• Home
  • Articles
  • CIPP-US Dumps with Practice Exam Questions Answers [Q39-Q54]

CIPP-US Dumps with Practice Exam Questions Answers [Q39-Q54]

Share

CIPP-US Dumps with Practice Exam Questions Answers

CIPP-US by Certified Information Privacy Professional Actual Free Exam Practice Test


IAPP CIPP-US exam is designed for professionals who work in the field of privacy, including privacy officers, privacy consultants, and privacy lawyers. CIPP-US exam is also suitable for those who are interested in pursuing a career in privacy. CIPP-US exam is open to anyone who has a basic understanding of privacy laws and regulations in the US and can demonstrate their knowledge through passing the exam.


IAPP CIPP-US certification is an excellent choice for individuals who work with data privacy laws and regulations in the United States, and who are looking to advance their careers in this field. With its rigorous exam, comprehensive coverage of US privacy laws and regulations, and widespread recognition in the industry, the CIPP-US certification is an excellent investment for anyone looking to build a successful career in data privacy.

 

NEW QUESTION # 39
SCENARIO
Please use the following to answer the next QUESTION
When there was a data breach involving customer personal and financial information at a large retail store, the company's directors were shocked. However, Roberta, a privacy analyst at the company and a victim of identity theft herself, was not. Prior to the breach, she had been working on a privacy program report for the executives. How the company shared and handled data across its organization was a major concern. There were neither adequate rules about access to customer information nor procedures for purging and destroying outdated dat a. In her research, Roberta had discovered that even low- level employees had access to all of the company's customer data, including financial records, and that the company still had in its possession obsolete customer data going back to the 1980s.
Her report recommended three main reforms. First, permit access on an as-needs-to-know basis. This would mean restricting employees' access to customer information to data that was relevant to the work performed. Second, create a highly secure database for storing customers' financial information (e.g., credit card and bank account numbers) separate from less sensitive information. Third, identify outdated customer information and then develop a process for securely disposing of it.
When the breach occurred, the company's executives called Roberta to a meeting where she presented the recommendations in her report. She explained that the company having a national customer base meant it would have to ensure that it complied with all relevant state breach notification laws. Thanks to Roberta's guidance, the company was able to notify customers quickly and within the specific timeframes set by state breach notification laws.
Soon after, the executives approved the changes to the privacy program that Roberta recommended in her report. The privacy program is far more effective now because of these changes and, also, because privacy and security are now considered the responsibility of every employee.
What could the company have done differently prior to the breach to reduce their risk?

  • A. Implemented a comprehensive policy for accessing customer information.
  • B. Looked for any persistent threats to security that could compromise the company's network.
  • C. Honored the promise of its privacy policy to acquire information by using an opt-in method.
  • D. Communicated requests for changes to users' preferences across the organization and with third parties.

Answer: A


NEW QUESTION # 40
Sarah lives in San Francisco, Californi
a. Based on a dramatic increase in unsolicited commercial emails, Sarah believes that a major social media platform with over 50 million users has collected a lot of personal information about her. The company that runs the platform is based in New York and France.
Why is Sarah entitled to ask the social media platform to delete the personal information they have collected about her?

  • A. Under Section 5 of the FTC Act, the Federal Trade Commission has held that refusing to delete an individual's personal information upon request constitutes an unfair practice.
  • B. Any company with a presence in Europe must comply with the General Data Protection Regulation globally, including in response to data subject deletion requests.
  • C. The New York "Stop Hacks and Improve Electronic Data Security" (SHIELD) Act requires that businesses under New York's jurisdiction must delete customers' personal information upon request.
  • D. The California Consumer Privacy Act entitles Sarah to request deletion of her personal information.

Answer: D


NEW QUESTION # 41
Under the Telemarketing Sales Rule, what characteristics of consent must be in place for an organization to acquire an exception to the Do-Not-Call rules for a particular consumer?

  • A. The consent must be in writing, must contain the number to which calls can be made and must have an end date
  • B. The consent must be in writing, must contain the number to which calls can be made and must be signed
  • C. The consent must be in writing, must have an end data and must state the times when calls can be made
  • D. The consent must be in writing, must state the times when calls can be made to the consumer and must be signed

Answer: B

Explanation:
The Telemarketing Sales Rule (TSR) is a federal regulation that applies to telemarketing calls, which are defined as "a plan, program, or campaign which is conducted to induce the purchase of goods or services or a charitable contribution, by use of one or more telephones and which involves more than one interstate telephone call."1 The TSR requires telemarketers to make specific disclosures, prohibit misrepresentations, limit the times and number of calls, and set payment restrictions for the sale of certain goods and services. TheTSR also gives consumers the right to opt out of receiving telemarketing calls by registering their phone numbers on the National Do Not Call Registry.2 The TSR applies to both for-profit and not-for-profit organizations, but there are some exemptions and partial exemptions for certain types of entities, calls, and transactions. For example, the TSR does not apply to nonprofit organizations calling on their own behalf, as they are not considered to be engaged in telemarketing.
However, if a nonprofit organization hires a for-profit telemarketer or telefunder to solicit charitable contributions on its behalf, the for-profit entity must comply with the TSR, as it is engaged in telemarketing.
Similarly, the TSR does not apply to for-profit organizations calling businesses when a binding contract exists between them, as they are not considered to be inducing the purchase of goods or services. However, if a for-profit organization calls businesses to sell additional services to established customers, the TSR applies, as it is considered to be inducing the purchase of goods or services.3 Therefore, among the four options, only for-profit organizations and for-profit telefunders regarding charitable solicitations must comply with the TSR, as they are engaged in telemarketing and do not fall under any of the exemptions or partial exemptions. References: 1: eCFR :: 16 CFR Part 310 - Telemarketing Sales Rule3, Section 310.22: Telemarketing Sales Rule | Federal Trade Commission1, Rule Summary3: Complying with the Telemarketing Sales Rule - Federal Trade Commission2, Exemptions to the TSR.


NEW QUESTION # 42
The Video Privacy Protection Act of 1988 restricted which of the following?

  • A. Which purchase records of audio visual materials may be disclosed
  • B. When a user's viewing of online video content can be monitored
  • C. When downloading of copyrighted audio visual materials is allowed
  • D. Who advertisements for videos and video games may target

Answer: A

Explanation:
The VPPA was enacted to prevent the wrongful disclosure of personally identifiable information (PII) concerning any consumer of a video tape service provider. PII includes information that identifies a person as having requested or obtained specific video materials or services from a video tape service provider. The VPPA prohibits such disclosure, except in certain limited circumstances, such as with the consumer's informed, written consent, or pursuant to a law enforcement warrant, subpoena, or court order. The VPPA also allows the disclosure of the names and addresses of consumers, but not the title, description, or subject matter of any video tapes or other audio visual material, for the exclusive use of marketing goods and services directly to the consumer, unless the consumer has opted out of such disclosure. The other options (B, C, and D) are not restricted by the VPPA. References:
* Video Privacy Protection Act - Wikipedia
* 18 U.S. Code ยง 2710 - Wrongful disclosure of video tape rental or sale records | U.S. Code | US Law | LII / Legal Information Institute
* IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 3: Federal Privacy Laws and Regulations, Section 3.5: Video Privacy Protection Act (VPPA)


NEW QUESTION # 43
Which of the following privacy rights is NOT available under the Colorado Privacy Act?

  • A. The right to access sensitive data.
  • B. The right to correct sensitive data.
  • C. The right to limit the use of sensitive data.
  • D. The right to delete sensitive data.

Answer: C

Explanation:
"The CPA grants Colorado Consumers new rights with respect to their personal data, including the right to access, delete, and correct their personal data as well as the right to opt out of the sale of their personal data or its use for targeted advertising or certain kinds of profiling."
https://coag.gov/resources/colorado-privacy-act/
Even without knowing for certain the answer, one can reason that it should be D. It would be administratively difficult for businesses to adhere to varying limitation requests for each consumer... Therefore such a right would not make sense from a public policy perspective.


NEW QUESTION # 44
What is a legal document approved by a judge that formalizes an agreement between a governmental agency and an adverse party called?

  • A. Stare decisis decree
  • B. A consent decree
  • C. Common law judgment
  • D. A judgment rider

Answer: B


NEW QUESTION # 45
Why was the Privacy Protection Act of 1980 drafted?

  • A. To protect individuals from personal privacy invasion by the police
  • B. To assist prosecutors in civil litigation against newspaper companies
  • C. To assist in the prosecution of white-collar crimes
  • D. To respond to police searches of newspaper facilities

Answer: A


NEW QUESTION # 46
U.S. federal laws protect individuals from employment discrimination based on all of the following EXCEPT?

  • A. Pregnancy.
  • B. Age.
  • C. Marital status.
  • D. Genetic information.

Answer: A


NEW QUESTION # 47
SCENARIO
Please use the following to answer the next QUESTION
Otto is preparing a report to his Board of Directors at Filtration Station, where he is responsible for the privacy program. Filtration Station is a U.S. company that sells filters and tubing products to pharmaceutical companies for research use. The company is based in Seattle, Washington, with offices throughout the U.S. and Asi a. It sells to business customers across both the U.S. and the Asia-Pacific region. Filtration Station participates in the Cross-Border Privacy Rules system of the APEC Privacy Framework.
Unfortunately, Filtration Station suffered a data breach in the previous quarter. An unknown third party was able to gain access to Filtration Station's network and was able to steal data relating to employees in the company's Human Resources database, which is hosted by a third-party cloud provider based in the U.S. The HR data is encrypted. Filtration Station also uses the third-party cloud provider to host its business marketing contact database. The marketing database was not affected by the data breach. It appears that the data breach was caused when a system administrator at the cloud provider stored the encryption keys with the data itself.
The Board has asked Otto to provide information about the data breach and how updates on new developments in privacy laws and regulations apply to Filtration Station. They are particularly concerned about staying up to date on the various U.S. state laws and regulations that have been in the news, especially the California Consumer Privacy Act (CCPA) and breach notification requirements.
The Board has asked Otto whether the company will need to comply with the new California Consumer Privacy Law (CCPA). What should Otto tell the Board?

  • A. That CCPA will apply to the company only after the California Attorney General determines that it will enforce the statute.
  • B. That business contact information could be considered personal information governed by CCPA.
  • C. That CCPA only applies to companies based in California, which exempts the company from compliance.
  • D. That the company is governed by CCPA, but does not need to take any additional steps because it follows CPBR.

Answer: B

Explanation:
CCPA applies regardless of enforcement. Under the CPRA, which amended the CCPA, business contact information is PII.


NEW QUESTION # 48
What consumer service was the Fair Credit Reporting Act (FCRA) originally intended to provide?

  • A. The ability to appeal negative credit-based decisions.
  • B. The ability to investigate incidents of identity theft.
  • C. The ability to correct inaccurate credit information.
  • D. The ability to receive reports from multiple credit reporting agencies.

Answer: C

Explanation:
The Fair Credit Reporting Act (FCRA) was originally intended to provide consumers with the ability to correct inaccurate credit information that could affect their access to credit, employment, insurance, and other benefits. The FCRA gives consumers the right to access their credit reports from the three major credit reporting agencies (Equifax, Experian, and TransUnion) for free once every 12 months, and to dispute any errors or inaccuracies with the credit reporting agencies or the information furnishers (such as lenders, creditors, or debt collectors). The FCRA also requires the credit reporting agencies and the information furnishers to investigate and resolve the disputes within 30 days, and to delete or correct any information that is found to be inaccurate, incomplete, or outdated. The FCRA also provides consumers with the right to place fraud alerts or security freezes on their credit reports if they are victims or potential victims of identity theft, and to receive notifications from users of their credit reports (such as employers or insurers) if any adverse action is taken based on their credit information. References:
* Fair Credit Reporting Act - Wikipedia
* What is the Fair Credit Reporting Act (FCRA)? | Money
* The Fair Credit Reporting Act of 1970 - The Balance
* How the Fair Credit Reporting Act (FCRA) Protects Consumer Rights


NEW QUESTION # 49
What does the Massachusetts Personal Information Security Regulation require as it relates to encryption of personal information?

  • A. The encryption of all personal information of Massachusetts residents when all equipment is located in Massachusetts.
  • B. The encryption of all personal information of Massachusetts residents when stored on portable devices.
  • C. The encryption of all personal information stored in Massachusetts-based companies when all equipment is located in Massachusetts.
  • D. The encryption of personal information stored in Massachusetts-based companies when stored on portable devices.

Answer: B


NEW QUESTION # 50
In 2014, Google was alleged to have violated the Family Educational Rights and Privacy Act (FERPA) through its Apps for Education suite of tools. For what specific practice did students sue the company?

  • A. Making student education records publicly available
  • B. Relying on verbal consent for a disclosure of education records
  • C. Scanning emails sent to and received by students
  • D. Disclosing education records without obtaining required consent

Answer: C


NEW QUESTION # 51
SCENARIO
Please use the following to answer the next QUESTION:
Cheryl is the sole owner of Fitness Coach, Inc., a medium-sized company that helps individuals realize their physical fitness goals through classes, individual instruction, and access to an extensive indoor gym. She has owned the company for ten years and has always been concerned about protecting customer's privacy while maintaining the highest level of service. She is proud that she has built long-lasting customer relationships.
Although Cheryl and her staff have tried to make privacy protection a priority, the company has no formal privacy policy. So Cheryl hired Janice, a privacy professional, to help her develop one.
After an initial assessment, Janice created a first of a new policy. Cheryl read through the draft and was concerned about the many changes the policy would bring throughout the company. For example, the draft policy stipulates that a customer's personal information can only be held for one year after paying for a service such as a session with personal trainer. It also promises that customer information will not be shared with third parties without the written consent of the customer. The wording of these rules worry Cheryl since stored personal information often helps her company to serve her customers, even if there are long pauses between their visits. In addition, there are some third parties that provide crucial services, such as aerobics instructors who teach classes on a contract basis. Having access to customer files and understanding the fitness levels of their students helps instructors to organize their classes.
Janice understood Cheryl's concerns and was already formulating some ideas for revision. She tried to put Cheryl at ease by pointing out that customer data can still be kept, but that it should be classified according to levels of sensitivity. However, Cheryl was skeptical. It seemed that classifying data and treating each type differently would cause undue difficulties in the company's day-to-day operations. Cheryl wants one simple data storage and access system that any employee can access if needed.
Even though the privacy policy was only a draft, she was beginning to see that changes within her company were going to be necessary. She told Janice that she would be more comfortable with implementing the new policy gradually over a period of several months, one department at a time. She was also interested in a layered approach by creating documents listing applicable parts of the new policy for each department.
What is the most likely risk of Fitness Coach, Inc. adopting Janice's first draft of the privacy policy?

  • A. Not being in standard compliance with applicable laws
  • B. Leaving the company susceptible to violations by setting unrealistic goals
  • C. Showing a lack of trust in the organization's privacy practices
  • D. Failing to meet the needs of customers who are concerned about privacy

Answer: B


NEW QUESTION # 52
Privacy Is Hiring Inc., a CA-based company, is an online specialty recruiting firm focusing on placing privacy professionals in roles at major companies. Job candidates create online profiles outlining their experience and credentials, and can pay $19.99/month via credit card to have their profiles promoted to potential employers. Privacy Is Hiring Inc. keeps all customer data at rest encrypted on its servers.
Under what circumstances would Privacy Is Hiring Inc., need to notify affected individuals in the event of a data breach?

  • A. If Privacy Is Hiring Inc., reasonably believes that job candidates will be harmed by the data breach.
  • B. If the personal information stolen included the individuals' names and credit card pin numbers.
  • C. If the job candidates' credit card information and the encryption keys were among the information taken.
  • D. If law enforcement has completed its investigation and has authorized Privacy Is Hiring Inc. to provide the notification to clients and applicable regulators.

Answer: C

Explanation:
California law requires a business or state agency to notify any California resident whose unencrypted personal information, as defined, was acquired, or reasonably believed to have been acquired, by an unauthorized person. (California Civil Code s. 1798.29(a) [agency] and California Civ. Code s. 1798.82(a) [person or business].) https://oag.ca.gov/privacy/databreach/reporting


NEW QUESTION # 53
Under state breach notification laws, which is NOT typically included in the definition of personal information?

  • A. State identification number
  • B. Medical Information
  • C. Social Security number
  • D. First and last name

Answer: B


NEW QUESTION # 54
......


IAPP CIPP-US, or Certified Information Privacy Professional/United States, is a highly respected certification for professionals who work with data privacy laws and regulations in the United States. Certified Information Privacy Professional/United States (CIPP/US) certification is offered by the International Association of Privacy Professionals (IAPP), a non-profit organization that provides education and resources for individuals working in the field of privacy.

 

Free Certified Information Privacy Professional CIPP-US Exam Question: https://www.dumpsquestion.com/CIPP-US-exam-dumps-collection.html

CIPP-US dumps & Certified Information Privacy Professional sure practice dumps: https://drive.google.com/open?id=1FL7Sh-FiHzocS5bi3wNYbOO7JJnwfbEo

Related Articles

more
IAPP CIPP-US Certification Practice Exam

Copyright © 2026 DumpsQuestion NETWORK CO.,LIMITED. All Rights Reserved. All trademarks used are properties of their respective owners. Privacy Policy