Free Preparation Discussions
MENU
IAPP CIPP/US Exam Questions
- Topic 1: Introduction to the U.S. Privacy Environment: This topic equips IAPP Information Privacy Professionals with foundational knowledge of the structure of U.S. law, focusing on its fragmented nature. It also explains enforcement mechanisms for privacy and security laws across the federal and state levels. Lastly, it highlights the U.S. perspective on managing information, offering a comprehensive framework for understanding privacy dynamics critical to professional practice.
- Topic 2: Limits on Private-Sector Collection and Use of Data: Information Privacy Professionals gain insights into sector-specific data protection frameworks, including the FTC's cross-sector guidelines and rules for healthcare, financial, and educational institutions. These regulations limit data collection and usage practices, emphasizing compliance and consumer protection.
- Topic 3: Government and Court Access to Private-Sector Information: This topic provides an overview of government and legal system access to private-sector data, addressing privacy challenges related to law enforcement, national security, and civil litigation. It equips Information Privacy Professionals to assess privacy risks and ensure compliance when responding to governmental or judicial data requests.
- Topic 4: Workplace Privacy: Workplace privacy is explored through its lifecycle before, during, and after employment, providing Information Privacy Professionals with the knowledge to manage employee data responsibly. The topic emphasizes balancing organizational needs with compliance obligations, ensuring privacy standards are upheld in employment settings.
- Topic 5: State Privacy Laws: This topic examines the interplay between federal and state authority in privacy regulation, highlighting diverse data privacy and security laws. Information Privacy Professionals also learn about state-specific data breach notification laws.
Free IAPP CIPP/US Exam Actual Questions
Note: Premium Questions for CIPP/US were last updated On Jun. 06, 2026 (see below)
The rules for ''e-discovery'' mainly prevent which of the following?
E-discovery is the process by which parties share, review, and collect electronically stored information (ESI) to use as evidence in a legal matter1.The rules for e-discovery mainly prevent a conflict between business practice and technological safeguards, because they establish the standards and procedures for preserving, collecting, reviewing, and producing ESI in a way that balances the needs of litigation with the realities of technology2.For example, the Federal Rules of Civil Procedure (FRCP) provide guidance on the scope, timing, format, and methods of e-discovery, as well as the sanctions for failing to comply with e-discovery obligations3.The rules also encourage cooperation and communication among parties and courts to resolve e-discovery issues efficiently and effectively4. By following the rules for e-discovery, parties can avoid disputes, delays, and costs that may arise from incompatible or inconsistent business and technological practices.
The other options are not the main purpose of the rules for e-discovery, although they may be related or affected by them.The rules for e-discovery do not directly prevent the loss of information due to poor data retention practices, although they do impose a duty to preserve relevant ESI when litigation is reasonably anticipated5.The rules for e-discovery do not directly prevent the practice of employees using personal devices for work, although they do require parties to identify and disclose the sources of ESI that may be subject to discovery, including personal devices6.The rules for e-discovery do not directly prevent a breach of an organization's data retention program, although they do require parties to produce ESI in a reasonably usable form and to protect privileged or confidential information7.
Under state breach notification laws, which is NOT typically included in the definition of personal information?
Under state breach notification laws, personal information is typically defined as an individual's first name or first initial and last name plus one or more other data elements, such as Social Security number, state identification number, account number, medical information, etc. However, first and last name alone are not usually considered personal information, unless they are combined with other data elements that could identify the individual or compromise their security or privacy.Therefore, option B is the correct answer, as it is not typically included in the definition of personal information under state breach notification laws.Reference: https://www.ncsl.org/technology-and-communication/security-breach-notification-laws https://iapp.org/resources/article/state-data-breach-notification-chart/
Your company, an online store selling digital keys to video games, has received a data access request from an individual. Specifically, the individual wants access to her recent purchase history, as she has misplaced the emails containing the digital keys to multiple game purchases she made last month.
From a security standpoint, what would the user have to do under CCPA in order to acceptably verify her identity?
Under the California Consumer Privacy Act (CCPA), businesses must verify the identity of individuals making data access requests to ensure the security of personal information. The most secure and straightforward way to verify a consumer's identity is by requiring the individual to log in to their password-protected account, as this demonstrates that the requester is the account owner.
Why Password-Protected Accounts Are Best for Verification:
Account-Based Relationship: If the consumer has a password-protected account with the business, verification can typically be achieved by having the consumer log in to the account. This is considered a sufficient method of verifying identity under CCPA guidelines.
Minimizing Risk: Verifying identity through account login reduces the risk of fraudulent access to personal information, as only the account owner has access to the login credentials.
Explanation of Options:
A. Take a photo of herself with her driver license: While this might verify identity, it is more intrusive and poses unnecessary risks of identity theft. This is not a preferred or common method under the CCPA.
B. Provide a notarized affidavit signed by two witnesses: This is excessive and impractical for verifying identity in most cases, particularly for an online store.
C. Log in to her password-protected account with the company: This is correct. Logging into a password-protected account is a straightforward and secure way to verify the identity of a requester under the CCPA.
D. Phone the company and provide her contact details and credit card number: This method is insecure, as it could lead to identity theft or fraudulent access if someone else provides this information.
Reference from CIPP/US Materials:
CCPA Regulations (11 CCR 999.323): Specifies identity verification requirements, including the use of password-protected accounts.
IAPP CIPP/US Certification Textbook: Covers secure methods for verifying consumer identity under the CCPA.
Which of the following accurately describes the purpose of a particular federal enforcement agency?
The FTC is the primary federal agency responsible for enforcing privacy and data security laws in the United States. The FTC has broad jurisdiction over most commercial entities that collect, use, or share personal information from consumers. The FTC Act prohibits unfair or deceptive acts or practices in or affecting commerce, which includes unfair or deceptive privacy practices. The FTC can bring enforcement actions against companies that violate their own privacy policies, fail to provide adequate notice or choice to consumers, engage in unfair or harmful data practices, or breach consumers' reasonable expectations of privacy. The FTC can also issue rules, guidelines, and reports on privacy and data security issues, as well as conduct investigations, workshops, and educational campaigns.Reference:
IAPP CIPP/US Body of Knowledge, Section I.A.1.a
IAPP CIPP/US Textbook, Chapter 1, pp. 9-12
FTC Privacy and Security Enforcement
What practice does the USA FREEDOM Act NOT authorize?
The USA FREEDOM Act is a law that was enacted in 2015 to reform the surveillance practices of the U.S. government. The law was a response to the revelations by Edward Snowden about the mass collection of phone records and internet data by the National Security Agency (NSA) under the authority of Section 215 of the USA PATRIOT Act. The USA FREEDOM Act ended the bulk collection of telephone data and internet metadata by the NSA, and instead required the government to obtain a specific order from the Foreign Intelligence Surveillance Court (FISC) to access such data from the telecommunication providers. The law also authorized the following practices:
Emergency exceptions that allow the government to target roamers: The law allows the government to temporarily target a non-U.S. person who is using a phone number or identifier of a U.S. person, without a court order, if there is an emergency situation that involves a threat of death or serious bodily harm. The government must obtain a court order within seven days to continue the surveillance.
An increase in the maximum penalty for material support to terrorism: The law increases the maximum prison term for providing material support or resources to a foreign terrorist organization from 15 years to 20 years.
An extension of the expiration for roving wiretaps: The law extends the sunset date for the roving wiretap provision of the USA PATRIOT Act, which allows the government to obtain a single order from the FISC to conduct surveillance on a target who switches devices or locations, without specifying the device or location. The law extends the expiration date from June 1, 2015 to December 15, 2019.Reference:
USA FREEDOM Act
USA FREEDOM Act Summary
USA FREEDOM Act FAQs
- Select Question Types you want
- Set your Desired Pass Percentage
- Allocate Time (Hours : Minutes)
- Create Multiple Practice tests with Limited Questions
- Customer Support
Emily Edwards
14 days agoLaura Rogers
18 days agoBarbara Brown
1 month agoAndrew Perez
2 months agoDennis Davis
1 month agoCharles Cooper
1 month agoHarold Perez
1 month agoDaniel Miller
28 days agoDavid Hill
25 days agoNieves
2 months agoBlondell
2 months agoTasia
3 months agoSkye
3 months agoHarris
3 months agoElvera
3 months agoMadalyn
4 months agoKatina
4 months agoJules
4 months agoCarey
4 months agoJohnna
5 months agoCarylon
5 months agoClaudia
5 months agoVan
5 months agoEulah
6 months agoShantell
6 months agoMaile
6 months agoAshlyn
6 months agoMose
7 months agoGeorgiann
7 months agoMarya
7 months agoCarey
7 months agoLeslie
8 months agoRikki
8 months agoReena
8 months agoJohana
8 months agoJade
9 months agoFranklyn
9 months agoTran
9 months agoPhil
9 months agoBarb
11 months agoErasmo
1 year agoCasie
1 year agoJohana
1 year agoMirta
1 year agoLonny
1 year agoDerick
1 year agoBettina
1 year agoDevorah
1 year agoStephania
2 years agoRosio
2 years agoDonte
2 years agoQuentin
2 years agoJacklyn
2 years agoMurray
2 years agoRodolfo
2 years agoCristal
2 years agoHerschel
2 years agoHyman
2 years agoFrancisca
2 years agoEllen
2 years agoNoe
2 years agoDeonna
2 years agoFranklyn
2 years agoGilberto
2 years agoCrista
2 years ago