
CIPP/US Sample Questions

An IAPP Publication
v 3.4a
The CIPP/US Sample Questions and references are for the use of the
original purchaser only and may not be reproduced in any manner.

CIPP, CIPP/US, CIPP/C, CIPP/E, CIPP/G, CIPM and CIPT are registered trademarks of
the International Association of Privacy Professionals, Inc. registered in the U.S. CIPP,
CIPP/E, CIPM and CIPT are also registered in the EU as Community Trademarks (CTM).

© 2020 by the International Association of Privacy Professionals (IAPP). All rights
reserved. No part of this publication may be reproduced, stored in a retrieval system
or transmitted in any form or by any means, mechanical, photocopying, recording or
otherwise, without the prior, written permission of the publisher, International
Association of Privacy Professionals, Pease International Tradeport, 75 Rochester Ave.,
Portsmouth, NH 03801 United States of America.

About the IAPP CIPP/US Sample Questions

The IAPP CIPP/US Sample Questions are designed to support your preparation
for the CIPP/US certification exam. Developed using IAPP study resources, the
sample questions can help identify your relative strengths and weaknesses in
the major domains of the CIPP/US Body of Knowledge.

All items on the IAPP CIPP/US Sample Questions were reviewed for accuracy at
the time of publication and may therefore contain information that is
out-of-date.

The IAPP CIPP/US Sample Questions were developed independently of the
CIPP/US certification exam and are not intended to represent actual CIPP/US
certification exam content.

Your performance on the IAPP CIPP/US Sample Questions is not a predictor
of your performance on the CIPP/US certification exam.

Do you have questions or comments?

Please contact us at training@iapp.org.


Instructions

1. Remove a copy of the Answer Sheet.

2. To simulate a timed test, set a timer for 45 minutes.

3. Complete the test without referring to the Answer Key or References.

4. Check your answers against the Answer Key.

5. For each correct response, write a “1” in the corresponding domain column
of the Answer Key.

6. Add up the number of correct answers under each domain column.

7. To compare how you did in each domain, calculate your scores as a percent:
a) Divide the number of correct answers by the total number of
questions in that domain
b) Multiply that number by 100

8. Consult the References for detailed explanations of each answer and links
to additional study material.
CIPP/US Sample Questions
1. Which is the best description of the U.S. legal concept of "preemption"?

A. States are prevented by federal law from passing any laws that regulate financial privacy.
B. The superior government has the right to supersede the lesser government’s laws. The lesser government cannot pass a law that is inconsistent with the superior government’s law.
C. State laws supersede federal law in certain areas such as marketing.
D. The EU General Data Protection Regulation (GDPR) takes precedence over U.S. law, federal or state.

2. What is one reason consent decrees are posted publicly on the FTC website?

A. to announce the amount of civil penalties the FTC levies
B. to prove that companies have complied with FTC rulings
C. to punish companies that violate FTC rulings
D. to provide guidance about what practices the FTC finds inappropriate

3. Which of the following is considered an acceptable method for U.S.-based multinational transportation companies to achieve compliance with the EU General Data Protection Regulation?

A. global consent
B. transparency
C. binding corporate rules
D. disclosure

4. Which statement is true regarding transfers of personal information to locations outside of the U.S.?

A. U.S. laws generally do not restrict geographic transfers of personal information.
B. U.S. data exporters are not liable for any inappropriate uses of the personal information.
C. U.S. data exports are immune from legal enforcement if handled by service providers.
D. U.S. laws have "reciprocity" arrangements with most national data protection laws.

5. What is the primary basis of common law?

A. statutes enacted by legislative bodies.
B. legal precedent and social customs.
C. laws guaranteed by the Constitution of the United States of America.
D. regulations that are promulgated by state and federal agencies.

6. What should a U.S.-based organization do before it shares personal information with a U.S.-based third party?

A. convert personal data from opt-out to opt-in
B. have a Standard Model Clause in place
C. assure appropriate privacy terms and conditions are included in a contract with the third party
D. perform a test of the vendor's disaster recovery / business contingency plan

7. What is the role of a U.S.-based software-as-a-service provider that stores employee personal data for a global company headquartered in the U.S. with subsidiaries in the EU?

A. data controller
B. data owner
C. data processor
D. data subject

8. Which federal agency has specific statutory responsibility for issues such as children's privacy online and commercial email marketing?

A. Securities and Exchange Commission
B. Consumer Financial Protection Bureau
C. Department of Justice
D. Federal Trade Commission

9. Under the Children's Online Privacy Protection Act, which is an accepted means for an organization to validate parental consent when it intends to disclose a child's information to a third party?

A. Email a consent form. The parent can provide consent by responding to the email.
B. Email a consent form. The parent can provide consent by signing and mailing back the form.
C. Request in an email that the parent consent by reply email and also provide email, phone number, or fax.
D. Email a consent form to the parent allowing 30 days to object to the data disclosure.

10. In addition to the Security Rule, what other rule was promulgated by Health and Human Services and mandated by the Health Insurance Portability and Accountability Act?

A. Operations Rule
B. Transaction Rule
C. Privacy Rule
D. Disclosure Rule

11. Which of the following examples best illustrates the concept of "consumer report" for pre-employment screening as defined under the U.S. Fair Credit Reporting Act?

A. library records released by a municipal body
B. driving history obtained from an information aggregator
C. academic records obtained from an accredited university
D. purchase transactions obtained from an online retailer

12. Which of the statements about the requirements for privacy under the U.S. Gramm-Leach-Bliley Act (GLBA) is true?

A. Financial institutions can share customer information with non-affiliated third-party companies without obtaining an opt-in from the customer.
B. GLBA privacy rules are overseen by many regulatory organizations such as the Department of Commerce.
C. GLBA retains the legislative power to preempt any financial services laws as currently enforced by U.S. states.
D. U.S.-based financial institutions may not share any information with companies that are affiliated with financial institutions.

13. What does the "red flags rule" require of financial institutions?

A. They must develop and implement methods of detecting identity theft.
B. They must identify who might be a poor credit risk for new mortgages, such as sub-prime lending.
C. They must determine whether their corporate databases have been breached and react according to data breach regulations.
D. They must locate unencrypted transmissions of their customer's financial data.

14. The "Digital Telephony Bill" is another name for which legislation?

A. Electronic Communications Privacy Act
B. Stored Communications Act
C. Telecommunications Act
D. U.S. Communications Assistance to Law Enforcement Act

15. Which condition must be met to satisfy the Right to Financial Privacy Act requirements for disclosure of individual records by financial institutions?

A. The customer authorizes access.
B. There is a qualified search warrant.
C. There is an appropriate judicial subpoena.
D. The financial records are reasonably described.

16. Which U.S. state requires daily electronic notice in order for an employer to monitor or intercept electronic mail?

A. New Hampshire
B. Alaska
C. Delaware
D. Connecticut

17. Under the USA PATRIOT Act and its amendments, which statement is correct concerning National Security Letters (NSL)?

A. NSL recipients must fulfill the request, even if compliance is oppressive.
B. New restrictions reduced the number of NSLs issued.
C. Issuance of an NSL requires judicial authorization.
D. An organization receiving an NSL may disclose the request to an attorney for legal assistance.

18. Which investigative tactic requires a probable cause and other requirements, such as exhausting alternative means of acquiring the evidence?

A. telephone wiretap
B. access to store emails
C. pen register order
D. traditional search warrant

19. Based on Aerospaciale v. S.D. of Iowa, which is NOT a factor American courts will use to reconcile a conflict between U.S. and foreign law regarding electronic discovery requests?

A. specificity of the request
B. whether the information originated in the U.S.
C. whether counsel for both parties are based in the U.S.
D. availability of alternative means of acquiring the information

20. What changes did the FISA Amendments Act of 2008 make to the original Foreign Intelligence Surveillance Act of 1978?

A. express authorization of foreign intelligence wiretaps
B. legal authorization of some new surveillance practices
C. a series of checks and balances on the president and attorney general
D. access to stored communication records without judicial authorization

21. Which two actions are required under the Fair Credit Reporting Act in order for an employer to obtain a consumer report on a job applicant?

A. provide notice to applicant after taking adverse action and provide the applicant with a method to appeal the decision
B. obtain data only from a qualified credit reporting agency and certify that the agency has administrative, technical and physical safeguards in place
C. certify to the credit reporting agency that the employer has a permissible purpose and provide a written consent from the employer
D. obtain applicant's written consent and provide applicant with a copy of the credit report before taking an adverse action

22. All of the following are considered acceptable reasons for sharing records of U.S. employees with third parties without obtaining the consent of the employees except:

A. test marketing the company's new products
B. determining legal standing or citizen status
C. retirement planning
D. group insurance underwriting

23. All of the following are considered acceptable lines of questioning by U.S. employers to applicants in the pre-employment process except:

A. questions about the applicant's duration of stay on the job or any anticipated absences
B. questions regarding any medical conditions or disabilities that would inhibit the performance of the job function
C. questions on whether an applicant has applied for or received worker's compensation
D. questions about the applicant's height or weight as this relates to a specific job function

24. In terms of U.S. employees' workplace privacy rights, all of the following are acceptable monitoring techniques available to employers except:

A. internet access and usage
B. badge cards and ID readers
C. secret surveillance
D. closed-circuit television

25. All of the following are valid privacy protection procedures when terminating an employee who has access to sensitive personal information except:

A. removing the employee's access rights to sensitive personal information before escorting the employee from the premises
B. reminding the employee of a non-disclosure agreement signed at the time of employment
C. demanding that the employee not remove paper and electronic files, and only remove personal effects under direct observation
D. asking the employee to sign the privacy policy immediately before conducting the exit interview

26. Security laws in U.S. states often restrict:

A. the collection of Social Security numbers via paper employment applications
B. the business hours during which organizations are allowed to make telemarketing calls
C. the display of Social Security numbers on identification cards
D. the disclosure of biometric records to law enforcement agencies

27. For those states that have security breach notification requirements, what general information must the breach-of-personally-identifiable-information notification letter to the individual include?

A. name of the affected individual, brief description of the incident, date the incident occurred, and the number for a credit monitoring service
B. name and Social Security number of the affected individual, full description of the incident, date the incident occurred, and the number for a credit monitoring service
C. name, Social Security number and address of the affected individual, full description of the incident, and a toll-free number for answers to questions
D. brief description of the incident, type of information involved, and a toll-free number for answers to questions

28. The act of video monitoring the workplace is likely to survive a legal challenge under U.S. law provided that:

A. the videotaping is proportional to the organization's need for surveillance
B. monitoring is limited to "non-private" areas of the workplace
C. complete video archives are kept by the employer and not edited or altered
D. each employee signs an agreement that consents to the surveillance

29. The loss of names and what other data point would require an employer to notify affected individuals?

A. student records
B. intellectual property
C. Social Security numbers
D. street addresses

30. If a company located in Massachusetts maintains all of its employees' personal information in a hosted online database in Florida, what must the third-party service provider agree to?

A. a confidentiality provision
B. periodic audits
C. a ban on the use of subcontractors
D. upgrades in technology

END OF SAMPLE QUESTIONS

References

1. The correct answer is B: [States are prevented by federal law from enforcing laws that
impose different or stricter laws in the same area.]
Article VI, Section 2, of the U.S. Constitution provides that the "…Constitution, and the
Laws of the United States … shall be the supreme Law of the Land." This Supremacy
Clause has come to mean that the national government, in exercising any of the powers
enumerated in the Constitution, must prevail over any conflicting or inconsistent state
exercise of power. The federal preemption doctrine is a judicial response to the conflict
between federal and state legislation. When it is clearly established that a federal law
preempts a state law, the state law must be declared invalid. Also, a doctrine of state law
that holds that a state law displaces a local law or regulation that is in the same field and
is in conflict or inconsistent with the state law. West's Encyclopedia of American Law,
edition 2. Copyright 2008 The Gale Group, Inc.

2. The correct answer is D: [To provide guidance about what practices the FTC finds
inappropriate.]
FTC privacy enforcement actions have been settled through consent decrees and
accompanying consent orders. Consent decrees are posted publicly on the FTC website,
and the details of these decrees provide guidance about what practices the FTC finds
inappropriate.

3. The correct answer is C: [Binding corporate rules.]
Binding corporate rules (BCRs) are data protection policies adhered to by companies
established in the EU. They are one method through which organizations can transfer data
to non-EU member states under the GDPR. Supervisory authorities participate in the
review and approval process of BCRs.

4. The correct answer is A: [U.S. laws generally do not restrict geographic transfer of
personal information.]
This stands in contrast to the restrictions imposed by Chapter V of the EU General Data
Protection Regulation (GDPR), which states, in part, “Any transfer of personal data which
are undergoing processing or are intended for processing after transfer to a third country
or to an international organisation shall take place only if, subject to the other provisions
of this Regulation, the conditions laid down in this Chapter are complied with by the
controller and processor, including for onward transfers of personal data from the third
country or an international organisation to another third country or to another
international organization...” GDPR Chapter V then outlines specific data transfer
mechanisms, including “an adequacy decision,” “appropriate safeguards,” “binding
corporate rules,” and “derogations.”

5. The correct answer is B: [Legal precedent and social custom.]
In the absence of statutes, common law has long drawn on precedent to provide special
privilege rules such as attorney-client privilege and doctor-patient confidentiality.

6. The correct answer is C: [Assure appropriate privacy terms and conditions are included in
a contract with the third party.]
This question involves data transfers within the U.S., so no special restrictions apply other
than those imposed on certain sectors, such as healthcare or financial. As a matter of best
practices, however, an organization should apply due diligence to ensure that a third
party treats personal information with at least the same protections as the originating
organization. A contract with appropriate privacy terms and conditions is a good way to
assure such is the case.

7. The correct answer is C: [Data processor.]
The terms “data subject,” “data processor” and “data controller” originated in the EU
Data Protection Directive and are not universally used in the U.S. A data subject is an
individual about whom information is being processed. A data controller is an organization
or individual with the authority to decide how and why information about data subjects is
to be processed. A data processor is an organization or individual that processes data on
behalf of the data controller. In the question then, the U.S. SaaS provider is processing
data on behalf of the data controller, so it is a data processor.

8. The correct answer is D: [Federal Trade Commission.]
In addition to its general authority to enforce “unfair and deceptive trade practices,” the
Federal Trade Commission (FTC) has been legislatively charged with enforcing specific
privacy-related laws. COPPA required the FTC to issue and enforce a rule concerning
children’s online privacy, which the Commission did in 1999. The Children’s Online Privacy
Protection Rule, 16 C.F.R. Part 312, became effective on April 21, 2000. CAN-SPAM
authorized the FTC to enforce the CAN-SPAM Act, and the Commission subsequently issued
the “Telemarketing Sales Rule” (TSR). Between these actions and many others, including
consent decrees, the FTC has indeed played a prominent role in the development of U.S.
privacy standards. See also web-based information sources, such as
http://www.ftc.gov/privacy/coppafaqs.shtm

9. The correct answer is B: [E-mail a consent form and the parent can provide consent by
signing and mailing back the form.]
According to the FTC website, if a website operator is going to disclose children’s personal
information to third parties…then it must use one of the more reliable methods to obtain
verifiable parental consent enumerated in the rule:

• provide a form for the parent to print, fill out, sign, and mail or fax back to you (the
“print-and-send” method);
• require the parent to use a credit card in connection with a transaction (which could
consist of a membership or subscription fee, a purchase, or a charge to cover the cost
of processing the credit card).
• maintain a toll-free telephone number staffed by trained personnel for parents to call
in their consent; or
• obtain consent through an email from the parent, if that email contains a digital
signature, or other digital certificate that uses public key technology obtained through
one of the above methods. http://www.ftc.gov/privacy/coppafaqs.shtm#consent

10. The correct answer is C: [The Privacy Rule.]
HIPAA required the Department of Health and Human Services (HHS) to promulgate
regulations to protect the privacy and security of healthcare information, and HHS issued
the Privacy Rule in December 2000 (revised in 2002) and the Security Rule in February
2003. HHS also promulgated the Transactions Rule, but this related not to privacy or data
security but to standard electronic formats to fulfill another important reason for the
legislation—to improve the efficiency of healthcare delivery. There is no “operations rule”
under HIPAA.

11. The correct answer is B: [Driving history obtained from an information aggregator.]
Under the Fair Credit Reporting Act (FCRA), users must have a permissible purpose in
order to obtain an individual’s credit report. Among these permissible purposes is the
determination of a consumer’s eligibility for a license. Library records, purchase
transactions and academic records do not represent a permissible purpose.

12. The correct answer is A: [Financial institutions can share customer information with non-
affiliated third-party companies without obtaining an opt-in from the customer.]
GLBA does not preempt stricter state laws. The Department of Commerce has no role in
enforcing GLBA privacy rules. While financial institutions are prohibited from disclosing
consumer account numbers to nonaffiliated companies even if the consumer has not opted
out of sharing information, other information can be shared without obtaining an opt in,
such as information shared with outside companies that provide essential services like data
processing.

13. The correct answer is A: [That they develop and implement methods of detecting identity
theft.]
Section 114 of the Fair and Accurate Credit Transactions Act of 2003 (FACTA) requires
regulators to develop a set of rules to mandate the detection, prevention and mitigation
of identity theft. http://www.ftc.gov/os/fedreg/2007/november/071109redflags.pdf

14. The correct answer is D: [The U.S. Communications Assistance to Law Enforcement Act.]
CALEA is also known as the Digital Telephony Bill.

15. The correct answer is D: [The financial records are reasonably described.]
The Right to Financial Privacy Act of 1978 (RFPA) states that “no Government authority
may have access to or obtain copies of, or the information contained in the financial
records of any customer from a financial institution unless the financial records are
reasonably described” and meet at least one additional condition. Options B-D are three
of these five conditions and are not absolutely required.

16. The correct answer is C: [Delaware.]
Delaware Code, Section 705: Notice of monitoring of telephone transmissions, electronic
mail and internet usage states: “No employer, nor any agent or any representative of any
employer, shall monitor or otherwise intercept any telephone conversation or
transmission, electronic mail or transmission, or Internet access or usage of or by a
Delaware employee unless the employer…(p)rovides an electronic notice of such
monitoring or intercepting policies or activities to the employee at least once during each
day the employee accesses the employer-provided e-mail or Internet access services.”
http://codes.lp.findlaw.com/decode/19/7/I/705

17. The correct answer is D: [An organization receiving an NSL may disclose the request to an
attorney for legal assistance.]
NSL recipients may disclose the request to those necessary to comply with the request and
to an attorney for legal assistance. NSLs can be issued by authorized officials, often the
special agent in charge of an FBI field office, and require no judicial authorization. The
number of NSLs issued has increased in recent years. Under the 2006 amendments to the
USA Patriot Act, recipients can petition a federal court to modify or set aside an NSL if
compliance would be unreasonable or oppressive.

18. The answer is A: [A telephone wiretap.]
A telephone wiretap requires a probable cause and other requirements, such as the
exhaustion of alternative means of acquiring the evidence. The Supreme Court has held
that police need warrants to use telephone wiretaps, but that police do not need warrants
to obtain information from a third party, such as from the telephone company. There may
be changes in the near future to the third party exception because of increased
technologies.

19. The correct answer is C: [Whether counsel for both parties are based in the United
States.]
The factors an American court will use to reconcile trans-border eDiscovery conflicts are
(1) the importance of the documents or data to the litigation at hand, (2) the specificity
of the request, (3) whether the information originated in the United States, (4) the
availability of alternative means of securing the information and (5) the extent to which
the important interests of the United States and the foreign state would be undermined
by an adverse ruling. The location of opposing counsel is irrelevant.

20. The correct answer is B: [Legal authorization of some new surveillance practices.]
FISA gave legal authorization to new surveillance practices, including when one party is
reasonably believed to be outside of the United States. It also granted immunity to the
telephone companies so they would not be liable for the records they had provided to the
government in the wake of September 11. The new rules required more reporting from
the government to Congress and put limits on some of the secrecy about NSLs and other
government requests for records in the national security realm. FISA itself expressly
authorized foreign intelligence wiretaps and put checks and balances on the
Administration. Neither FISA nor its amendments authorized access to stored
communications without judicial authorization.

21. The correct answer is D: [Obtain applicant’s written consent and provide applicant with a
copy of the credit report before taking an adverse action.]
To obtain any consumer report under FCRA, an employer must meet the following
standards: (1) provide written notice to the applicant that it is obtaining a consumer
report for employment purposes and indicate if an investigative consumer report will be
obtained; (2) obtain written consent from the applicant; (3) obtain data only from a
qualified consumer reporting agency that has taken steps to assure the accuracy and
currency of the data; (4) certify to the consumer reporting agency that the employer has
a permissible purpose and has obtained consent from the employee; (5) before taking an
adverse action, provide a pre-adverse action notice to the applicant with a copy of the
consumer report in order to give the applicant an opportunity to dispute the report and
(6) after taking adverse action, provide an adverse action notice.

22. The correct answer is A: [Test marketing the company’s new products.]
Determining legal standing or citizen status, retirement planning and group insurance
underwriting all constitute legitimate organizational activities in the course of doing
business or managing employees. Sharing employee records with a third party for the
purpose of test marketing the company’s products, however, would be an inappropriate
disclosure of the employee’s personal information.

23. The correct answer is C: [Questions on whether an applicant has applied for or received
worker’s compensation.]
A number of U.S. federal laws prohibit discrimination in employment and place limits on
the information an employer is entitled to ascertain in the screening process. Generally
speaking, questions that specifically relate to a candidate’s ability to perform the job for
which he or she has applied are allowable, such as medical conditions, disabilities and
physical characteristics and anticipated absences. Questions about past worker’s
compensation applications, however, are specifically prohibited by the Americans with
Disabilities Act (ADA).

24. The correct answer is C: [Secret surveillance.]
In the United States, private-sector employees in general have limited expectations of
privacy at the workplace, and there are sometimes significant incentives to monitor
employees. Except as limited by state statute or a collective bargaining agreement, video
monitoring is allowable unless placed in a “private place,” such as a restroom or locker
rooms. Employers also have a right to monitor internet usage if such a policy is publicized
and applied to all employees. Furthermore, employers certainly have the right, and often
the obligation, to limit access to company property through the use of badges, readers
and other techniques. The key to avoiding a privacy issue, beyond adherence to specific
laws and regulations, is to ensure that all policies regarding monitoring are made known
to employees—secret surveillance is not acceptable in most settings.

25. The correct answer is D: [Asking employees to sign the privacy policy immediately before
conducting the exit interview.]
Employers have the right to terminate a former employee’s access to the physical and
informational assets of the organization. In the case of a terminated employee, it is
reasonable to require the individual, under observation, to remove only personal effects
and to remove the individual’s access right to personal information held by the
organization. When an employee signed a non-disclosure agreement at the time of
employment, it is also appropriate to remind a terminated employee of that agreement.
The time to ask employees to sign a privacy policy, however, is not upon termination but
upon employment or at the time an employee first has access to personal information
stored by the organization.

26. The correct answer is C: [The display of Social Security numbers on identification cards.]
While the disclosure of biometric data may be restricted by law, this is a privacy issue,
not a security one. Similarly, the FTC Telemarketing Sales Rule (TSR) restricts the hours
that organizations may make telemarketing calls, but that is not a security issue. The
collection of Social Security numbers in hiring is permissible as long as there is a
legitimate purpose and the data is secured. On the other hand, Social Security numbers
are widely considered to be personal information and should not therefore be displayed
publicly, such as on an identification card. The practice is specifically prohibited by
privacy laws in many states.

27. The correct answer is D: [A brief description of the incident, the type of information
involved, and a toll-free number for answers to questions.]
Most states do not specify what must be included in the notification letter. Privacy
professionals residing in states that do not provide guidance should use the guidelines of
states that do.

28. The correct answer is B: [Monitoring is limited to “non-private” areas of the workplace.]
Many states have specific laws prohibiting workplace video monitoring of private places
such as restrooms and locker rooms. Even in the absence of a statute, employees may be
able to bring a common-law tort claim for invasion of privacy, especially where a jury
would find the use of the camera to be offensive. Monitoring of private areas in the
workplace would be unlikely to survive a legal challenge.

29. The correct answer is C: [Social Security numbers.]
The definition of what constitutes personal information varies state by state. However,
there are some factors that are included in the definition of personal information in all
states. These include the loss of a name combined with another form of personal
information. Generally, student records and intellectual property are not considered
personal information.

30. The answer is A: [A confidentiality provision.]
If a company plans to share personal data with a third-party processor, it is important to
consider incorporating a written contract including a confidentiality provision, no further
use of shared information, requirement to notify and disclose a breach, and information
security provisions.

Answer Sheet

This page may be reproduced.

1 A B C D     6 A B C D     11 A B C D     16 A B C D

2 A B C D     7 A B C D     12 A B C D     17 A B C D

3 A B C D     8 A B C D     13 A B C D     18 A B C D

4 A B C D     9 A B C D     14 A B C D     19 A B C D

5 A B C D     10 A B C D    15 A B C D     20 A B C D

21 A B C D    26 A B C D

22 A B C D    27 A B C D

23 A B C D    28 A B C D

24 A B C D    29 A B C D

25 A B C D    30 A B C D

Answer Key

This page may be reproduced.

Columns: Item Number | Correct Answer | Introduction to the U.S. Privacy Environment | Limits on Private-sector Collection and Use of Data | Government and Court Access to Private-sector Information | Workplace Privacy | State Privacy Laws

1 B
2 D
3 C
4 A
5 B
6 C
7 C
8 D
9 B
10 C
11 B
12 A
13 A
14 D
15 D
16 C
17 D
18 A
19 C
20 B
21 D
22 A
23 C
24 C
25 D
26 C
27 D
28 B
29 C
30 A

SUMMARY: ___ of 7 correct | ___ of 6 correct | ___ of 7 correct | ___ of 6 correct | ___ of 4 correct
PERCENTAGE: (# correct / # total) x 100