute is considered part of U.S. federal privacy law?
- A. The e-Privacy Directive.
- B. The Fair Credit Reporting Act.
- C. SB 1386.
- D. The Personal Information Protection and Electronic Documents Act.
Answer: B
Explanation:
The Fair Credit Reporting Act (FCRA) is considered part of U.S. federal privacy law because it regulates the collection, use, and disclosure of personal information by consumer reporting agencies, such as credit bureaus, background check companies, and tenant screening services. The FCRA aims to protect the privacy, accuracy, and fairness of consumer credit information, and to ensure that consumers have access to and control over their own credit reports. The FCRA also imposes obligations on users and furnishers of consumer reports, such as creditors, employers, insurers, and landlords, to obtain consent, provide notice, and correct errors when using consumer reports for various purposes. The FCRA is enforced by the Federal Trade Commission (FTC) and other federal agencies, as well as by private lawsuits and state attorneys general. The FCRA was enacted in 1970 and has been amended several times, most notably by the Fair and Accurate Credit Transactions Act of 2003 (FACTA), which added provisions on identity theft prevention, fraud alerts, free credit reports, and disposal of consumer information. References:
* Fair Credit Reporting Act - Wikipedia
* Fair Credit Reporting Act | Federal Trade Commission
* Fair Credit Reporting Act (FCRA) - Consumer Information
* Fair Credit Reporting Act (FCRA) | Privacy Rights Clearinghouse
NEW QUESTION # 98
What is a legal document approved by a judge that formalizes an agreement between a governmental agency and an adverse party called?
- A. Common law judgment
- B. A judgment rider
- C. Stare decisis decree
- D. A consent decree
Answer: D
NEW QUESTION # 99
When does the Telemarketing Sales Rule require an entity to share a do-not-call request across its organization?
- A. When a call is not the result of an error or other unforeseen cause
- B. When the operational structures of its divisions are not transparent
- C. When the goods and services sold by its divisions are very similar
- D. When the entity manages user preferences through multiple platforms
Answer: A
NEW QUESTION # 100
SCENARIO
Please use the following to answer the next QUESTION
When there was a data breach involving customer personal and financial information at a large retail store, the company's directors were shocked. However, Roberta, a privacy analyst at the company and a victim of identity theft herself, was not. Prior to the breach, she had been working on a privacy program report for the executives. How the company shared and handled data across its organization was a major concern. There were neither adequate rules about access to customer information nor procedures for purging and destroying outdated data. In her research, Roberta had discovered that even low-level employees had access to all of the company's customer data, including financial records, and that the company still had in its possession obsolete customer data going back to the 1980s.
Her report recommended three main reforms. First, permit access on a need-to-know basis. This would mean restricting employees' access to customer information to data that was relevant to the work performed. Second, create a highly secure database for storing customers' financial information (e.g., credit card and bank account numbers) separate from less sensitive information. Third, identify outdated customer information and then develop a process for securely disposing of it.
When the breach occurred, the company's executives called Roberta to a meeting where she presented the recommendations in her report. She explained that the company having a national customer base meant it would have to ensure that it complied with all relevant state breach notification laws. Thanks to Roberta's guidance, the company was able to notify customers quickly and within the specific timeframes set by state breach notification laws.
Soon after, the executives approved the changes to the privacy program that Roberta recommended in her report. The privacy program is far more effective now because of these changes and, also, because privacy and security are now considered the responsibility of every employee.
Based on the problems with the company's privacy security that Roberta identifies, what is the most likely cause of the breach?
- A. Lost company property such as a computer or flash drive.
- B. Mishandling of information caused by lack of access controls.
- C. Fraud involving credit card theft at point-of-service terminals.
- D. Unintended disclosure of information shared with a third party.
Answer: B
NEW QUESTION # 101
The concept of data portability refers to what?
- A. The technical measures organizations use to empower consumers' control in case data is being transferred to service providers
- B. The practice of disclosing all the data sources one organization uses to enhance data collection from different social media platforms
- C. The ability of individuals to obtain and reuse their personal data for their own purposes across different services.
- D. The ability of individuals to easily change to another similar service provider if fees are unlawfully being raised
Answer: C
Explanation:
The concept of data portability refers to an individual's right to access and transfer their personal data from one organization to another. It enables individuals to obtain and reuse their personal data for their own purposes across different services. For example, an individual can request their data from one service provider and transfer it to another provider, facilitating competition and giving consumers more control over their data.
This right is commonly associated with the General Data Protection Regulation (GDPR) but is becoming more widely discussed in U.S. privacy contexts, such as under the California Consumer Privacy Act (CCPA) and similar state laws. Although the CCPA does not explicitly mention "data portability," the concept aligns with its provision that grants individuals the right to access their data in a portable and usable format.
Explanation of Options:
* A. The technical measures organizations use to empower consumers' control in case data is being transferred to service providers: This refers to technical controls but does not fully capture the essence of data portability.
* B. The practice of disclosing all the data sources one organization uses to enhance data collection from different social media platforms: This describes a data disclosure practice, not data portability.
* C. The ability of individuals to obtain and reuse their personal data for their own purposes across different services: This is the correct answer and accurately defines data portability.
* D. The ability of individuals to easily change to another similar service provider if fees are unlawfully being raised: While data portability might facilitate switching providers, it is not specifically tied to the issue of unlawful fee increases.
References from CIPP/US Materials:
* GDPR Article 20: Provides the right to data portability in the EU.
* CCPA Section 1798.100: Requires businesses to provide personal data in a readily usable format upon request.
* IAPP CIPP/US Certification Textbook: Discusses data portability as part of consumer rights and privacy frameworks.
NEW QUESTION # 102
An organization self-certified under Privacy Shield must, upon request by an individual, do what?
- A. Provide the identities of third and fourth parties that may potentially receive personal information.
- B. Identify all personal information disclosed during a criminal investigation.
- C. Provide the identities of third parties with whom the organization shares personal information.
- D. Suspend the use of all personal information collected by the organization to fulfill its original purpose.
Answer: C
Explanation:
According to the Privacy Shield Principles, an organization that self-certifies under the Privacy Shield Framework must provide individuals with the choice to opt out of the disclosure of their personal information to a third party or the use of their personal information for a purpose that is materially different from the purpose for which it was originally collected or subsequently authorized by the individual. To facilitate this choice, the organization must inform the individual of the type or identity of the third parties to which it discloses personal information and the purposes for which it does so. The organization must also provide a readily available and affordable independent recourse mechanism to investigate and resolve complaints and disputes regarding its compliance with the Privacy Shield Principles. If the organization transfers personal information to a third party acting as an agent, it must ensure that the agent provides at least the same level of privacy protection as is required by the Privacy Shield Principles and that it takes reasonable and appropriate steps to ensure that the agent effectively processes the personal information transferred in a manner consistent with the organization's obligations under the Privacy Shield Principles. References:
* Privacy Shield Principles, section II. Choice Principle and section III. Accountability for Onward Transfer Principle
* [IAPP CIPP/US Study Guide], p. 67-68, section 3.2.1 and p. 69-70, section 3.2.2
* [IAPP CIPP/US Body of Knowledge], p. 15-16, section C.1.b and p. 16-17, section C.1.c
NEW QUESTION # 103
What is the main challenge financial institutions face when managing user preferences?
- A. Ensuring that preferences are applied consistently across channels and platforms
- B. Ensuring they are in compliance with numerous complex state and federal privacy laws
- C. Determining the legal requirements for sharing preferences with their affiliates
- D. Developing a mechanism for opting out that is easy for their consumers to navigate
Answer: A
NEW QUESTION # 104
What is the main reason some supporters of the European approach to privacy are skeptical about self-regulation of privacy practices?
- A. Human rights may be disregarded for the sake of privacy
- B. A new business owner may not understand the regulations
- C. Industries may not be strict enough in the creation and enforcement of rules
- D. A large amount of money may have to be spent on improved technology and security
Answer: C
NEW QUESTION # 105
A covered entity suffers a ransomware attack that affects the personal health information (PHI) of more than 500 individuals. According to Federal law under HIPAA, which of the following would the covered entity NOT have to report the breach to?
- A. Medical providers
- B. The local media
- C. Department of Health and Human Services
- D. The affected individuals
Answer: A
NEW QUESTION # 106
Which of the following laws is NOT involved in the regulation of employee background checks?
- A. The Civil Rights Act.
- B. The Gramm-Leach-Bliley Act (GLBA).
- C. The U.S. Fair Credit Reporting Act (FCRA).
- D. The California Investigative Consumer Reporting Agencies Act (ICRAA).
Answer: B
Explanation:
The law that is not involved in the regulation of employee background checks is B. The Gramm-Leach-Bliley Act (GLBA). The GLBA is a federal law that regulates the privacy and security of financial information collected, used, or shared by financial institutions, such as banks, insurance companies, or securities firms. The GLBA does not apply to employee background checks, unless the employer is a financial institution that obtains financial information from a consumer reporting agency for employment purposes. In that case, the employer must comply with the GLBA's notice and opt-out requirements, as well as the FCRA's requirements for using consumer reports. References:
* [IAPP CIPP/US Study Guide], Chapter 4: Workplace Privacy, pp. 113-114.
* IAPP CIPP/US Body of Knowledge, Section IV: Workplace Privacy, Subsection A: Employee Privacy Expectations, Topic 3: Background Checks.
* IAPP CIPP/US Practice Questions, Question 150.
NEW QUESTION # 107
What are banks required to do under the Gramm-Leach-Bliley Act (GLBA)?
- A. Process requests for changes to user preferences within a designated time frame
- B. Conduct annual consumer surveys regarding satisfaction with user preferences
- C. Provide consumers with the opportunity to opt out of receiving telemarketing phone calls
- D. Offer an Opt-Out before transferring PI to an unaffiliated third party for the latter's own use
Answer: D
Explanation:
The Gramm-Leach-Bliley Act (GLBA) is a federal law that regulates the privacy and security of consumer financial information collected, used, and disclosed by financial institutions, such as banks, credit unions, securities firms, insurance companies, and others [1][2]. Under the GLBA, financial institutions must comply with two main rules: the Privacy Rule and the Safeguards Rule [1][2]. The Privacy Rule requires financial institutions to provide notice to their customers about their information-sharing practices and to obtain verifiable parental consent before collecting, using, or disclosing personal information from children [1][2]. The Privacy Rule also gives customers the right to opt out of having their personal information shared with certain nonaffiliated third parties, unless an exception applies [1][2]. The Safeguards Rule requires financial institutions to develop, implement, and maintain a comprehensive information security program that protects the confidentiality, security, and integrity of customer information [1][2].
Therefore, banks and other financial institutions are required to offer an opt-out before transferring personal information (PI) to an unaffiliated third party for the latter's own use, unless an exception applies, such as when the disclosure is necessary to complete a transaction requested or authorized by the customer, or when the disclosure is to a service provider or joint marketer that agrees to protect the information and use it only for the purposes for which it was disclosed [1][2]. This requirement is intended to give customers more control over how their personal information is used and shared by financial institutions and to protect their privacy rights [1][2].
References: [1] Gramm-Leach-Bliley Act | Federal Trade Commission. [2] How To Comply with the Privacy of Consumer Financial Information Rule of the Gramm-Leach-Bliley Act | Federal Trade Commission.
NEW QUESTION # 108
If an organization certified under Privacy Shield wants to transfer personal data to a third party acting as an agent, the organization must ensure the third party does all of the following EXCEPT?
- A. Uses the transferred data for limited purposes
- B. Enters a contract with the organization that states the third party will process data according to the consent agreement
- C. Notifies the organization if it can no longer meet its requirements for proper data handling
- D. Provides the same level of privacy protection as the organization
Answer: B
Explanation:
According to the Privacy Shield Framework, an organization that transfers personal data to a third party acting as an agent must ensure that the agent does all of the following [1]:
* Uses the transferred data only for limited and specified purposes;
* Provides the same level of privacy protection as is required by the Privacy Shield Principles;
* Takes reasonable and appropriate steps to ensure that the agent effectively processes the personal information transferred in a manner consistent with the organization's obligations under the Principles;
* Requires the agent to notify the organization if it makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the Principles;
* Upon notice, takes reasonable and appropriate steps to stop and remediate unauthorized processing; and
* Provides a summary or a representative copy of the relevant privacy provisions of its contract with that agent to the Department of Commerce upon request.
Therefore, the only option that is not required by the Privacy Shield Framework is B. Enters a contract with the organization that states the third party will process data according to the consent agreement. While the organization must obtain the individual's consent for certain types of data transfers, such as those involving sensitive data or onward transfers to controllers, the organization does not have to include the consent agreement in the contract with the agent. The contract must, however, ensure that the agent will process the data in accordance with the individual's choices and expectations, as well as the Privacy Shield Principles [2].
References: [1] Privacy Shield Framework [3], Section 3 (b); [2] Privacy Shield Framework [3], Section 2 (b); [3] Privacy Shield Framework.
NEW QUESTION # 109
In 2014, Google was alleged to have violated the Family Educational Rights and Privacy Act (FERPA) through its Apps for Education suite of tools. For what specific practice did students sue the company?
- A. Scanning emails sent to and received by students
- B. Making student education records publicly available
- C. Disclosing education records without obtaining required consent
- D. Relying on verbal consent for a disclosure of education records
Answer: A
NEW QUESTION # 110
Smith Memorial Healthcare (SMH) is a hospital network headquartered in New York and operating in 7 other states. SMH uses an electronic medical record to enter and track information about its patients. Recently, SMH suffered a data breach where a third-party hacker was able to gain access to the SMH internal network.
Because it is a HIPAA-covered entity, SMH made a notification to the Office of Civil Rights at the U.S. Department of Health and Human Services about the breach.
Which statement accurately describes SMH's notification responsibilities?
- A. If SMH has more than 500 patients in the state of New York, it will need to make separate notifications to these patients.
- B. If SMH is compliant with HIPAA, it will not have to make a separate notification to individuals in the state of New York.
- C. If SMH makes credit monitoring available to individuals who inquire, it will not have to make a separate notification to individuals in the state of New York.
- D. If SMH must make a notification in any other state in which it operates, it must also make a notification to individuals in New York.
Answer: B
Explanation:
https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-new-york.html
NEW QUESTION # 111
Which statement is FALSE regarding the provisions of the Employee Polygraph Protection Act of 1988 (EPPA)?
- A. The EPPA requires that employers post essential information about the Act in a conspicuous location.
- B. Employers involved in the manufacture of controlled substances may terminate employees based on polygraph results if other evidence exists.
- C. Employers are prohibited from administering psychological testing based on personality traits such as honesty, preferences or habits.
- D. The EPPA includes an exception that allows polygraph tests in professions in which employee honesty is necessary for public safety.
Answer: C
Explanation:
Polygraphs (but not other lie detector tests) are permissible in certain circumstances. Under the EPPA, polygraph means an instrument that records continuously, visually, permanently, and simultaneously changes in cardiovascular, respiratory and electrodermal patterns as minimum instrumentation standards and is used to render a diagnostic opinion as to the *honesty or dishonesty* of an individual. https://www.dol.gov/agencies/whd/fact-sheets/36-eppa
NEW QUESTION # 112
SCENARIO
Please use the following to answer the next QUESTION:
Larry has become increasingly dissatisfied with his telemarketing position at SunriseLynx, and particularly with his supervisor, Evan. Just last week, he overheard Evan mocking the state's Do Not Call list, as well as the people on it. "If they were really serious about not being bothered," Evan said, "they'd be on the national DNC list. That's the only one we're required to follow. At SunriseLynx, we call until they ask us not to." Bizarrely, Evan requires telemarketers to keep records of recipients who ask them to call "another time." This, to Larry, is a clear indication that they don't want to be called at all. Evan doesn't see it that way.
Larry believes that Evan's arrogance also affects the way he treats employees. The U.S. Constitution protects American workers, and Larry believes that the rights of those at SunriseLynx are violated regularly. At first Evan seemed friendly, even connecting with employees on social media. However, following Evan's political posts, it became clear to Larry that employees with similar affiliations were the only ones offered promotions.
Further, Larry occasionally has packages containing personal-use items mailed to work. Several times, these have come to him already opened, even though his name was clearly marked. Larry thinks the opening of personal mail is common at SunriseLynx, and that Fourth Amendment rights are being trampled under Evan's leadership.
Larry has also been dismayed to overhear discussions about his coworker, Sadie. Telemarketing calls are regularly recorded for quality assurance, and although Sadie is always professional during business, her personal conversations sometimes contain sexual comments. This too is something Larry has heard Evan laughing about. When he mentioned this to a coworker, his concern was met with a shrug. It was the coworker's belief that employees agreed to be monitored when they signed on. Although personal devices are left alone, phone calls, emails and browsing histories are all subject to surveillance. In fact, Larry knows of one case in which an employee was fired after an undercover investigation by an outside firm turned up evidence of misconduct. Although the employee may have stolen from the company, Evan could have simply contacted the authorities when he first suspected something amiss.
Larry wants to take action, but is uncertain how to proceed.
Based on the way he uses social media, Evan is susceptible to a lawsuit based on?
- A. Defamation
- B. Publicity given to private life
- C. Discrimination
- D. Intrusion upon seclusion
Answer: C
Explanation:
Discrimination is the unfair or prejudicial treatment of people based on certain characteristics, such as race, gender, age, religion, or political affiliation. Discrimination can occur in various contexts, such as employment, education, housing, or public accommodations. Discrimination can violate federal, state, or local laws that prohibit discrimination on the basis of protected categories. In the scenario, Evan is susceptible to a lawsuit based on discrimination because he uses social media to favor employees who share his political views and deny promotions to those who do not. This could constitute political discrimination, which is prohibited by some state and local laws, such as the District of Columbia Human Rights Act and the New York City Human Rights Law. Additionally, Evan's use of social media could reveal other protected characteristics of his employees, such as their race, gender, age, religion, or sexual orientation, and expose him to claims of discrimination based on those grounds as well. For example, if Evan posts derogatory comments about a certain race or religion, and then denies a promotion to an employee of that race or religion, that employee could sue Evan for discrimination under federal laws, such as Title VII of the Civil Rights Act of 1964 or the Civil Rights Act of 1991. References:
* Political Discrimination in the Workplace | Nolo
* Social Media and Employment Law Summary of Key Cases and Legal Issues
* IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 4: State Privacy Laws and Regulations, Section 4.1: State Anti-Discrimination Laws.
NEW QUESTION # 113
If an organization maintains data classified as high sensitivity in the same system as data classified as low sensitivity, which of the following is the most likely outcome?
- A. The organization will still be in compliance with most sector-specific privacy and security laws.
- B. Temporary employees will be able to find the data necessary to fulfill their responsibilities.
- C. The impact of an organizational data breach will be more severe than if the data had been segregated.
- D. The organization will be able to address legal discovery requests efficiently without producing more information than necessary.
Answer: C
Explanation:
Data classification is the process of categorizing data based on its sensitivity and importance to determine its level of confidentiality and protection. Data classification helps organizations apply appropriate security and compliance measures to ensure each category receives proper protection [1]. Data classification also helps organizations identify which data is subject to specific privacy laws and regulations, such as the GDPR, HIPAA, or CCPA, and how to handle data subject requests, data breaches, or legal discovery [2]. If an organization maintains data classified as high sensitivity, such as personal information, financial information, or health information, in the same system as data classified as low sensitivity, such as public information or internal information, it increases the risk of exposing the high sensitivity data in the event of a data breach. A data breach can result in legal consequences, reputational damage, and loss of trust from customers and stakeholders. Therefore, it is advisable to segregate data based on its classification and apply different levels of encryption, access control, and monitoring to each category [3]. This way, the organization can minimize the impact of a data breach and protect the privacy and security of its data assets. References:
* Why Is Data Classification Important?
* Data Classification for GDPR Explained
* Data classification and privacy considerations
NEW QUESTION # 114
What was the original purpose of the Foreign Intelligence Surveillance Act?
- A. To further clarify a reasonable expectation of privacy stemming from the Katz v. United States decision.
- B. To further define what information can reasonably be under surveillance in public places under the USA PATRIOT Act, such as Internet access in public libraries.
- C. To further clarify when a warrant is not required for a wiretap performed internally by the telephone company outside the suspect's home, stemming from the Olmstead v. United States decision.
- D. To further define a framework for authorizing wiretaps by the executive branch for national security purposes under Article II of the Constitution.
Answer: D
NEW QUESTION # 116
......
Verified CIPP-US dumps Q&As - Pass Guarantee Exam Dumps Test Engine: https://www.examcollectionpass.com/IAPP/CIPP-US-practice-exam-dumps.html
CIPP-US Dumps for Pass Guaranteed - Pass CIPP-US Exam: https://drive.google.com/open?id=1hJ78Fu_4zfXpR8yBCq_44ZnJScPjEOZe