Pass Your IAPP CIPP-US Exam with Correct 228 Questions and Answers [Q35-Q60]

Share

Pass Your IAPP CIPP-US Exam with Correct 228 Questions and Answers

Latest [Oct 09, 2025] 2025 Realistic Verified CIPP-US Dumps

NEW QUESTION # 35
What role does the U.S. Constitution play in the area of workplace privacy?

  • A. It provides significant protections to federal and state governments, but not to private-sector employment
  • B. It provides enforcement resources to large employers, but not to small businesses
  • C. It provides legal precedent for physical information security, but not for electronic security
  • D. It provides contractual protections to members of labor unions, but not to employees at will

Answer: A

Explanation:
The U.S. Constitution plays a limited role in the area of workplace privacy, because it mainly applies to the actions of the government, not private employers. The Fourth Amendment protects the right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures. The Supreme Court has interpreted this right to include a reasonable expectation of privacy in certain situations, such as in one's home, car, or personal belongings. However, this right does not extend to private-sector employees, who are not protected by the Constitution from the actions of their employers, unless the employer is acting as an agent of the government. Private-sector employees may have some privacy rights under state laws, common law, or contractual agreements, but these vary depending on the jurisdiction and the circumstances.
Public-sector employees, on the other hand, are protected by the Constitution from unreasonable searches and seizures by their employers, who are considered part of the government. Public- sector employees have a reasonable expectation of privacy in their workplace, unless there is a legitimate work-related reason for the search or seizure, such as to ensure safety, security, or efficiency. Public- sector employers must also comply with the due process and equal protection clauses of the Fifth and Fourteenth Amendments, which prohibit the government from depriving any person of life, liberty, or property without due process of law, or from denying any person the equal protection of the laws. These clauses protect public-sector employees from arbitrary or discriminatory actions by their employers that affect their employment status or benefits.
Therefore, the U.S. Constitution plays a significant role in the area of workplace privacy for federal and state governments, but not for private-sector employment, because it only regulates the actions of the government, not private actors.


NEW QUESTION # 36
What was unique about the action that the Federal Trade Commission took against B.J.'s Wholesale Club in 2005?

  • A. It was the first substantial U.S.-EU Safe Harbor enforcement.
  • B. It made user consent mandatory after any revisions of policy.
  • C. It made third-party audits a penalty for policy violations.
  • D. It was based on matters of fairness rather than deception.

Answer: D

Explanation:
The Federal Trade Commission (FTC) is the primary federal agency that enforces consumer privacy and data security laws in the United States. The FTC has the authority to bring enforcement actions against businesses that engage in unfair or deceptive acts or practices that affect commerce, under Section 5 of the FTC Act. Unfair acts or practices are those that cause or are likely to cause substantial injury to consumers that is not reasonably avoidable by consumers and is not outweighed by countervailing benefits to consumers or competition. Deceptive acts or practices are those that involve a material representation, omission, or practice that is likely to mislead consumers acting reasonably under the circumstances.
The FTC's action against B.J.'s Wholesale Club in 2005 was unique because it was based on matters of fairness rather than deception. The FTC alleged that B.J.'s Wholesale Club, a retailer that operates warehouse stores and gas stations, failed to provide reasonable security for the sensitive information of its customers, such as name, card number, and expiration date, that it collected from the magnetic stripes of credit and debit cards. The FTC claimed that this information was used by unauthorized persons to make millions of dollars of fraudulent purchases. The FTC did not allege that B.J.'s Wholesale Club made any false or misleading statements or omissions about its data security practices, but rather that its failure to take appropriate security measures was an unfair practice that violated Section 5 of the FTC Act. The FTC argued that B.J.'s Wholesale Club's lax security caused or was likely to cause substantial injury to consumers that was not reasonably avoidable by consumers and was not outweighed by any benefits to consumers or competition. The FTC's action against B.J.'s Wholesale Club was one of the first cases in which the FTC used its unfairness authority to address data security issues, and it set a precedent for future enforcement actions against businesses that fail to protect consumer data. The settlement required B.J.'s Wholesale Club to implement a comprehensive information security program and obtain audits by an independent third-party security professional every other year for 20 years.


NEW QUESTION # 37
When developing a company privacy program, which of the following relationships will most help a privacy professional develop useful guidance for the organization?

  • A. Relationships with company leaders responsible for approving, implementing, and periodically reviewing the corporate privacy program.
  • B. Relationships with individuals within the privacy professional community who are able to share expertise and leading practices for different industries.
  • C. Relationships with individuals across company departments and at different levels in the organization's hierarchy.
  • D. Relationships with clients, vendors, and customers whose data will be primarily collected and used throughout the organizational program.

Answer: C

Explanation:
When developing a company privacy program, a privacy professional needs to understand the business objectives, processes, and risks of the organization, as well as the legal and regulatory requirements and best practices for privacy. To achieve this, a privacy professional should establish and maintain relationships with individuals across company departments and at different levels in the organization's hierarchy, such as IT, marketing, human resources, legal, compliance, security, and senior management. These relationships will help the privacy professional to gather relevant information, identify privacy issues and gaps, communicate privacy policies and procedures, provide training and awareness, monitor compliance, and resolve conflicts.
The other relationshipslisted are also important, but not as essential as the internal relationships for developing a company privacy program. References:
* IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 5: Developing a Privacy Program, Section 5.1: Privacy Program Framework, p. 145-146
* IAPP CIPP/US Body of Knowledge, Domain V: Developing a Privacy Program, Objective V.A:
Identify the components of a privacy program framework, Subobjective V.A.1: Identify the roles and responsibilities of individuals within the organization, p. 23
* IAPP CIPP/US Exam Blueprint, Domain V: Developing a Privacy Program, Objective V.A: Identify the components of a privacy program framework, Subobjective V.A.1: Identify the roles and responsibilities of individuals within the organization, p. 7


NEW QUESTION # 38
Which of the following practices is NOT a key component of a data ethics framework?

  • A. Data governance.
  • B. Preferability testing.
  • C. Automated decision-making.
  • D. Auditing.

Answer: C

Explanation:
A data ethics framework is a set of principles and guidelines that help organizations ensure that their data practices are ethical, responsible, and trustworthy. According to the IAPP CIPP/US Study Guide, some of the key components of a data ethics framework are1:
* Data governance: the policies, processes, and standards that govern how data is collected, used, stored, and shared within an organization.
* Preferability testing: the process of assessing the potential impacts and risks of data-driven solutions on stakeholders, such as customers, employees, and society.
* Auditing: the process of monitoring, reviewing, and verifying the compliance and performance of data practices against the established ethical standards and legal requirements. Automated decision-making, on the other hand, is not a key component of a data ethics framework, but rather a data practice that may raise ethical issues and challenges. Automated decision-making refers to the use of algorithms, artificial intelligence, or machine learning to make decisions or recommendations without human intervention2. While automated decision-making can offer benefits such as efficiency, accuracy, and consistency, it can also pose risks such as bias, discrimination, lack of transparency, and accountability3. Therefore, automated decision-making should be subject to ethical evaluation and oversight, but it is not itself a part of a data ethics framework. References:
* [IAPP CIPP/US Study Guide], Chapter 10, Section 10.4, page 287
* [IAPP Glossary], Automated Decision-Making
* IAPP Resources, Ethical Data Use and Automated Decision-Making: A Practical Guide


NEW QUESTION # 39
In 2012, the White House and the FTC both issued reports advocating a new approach to privacy enforcement that can best be described as what?

  • A. Harm-based.
  • B. Comprehensive.
  • C. Self-regulatory.
  • D. Notice and choice.

Answer: B

Explanation:
In 2012, the White House released a report titled "Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy", which proposed a Consumer Privacy Bill of Rights based on the Fair Information Practice Principles (FIPPs). The report called for a comprehensive privacy framework that would apply to all commercial sectors and all personal data, regardless of the technology or business model involved. The report also urged Congress to enact legislation to implement the framework and empower the FTC to enforce it. Similarly, the FTC released a report titled
"Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers", which outlined a set of best practices for businesses to protect consumer privacy and foster innovation. The report also advocated for a comprehensive privacy framework that would cover both online and offline data, and apply to all entities that collect or use consumer data that can be reasonably linked to a specific consumer, computer, or device. The report also recommended that Congress consider enacting baseline privacy legislation and giving the FTC rulemaking authority to implement it. Therefore, both reports can be described as advocating a comprehensive approach to privacy enforcement, rather than a harm-based, self-regulatory, or notice and choice approach. References: White House Report, FTC Report, IAPP CIPP/US Study Guide (p. 31-32)


NEW QUESTION # 40
SCENARIO
Please use the following to answer the next QUESTION :
A US-based startup company is selling a new gaming application. One day, the CEO of the company receives an urgent letter from a prominent EU-based retail partner. Triggered by an unresolved complaint lodged by an EU resident, the letter describes an ongoing investigation by a supervisory authority into the retailer's data handling practices.
The complainant accuses the retailer of improperly disclosing her personal data, without consent, to parties in the United States. Further, the complainant accuses the EU-based retailer of failing to respond to her withdrawal of consent and request for erasure of her personal dat a. Your organization, the US-based startup company, was never informed of this request for erasure by the EU-based retail partner. The supervisory authority investigating the complaint has threatened the suspension of data flows if the parties involved do not cooperate with the investigation. The letter closes with an urgent request: "Please act immediately by identifying all personal data received from our company." This is an important partnership. Company executives know that its biggest fans come from Western Europe; and this retailer is primarily responsible for the startup's rapid market penetration.
As the Company's data privacy leader, you are sensitive to the criticality of the relationship with the retailer.
Under the General Data Protection Regulation (GDPR), how would the U.S.-based startup company most likely be classified?

  • A. As a data controller
  • B. As a data supervisor
  • C. As a data manager
  • D. As a data processor

Answer: D

Explanation:
Processor is the answer and correct based on the fact that the EU retailer was collecting consents and sending data internationally to US. The distractor of lack of consent and the instruction somehow implied that it now needs to be adhered to by the processor despite controller EU Retailer messing up should be mindfully sidestepped. Supervisor and Controller are synonymous with both terms used in the GDPR. Data manager is not a term used in GDPR.


NEW QUESTION # 41
Which of the following laws is NOT involved in the regulation of employee background checks?

  • A. The U.S. Fair Credit Reporting Act (FCRA).
  • B. The Civil Rights Act.
  • C. The Gramm-Leach-Bliley Act (GLBA).
  • D. The California Investigative Consumer Reporting Agencies Act (ICRAA).

Answer: C

Explanation:
The law that is not involved in the regulation of employee background checks is B. The Gramm-Leach-Bliley Act (GLBA). The GLBA is a federal law that regulates the privacy and security of financial information collected, used, or shared by financial institutions, such as banks, insurance companies, or securities firms. The GLBA does not apply to employee background checks, unless the employer is a financial institution that obtains financial information from a consumer reporting agency for employment purposes. In that case, the employer must comply with the GLBA's notice and opt-out requirements, as well as the FCRA's requirements for using consumer reports. References:
* [IAPP CIPP/US Study Guide], Chapter 4: Workplace Privacy, pp. 113-114.
* IAPP CIPP/US Body of Knowledge, Section IV: Workplace Privacy, Subsection A: Employee Privacy Expectations, Topic 3: Background Checks.
* IAPP CIPP/US Practice Questions, Question 150.


NEW QUESTION # 42
California's SB 1386 was the first law of its type in the United States to do what?

  • A. Require state attorney general enforcement of federal regulations against unfair and deceptive trade practices
  • B. Require notification of non-California residents of a breach that occurred in California
  • C. Require encryption of sensitive information stored on servers that are Internet connected
  • D. Require commercial entities to disclose a security data breach concerning personal information about the state's residents

Answer: D


NEW QUESTION # 43
SCENARIO
Please use the following to answer the next QUESTION:
A US-based startup company is selling a new gaming application. One day, the CEO of the company receives an urgent letter from a prominent EU-based retail partner. Triggered by an unresolved complaint lodged by an EU resident, the letter describes an ongoing investigation by a supervisory authority into the retailer's data handling practices.
The complainant accuses the retailer of improperly disclosing her personal data, without consent, to parties in the United States. Further, the complainant accuses the EU-based retailer of failing to respond to her withdrawal of consent and request for erasure of her personal data. Your organization, the US-based startup company, was never informed of this request for erasure by the EU-based retail partner. The supervisory authority investigating the complaint has threatened the suspension of data flows if the parties involved do not cooperate with the investigation. The letter closes with an urgent request: "Please act immediately by identifying all personal data received from our company." This is an important partnership. Company executives know that its biggest fans come from Western Europe; and this retailer is primarily responsible for the startup's rapid market penetration.
As the Company's data privacy leader, you are sensitive to the criticality of the relationship with the retailer.
Under the GDPR, the complainant's request regarding her personal information is known as what?

  • A. Right of Removal
  • B. Right of Rectification
  • C. Right to Be Forgotten
  • D. Right of Access

Answer: C

Explanation:
Under the GDPR, the complainant's request regarding her personal information is known as the right to be forgotten, also known as the right to erasure. This right allows individuals to ask organizations to delete their personal data in certain circumstances, such as when the data is no longer necessary, the consent is withdrawn, or the processing is unlawful. The right to be forgotten is not absolute and may not apply if the processing is necessary for legal, public interest, or legitimate purposes. The right to be forgotten also requires organizations to inform any recipients of the data about the erasure request, unless it is impossible or involves disproportionate effort. References:
* Everything you need to know about the "Right to be forgotten"
* Right to erasure | ICO
* Art. 17 GDPR - Right to erasure ('right to be forgotten') - General ...
* [IAPP CIPP/US Certified Information Privacy Professional Study Guide], Chapter 6, page 213.


NEW QUESTION # 44
If an organization certified under Privacy Shield wants to transfer personal data to a third party acting as an agent, the organization must ensure the third party does all of the following EXCEPT?

  • A. Provides the same level of privacy protection as the organization
  • B. Uses the transferred data for limited purposes
  • C. Notifies the organization if it can no longer meet its requirements for proper data handling
  • D. Enters a contract with the organization that states the third party will process data according to the consent agreement

Answer: D

Explanation:
According to the Privacy Shield Framework, an organization that transfers personal data to a third party acting as an agent must ensure that the agent does all of the following1:
* Uses the transferred data only for limited and specified purposes;
* Provides the same level of privacy protection as is required by the Privacy Shield Principles;
* Takes reasonable and appropriate steps to ensure that the agent effectively processes the personal information transferred in a manner consistent with the organization's obligations under the Principles;
* Requires the agent to notify the organization if it makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the Principles;
* Upon notice, takes reasonable and appropriate steps to stop and remediate unauthorized processing; and
* Provides a summary or a representative copy of the relevant privacy provisions of its contract with that agent to the Department of Commerce upon request.
Therefore, the only option that is not required by the Privacy Shield Framework is D. Enters a contract with the organization that states the third party will process data according to the consent agreement. While the organization must obtain the individual's consent for certain types of data transfers, such as those involving sensitive data or onward transfers to controllers, the organization does not have to include the consent agreement in the contract with the agent. The contract must, however, ensure that the agent will process the data in accordance with the individual's choices and expectations, as well as the Privacy Shield Principles2.
References: 1: Privacy Shield Framework3, Section 3 (b); 2: Privacy Shield Framework3, Section 2 (b) and
; 3: Privacy Shield Framework.


NEW QUESTION # 45
Which entities must comply with the Telemarketing Sales Rule?

  • A. For-profit organizations calling businesses when a binding contract exists between them
  • B. For-profit organizations and for-profit telefunders regarding charitable solicitations
  • C. Nonprofit organizations calling on their own behalf
  • D. For-profit and not-for-profit organizations when selling additional services to establish customers

Answer: D

Explanation:
Explanation/Reference: https://www.ftc.gov/tips-advice/business-center/guidance/complying-telemarketing-sales-rule


NEW QUESTION # 46
Smith Memorial Healthcare (SMH) is a hospital network headquartered in New York and operating in 7 other states. SMH uses an electronic medical record to enter and track information about its patients. Recently, SMH suffered a data breach where a third-party hacker was able to gain access to the SMH internal network.
Because it is a HIPPA-covered entity, SMH made a notification to the Office of Civil Rights at the U.S. Department of Health and Human Services about the breach.
Which statement accurately describes SMH's notification responsibilities?

  • A. If SMH is compliant with HIPAA, it will not have to make a separate notification to individuals in the state of New York.
  • B. If SMH must make a notification in any other state in which it operates, it must also make a notification to individuals in New York.
  • C. If SMH makes credit monitoring available to individuals who inquire, it will not have to make a separate
  • D. If SMH has more than 500 patients in the state of New York, it will need to make separate notifications to these patients.

Answer: A

Explanation:
notification to individuals in the state of New York.
Explanation:
https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-new-york.html


NEW QUESTION # 47
Privacy Is Hiring Inc., a CA-based company, is an online specialty recruiting firm focusing on placing privacy professionals in roles at major companies. Job candidates create online profiles outlining their experience and credentials, and can pay $19.99/month via credit card to have their profiles promoted to potential employers. Privacy Is Hiring Inc. keeps all customer data at rest encrypted on its servers.
Under what circumstances would Privacy Is Hiring Inc., need to notify affected individuals in the event of a data breach?

  • A. If law enforcement has completed its investigation and has authorized Privacy Is Hiring Inc. to provide the notification to clients and applicable regulators.
  • B. If the personal information stolen included the individuals' names and credit card pin numbers.
  • C. If Privacy Is Hiring Inc., reasonably believes that job candidates will be harmed by the data breach.
  • D. If the job candidates' credit card information and the encryption keys were among the information taken.

Answer: D

Explanation:
Under the California Consumer Privacy Act (CCPA), a business that collects personal information of California residents must notify them of a data breach if their personal information is subject to unauthorized access and exfiltration, theft, or disclosure as a result of the business's violation of the duty to implement and maintain reasonable security procedures and practices. However, the CCPA excludes encrypted or redacted personal information from the definition of personal information, unless the encryption key or security credential is also compromised. Therefore, Privacy Is Hiring Inc. would need to notify the affected individuals only if the encryption keys were also taken along with the credit card information, as this would render the encryption ineffective and expose the personal information to unauthorized access.


NEW QUESTION # 48
When does the Telemarketing Sales Rule require an entity to share a do-not-call request across its organization?

  • A. When the goods and services sold by its divisions are very similar
  • B. When the entity manages user preferences through multiple platforms
  • C. When a call is not the result of an error or other unforeseen cause
  • D. When the operational structures of its divisions are not transparent

Answer: D

Explanation:
* The Telemarketing Sales Rule (TSR) is a federal regulation that implements the Telemarketing and Consumer Fraud and Abuse Prevention Act of 1994. The TSR aims to protect consumers from deceptive or abusive telemarketing practices, such as unwanted calls, false or misleading claims, unauthorized billing, and privacy violations1.
* The TSR requires telemarketers and sellers to comply with the National Do Not Call Registry, which is a list of phone numbers of consumers who have indicated that they do not want to receive telemarketing calls2.
* The TSR also requires telemarketers and sellers to honor the do-not-call requests of individual consumers, regardless of whether their numbers are on the National Do Not Call Registry or not2.
* A do-not-call request is a statement made by a consumer, either orally or in writing, that they do not wish to receive any more calls from a specific telemarketer or seller2.
* The TSR requires an entity to share a do-not-call request across its organization when the operational
* structures of its divisions are not transparent to consumers3. This means that the entity must treat the do-not-call request as if it applies to all of its affiliates and subsidiaries that engage in telemarketing, unless the consumer would reasonably expect them to be separate and distinct entities based on their names, products, or services3.
* The TSR does not require an entity to share a do-not-call request across its organization in the following situations:
* When the goods and services sold by its divisions are very similar. This is not a relevant factor for determining whether the entity must share a do-not-call request across its organization. The key factor is whether the consumers can distinguish between the different divisions based on their operational structures3.
* When a call is not the result of an error or other unforeseen cause. This is not an exception to the requirement to honor a do-not-call request. The TSR prohibits telemarketers and sellers from calling a consumer who has made a do-not-call request, unless the call falls under one of the specific exemptions, such as calls from or on behalf of tax-exempt nonprofit organizations, calls to consumers with whom the seller has an established business relationship, or calls to consumers who have given prior express written consent2.
* When the entity manages user preferences through multiple platforms. This is not an excuse for not sharing a do-not-call request across its organization. The TSR requires telemarketers and sellers to maintain an internal do-not-call list of consumers who have asked them not to call again, and to update the list at least once every 31 days2. The entity must ensure that the do-not-call request is recorded and communicated across all of its platforms that are used for telemarketing purposes3.
References: 1: Telemarketing Sales Rule 2: Q&A for Telemarketers & Sellers About DNC Provisions in TSR 3: Federal Register :: Telemarketing Sales Rule


NEW QUESTION # 49
What is the main purpose of requiring marketers to use the Wireless Domain Registry?

  • A. To prevent unauthorized emails to mobile devices
  • B. To acquire authorization to send emails to mobile devices
  • C. To ensure their emails are sent to actual wireless subscribers
  • D. To access a current list of wireless domain names

Answer: A

Explanation:
The Wireless Domain Registry is a list of domain names that are used to transmit electronic messages to wireless devices, such as cell phones and pagers. The purpose of the registry is to protect wireless consumers from unwanted commercial electronic mail messages, by identifying the domain names for those who send such messages. Marketers are required to use the registry to avoid sending unsolicited emails to wireless devices, which may incur costs or inconvenience for the recipients. Sending such emails without the express prior authorization of the recipient is a violation of the CAN-SPAM Act of 2003. References: https://www.
fcc.gov/cgb/policy/domain-name-input
https://www.prnewswire.com/in/news-releases/the-wireless-registry-launches-worlds-first-global- registry-for-wireless-names-240222521.html


NEW QUESTION # 50
Which action is prohibited under the Electronic Communications Privacy Act of 1986?

  • A. Monitoring all employee telephone calls
  • B. Intercepting electronic communications and unauthorized access to stored communications
  • C. Accessing stored communications with the consent of the sender or recipient of the message
  • D. Monitoring employee telephone calls of a personal nature

Answer: B

Explanation:
The Electronic Communications Privacy Act of 1986 (ECPA) is a federal law that protects the privacy of wire, oral, and electronic communications while they are being made, in transit, or stored on computers. The ECPA has three titles: Title I prohibits the intentional interception, use, or disclosure of wire, oral, or electronic communications, except for certain exceptions, such as consent, provider protection, or law enforcement purposes. Title II, also known as the Stored Communications Act (SCA), prohibits the unauthorized access to or disclosure of stored wire or electronic communications, such as email, voicemail, or online messages, except for certain exceptions, such as consent, provider protection, or law enforcement purposes. Title III regulates the installation and use of pen register and trap and trace devices, which record the numbers dialed to or from a telephone line, but not the content of the communications. Therefore, the action that is prohibited under the ECPA is intercepting electronic communications and unauthorized access to stored communications, which are covered by Title I and Title II of the Act, respectively.


NEW QUESTION # 51
SCENARIO
Please use the following to answer the next QUESTION :
Matt went into his son's bedroom one evening and found him stretched out on his bed typing on his laptop. "Doing your network?" Matt asked hopefully.
"No," the boy said. "I'm filling out a survey."
Matt looked over his son's shoulder at his computer screen. "What kind of survey?" "It's asking QUESTIONS about my opinions."
"Let me see," Matt said, and began reading the list of QUESTIONS that his son had already answered. "It's asking your opinions about the government and citizenship. That's a little odd. You're only ten." Matt wondered how the web link to the survey had ended up in his son's email inbox. Thinking the message might have been sent to his son by mistake he opened it and read it. It had come from an entity called the Leadership Project, and the content and the graphics indicated that it was intended for children. As Matt read further he learned that kids who took the survey were automatically registered in a contest to win the first book in a series about famous leaders.
To Matt, this clearly seemed like a marketing ploy to solicit goods and services to children. He asked his son if he had been prompted to give information about himself in order to take the survey. His son told him he had been asked to give his name, address, telephone number, and date of birth, and to answer QUESTIONS about his favorite games and toys.
Matt was concerned. He doubted if it was legal for the marketer to collect information from his son in the way that it was. Then he noticed several other commercial emails from marketers advertising products for children in his son's inbox, and he decided it was time to report the incident to the proper authorities.
Based on the incident, the FTC's enforcement actions against the marketer would most likely include what violation?

  • A. Disregarding the privacy policy of the children's marketing industry.
  • B. Intruding upon the privacy of a family with young children.
  • C. Collecting information from a child under the age of thirteen.
  • D. Failing to notify of a breach of children's private information.

Answer: C


NEW QUESTION # 52
SCENARIO
Please use the following to answer the next QUESTION
Matt went into his son's bedroom one evening and found him stretched out on his bed typing on his laptop. "Doing your homework?" Matt asked hopefully.
"No," the boy said. "I'm filling out a survey."
Matt looked over his son's shoulder at his computer screen. "What kind of survey?" "It's asking QUESTIONs about my opinions."
"Let me see," Matt said, and began reading the list of
QUESTION s that his son had already answered. "It's asking your opinions about the government and citizenship. That's a little odd. You're only ten." Matt wondered how the web link to the survey had ended up in his son's email inbox. Thinking the message might have been sent to his son by mistake he opened it and read it. It had come from an entity called the Leadership Project, and the content and the graphics indicated that it was intended for children. As Matt read further he learned that kids who took the survey were automatically registered in a contest to win the first book in a series about famous leaders.
To Matt, this clearly seemed like a marketing ploy to solicit goods and services to children. He asked his son if he had been prompted to give information about himself in order to take the survey. His son told him he had been asked to give his name, address, telephone number, and date of birth, and to answer QUESTIONs about his favorite games and toys.
Matt was concerned. He doubted if it was legal for the marketer to collect information from his son in the way that it was. Then he noticed several other commercial emails from marketers advertising products for children in his son's inbox, and he decided it was time to report the incident to the proper authorities.
Depending on where Matt lives, the marketer could be prosecuted for violating which of the following?

  • A. Consumer Bill of Rights.
  • B. Red Flag Rules.
  • C. Investigative Consumer Reporting Agencies Act.
  • D. Unfair and Deceptive Acts and Practices laws.

Answer: D


NEW QUESTION # 53
Read this notice:
Our website uses cookies. Cookies allow us to identify the computer or device you're using to access the site, but they don't identify you personally. For instructions on setting your Web browser to refuse cookies, click here.
What type of legal choice does not notice provide?

  • A. Opt-out
  • B. Opt-in
  • C. Mandatory
  • D. Implied consent

Answer: D

Explanation:
* A cookie is a small piece of data that a website sends to a user's browser and stores on the user's device, usually for the purpose of remembering the user's preferences, settings, or actions1.
* A cookie notice is a message that informs the user about the website's use of cookies and the user's choices regarding the acceptance or rejection of cookies2.
* A legal choice is the mechanism that the website provides to the user to express their consent or dissent to the use of cookies2.
* There are different types of legal choices for cookie notices, depending on the applicable laws and regulations, such as the General Data Protection Regulation (GDPR) in the European Union or the California Consumer Privacy Act (CCPA) in the United States34.
* The four types of legal choices mentioned in the question are:
* Mandatory: The website does not allow the user to access the site unless they accept the use of cookies. This type of choice is generally considered unlawful and non-compliant with the GDPR and the CCPA34.
* Implied consent: The website assumes that the user consents to the use of cookies by continuing to browse the site or by dismissing the cookie notice. This type of choice is often used by websites that operate in the U.S. or other jurisdictions that do not have strict cookie laws, but it may not be sufficient for the GDPR or the CCPA34.
* Opt-in: The website requires the user to explicitly agree to the use of cookies by clicking a button or checking a box. This type of choice is usually compliant with the GDPR and the CCPA, as it ensures that the user gives informed and affirmative consent34.
* Opt-out: The website allows the user to reject the use of cookies by clicking a link or changing their browser settings. This type of choice is also compliant with the GDPR and the CCPA, as it gives the user the right to withdraw their consent at any time34.
* Based on the description of the cookie notice in the question, the type of legal choice that the notice provides is implied consent, as the website does not explicitly ask for the user's agreement, but rather assumes that the user accepts the use of cookies by using the site. The notice also provides a link for the user to opt out of cookies by setting their browser to refuse them.
References: 1: Cookie 2: Cookie Notice 3: INSIGHT: Website Cookies and Privacy-GDPR, CCPA, and Evolving Standards for Online Consent 4: Do You Need A Cookie Notice


NEW QUESTION # 54
Which law provides employee benefits, but often mandates the collection of medical information?

  • A. The Family and Medical Leave Act.
  • B. The Occupational Safety and Health Act.
  • C. The Americans with Disabilities Act.
  • D. The Employee Medical Security Act.

Answer: A

Explanation:
The Family and Medical Leave Act (FMLA) is a federal law that provides eligible employees with up to 12 weeks of unpaid, job-protected leave per year for certain family and medical reasons, such as the birth or adoption of a child, the serious health condition of the employee or a family member, or a qualifying exigency arising from the employee's spouse, child, or parent being on covered active duty or call to covered active duty status in the Armed Forces. The FMLA also provides eligible employees with up to 26 weeks of unpaid, job-protected leave per year to care for a covered service member with a serious injury or illness if the employee is the spouse, child, parent, or next of kin of the service member. The FMLA applies to all public agencies, including state, local, and federal employers, and local education agencies (schools), and to private sector employers who employ 50 or more employees for at least 20 workweeks in the current or preceding calendar year.
The FMLA often requires employers to collect medical information from employees who request FMLA leave or from their health care providers to certify the need for leave, the duration of leave, and the employee' s ability to return to work. The FMLA regulations specify the type and amount of information that employers may request and require for different types of FMLA leave, such as:
* Basic medical facts, such as the diagnosis, symptoms, hospitalization, doctor visits, whether medication has been prescribed, and any referrals for evaluation or treatment, for the employee's own serious health condition or that of a family member.
* Information on the medical necessity of intermittent leave or reduced schedule leave and the expected frequency and duration of such leave, for the employee's own serious health condition or that of a family member, or for planned medical treatment.
* A statement of the facts regarding the qualifying exigency, such as the type of military duty, the dates of the covered active duty, and the contact information of the military member, for leave due to a qualifying exigency arising from the employee's spouse, child, or parent being on covered active duty or call to covered active duty status in the Armed Forces.
* Information on the medical condition, treatment, and recovery of the covered service member, such as the date of injury or onset of illness, the current medical status, the prognosis, and the estimated time of treatment, for leave to care for a covered service member with a serious injury or illness.
The FMLA also imposes certain obligations on employers to protect the privacy and security of the medical information they collect from employees or their health care providers. For example, employers must:
* Maintain records and documents relating to medical certifications, recertifications, or medical histories of employees or employees' family members as confidential medical records in separate files/records from the usual personnel files, and if the Americans with Disabilities Act (ADA) applies, such records must be maintained in conformance with ADA confidentiality requirements.
* Ensure that any electronic systems used to maintain such records meet the confidentiality requirements of the FMLA and the ADA, and that only authorized persons have access to such records.
* Limit the disclosure of such records to supervisors and managers who need to know about an employee' s FMLA leave, first aid and safety personnel when an employee's medical condition might require emergency treatment, and government officials investigating compliance with the FMLA.
* Comply with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule when requesting medical information from an employee's health care provider, such as obtaining a valid authorization from the employee or using a HIPAA-compliant certification form.
* Refrain from requesting more information than allowed by the FMLA regulations, such as asking for an employee's complete medical records or information unrelated to the FMLA leave request.
* Respect the employee's right to revoke a medical authorization or challenge a medical certification, and follow the procedures for resolving disputes over the validity or sufficiency of such documents.
References:
* The Family and Medical Leave Act (FMLA)
* FMLA Employee Guide
* FMLA Employer Guide
* FMLA Regulations
* FMLA Forms


NEW QUESTION # 55
Under the EU-US Data Privacy Framework, what must participating organizations provide to individuals in regard to complaints and disputes?

  • A. A copy 01 the individual's personal data
  • B. A description of the organization's data processing policies
  • C. A means of communicating with the organization's privacy team.
  • D. An independent recourse mechanism.

Answer: D

Explanation:
Under the EU-US Data Privacy Framework (DPF), organizations that participate in the framework must provide individuals with a way to resolve complaints and disputes about how their personal data is handled.
Specifically, organizations are required to offer an independent recourse mechanism to ensure compliance with the principles of the framework. This mechanism enables individuals to bring their complaints forward and have them addressed through an impartial and accessible process.
The independent recourse mechanism is critical to the DPF as it reinforces accountability and builds trust in cross-border data transfers. Organizations must select a third-party dispute resolution provider (such as an alternative dispute resolution body or a regulatory body) and disclose this mechanism in their privacy policies.
The mechanism must be provided free of charge to the individual.
Explanation of Options:
* A. An independent recourse mechanism: This is the correct answer, as it is explicitly required under the EU-US Data Privacy Framework for resolving disputes and complaints related to data privacy.
* B. A copy of the individual's personal data: While data access rights are part of broader privacy regulations (e.g., GDPR), this is not specific to the EU-US DPF's requirements regarding complaint handling.
* C. A description of the organization's data processing policies: While transparency about data processing is an important requirement under the DPF, it does not address the need for a formal dispute resolution mechanism.
* D. A means of communicating with the organization's privacy team: While communication channels are essential, they do not meet the requirement for an independent recourse mechanism as stipulated by the DPF.
References from CIPP/US Materials:
* EU-US Data Privacy Framework Principles: Specifically, the "Recourse, Enforcement, and Liability" principle requires participating organizations to provide an independent recourse mechanism for complaints.
* IAPP CIPP/US Certification Textbook: Discusses dispute resolution and redress mechanisms as a cornerstone of international data transfer agreements.
* US Department of Commerce Privacy Shield Program Website: Similar requirements under the now-replaced Privacy Shield have been carried over to the DPF, ensuring individuals have access to independent redress mechanisms.


NEW QUESTION # 56
Which of the following describes the most likely risk for a company developing a privacy policy with standards that are much higher than its competitors?

  • A. Being more closely scrutinized for any breaches of policy
  • B. Attracting skepticism from auditors
  • C. Having a security system failure
  • D. Getting accused of discriminatory practices

Answer: A

Explanation:
A company that develops a privacy policy with standards that are much higher than its competitors may face the risk of being more closely scrutinized for any breaches of policy by regulators, customers, media, or other stakeholders. This is because the company sets a higher expectation for its privacy practices and may be held to a higher standard of accountability and transparency. If the company fails to comply with its own policy or experiences a data breach, it may face more severe consequences, such as reputational damage, loss of trust, legal liability, or regulatory sanctions. References:
* IAPP CIPP/US Body of Knowledge, Section I, B, 2
* [IAPP CIPP/US Study Guide, Chapter 1, Section 1.4]


NEW QUESTION # 57
According to Section 5 of the FTC Act, self-regulation primarily involves a company's right to do what?

  • A. Adhere to its industry's code of conduct
  • B. Decide if any enforcement actions are justified
  • C. Appeal decisions made against it
  • D. Determine which bodies will be involved in adjudication

Answer: A

Explanation:
According to Section 5 of the FTC Act, self-regulation primarily involves a company's right to adhere to its industry's code of conduct. Self-regulation is a process by which an industry or a group of companies voluntarily adopts and enforces standards or guidelines to protect consumers and promote fair competition. The FTC encourages self-regulation as a way to complement its enforcement efforts and address emerging issues in the marketplace. The FTC also monitors self- regulatory programs and may take action against companies that fail to comply with their own codes of conduct or misrepresent their participation in such programs.


NEW QUESTION # 58
Which of the following best describes the ASIA-Pacific Economic Cooperation (APEC) principles?

  • A. A bill of rights for individuals seeking access to their personal information.
  • B. A baseline of marketers' minimum responsibilities for providing opt-out mechanisms.
  • C. A code of responsibilities for medical establishments to uphold privacy laws.
  • D. An international court ruling on personal information held in the commercial sector.

Answer: D

Explanation:
The APEC principles are part of the APEC Privacy Framework, which is an inter-governmental agreement among the 21 member economies of the Asia-Pacific Economic Cooperation (APEC) to promote information privacy protection and the free flow of information in the region. The APEC Privacy Framework consists of four parts: a preamble, a scope, a set of nine information privacy principles, and an implementation section. The APEC information privacy principles are:
Preventing harm: Personal information controllers should take reasonable steps to protect personal information from loss, misuse, unauthorized access, disclosure, alteration, and destruction, and to address the risks and challenges posed by specific technologies and business practices. Notice: Personal information controllers should provide clear and easily accessible statements about their personal information handling practices, including the types of personal information they collect, the purposes for which they collect it, the types of third parties to which they disclose it, the choices and means they offer individuals for limiting the use and disclosure of their personal information, and how they can contact the personal information controller with inquiries or complaints.


NEW QUESTION # 59
SCENARIO
Please use the following to answer the next QUESTION
Felicia has spent much of her adult life overseas, and has just recently returned to the U.S. to help her friend Celeste open a jewelry store in California. Felicia, despite being excited at the prospect, has a number of security concerns, and has only grudgingly accepted the need to hire other employees. In order to guard against the loss of valuable merchandise, Felicia wants to carefully screen applicants. With their permission, Felicia would like to run credit checks, administer polygraph tests, and scrutinize videos of interviews. She intends to read applicants' postings on social media, ask questions about drug addiction, and solicit character references. Felicia believes that if potential employees are serious about becoming part of a dynamic new business, they will readily agree to these requirements.
Felicia is also in favor of strict employee oversight. In addition to protecting the inventory, she wants to prevent mistakes during transactions, which will require video monitoring. She also wants to regularly check the company vehicle's GPS for locations visited by employees. She also believes that employees who use their own devices for work-related purposes should agree to a certain amount of supervision.
Given her high standards, Felicia is skeptical about the proposed location of the store. She has been told that many types of background checks are not allowed under California law. Her friend Celeste thinks these worries are unfounded, as long as applicants verbally agree to the checks and are offered access to the results.
Nor does Celeste share Felicia's concern about state breach notification laws, which, she claims, would be costly to implement even on a minor scale. Celeste believes that even if the business grows a customer database of a few thousand, it's unlikely that a state agency would hassle an honest business if an accidental security incident were to occur.
In any case, Celeste feels that all they need is common sense - like remembering to tear up sensitive documents before throwing them in the recycling bin. Felicia hopes that she's right, and that all of her concerns will be put to rest next month when their new business consultant (who is also a privacy professional) arrives from North Carolina.
Which law will be most relevant to Felicia's plan to ask applicants about drug addiction?

  • A. The Occupational Safety and Health Act (OSHA).
  • B. The Americans with Disabilities Act (ADA).
  • C. The Genetic Information Nondiscrimination Act of 2008.
  • D. The Health Insurance Portability and Accountability Act (HIPAA).

Answer: B

Explanation:
The ADA prohibits employers from discriminating against qualified individuals with disabilities in all aspects of employment, including hiring, firing, promotion, compensation, and training. The ADA also limits the types of medical inquiries and examinations that employers can make of applicants and employees. Under the ADA, a disability is defined as a physical or mental impairment that substantially limits one or more major life activities, a record of such an impairment, or being regarded as having such an impairment. The ADA covers current, past, and perceived drug addiction as a disability, unless the individual is currently engaging in the illegal use of drugs. Therefore, Felicia's plan to ask applicants about drug addiction may violate the ADA, unless she can show that the inquiry is job-related and consistent with business necessity. The other laws are not directly relevant to Felicia's plan, although they may have other implications for her business. References: ADA, IAPP CIPP/US Study Guide (p. 95-96)


NEW QUESTION # 60
......

Get 2025 Updated Free IAPP CIPP-US Exam Questions and Answer: https://ucertify.examprepaway.com/IAPP/braindumps.CIPP-US.ete.file.html