IAPP CIPP/US Exam Questions

Exam Name: Certified Information Privacy Professional/United States
Exam Code: CIPP/US
Related Certification(s): IAPP Certified Information Privacy Professional Certification
Certification Provider: IAPP
Actual Exam Duration: 150 Minutes
Number of CIPP/US practice questions in our database: 195 (updated: Aug. 02, 2025)
Expected CIPP/US Exam Topics, as suggested by IAPP:
  • Topic 1: Introduction to the U.S. Privacy Environment: This topic equips IAPP Information Privacy Professionals with foundational knowledge of the structure of U.S. law, focusing on its fragmented nature. It also explains enforcement mechanisms for privacy and security laws across the federal and state levels. Lastly, it highlights the U.S. perspective on managing information, offering a comprehensive framework for understanding privacy dynamics critical to professional practice.
  • Topic 2: Limits on Private-Sector Collection and Use of Data: Information Privacy Professionals gain insights into sector-specific data protection frameworks, including the FTC's cross-sector guidelines and rules for healthcare, financial, and educational institutions. These regulations limit data collection and usage practices, emphasizing compliance and consumer protection.
  • Topic 3: Government and Court Access to Private-Sector Information: This topic provides an overview of government and legal system access to private-sector data, addressing privacy challenges related to law enforcement, national security, and civil litigation. It equips Information Privacy Professionals to assess privacy risks and ensure compliance when responding to governmental or judicial data requests.
  • Topic 4: Workplace Privacy: Workplace privacy is explored through its lifecycle before, during, and after employment, providing Information Privacy Professionals with the knowledge to manage employee data responsibly. The topic emphasizes balancing organizational needs with compliance obligations, ensuring privacy standards are upheld in employment settings.
  • Topic 5: State Privacy Laws: This topic examines the interplay between federal and state authority in privacy regulation, highlighting diverse data privacy and security laws. Information Privacy Professionals also learn about state-specific data breach notification laws.
Discuss IAPP CIPP/US Topics, Questions or Ask Anything Related

Barb

21 days ago
Aced the IAPP CIPP/US exam! Pass4Success's questions were essential. Thanks for the quick and effective prep!
upvoted 0 times

Erasmo

2 months ago
CIPP/US certified! Pass4Success's exam questions were incredibly helpful. Grateful for the efficient study material.
upvoted 0 times

Casie

3 months ago
Successfully passed CIPP/US! Pass4Success's practice questions were spot-on. Appreciative of the time-saving preparation.
upvoted 0 times

Johana

4 months ago
IAPP CIPP/US certification achieved! Pass4Success's relevant questions were a game-changer. Thank you for the quick study guide!
upvoted 0 times

Mirta

5 months ago
Passed the CIPP/US exam with flying colors! Pass4Success's questions were crucial. Thanks for the time-effective prep!
upvoted 0 times

Lonny

6 months ago
Just became CIPP/US certified! Pass4Success's exam questions were invaluable. Grateful for the efficient study resource.
upvoted 0 times

Derick

6 months ago
I passed the IAPP CIPP/US exam, and the Pass4Success practice questions were very helpful. One question that I struggled with was about government and court access to private-sector information, specifically under the Foreign Intelligence Surveillance Act (FISA). It asked about the conditions for surveillance orders, and I was unsure about the specifics. Despite this, I passed the exam.
upvoted 0 times

Bettina

7 months ago
IAPP CIPP/US exam success! Pass4Success's relevant questions made all the difference. Thank you for the quick preparation!
upvoted 0 times

Devorah

7 months ago
Passing the IAPP CIPP/US exam was a significant achievement for me, and the Pass4Success practice questions were a great resource. A difficult question was about workplace privacy, focusing on the Health Insurance Portability and Accountability Act (HIPAA). It asked about the privacy protections for employee health information, and I wasn't entirely sure. However, I still passed the exam.
upvoted 0 times

Stephania

8 months ago
I am happy to report that I passed the IAPP CIPP/US exam, with the help of Pass4Success practice questions. One question that I found challenging was related to state privacy laws, particularly the New York SHIELD Act. It asked about the specific security requirements for businesses, and I was uncertain about the details. Nonetheless, I passed the exam.
upvoted 0 times

Rosio

8 months ago
Passed CIPP/US! Pass4Success provided exactly what I needed. Their questions matched the real exam perfectly.
upvoted 0 times

Donte

8 months ago
Successfully passing the IAPP CIPP/US exam was a great feeling, and the Pass4Success practice questions were invaluable. There was a question about limits on private-sector collection and use of data, specifically regarding the Children's Online Privacy Protection Act (COPPA). It asked about the requirements for obtaining parental consent, and I was a bit unsure. Still, I passed the exam.
upvoted 0 times

Quentin

9 months ago
I passed the IAPP CIPP/US exam, and the Pass4Success practice questions were a big help. One question that I found difficult was about the introduction to the U.S. privacy environment, particularly the historical development of privacy laws. It asked about key milestones in U.S. privacy legislation, and I wasn't sure about the exact timeline. Despite this, I managed to pass.
upvoted 0 times

Jacklyn

9 months ago
Aced the IAPP CIPP/US exam! Pass4Success's questions were a lifesaver. Thanks for the time-saving prep!
upvoted 0 times

Murray

9 months ago
The IAPP CIPP/US exam was tough, but I passed with the help of Pass4Success practice questions. A question that gave me pause was about government and court access to private-sector information, specifically under the USA PATRIOT Act. It asked about the conditions under which the government can request business records, and I was uncertain about the details. Nevertheless, I passed the exam.
upvoted 0 times

Rodolfo

10 months ago
I am thrilled to have passed the IAPP CIPP/US exam, thanks in part to the Pass4Success practice questions. One challenging question was related to workplace privacy, focusing on the Electronic Communications Privacy Act (ECPA). It asked about the extent to which employers can monitor employee communications, and I found it difficult to recall the specifics. However, I still succeeded in passing the exam.
upvoted 0 times

Cristal

10 months ago
CIPP/US certified! Pass4Success made it possible with their relevant practice questions. Grateful for the efficient study material.
upvoted 0 times

Herschel

10 months ago
Passing the IAPP CIPP/US exam was a great achievement for me, and the practice questions from Pass4Success played a significant role. There was a tricky question about state privacy laws, particularly the California Consumer Privacy Act (CCPA). It asked about the rights of consumers under the CCPA, and I was a bit unsure about the exact provisions. Despite this, I still managed to pass.
upvoted 0 times

Hyman

11 months ago
Thanks to Pass4Success, I passed the CIPP/US exam! Their materials covered all the key topics and helped me succeed.
upvoted 0 times

Francisca

11 months ago
I recently passed the IAPP Certified Information Privacy Professional/United States exam, and I must say that the Pass4Success practice questions were incredibly helpful. One question that stumped me was about the limitations on private-sector collection and use of data, specifically regarding the Fair Credit Reporting Act (FCRA). I wasn't entirely sure about the specific obligations of companies under the FCRA, but I managed to pass the exam nonetheless.
upvoted 0 times

Ellen

11 months ago
Just passed the IAPP CIPP/US exam! Pass4Success's questions were spot-on. Thanks for the quick prep!
upvoted 0 times

Noe

12 months ago
Passing the IAPP Certified Information Privacy Professional/United States exam was a significant achievement for me, and I attribute my success to the comprehensive practice questions provided by Pass4Success. The exam covered various topics, including the introduction to the U.S. privacy environment. One question that tested my knowledge was related to the key differences among states in terms of privacy regulations, particularly focusing on the differences between the privacy laws in New York and Texas. Despite my initial hesitation, I managed to answer the question correctly and pass the exam.
upvoted 0 times

Deonna

1 year ago
My exam experience was quite challenging, but I am thrilled to announce that I passed the IAPP Certified Information Privacy Professional/United States exam. The topics on elements of key differences among states and recent developments in the U.S. privacy environment were particularly interesting. One question that caught me off guard was related to the recent developments in privacy laws in California, specifically the California Consumer Privacy Act (CCPA). Despite my initial uncertainty, I was able to navigate through the question and pass the exam.
upvoted 0 times

Franklyn

1 year ago
Just passed the CIPP/US exam! Be prepared for questions on state privacy laws, especially CCPA. Focus on understanding key differences between state and federal regulations. Pass4Success's practice questions were spot-on and helped me prepare efficiently. Thanks for the excellent resource!
upvoted 0 times

Gilberto

1 year ago
I recently passed the IAPP Certified Information Privacy Professional/United States exam with the help of Pass4Success practice questions. The exam covered topics such as enforcement of U.S. privacy and security laws, including criminal vs. civil liability. One question that stood out to me was related to the general theories of legal liability, where I had to differentiate between negligence and strict liability. Despite being unsure of the answer at the time, I managed to pass the exam successfully.
upvoted 0 times

Crista

1 year ago
Federal sector privacy was a significant part of the exam. Questions often involved the Privacy Act of 1974 and FOIA. Make sure to understand the key provisions and exemptions of these laws, as well as their practical applications in government agencies.
upvoted 0 times

Free IAPP CIPP/US Exam Actual Questions

Note: Premium Questions for CIPP/US were last updated on Aug. 02, 2025 (see below)

Question #1

The Clarifying Lawful Overseas Use of Data (CLOUD) Act is primarily intended to do which of the following?

Correct Answer: B

The Clarifying Lawful Overseas Use of Data (CLOUD) Act, enacted in 2018, updates the legal framework for federal law enforcement to access electronic data held by U.S. service providers, even when the data is stored outside the United States. The act resolves jurisdictional issues that arise in cross-border data requests and facilitates international cooperation for law enforcement purposes.

Key Provisions of the CLOUD Act:

Data Access for Law Enforcement:

The CLOUD Act allows U.S. federal law enforcement to compel U.S.-based service providers (e.g., Microsoft, Google) to provide access to data stored abroad using a valid warrant or subpoena, provided the request complies with applicable laws.

International Data Sharing Agreements:

The CLOUD Act enables the U.S. to establish bilateral agreements with other countries to streamline access to data for law enforcement purposes. These agreements ensure that U.S. and foreign law enforcement can access data without violating each other's sovereignty or privacy laws.

Conflict with Foreign Laws:

The act includes mechanisms for providers to challenge data requests that conflict with the laws of the country where the data is stored, providing safeguards for compliance with foreign privacy laws like the General Data Protection Regulation (GDPR).

Explanation of Options:

A. Codify a treaty with the EU that permits the cross-border transfer of personal information from the EU to the United States in compliance with the GDPR: This is incorrect. The CLOUD Act is not specific to the EU or GDPR compliance. Instead, it focuses on law enforcement access to data stored abroad.

B. Update the legal mechanisms through which federal law enforcement may obtain data that service providers maintain in a foreign country: This is correct. The CLOUD Act directly addresses law enforcement's ability to compel data access from U.S. providers, regardless of the data's physical location.

C. Establish baseline privacy obligations that U.S. companies must comply with for personal information, even if stored in a foreign country: This is incorrect. The CLOUD Act is focused on law enforcement access to data, not privacy obligations for companies.

D. Prohibit foreign companies from using the personal information of U.S. citizens without their consent: This is incorrect. The CLOUD Act does not regulate foreign companies or impose consent requirements for using personal information.

Reference from CIPP/US Materials:

CLOUD Act (18 U.S.C. 2713): Establishes legal mechanisms for cross-border data access and international agreements.

IAPP CIPP/US Certification Textbook: Discusses the CLOUD Act's impact on cross-border data requests and its interaction with global privacy laws.


Question #2

Which act violates the Family Educational Rights and Privacy Act of 1974 (FERPA)?

Correct Answer: A

The Family Educational Rights and Privacy Act of 1974 (FERPA) is a federal law that protects the privacy of student education records. FERPA grants parents or eligible students the right to access, amend, and control the disclosure of their education records, with some exceptions. Schools must obtain written consent from the parent or eligible student before disclosing any personally identifiable information from the education records, unless an exception applies.

Option A violates FERPA because it involves the disclosure of a student's personally identifiable information (PII) from the education records without consent. A student's signed essay about her hometown is considered an education record under FERPA, as it is directly related to the student and maintained by the school. A K-12 assessment vendor is not a school official with a legitimate educational interest, nor does it fall under any of the exceptions that allow disclosure without consent. Therefore, the school must obtain the student's (or the parent's, if the student is a minor) written consent before providing the essay to the vendor for public release.

Option B does not violate FERPA because it involves the disclosure of directory information, which is not considered PII under FERPA. Directory information is information that would not generally be considered harmful or an invasion of privacy if disclosed, such as name, address, phone number, e-mail address, major, etc. Schools may disclose directory information without consent, unless the parent or eligible student has opted out of such disclosure. However, schools must notify parents and eligible students annually of the types of directory information they designate and their right to opt out.

Option C does not violate FERPA because it involves the disclosure of information that is not part of the education records. FERPA only applies to education records that are directly related to a student and maintained by the school or a party acting for the school. A newspaper's publication of the names, grade levels, and hometowns of students who made the quarterly honor roll is not based on the education records, but on the newspaper's own sources and reporting. Therefore, FERPA does not prohibit such disclosure.

Option D does not violate FERPA because it involves the disclosure of information under an exception that allows disclosure without consent. FERPA permits schools to disclose education records, or PII from education records, without consent to comply with a judicial order or lawfully issued subpoena, or to appropriate officials in connection with a health or safety emergency. If the university police provide an arrest report to the student's hometown police in response to a subpoena or to prevent a serious threat to the student or others, they are not violating FERPA.


Question #3

SCENARIO

Please use the following to answer the next QUESTION

When there was a data breach involving customer personal and financial information at a large retail store, the company's directors were shocked. However, Roberta, a privacy analyst at the company and a victim of identity theft herself, was not. Prior to the breach, she had been working on a privacy program report for the executives. How the company shared and handled data across its organization was a major concern. There were neither adequate rules about access to customer information nor procedures for purging and destroying outdated data. In her research, Roberta had discovered that even low-level employees had access to all of the company's customer data, including financial records, and that the company still had in its possession obsolete customer data going back to the 1980s.

Her report recommended three main reforms. First, permit access on an as-needs-to-know basis. This would mean restricting employees' access to customer information to data that was relevant to the work performed. Second, create a highly secure database for storing customers' financial information (e.g., credit card and bank account numbers) separate from less sensitive information. Third, identify outdated customer information and then develop a process for securely disposing of it.

When the breach occurred, the company's executives called Roberta to a meeting where she presented the recommendations in her report. She explained that the company having a national customer base meant it would have to ensure that it complied with all relevant state breach notification laws. Thanks to Roberta's guidance, the company was able to notify customers quickly and within the specific timeframes set by state breach notification laws.

Soon after, the executives approved the changes to the privacy program that Roberta recommended in her report. The privacy program is far more effective now because of these changes and, also, because privacy and security are now considered the responsibility of every employee.

Which principle of the Consumer Privacy Bill of Rights, if adopted, would best reform the company's privacy program?

Correct Answer: B

The Consumer Privacy Bill of Rights is a set of principles proposed by the Obama administration in 2012 to protect the privacy of consumers online and offline. The principles are based on the Fair Information Practice Principles, which are widely accepted as the foundation of privacy protection. One of the principles is the right to reasonable limits on the personal data that a company retains, which means that companies should collect and keep only the personal data they need for legitimate purposes, and dispose of it securely when it is no longer needed. This principle would best reform the company's privacy program in the scenario, as it would address the major concerns that Roberta identified in her report, such as the lack of rules and procedures for purging and destroying outdated data, and the excessive access to customer information by low-level employees. By implementing reasonable limits on the personal data that the company retains, the company would reduce the risk of data breaches, enhance customer trust, and comply with state breach notification laws.

Reference:

Fact Sheet: Plan to Protect Privacy in the Internet Age by Adopting a Consumer Privacy Bill of Rights

IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 1: Introduction to U.S. Privacy Law, Section 1.2: The Consumer Privacy Bill of Rights


Question #4

SCENARIO

Please use the following to answer the next QUESTION:

Declan has just started a job as a nursing assistant in a radiology department at Woodland Hospital. He has also started a program to become a registered nurse.

Before taking this career path, Declan was vaguely familiar with the Health Insurance Portability and Accountability Act (HIPAA). He now knows that he must help ensure the security of his patients' Protected Health Information (PHI). Therefore, he is thinking carefully about privacy issues.

On the morning of his first day, Declan noticed that the newly hired receptionist handed each patient a HIPAA privacy notice. He wondered if it was necessary to give these privacy notices to returning patients, and if the radiology department could reduce paper waste through a system of one-time distribution.

He was also curious about the hospital's use of a billing company. He questioned whether the hospital was doing all it could to protect the privacy of its patients if the billing company had details about patients' care.

On his first day Declan became familiar with all areas of the hospital's large radiology department. As he was organizing equipment left in the hallway, he overheard a conversation between two hospital administrators. He was surprised to hear that a portable hard drive containing non-encrypted patient information was missing. The administrators expressed relief that the hospital would be able to avoid liability. Declan was surprised, and wondered whether the hospital had plans to properly report what had happened.

Despite Declan's concern about this issue, he was amazed by the hospital's effort to integrate Electronic Health Records (EHRs) into the everyday care of patients. He thought about the potential for streamlining care even more if they were accessible to all medical facilities nationwide.

Declan had many positive interactions with patients. At the end of his first day, he spoke to one patient, John, whose father had just been diagnosed with a degenerative muscular disease. John was about to get blood work done, and he feared that the blood work could reveal a genetic predisposition to the disease that could affect his ability to obtain insurance coverage. Declan told John that he did not think that was possible, but the patient was wheeled away before he could explain why. John plans to ask a colleague about this.

In one month, Declan has a paper due for one of his classes on a health topic of his choice. By then, he will have had many interactions with patients he can use as examples. He will be pleased to give credit to John by name for inspiring him to think more carefully about genetic testing.

Although Declan's day ended with many questions, he was pleased about his new position.

How can the radiology department address Declan's concern about paper waste and still comply with the Health Insurance Portability and Accountability Act (HIPAA)?

Correct Answer: D

HIPAA requires covered entities to provide a notice of privacy practices (NPP) to individuals who receive health care services from the covered entity. The NPP must describe how the covered entity may use and disclose protected health information (PHI), the individual's rights with respect to their PHI, and the covered entity's obligations to protect the privacy of PHI. The NPP must be provided to the individual no later than the date of the first service delivery, either in person or electronically. The covered entity must also make the NPP available on request and post it on its website if it has one. The covered entity must also make a good faith effort to obtain a written acknowledgment from the individual that they received the NPP. If the individual refuses to sign the acknowledgment, the covered entity must document the attempt and the reason for the refusal.

The other options are not sufficient to comply with HIPAA. Stating the privacy policy verbally (option A) does not provide the individual with a written or electronic copy of the NPP that they can keep for future reference. Posting the privacy notice in a prominent location (option B) does not ensure that the individual receives the NPP or has an opportunity to review it before receiving services. Directing patients to the correct area of the hospital website (option C) does not provide the individual with the NPP at the time of service delivery, unless the individual agrees to receive the NPP electronically and has access to the website at that time.

Reference:

Notice of Privacy Practices for Protected Health Information

Model Notices of Privacy Practices

Sample Notice: Availability of Notice of Privacy Practices

Notice of Privacy Practices

Notice of Privacy Practices (NPP) Distribution and Acknowledgement


Question #5

All of the following are tasks in the "Discover" phase of building an information management program EXCEPT?

Correct Answer: B

The "Discover" phase of building an information management program is the first step in the process of creating a privacy framework. It involves identifying the types, sources, and flows of personal information within an organization, as well as the legal, regulatory, and contractual obligations that apply to it. The tasks in this phase include:

Conducting a data inventory and mapping exercise to document what personal information is collected, used, shared, and stored by the organization, and how it is protected.

Assessing the current state of privacy compliance and risk by reviewing existing policies, procedures, and practices, and identifying any gaps or weaknesses.

Understanding the laws that regulate a company's collection of information, such as the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), and the California Consumer Privacy Act (CCPA).

Facilitating participation across departments and levels to ensure that all stakeholders are involved and informed of the privacy goals and objectives, and to foster a culture of privacy awareness and accountability.

Developing a process for review and update of privacy policies is not a task in the "Discover" phase, but rather in the "Implement" phase, which is the third step in the process of creating a privacy framework. It involves putting the privacy policies and procedures into action, and ensuring that they are effective and compliant. The tasks in this phase include:

Developing a process for review and update of privacy policies to reflect changes in the business environment, legal requirements, and best practices, and to incorporate feedback from internal and external audits and assessments.

Implementing privacy training and awareness programs to educate employees and other relevant parties on their roles and responsibilities regarding privacy, and to promote a privacy-by-design approach.

Establishing privacy governance and oversight mechanisms to monitor and measure the performance and outcomes of the privacy program, and to ensure accountability and transparency.

Developing a process for responding to privacy incidents and requests from data subjects, regulators, and other parties, and to mitigate and remediate any privacy risks or harms.


IAPP CIPP/US Body of Knowledge, Domain I: Information Management from a U.S. Perspective, Section A: Building a Privacy Program

IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 1: Information Management from a U.S. Perspective, Section 1.1: Building a Privacy Program

Practice Exam - International Association of Privacy Professionals

