An IAPP Publication
v 3.4a
The CIPP/US Sample Questions and references are for the use of the
original purchaser only and may not be reproduced in any manner.
CIPP, CIPP/US, CIPP/C, CIPP/E, CIPP/G, CIPM and CIPT are registered trademarks of
the International Association of Privacy Professionals, Inc. registered in the U.S. CIPP,
CIPP/E, CIPM and CIPT are also registered in the EU as Community Trademarks (CTM).
The IAPP CIPP/US Sample Questions are designed to support your preparation
for the CIPP/US certification exam. Developed using IAPP study resources, the
sample questions can help identify your relative strengths and weaknesses in
the major domains of the CIPP/US Body of Knowledge.
All items on the IAPP CIPP/US Sample Questions were reviewed for accuracy at the time of publication and may therefore contain information that has since become out of date.
5. For each correct response, write a “1” in the corresponding domain column of the Answer Key.
7. To compare how you did in each domain, calculate your scores as a percent:
a) Divide the number of correct answers by the total number of questions in that domain
b) Multiply that number by 100
8. Consult the References for detailed explanations of each answer and links to additional study material.
CIPP/US Sample Questions
1. Which is the best description of the U.S. legal concept of "preemption"?
A. States are prevented by federal law from passing any laws that regulate financial privacy.
B. The superior government has the right to supersede the lesser government’s laws. The lesser government cannot pass a law that is inconsistent with the superior government’s law.
C. State laws supersede federal law in certain areas such as marketing.
D. The EU General Data Protection Regulation (GDPR) takes precedence over U.S. law, federal or state.

2. What is one reason consent decrees are posted publicly on the FTC website?
A. to announce the amount of civil penalties the FTC levies
B. to prove that companies have complied with FTC rulings
C. to punish companies that violate FTC rulings
D. to provide guidance about what practices the FTC finds inappropriate

3. Which of the following is considered an acceptable method for U.S.-based multinational transportation companies to achieve compliance with the EU General Data Protection Regulation?
A. global consent
B. transparency
C. binding corporate rules
D. disclosure

4. Which statement is true regarding transfers of personal information to locations outside of the U.S.?
A. U.S. laws generally do not restrict geographic transfers of personal information.
B. U.S. data exporters are not liable for any inappropriate uses of the personal information.
C. U.S. data exports are immune from legal enforcement if handled by service providers.
D. U.S. laws have "reciprocity" arrangements with most national data protection laws.

5. What is the primary basis of common law?
A. statutes enacted by legislative bodies.
B. legal precedent and social customs.
C. laws guaranteed by the Constitution of the United States of America.
D. regulations that are promulgated by state and federal agencies.

6. What should a U.S.-based organization do before it shares personal information with a U.S.-based third party?
A. convert personal data from opt-out to opt-in
B. have a Standard Model Clause in place
C. assure appropriate privacy terms and conditions are included in a contract with the third party
D. perform a test of the vendor's disaster recovery / business contingency plan

7. What is the role of a U.S.-based software-as-a-service provider that stores employee personal data for a global company headquartered in the U.S. with subsidiaries in the EU?
A. data controller
B. data owner
C. data processor
D. data subject

8. Which federal agency has specific statutory responsibility for issues such as children's privacy online and commercial email marketing?
A. Securities and Exchange Commission
B. Consumer Financial Protection Bureau
C. Department of Justice
D. Federal Trade Commission

9. Under the Children's Online Privacy Protection Act, which is an accepted means for an organization to validate parental consent when it intends to disclose a child's information to a third party?

11. Which of the following examples best illustrates the concept of "consumer report" for pre-employment screening as defined under the U.S. Fair Credit Reporting Act?

A. student records
B. intellectual property
C. Social Security numbers
D. street addresses

A. a confidentiality provision
B. periodic audits
C. a ban on the use of subcontractors
D. upgrades in technology

END OF SAMPLE QUESTIONS
References
1. The correct answer is B: [States are prevented by federal law from enforcing laws that
impose different or stricter laws in the same area.]
Article VI, Section 2, of the U.S. Constitution provides that the "…Constitution, and the
Laws of the United States … shall be the supreme Law of the Land." This Supremacy
Clause has come to mean that the national government, in exercising any of the powers
enumerated in the Constitution, must prevail over any conflicting or inconsistent state
exercise of power. The federal preemption doctrine is a judicial response to the conflict
between federal and state legislation. When it is clearly established that a federal law
preempts a state law, the state law must be declared invalid. Also, a doctrine of state law
that holds that a state law displaces a local law or regulation that is in the same field and
is in conflict or inconsistent with the state law. West's Encyclopedia of American Law,
edition 2. Copyright 2008 The Gale Group, Inc.
2. The correct answer is D: [To provide guidance about what practices the FTC finds
inappropriate.]
FTC privacy enforcement actions have been settled through consent decrees and
accompanying consent orders. Consent decrees are posted publicly on the FTC website,
and the details of these decrees provide guidance about what practices the FTC finds
inappropriate.
4. The correct answer is A: [U.S. laws generally do not restrict geographic transfer of
personal information.]
This stands in contrast to the restrictions imposed by Chapter V of the EU General Data
Protection Regulation (GDPR), which states, in part, “Any transfer of personal data which
are undergoing processing or are intended for processing after transfer to a third country
or to an international organisation shall take place only if, subject to the other provisions
of this Regulation, the conditions laid down in this Chapter are complied with by the
controller and processor, including for onward transfers of personal data from the third
country or an international organisation to another third country or to another
international organization...” GDPR Chapter V then outlines specific data transfer
mechanisms, including “an adequacy decision,” “appropriate safeguards,” “binding
corporate rules,” and “derogations.”
5. The correct answer is B: [Legal precedent and social custom.]
In the absence of statutes, common law has long drawn on precedent to provide special
privilege rules such as attorney-client privilege and doctor-patient confidentiality.
6. The correct answer is C: [Assure appropriate privacy terms and conditions are included in
a contract with the third party.]
This question involves data transfers within the U.S., so no special restrictions apply other
than those imposed on certain sectors, such as healthcare or financial services. As a matter of best
practices, however, an organization should apply due diligence to ensure that a third
party treats personal information with at least the same protections as the originating
organization. A contract with appropriate privacy terms and conditions is a good way to
assure such is the case.
• provide a form for the parent to print, fill out, sign, and mail or fax back to you (the
“print-and-send” method);
• require the parent to use a credit card in connection with a transaction (which could
consist of a membership or subscription fee, a purchase, or a charge to cover the cost
of processing the credit card);
• maintain a toll-free telephone number staffed by trained personnel for parents to call
in their consent; or
• obtain consent through an email from the parent, if that email contains a digital
signature, or other digital certificate that uses public key technology obtained through
one of the above methods. http://www.ftc.gov/privacy/coppafaqs.shtm#consent
11. The correct answer is B: [Driving history obtained from an information aggregator.]
Under the Fair Credit Reporting Act (FCRA), users must have a permissible purpose in
order to obtain an individual’s credit report. Among these permissible purposes is the
determination of a consumer’s eligibility for a license. Library records, purchase
transactions and academic records do not represent a permissible purpose.
12. The correct answer is A: [Financial institutions can share customer information with non-
affiliated third-party companies without obtaining an opt-in from the customer.]
GLBA does not preempt stricter state laws. The Department of Commerce has no role in
enforcing GLBA privacy rules. While financial institutions are prohibited from disclosing
consumer account numbers to nonaffiliated companies even if the consumer has not opted
out of sharing information, other information can be shared without obtaining an opt in,
such as information shared with outside companies that provide essential services like data
processing.
13. The correct answer is A: [That they develop and implement methods of detecting identity
theft.]
Section 114 of the Fair and Accurate Credit Transactions Act of 2003 (FACTA) requires
regulators to develop a set of rules to mandate the detection, prevention and mitigation
of identity theft. http://www.ftc.gov/os/fedreg/2007/november/071109redflags.pdf
14. The correct answer is D: [The U.S. Communications Assistance to Law Enforcement Act.]
CALEA is also known as the Digital Telephony Bill.
15. The correct answer is D: [The financial records are reasonably described.]
The Right to Financial Privacy Act of 1978 (RFPA) states that “no Government authority
may have access to or obtain copies of, or the information contained in the financial
records of any customer from a financial institution unless the financial records are
reasonably described” and meet at least one additional condition. Options B-D are three
of these five conditions and are not absolutely required.
17. The correct answer is D: [An organization receiving an NSL may disclose the request to an
attorney for legal assistance.]
NSL recipients may disclose the request to those necessary to comply with the request and
to an attorney for legal assistance. NSLs can be issued by authorized officials, often the
special agent in charge of an FBI field office, and require no judicial authorization. The
number of NSLs issued has increased in recent years. Under the 2006 amendments to the
USA Patriot Act, recipients can petition a federal court to modify or set aside an NSL if
compliance would be unreasonable or oppressive.
20. The correct answer is B: [Legal authorization of some new surveillance practices.]
FISA gave legal authorization to new surveillance practices, including when one party is
reasonably believed to be outside of the United States. It also granted immunity to the
telephone companies so they would not be liable for the records they had provided to the
government in the wake of September 11. The new rules required more reporting from
the government to Congress and put limits on some of the secrecy about NSLs and other
government requests for records in the national security realm. FISA itself expressly
authorized foreign intelligence wiretaps and put checks and balances on the
Administration. Neither FISA nor its amendments authorized access to stored
communications without judicial authorization.
21. The correct answer is D: [Obtain applicant’s written consent and provide applicant with a
copy of the credit report before taking an adverse action.]
To obtain any consumer report under FCRA, an employer must meet the following
standards: (1) provide written notice to the applicant that it is obtaining a consumer
report for employment purposes and indicate if an investigative consumer report will be
obtained; (2) obtain written consent from the applicant; (3) obtain data only from a
qualified consumer reporting agency that has taken steps to assure the accuracy and
currency of the data; (4) certify to the consumer reporting agency that the employer has
a permissible purpose and has obtained consent from the employee; (5) before taking an
adverse action, provide a pre-adverse action notice to the applicant with a copy of the
consumer report in order to give the applicant an opportunity to dispute the report and
(6) after taking adverse action, provide an adverse action notice.
22. The correct answer is A: [Test marketing the company’s new products.]
Determining legal standing or citizen status, retirement planning and group insurance
underwriting all constitute legitimate organizational activities in the course of doing
business or managing employees. Sharing employee records with a third party for the
purpose of test marketing the company’s products, however, would be an inappropriate
disclosure of the employee’s personal information.
23. The correct answer is C: [Questions on whether an applicant has applied for or received
worker’s compensation.]
A number of U.S. federal laws prohibit discrimination in employment and place limits on
the information an employer is entitled to ascertain in the screening process. Generally
speaking, questions that specifically relate to a candidate’s ability to perform the job for
which he or she has applied are allowable, such as medical conditions, disabilities and
physical characteristics and anticipated absences. Questions about past worker’s
compensation applications, however, are specifically prohibited by the Americans with
Disabilities Act (ADA).
25. The correct answer is D: [Asking employees to sign the privacy policy immediately before
conducting the exit interview.]
Employers have the right to terminate a former employee’s access to the physical and
informational assets of the organization. In the case of a terminated employee, it is
reasonable to require the individual, under observation, to remove only personal effects
and to remove the individual’s access right to personal information held by the
organization. When an employee signed a non-disclosure agreement at the time of
employment, it is also appropriate to remind a terminated employee of that agreement.
The time to ask employees to sign a privacy policy, however, is not upon termination but
upon employment or at the time an employee first has access to personal information
stored by the organization.
26. The correct answer is C: [The display of Social Security numbers on identification cards.]
While the disclosure of biometric data may be restricted by law, this is a privacy issue,
not a security one. Similarly, the FTC Telemarketing Sales Rule (TSR) restricts the hours
that organizations may make telemarketing calls, but that is not a security issue. The
collection of Social Security numbers in hiring is permissible as long as there is a
legitimate purpose and the data is secured. On the other hand, Social Security numbers
are widely considered to be personal information and should not therefore be displayed
publicly, such as on an identification card. The practice is specifically prohibited by
privacy laws in many states.
27. The correct answer is D: [A brief description of the incident, the type of information
involved, and a toll-free number for answers to questions.]
Most states do not specify what must be included in the notification letter. Privacy
professionals residing in states that do not provide guidance should use the guidelines of
states that do.
28. The correct answer is B: [Monitoring is limited to “non-private” areas of the workplace.]
Many states have specific laws prohibiting workplace video monitoring of private places
such as restrooms and locker rooms. Even in the absence of a statute, employees may be
able to bring a common-law tort claim for invasion of privacy, especially where a jury
would find the use of the camera to be offensive. Monitoring of private areas in the
workplace would be unlikely to survive a legal challenge.
Answer Sheet (this page may be reproduced)

 1 A B C D     6 A B C D    11 A B C D    16 A B C D
 2 A B C D     7 A B C D    12 A B C D    17 A B C D
 3 A B C D     8 A B C D    13 A B C D    18 A B C D
 4 A B C D     9 A B C D    14 A B C D    19 A B C D
 5 A B C D    10 A B C D    15 A B C D    20 A B C D
21 A B C D    26 A B C D
22 A B C D    27 A B C D
23 A B C D    28 A B C D
24 A B C D    29 A B C D
25 A B C D    30 A B C D
Answer Key (this page may be reproduced)

Domain columns (write a “1” next to each correct response under its domain):
Introduction to the U.S. Privacy Environment; Limits on Private-sector Collection and Use of Data; Government and Court Access to Private-sector Information; Workplace Privacy; State Privacy Laws

Item Number   Correct Answer
 1            B
 2            D
 3            C
 4            A
 5            B
 6            C
 7            C
 8            D
 9            B
10            C
11            B
12            A
13            A
14            D
15            D
16            C
17            D
18            A
19            C
20            B
21            D
22            A
23            C
24            C
25            D
26            C
27            D
28            B
29            C
30            A