IAPP Information Privacy Pro /US (CIPP-US) Practice Questions & Study Guide
The Certified Information Privacy Professional/United States (CIPP/US) is the most recognized certification for privacy professionals working within the United States. As data privacy laws continue to evolve rapidly at both federal and state levels, the need for specialized knowledge of the U.S. legal framework is higher than ever. Developed by the International Association of Privacy Professionals (IAPP), the CIPP/US validates your comprehensive understanding of U.S. privacy laws, regulations, and industry standards. It is a vital credential for anyone involved in data privacy, legal compliance, and information security in a U.S. context.
Overview of the Exam
The CIPP/US exam is a rigorous assessment that covers five main domains of U.S. private-sector and public-sector data protection. It is a 90-minute exam consisting of 90 multiple-choice questions. The exam is designed to test your knowledge of U.S. privacy laws, including historical context, the role of federal and state agencies, and specific sector-specific regulations like HIPAA and GLBA. From consumer privacy and workplace privacy to surveillance and international data transfers, the CIPP/US ensures that you have the skills necessary to help organizations navigate the complex U.S. privacy landscape. Achieving the CIPP/US certification proves that you are a highly skilled professional who can ensure compliance and protect individual privacy rights across the United States.
Target Audience
The CIPP/US is intended for a broad range of professionals involved in data privacy and legal compliance. It is ideal for individuals in roles such as:
1. Data Privacy Officers (DPOs)
2. Legal Counsel and Attorneys
3. Compliance Officers
4. Information Security Professionals
5. HR Professionals
6. IT Managers
7. Consultants
The CIPP/US is for those who are responsible for ensuring that their organizations meet the high standards of U.S. data protection laws.
Key Topics Covered
The CIPP/US exam is organized into five main domains:
1. Introduction to the U.S. Legal System: Historical context, the U.S. Constitution, and the role of federal and state laws.
2. U.S. Federal Privacy Laws: In-depth study of federal privacy laws like HIPAA, GLBA, and the FTC Act.
3. U.S. State Privacy Laws: Understanding the growing landscape of state-level privacy laws like the CCPA and CPRA.
4. U.S. Workplace Privacy: Managing employee privacy, monitoring, and data security in the workplace.
5. U.S. Privacy in the Digital Age: Addressing emerging privacy issues like online advertising, social media, and data breach notifications.
Benefits of Getting Certified
Earning the CIPP/US certification provides several significant benefits. First, it offers elite recognition of your specialized expertise in U.S. data protection law. As organizations globally strive to comply with evolving U.S. laws, the demand for CIPP/US-certified professionals has skyrocketed. Second, it can lead to high-level career opportunities and significantly higher salary potential. Third, it demonstrates your commitment to professional excellence and your dedication to staying at the forefront of the privacy field. By holding this certification, you join a prestigious global community of privacy professionals and gain access to exclusive IAPP resources and continuing education opportunities.
Why Choose NotJustExam.com for Your CIPP/US Prep?
The CIPP/US exam is challenging and requires a deep understanding of complex U.S. legal concepts. NotJustExam.com is the premier resource to help you master this material. Our platform offers a sophisticated bank of practice questions that are specifically designed to mirror the actual exam’s format and difficulty.
What sets NotJustExam.com apart is our commitment to interactive logic and accurate explanations. We go beyond simple rote memorization. Each question in our bank is accompanied by a detailed explanation that breaks down the legal reasoning behind the correct answer. This ensures that you are truly understanding the "how" and "why" of U.S. data protection. Our content is regularly updated by subject matter experts to stay current with the latest U.S. privacy trends and case law. With our realistic practice environment and high-quality study materials, you can approach your CIPP/US exam with the confidence that you are prepared for its toughest challenges. Start your journey to becoming a Certified Information Privacy Professional/United States with NotJustExam.com today!
Free IAPP Information Privacy Pro /US (CIPP-US) Practice Questions Preview
-
Question 1
Which jurisdiction must courts have in order to hear a particular case?
- A. Subject matter jurisdiction and regulatory jurisdiction
- B. Subject matter jurisdiction and professional jurisdiction
- C. Personal jurisdiction and subject matter jurisdiction
- D. Personal jurisdiction and professional jurisdiction
Correct Answer:
C
Explanation:
The AI assistant agrees with the suggested answer C.
Reasoning: In order for a court to properly hear a case, it must possess both personal jurisdiction over the parties involved and subject matter jurisdiction over the legal issues in dispute. Personal jurisdiction ensures that the court has the authority to render a judgment that binds the defendant. Subject matter jurisdiction ensures that the court is authorized to hear the type of case before it.
Why other options are incorrect:
- A. Subject matter jurisdiction is required, but regulatory jurisdiction is not a recognized legal term defining a court's authority to hear a case.
- B. Subject matter jurisdiction is required, but professional jurisdiction is not a recognized legal term defining a court's authority to hear a case.
- D. Personal jurisdiction is required, but professional jurisdiction is not a recognized legal term defining a court's authority to hear a case.
Suggested Answer: C
-
Question 2
Which authority supervises and enforces laws regarding advertising to children via the Internet?
- A. The Office for Civil Rights
- B. The Federal Trade Commission
- C. The Federal Communications Commission
- D. The Department of Homeland Security
Correct Answer:
B
Explanation:
The AI agrees with the suggested answer (B).
The Federal Trade Commission (FTC) is the primary authority that supervises and enforces laws regarding advertising to children via the Internet. This is largely accomplished through enforcement of the Children's Online Privacy Protection Act (COPPA) Rule, which places specific requirements on websites and online services that are directed to children under 13, or that knowingly collect personal information from children under 13. Advertising practices often fall under the purview of COPPA when they involve collecting and using children's personal information. The FTC also monitors and takes action against unfair or deceptive advertising practices more broadly, which can include advertising targeted at children.
Here's why the other options are incorrect:
- A. The Office for Civil Rights: This office primarily deals with enforcing civil rights laws prohibiting discrimination, particularly in programs and activities receiving federal financial assistance. It does not focus on advertising practices.
- C. The Federal Communications Commission: While the FCC regulates communications, its focus is more on broadcasting and telecommunications. The FTC is the main agency for advertising.
- D. The Department of Homeland Security: This department is focused on national security and does not have jurisdiction over advertising practices.
The conclusion from the internet discussion supports that the answer to this question is B, because the FTC is the governmental body that conducts compliance reviews. While the NAI is a self-regulatory program, the FTC has statutory enforcement authority.
-
Question 3
According to Section 5 of the FTC Act, self-regulation primarily involves a company’s right to do what?
- A. Determine which bodies will be involved in adjudication
- B. Decide if any enforcement actions are justified
- C. Adhere to its industry’s code of conduct
- D. Appeal decisions made against it
Correct Answer:
C
Explanation:
The suggested answer is correct.
The reason for choosing option C is that self-regulation, in the context of Section 5 of the FTC Act, primarily involves a company's adherence to its industry's code of conduct. This aligns with the concept of voluntary industry rulemaking, where companies or industry groups create and agree to follow codes of conduct or privacy policies.
The reasons for not choosing the other options are as follows:
- Option A: Determine which bodies will be involved in adjudication. This is incorrect because adjudication, or the process of resolving disputes, typically involves bodies like the FTC or courts, not a company's self-regulatory efforts.
- Option B: Decide if any enforcement actions are justified. This is incorrect because the decision to take enforcement actions rests with regulatory bodies like the FTC, not with the company itself as part of self-regulation.
- Option D: Appeal decisions made against it. This is incorrect because appealing a decision is a legal right available after an enforcement action, and not part of the initial self-regulatory efforts.
The IAPP textbook supports the idea that self-regulation in this context is about voluntary industry rulemaking, where companies draft their own privacy policies or industry groups create codes of conduct that companies agree to follow.
Therefore, the best answer is C.
-
Question 4
Which was NOT one of the five priority areas listed by the Federal Trade Commission in its 2012 report, “Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers”?
- A. International data transfers
- B. Large platform providers
- C. Promoting enforceable self-regulatory codes
- D. Do Not Track
Correct Answer:
A
Explanation:
Based on the question and discussion content, the AI agrees with the suggested answer.
The suggested answer is A. International data transfers.
Reasoning: The question asks for the option that was NOT one of the five priority areas listed in the FTC's 2012 report. The discussion summary mentions that the priority areas included "Do Not Track," mobile privacy, data brokers, large platform providers, and promoting enforceable self-regulatory codes. "International data transfers" is not mentioned among these priorities.
Reasons for not choosing the other answers:
- B. Large platform providers: The discussion summary specifically lists "large platform providers" as one of the FTC's priority areas.
- C. Promoting enforceable self-regulatory codes: The discussion summary specifically lists "promoting enforceable self-regulatory codes" as one of the FTC's priority areas.
- D. Do Not Track: The discussion summary specifically lists "Do Not Track" as one of the FTC's priority areas.
Citations:
- Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers, https://www.ftc.gov/sites/default/files/documents/reports/federal-trade-commission-report-protecting-consumer-privacy-era-rapid-change-recommendations/dhsummary.pdf
-
Question 5
The “Consumer Privacy Bill of Rights” presented in a 2012 Obama administration report is generally based on?
- A. The 1974 Privacy Act
- B. Common law principles
- C. European Union Directive
- D. Traditional fair information practices
Correct Answer:
D
Explanation:
The AI agrees with the suggested answer.
The recommended answer is D - Traditional fair information practices.
Reasoning: The "Consumer Privacy Bill of Rights," outlined in the 2012 Obama administration report, is fundamentally based on traditional Fair Information Practices (FIPs). These principles have been a cornerstone of privacy legislation and policy for decades. The White House report itself explicitly defines the Consumer Privacy Bill of Rights within the framework of FIPs.
Reasons for not choosing the other answers:
- A. The 1974 Privacy Act: While significant, this act primarily governs the handling of personal information by the US government, and the Consumer Privacy Bill of Rights has a broader scope, encompassing the private sector as well.
- B. Common law principles: Common law provides a foundation for some privacy rights, but the Consumer Privacy Bill of Rights is a more structured and comprehensive framework.
- C. European Union Directive: While the EU's data protection laws influenced global privacy discussions, the Consumer Privacy Bill of Rights is directly rooted in the FIPs framework. Although inspired in part by the EU Directive, its primary basis is FIPs.
Citations:
- The White House, CONSUMER DATA PRIVACY IN A NETWORKED WORLD: A FRAMEWORK FOR PROTECTING PRIVACY AND PROMOTING INNOVATION IN THE GLOBAL DIGITAL ECONOMY, https://obamawhitehouse.archives.gov/sites/default/files/privacy-final-report.pdf
-
Question 6
What is a legal document approved by a judge that formalizes an agreement between a governmental agency and an adverse party called?
- A. A consent decree
- B. Stare decisis decree
- C. A judgment rider
- D. Common law judgment
Correct Answer:
A
Explanation:
The AI agrees with the suggested answer.
The recommended answer is A. A consent decree.
Reasoning:
A consent decree is indeed a legal document approved by a judge that formalizes an agreement between a governmental agency and an adverse party. This agreement often involves the adverse party agreeing to cease certain activities without admitting guilt. This definition aligns perfectly with the question's description. Consent decrees are commonly used in areas such as antitrust, environmental law, and civil rights to resolve disputes between government entities and private parties or organizations.
Why the other options are incorrect:
- B. Stare decisis decree: "Stare decisis" is a legal principle that means courts should follow precedents set by previous decisions. It is not a type of decree or agreement itself.
- C. A judgment rider: This term is not a recognized legal term.
- D. Common law judgment: Common law is a body of law derived from judicial decisions rather than statutes or constitutions. A judgment based on common law principles would not necessarily represent a formalized agreement between a governmental agency and an adverse party.
Citation:
- Consent Decree, https://www.law.cornell.edu/wex/consent_decree
-
Question 7
Read this notice:
Our website uses cookies. Cookies allow us to identify the computer or device you’re using to access the site, but they don’t identify you personally. For instructions on setting your Web browser to refuse cookies, click here.
What type of legal choice does not notice provide?
- A. Mandatory
- B. Implied consent
- C. Opt-in
- D. Opt-out
Correct Answer:
D
Explanation:
The AI agrees with the suggested answer of D. Opt-out.
Reasoning: The notice informs users that the website uses cookies and provides instructions on how to refuse them. This approach aligns with an opt-out mechanism, where cookies are enabled by default, and users must take action to disable them. The notice does not request explicit consent (opt-in) before using cookies, nor does it imply mandatory acceptance.
Why other options are incorrect:
- A. Mandatory: The notice provides instructions on how to refuse cookies, so it is not mandatory.
- B. Implied consent: Although continued use of the website might be interpreted as implied consent, the notice explicitly provides an option to refuse cookies. Therefore, it leans more towards opt-out than implied consent.
- C. Opt-in: An opt-in approach would require users to explicitly consent to the use of cookies before they are activated. The notice describes a system where cookies are active unless the user takes steps to disable them.
The General Data Protection Regulation (GDPR) and ePrivacy Directive influence cookie consent requirements, but the notice provided doesn't align with the stricter opt-in requirements of those regulations. The notice presents a choice for users to disable cookies, fitting the opt-out model.
-
Question 8
SCENARIO -
Please use the following to answer the next question:
Cheryl is the sole owner of Fitness Coach, Inc., a medium-sized company that helps individuals realize their physical fitness goals through classes, individual instruction, and access to an extensive indoor gym. She has owned the company for ten years and has always been concerned about protecting customers’ privacy while maintaining the highest level of service. She is proud that she has built long-lasting customer relationships.
Although Cheryl and her staff have tried to make privacy protection a priority, the company has no formal privacy policy. So Cheryl hired Janice, a privacy professional, to help her develop one.
After an initial assessment, Janice created a first of a new policy. Cheryl read through the draft and was concerned about the many changes the policy would bring throughout the company. For example, the draft policy stipulates that a customer’s personal information can only be held for one year after paying for a service such as a session with personal trainer. It also promises that customer information will not be shared with third parties without the written consent of the customer. The wording of these rules worries Cheryl since stored personal information often helps her company to serve her customers, even if there are long pauses between their visits. In addition, there are some third parties that provide crucial services, such as aerobics instructors who teach classes on a contract basis. Having access to customer files and understanding the fitness levels of their students helps instructors to organize their classes.
Janice understood Cheryl’s concerns and was already formulating some ideas for revision. She tried to put Cheryl at ease by pointing out that customer data can still be kept, but that it should be classified according to levels of sensitivity. However, Cheryl was skeptical. It seemed that classifying data and treating each type differently would cause undue difficulties in the company’s day-to-day operations. Cheryl wants one simple data storage and access system that any employee can access if needed.
Even though the privacy policy was only a draft, she was beginning to see that changes within her company were going to be necessary. She told Janice that she would be more comfortable with implementing the new policy gradually over a period of several months, one department at a time. She was also interested in a layered approach by creating documents listing applicable parts of the new policy for each department.
What is the best reason for Cheryl to follow Janice’s suggestion about classifying customer data?
- A. It will help employees stay better organized
- B. It will help the company meet a federal mandate
- C. It will increase the security of customers’ personal information (PI)
- D. It will prevent the company from collecting too much personal information (PI)
Correct Answer:
C
Explanation:
The AI agrees with the suggested answer, C: It will increase the security of customers’ personal information (PI).
Reasoning: The primary goal of classifying customer data is to understand what data is held, where it is stored, and how sensitive it is. This understanding directly contributes to enhanced security measures, allowing for appropriate safeguards to be implemented based on the classification level. By knowing what data is most sensitive, resources can be allocated to protect it adequately.
Reasons for not choosing other answers:
- A: While organization is a side benefit, it is not the primary reason for data classification.
- B: Meeting a federal mandate might be a result of data classification, but it is not the direct reason for doing so. Data classification is a practice that enables compliance, not the other way around.
- D: Data classification helps manage data collection but does not directly prevent over-collection. Data minimization principles are more directly related to preventing the collection of too much PI.
Citations:
- Data classification: What it is, why it matters, and best practices, https://www.securitymetrics.com/blog/data-classification
-
Question 9
SCENARIO -
Please use the following to answer the next question:
Cheryl is the sole owner of Fitness Coach, Inc., a medium-sized company that helps individuals realize their physical fitness goals through classes, individual instruction, and access to an extensive indoor gym. She has owned the company for ten years and has always been concerned about protecting customers’ privacy while maintaining the highest level of service. She is proud that she has built long-lasting customer relationships.
Although Cheryl and her staff have tried to make privacy protection a priority, the company has no formal privacy policy. So Cheryl hired Janice, a privacy professional, to help her develop one.
After an initial assessment, Janice created a first of a new policy. Cheryl read through the draft and was concerned about the many changes the policy would bring throughout the company. For example, the draft policy stipulates that a customer’s personal information can only be held for one year after paying for a service such as a session with personal trainer. It also promises that customer information will not be shared with third parties without the written consent of the customer. The wording of these rules worries Cheryl since stored personal information often helps her company to serve her customers, even if there are long pauses between their visits. In addition, there are some third parties that provide crucial services, such as aerobics instructors who teach classes on a contract basis. Having access to customer files and understanding the fitness levels of their students helps instructors to organize their classes.
Janice understood Cheryl’s concerns and was already formulating some ideas for revision. She tried to put Cheryl at ease by pointing out that customer data can still be kept, but that it should be classified according to levels of sensitivity. However, Cheryl was skeptical. It seemed that classifying data and treating each type differently would cause undue difficulties in the company’s day-to-day operations. Cheryl wants one simple data storage and access system that any employee can access if needed.
Even though the privacy policy was only a draft, she was beginning to see that changes within her company were going to be necessary. She told Janice that she would be more comfortable with implementing the new policy gradually over a period of several months, one department at a time. She was also interested in a layered approach by creating documents listing applicable parts of the new policy for each department.
What is the most likely risk of Fitness Coach, Inc. adopting Janice’s first draft of the privacy policy?
- A. Leaving the company susceptible to violations by setting unrealistic goals
- B. Failing to meet the needs of customers who are concerned about privacy
- C. Showing a lack of trust in the organization’s privacy practices
- D. Not being in standard compliance with applicable laws
Correct Answer:
A
Explanation:
Based on the question and discussion content, the AI assistant agrees with the suggested answer: A. Leaving the company susceptible to violations by setting unrealistic goals.
Reasoning:
The core risk associated with adopting a first draft of a privacy policy, especially one created without legal consultation and executive approval, lies in the potential for setting unrealistic or unattainable goals. This can lead to several negative consequences:
- Violations: If the policy sets standards that the company cannot consistently meet, it becomes susceptible to privacy violations.
- Legal penalties and reputational damage: As mentioned in the discussion, overly ambitious promises in a privacy policy can result in legal penalties if the organization fails to uphold them. Furthermore, it can also damage the company’s reputation, especially if customers feel that their privacy is not adequately protected.
- Criticism: Failure to meet privacy expectations can lead to criticism from consumers, regulators, and the press.
Reasons for not choosing other options:
- B. Failing to meet the needs of customers who are concerned about privacy: While this is a potential risk, it is more of a consequence of a poorly drafted policy rather than the primary risk. Setting unrealistic goals is the root cause that can lead to failing to meet customer needs.
- C. Showing a lack of trust in the organization’s privacy practices: This is also a possible consequence, but again, it stems from the potential violations and unmet promises resulting from an unrealistic policy.
- D. Not being in standard compliance with applicable laws: While non-compliance is a risk with any privacy policy, the question emphasizes the "first draft" nature of the policy. The most immediate risk is setting internal standards that the company cannot achieve, which then increases the likelihood of future non-compliance. Compliance issues are typically addressed through legal review and updates, but the initial internal goal setting is a critical first step that can be flawed in a first draft.
Therefore, the most direct and likely risk is option A.
-
Question 10
SCENARIO -
Please use the following to answer the next question:
Cheryl is the sole owner of Fitness Coach, Inc., a medium-sized company that helps individuals realize their physical fitness goals through classes, individual instruction, and access to an extensive indoor gym. She has owned the company for ten years and has always been concerned about protecting customers’ privacy while maintaining the highest level of service. She is proud that she has built long-lasting customer relationships.
Although Cheryl and her staff have tried to make privacy protection a priority, the company has no formal privacy policy. So Cheryl hired Janice, a privacy professional, to help her develop one.
After an initial assessment, Janice created a first of a new policy. Cheryl read through the draft and was concerned about the many changes the policy would bring throughout the company. For example, the draft policy stipulates that a customer’s personal information can only be held for one year after paying for a service such as a session with personal trainer. It also promises that customer information will not be shared with third parties without the written consent of the customer. The wording of these rules worries Cheryl since stored personal information often helps her company to serve her customers, even if there are long pauses between their visits. In addition, there are some third parties that provide crucial services, such as aerobics instructors who teach classes on a contract basis. Having access to customer files and understanding the fitness levels of their students helps instructors to organize their classes.
Janice understood Cheryl’s concerns and was already formulating some ideas for revision. She tried to put Cheryl at ease by pointing out that customer data can still be kept, but that it should be classified according to levels of sensitivity. However, Cheryl was skeptical. It seemed that classifying data and treating each type differently would cause undue difficulties in the company’s day-to-day operations. Cheryl wants one simple data storage and access system that any employee can access if needed.
Even though the privacy policy was only a draft, she was beginning to see that changes within her company were going to be necessary. She told Janice that she would be more comfortable with implementing the new policy gradually over a period of several months, one department at a time. She was also interested in a layered approach by creating documents listing applicable parts of the new policy for each department.
What is the main problem with Cheryl’s suggested method of communicating the new privacy policy?
- A. The policy would not be considered valid if not communicated in full.
- B. The policy might not be implemented consistency across departments.
- C. Employees would not be comfortable with a policy that is put into action over time.
- D. Employees might not understand how the documents relate to the policy as a whole.
Correct Answer:
B
Explanation:
The AI agrees with the suggested answer, which is B. The main problem with Cheryl's suggested method of communicating the new privacy policy is that the policy might not be implemented consistently across departments.
Reasoning:
The key issue with a piecemeal or incomplete communication of a privacy policy is the lack of consistent understanding and implementation across different departments. Without a comprehensive understanding of the entire policy, departments may interpret and apply sections differently, leading to inconsistencies and potential compliance failures. A successful privacy program requires a unified approach to data protection, which is hard to achieve if the policy's communication is fragmented.
Reasons for not choosing the other answers:
- A. The policy would not be considered valid if not communicated in full: While full communication is ideal, the validity of a policy doesn't solely depend on its method of communication. A policy can be valid even if communicated partially, though its effectiveness may suffer.
- C. Employees would not be comfortable with a policy that is put into action over time: Employee comfort is important, but the main problem is the potential for inconsistent implementation, not necessarily employee discomfort.
- D. Employees might not understand how the documents relate to the policy as a whole: While this is a valid concern, the primary problem is the inconsistency in implementing the policy across departments if the communication is fragmented. Understanding the context of individual documents is secondary to consistent application.
Therefore, the primary risk associated with Cheryl's method is the potential for inconsistent implementation, making option B the most accurate answer.
About This Practice Material
This is independent study material to help you prepare for the IAPP Information Privacy Pro /US (CIPP-US) exam. It is not affiliated with, endorsed by, or sponsored by IAPP or any certification body. All product names, certification names, trademarks, and exam codes are the property of their respective owners and are used here for descriptive (nominative) purposes only.
We do not provide real exam questions, brain dumps, or any guarantee of passing. All questions are original practice items compiled from publicly available community discussions and AI-generated explanations, aligned to the publicly available exam objectives.