Amazon
Avaya
Cisco
CompTIA
CrowdStrike
EC-Council
EXIN
Fortinet
Google
ISC
ISC2
ITIL
Juniper
Microsoft
NVIDIA
Okta
Palo Alto Networks
Salesforce
All Vendors
  1. Home
  2. IAPP
  3. CIPP-US

IAPP CIPP-US Exam (page: 3)
IAPP Certified Information Privacy Professional/United States (CIPP/US)
Updated on: 12-Feb-2026

Viewing Page 3 of 33
CIPP-US PDF 251 Questions

An organization self-certified under Privacy Shield must, upon request by an individual, do what?

  1. Suspend the use of all personal information collected by the organization to fulfill its original purpose.
  2. Provide the identities of third parties with whom the organization shares personal information.
  3. Provide the identities of third and fourth parties that may potentially receive personal information.
  4. Identify all personal information disclosed during a criminal investigation.

Answer(s): B


Reference:

https://www.lakesidesoftware.com/sites/default/files/Privacy_Shield_Privacy_Statement.pdf



Which of the following federal agencies does NOT enforce the Disposal Rule under the Fair and Accurate Credit Transactions Act (FACTA)?

  1. The Office of the Comptroller of the Currency
  2. The Consumer Financial Protection Bureau
  3. The Department of Health and Human Services
  4. The Federal Trade Commission

Answer(s): C


Reference:

https://en.wikipedia.org/wiki/Fair_and_Accurate_Credit_Transactions_Act



SCENARIO
Please use the following to answer the next question:

A US-based startup company is selling a new gaming application. One day, the CEO of the company receives an urgent letter from a prominent EU-based retail partner. Triggered by an unresolved complaint lodged by an EU resident, the letter describes an ongoing investigation by a supervisory authority into the retailer's data handling practices.

The complainant accuses the retailer of improperly disclosing her personal data, without consent, to parties in the United States. Further, the complainant accuses the EU-based retailer of failing to respond to her withdrawal of consent and request for erasure of her personal data. Your organization, the US-based startup company, was never informed of this request for erasure by the EU-based retail partner. The supervisory authority investigating the complaint has threatened the suspension of data flows if the parties involved do not cooperate with the investigation. The letter closes with an urgent request: "Please act immediately by identifying all personal data received from our company."

This is an important partnership. Company executives know that its biggest fans come from Western Europe; and this retailer is primarily responsible for the startup's rapid market penetration.

As the Company's data privacy leader, you are sensitive to the criticality of the relationship with the retailer.

At this stage of the investigation, what should the data privacy leader review first?

  1. Available data flow diagrams
  2. The text of the original complaint
  3. The company's data privacy policies
  4. Prevailing regulation on this subject

Answer(s): A



SCENARIO
Please use the following to answer the next question:

A US-based startup company is selling a new gaming application. One day, the CEO of the company receives an urgent letter from a prominent EU-based retail partner. Triggered by an unresolved complaint lodged by an EU resident, the letter describes an ongoing investigation by a supervisory authority into the retailer's data handling practices.

The complainant accuses the retailer of improperly disclosing her personal data, without consent, to parties in the United States. Further, the complainant accuses the EU-based retailer of failing to respond to her withdrawal of consent and request for erasure of her personal data. Your organization, the US-based startup company, was never informed of this request for erasure by the EU-based retail partner. The supervisory authority investigating the complaint has threatened the suspension of data flows if the parties involved do not cooperate with the investigation. The letter closes with an urgent request: "Please act immediately by identifying all personal data received from our company."

This is an important partnership. Company executives know that its biggest fans come from Western Europe; and this retailer is primarily responsible for the startup's rapid market penetration.

As the Company's data privacy leader, you are sensitive to the criticality of the relationship with the retailer.

Upon review, the data privacy leader discovers that the Company's documented data inventory is obsolete.
What is the data privacy leader's next best source of information to aid the investigation?

  1. Reports on recent purchase histories
  2. Database schemas held by the retailer
  3. Lists of all customers, sorted by country
  4. Interviews with key marketing personnel

Answer(s): C



SCENARIO
Please use the following to answer the next question:

A US-based startup company is selling a new gaming application. One day, the CEO of the company receives an urgent letter from a prominent EU-based retail partner. Triggered by an unresolved complaint lodged by an EU resident, the letter describes an ongoing investigation by a supervisory authority into the retailer's data handling practices.

The complainant accuses the retailer of improperly disclosing her personal data, without consent, to parties in the United States. Further, the complainant accuses the EU-based retailer of failing to respond to her withdrawal of consent and request for erasure of her personal data. Your organization, the US-based startup company, was never informed of this request for erasure by the EU-based retail partner. The supervisory authority investigating the complaint has threatened the suspension of data flows if the parties involved do not cooperate with the investigation. The letter closes with an urgent request: "Please act immediately by identifying all personal data received from our company."

This is an important partnership. Company executives know that its biggest fans come from Western Europe; and this retailer is primarily responsible for the startup's rapid market penetration.

As the Company's data privacy leader, you are sensitive to the criticality of the relationship with the retailer.

Under the General Data Protection Regulation (GDPR), how would the U.S.-based startup company most likely be classified?

  1. As a data supervisor
  2. As a data processor
  3. As a data controller
  4. As a data manager

Answer(s): B



SCENARIO
Please use the following to answer the next question:

A US-based startup company is selling a new gaming application. One day, the CEO of the company receives an urgent letter from a prominent EU-based retail partner. Triggered by an unresolved complaint lodged by an EU resident, the letter describes an ongoing investigation by a supervisory authority into the retailer's data handling practices.

The complainant accuses the retailer of improperly disclosing her personal data, without consent, to parties in the United States. Further, the complainant accuses the EU-based retailer of failing to respond to her withdrawal of consent and request for erasure of her personal data. Your organization, the US-based startup company, was never informed of this request for erasure by the EU-based retail partner. The supervisory authority investigating the complaint has threatened the suspension of data flows if the parties involved do not cooperate with the investigation. The letter closes with an urgent request: "Please act immediately by identifying all personal data received from our company."

This is an important partnership. Company executives know that its biggest fans come from Western Europe; and this retailer is primarily responsible for the startup's rapid market penetration.

As the Company's data privacy leader, you are sensitive to the criticality of the relationship with the retailer.

Under the GDPR, the complainant's request regarding her personal information is known as what?

  1. Right of Access
  2. Right of Removal
  3. Right of Rectification
  4. Right to Be Forgotten

Answer(s): D



In which situation would a policy of "no consumer choice" or "no option" be expected?

  1. When a job applicant's credit report is provided to an employer
  2. When a customer's financial information is requested by the government
  3. When a patient's health record is made available to a pharmaceutical company
  4. When a customer's street address is shared with a shipping company

Answer(s): D


Reference:

https://privacyproficient.com/what-is-no-option-or-no-consumer-choice/



What is the main challenge financial institutions face when managing user preferences?

  1. Ensuring they are in compliance with numerous complex state and federal privacy laws
  2. Developing a mechanism for opting out that is easy for their consumers to navigate
  3. Ensuring that preferences are applied consistently across channels and platforms
  4. Determining the legal requirements for sharing preferences with their affiliates

Answer(s): C



Viewing Page 3 of 33



Share your comments for IAPP CIPP-US exam with other users:

trying 7/28/2023 12:37:00 PM

thanks good stuff
UNITED STATES