
[Q97-Q114] CIPP-US Practice Test Give You First Time Success with 100% Money Back Guarantee!



Topics of IAPP CIPP-US: Certified Information Privacy Professional/United States (CIPP/US) Exam

Candidates should know the exam topics before they start preparing, because it helps them focus on what matters. Note that the outline reproduced below is the IAPP CIPP/E (European) body of knowledge, not the CIPP/US one; the CIPP/US exam covers the U.S. privacy environment, private-sector limits on collection and use, government and court access, workplace privacy, and state privacy law, which is what the practice questions further down actually test.

1. Introduction to Data Protection

Origins and Historical Context of Data Protection Law

  • Rationale for data protection, human rights laws, early laws and regulations, the need for a harmonised European approach, the Treaty of Lisbon; a modernized framework

Legislative Framework

  • The Council of Europe Convention for the Protection of Individuals with Regard to the Automatic Processing of Personal Data of 1981 (the CoE Convention), the EU Data Protection Directive (95/46/EC), the EU Directive on Privacy and Electronic Communications (2002/58/EC), European data retention regimes, the General Data Protection Regulation (GDPR) and related legislation.

2. European Data Protection Law and Regulation

Data Protection Concepts

  • Personal data, sensitive personal data, pseudonymous and anonymous data, processing, controller, processor, data subject

Territorial and Material Scope of the GDPR

  • Establishment in the EU, non-establishment in the EU

Data Processing Principles

  • Fairness and lawfulness, purpose limitation, proportionality, accuracy, storage limitation (retention), integrity and confidentiality

Lawful Processing Criteria

  • Consent, contractual necessity, legal obligation, vital interests and public interest, legitimate interests, special categories of processing

Information Provision Obligations

  • Transparency principle, privacy notices, layered notices

Data Subjects' Rights

  • Access, rectification, erasure and the right to be forgotten, restriction and objection, consent (and withdrawal of), automated decision making, including profiling, data portability, restrictions

Security of Personal Data

  • Appropriate technical and organisational measures, breach notification, vendor management, data sharing

Accountability Requirements

  • Responsibility of controllers and processors, data protection by design and by default, documentation and cooperation with regulators, data protection impact assessments, mandatory data protection officers

International Data Transfers

  • Rationale for prohibition, safe jurisdictions, Safe Harbor and Privacy Shield, model contracts, Binding Corporate Rules (BCRs), codes of conduct and certifications, derogations

Supervision and Enforcement

  • Supervisory authorities and their powers, the European Data Protection Board, role of the European Data Protection Supervisor (EDPS)

Consequences for GDPR Violations

  • Process and procedures, infringement and fines, data subject compensation

3. Compliance with European Data Protection Law and Regulation

Employment Relationships

  • Legal basis for processing of employee data, storage of personnel records, workplace monitoring and data loss prevention, EU Works councils, whistleblowing systems, 'Bring your own device' (BYOD) programs

Surveillance Activities

  • Surveillance by public authorities, interception of communications, closed-circuit television (CCTV), geolocation

Direct Marketing

  • Telemarketing, direct marketing, online behavioural targeting

Internet Technologies and Communications

  • Cloud computing, web cookies, search engine marketing (SEM), social networking services


NEW QUESTION # 97
A company's employee wellness portal offers an app to track exercise activity via users' mobile devices. Which of the following design techniques would most effectively inform users of their data privacy rights and privileges when using the app?

  • A. Present a privacy policy to users during the wellness program registration process.
  • B. Publish a privacy policy written in clear, concise, and understandable language.
  • C. Provide a link to the wellness program privacy policy at the bottom of each screen.
  • D. Offer information about data collection and uses at key data entry points.

Answer: D

Explanation:
A notice shown at the point where the data is actually collected (a "just-in-time" notice) is the design technique that most effectively informs mobile app users, because it reaches them at the moment they decide whether to share the data. A policy presented once at registration, a well-written policy published somewhere, or a link at the bottom of every screen is far less likely to be read when that decision is being made.


NEW QUESTION # 98
Which of the following conditions would NOT be sufficient to excuse an entity from providing breach notification under state law?

  • A. If the data involved was accessed but not exported.
  • B. If the entity followed internal notification procedures compatible with state law.
  • C. If the entity was subject to the GLBA Safeguards Rule.
  • D. If the data involved was encrypted.

Answer: C

Explanation:
While compliance with the Safeguards Rule helps in preventing breaches and ensuring data security, it does not necessarily exempt an entity from having to provide breach notifications as required by state laws. State breach notification laws typically have their own criteria for when notification is required, which may include factors like the type of data compromised, the potential risk of harm to individuals, and other circumstances surrounding the breach. While following the GLBA Safeguards Rule may demonstrate a commitment to data security, it doesn't automatically override the notification obligations imposed by state laws when a data breach occurs.


NEW QUESTION # 99
In which situation would a policy of "no consumer choice" or "no option" be expected?

  • A. When a customer's financial information is requested by the government
  • B. When a patient's health record is made available to a pharmaceutical company
  • C. When a job applicant's credit report is provided to an employer
  • D. When a customer's street address is shared with a shipping company

Answer: D


NEW QUESTION # 100
Federal laws establish which of the following requirements for collecting personal information of minors under the age of 13?

  • A. Affirmative consent of a parent or guardian before collecting personal information of a minor offline (e.g., in person), which also satisfies any requirements for online consent.
  • B. Implied consent from a minor's parent or guardian before collecting a minor's personal information online, such as when they permit the minor to use the internet.
  • C. Implied consent from a minor's parent or guardian, or affirmative consent from the minor.
  • D. Affirmative consent from a minor's parent or guardian before collecting the minor's personal information online.

Answer: D


NEW QUESTION # 101
Which of the following best describes an employer's privacy-related responsibilities to an employee who has left the workplace?

  • A. An employer may consider any privacy-related responsibilities terminated, as the relationship between employer and employee is considered primarily contractual.
  • B. An employer has a responsibility to maintain the security and privacy of any sensitive employment records retained for a legitimate business purpose.
  • C. An employer has a responsibility to permanently delete or expunge all sensitive employment records to minimize privacy risks to both the employer and former employee.
  • D. An employer has a responsibility to maintain a former employee's access to computer systems and company data needed to support claims against the company such as discrimination.

Answer: B

Explanation:
Employers have a duty to protect the personal information of their current and former employees, as well as applicants, from unauthorized access, use, or disclosure. This duty may arise from federal or state laws, such as the Fair Credit Reporting Act (FCRA), the Health Insurance Portability and Accountability Act (HIPAA), or the California Consumer Privacy Act (CCPA), or from contractual obligations, such as non-disclosure agreements or privacy policies. Employers may retain sensitive employment records, such as performance evaluations, disciplinary actions, medical records, or background checks, for a legitimate business purpose, such as complying with legal requirements, defending against lawsuits, or conducting audits. However, employers must ensure that these records are stored securely, accessed only by authorized personnel, and disposed of properly when no longer needed. References: IAPP CIPP/US Study Guide, Chapter 4, Section 4.1.1; IAPP CIPP/US Body of Knowledge, Domain IV, Objective B


NEW QUESTION # 102
SCENARIO
Please use the following to answer the next QUESTION
Otto is preparing a report to his Board of Directors at Filtration Station, where he is responsible for the privacy program. Filtration Station is a U.S. company that sells filters and tubing products to pharmaceutical companies for research use. The company is based in Seattle, Washington, with offices throughout the U.S. and Asia. It sells to business customers across both the U.S. and the Asia-Pacific region. Filtration Station participates in the Cross-Border Privacy Rules system of the APEC Privacy Framework.
Unfortunately, Filtration Station suffered a data breach in the previous quarter. An unknown third party was able to gain access to Filtration Station's network and was able to steal data relating to employees in the company's Human Resources database, which is hosted by a third-party cloud provider based in the U.S. The HR data is encrypted. Filtration Station also uses the third-party cloud provider to host its business marketing contact database. The marketing database was not affected by the data breach. It appears that the data breach was caused when a system administrator at the cloud provider stored the encryption keys with the data itself.
The Board has asked Otto to provide information about the data breach and how updates on new developments in privacy laws and regulations apply to Filtration Station. They are particularly concerned about staying up to date on the various U.S. state laws and regulations that have been in the news, especially the California Consumer Privacy Act (CCPA) and breach notification requirements.
What can Otto do to most effectively minimize the privacy risks involved in using a cloud provider for the HR data?

  • A. Ensure that the cloud provider abides by the contractual requirements by conducting an on-site audit.
  • B. Obtain express consent from employees for storing the HR data in the cloud and keep a record of the employee consents.
  • C. Request that the Board sign off in a written document on the choice of cloud provider.
  • D. Negotiate a Business Associate Agreement with the cloud provider to protect any health-related data employees might share with Filtration Station.

Answer: A


NEW QUESTION # 103
SCENARIO
Please use the following to answer the next QUESTION:
Cheryl is the sole owner of Fitness Coach, Inc., a medium-sized company that helps individuals realize their physical fitness goals through classes, individual instruction, and access to an extensive indoor gym. She has owned the company for ten years and has always been concerned about protecting customer's privacy while maintaining the highest level of service. She is proud that she has built long-lasting customer relationships.
Although Cheryl and her staff have tried to make privacy protection a priority, the company has no formal privacy policy. So Cheryl hired Janice, a privacy professional, to help her develop one.
After an initial assessment, Janice created a first draft of a new policy. Cheryl read through the draft and was concerned about the many changes the policy would bring throughout the company. For example, the draft policy stipulates that a customer's personal information can only be held for one year after paying for a service such as a session with a personal trainer. It also promises that customer information will not be shared with third parties without the written consent of the customer. The wording of these rules worries Cheryl, since stored personal information often helps her company serve its customers, even if there are long pauses between their visits. In addition, there are some third parties that provide crucial services, such as aerobics instructors who teach classes on a contract basis. Having access to customer files and understanding the fitness levels of their students helps instructors organize their classes.
Janice understood Cheryl's concerns and was already formulating some ideas for revision. She tried to put Cheryl at ease by pointing out that customer data can still be kept, but that it should be classified according to levels of sensitivity. However, Cheryl was skeptical. It seemed that classifying data and treating each type differently would cause undue difficulties in the company's day-to-day operations. Cheryl wants one simple data storage and access system that any employee can access if needed.
Even though the privacy policy was only a draft, she was beginning to see that changes within her company were going to be necessary. She told Janice that she would be more comfortable with implementing the new policy gradually over a period of several months, one department at a time. She was also interested in a layered approach by creating documents listing applicable parts of the new policy for each department.
What is the most likely risk of Fitness Coach, Inc. adopting Janice's first draft of the privacy policy?

  • A. Leaving the company susceptible to violations by setting unrealistic goals
  • B. Showing a lack of trust in the organization's privacy practices
  • C. Failing to meet the needs of customers who are concerned about privacy
  • D. Not being in standard compliance with applicable laws

Answer: A

Explanation:
Janice's first draft of the privacy policy may be too restrictive and impractical for Fitness Coach, Inc. to follow, given the nature of its business and the expectations of its customers. By limiting the retention of personal information to one year and requiring written consent for any third-party sharing, the policy may create operational challenges and customer dissatisfaction. For example, customers may want to resume their fitness programs after a long hiatus and expect the company to have their previous records and preferences.
Similarly, third-party contractors may need access to customer information to provide better services and tailor their classes. If the company fails to adhere to its own privacy policy, it may face legal consequences, reputational damage, and loss of trust from its customers. Therefore, the company should adopt a more realistic and flexible privacy policy that balances its business needs and its customers' privacy rights. References:
* Privacy Policy for Health Coaches
* Privacy Policies for Online Coaches
* Privacy Policy - Coaching.com


NEW QUESTION # 104
In what way does the "Red Flags Rule" under the Fair and Accurate Credit Transactions Act (FACTA) relate to the owner of a grocery store who uses a money wire service?

  • A. It mandates the use of updated technology for securing credit records
  • B. It requires the owner to implement an identity theft warning system
  • C. It does not apply because the owner is not a creditor
  • D. It is not usually enforced in the case of a small financial institution

Answer: C

Explanation:
The Red Flags Rule is a regulation that requires financial institutions and creditors to implement a written identity theft prevention program that is designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account1. A creditor is any person who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew, or continue credit2. A covered account is an account that a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, such as a credit card account, mortgage loan, automobile loan, margin account, cell phone account, utility account, checking account, or savings account2. A money wire service is a service that allows customers to send or receive money electronically3. The owner of a grocery store who uses a money wire service is not a creditor because he or she does not regularly extend, renew, or continue credit to customers. Therefore, the Red Flags Rule does not apply to the owner of a grocery store who uses a money wire service. References:
* 1: FTC, Red Flags Rule, https://www.ftc.gov/business-guidance/privacy-security/red-flags-rule
* 2: FTC, Fighting Identity Theft with the Red Flags Rule: A How-To Guide for Business, https://www.ftc.gov/tips-advice/business-center/guidance/fighting-identity-theft-red-flags-rule-how-guide-
* 3: Alessa, Wire Transfer Red Flags: Understanding Money Laundering and Fraud Risks,
https://alessa.com/webinars/wire-transfer-red-flags-and-fraud-risks/


NEW QUESTION # 105
Which statement is FALSE regarding the provisions of the Employee Polygraph Protection Act of 1988 (EPPA)?

  • A. Employers are prohibited from administering psychological testing based on personality traits such as honesty, preferences or habits.
  • B. The EPPA requires that employers post essential information about the Act in a conspicuous location.
  • C. Employers involved in the manufacture of controlled substances may terminate employees based on polygraph results if other evidence exists.
  • D. The EPPA includes an exception that allows polygraph tests in professions in which employee honesty is necessary for public safety.

Answer: A

Explanation:
The EPPA restricts employers' use of lie detector (polygraph) tests; it does not regulate written psychological or personality tests, so statement A is false. The other statements are true: covered employers must post the EPPA notice in a conspicuous place, the Act exempts security-service firms and manufacturers, distributors or dispensers of controlled substances under specified conditions, and even under those exemptions an employee may not be discharged or disciplined solely on the basis of a polygraph result without additional supporting evidence.


NEW QUESTION # 106
Which statute is considered part of U.S. federal privacy law?

  • A. The e-Privacy Directive.
  • B. The Personal Information Protection and Electronic Documents Act.
  • C. The Fair Credit Reporting Act.
  • D. SB 1386.

Answer: C


NEW QUESTION # 107
SCENARIO
Please use the following to answer the next QUESTION:
Declan has just started a job as a nursing assistant in a radiology department at Woodland Hospital. He has also started a program to become a registered nurse.
Before taking this career path, Declan was vaguely familiar with the Health Insurance Portability and Accountability Act (HIPAA). He now knows that he must help ensure the security of his patients' Protected Health Information (PHI). Therefore, he is thinking carefully about privacy issues.
On the morning of his first day, Declan noticed that the newly hired receptionist handed each patient a HIPAA privacy notice. He wondered if it was necessary to give these privacy notices to returning patients, and if the radiology department could reduce paper waste through a system of one-time distribution.
He was also curious about the hospital's use of a billing company. He questioned whether the hospital was doing all it could to protect the privacy of its patients if the billing company had details about patients' care.
On his first day Declan became familiar with all areas of the hospital's large radiology department. As he was organizing equipment left in the hallway, he overheard a conversation between two hospital administrators. He was surprised to hear that a portable hard drive containing non-encrypted patient information was missing. The administrators expressed relief that the hospital would be able to avoid liability. Declan was surprised, and wondered whether the hospital had plans to properly report what had happened.
Despite Declan's concern about this issue, he was amazed by the hospital's effort to integrate Electronic Health Records (EHRs) into the everyday care of patients. He thought about the potential for streamlining care even more if they were accessible to all medical facilities nationwide.
Declan had many positive interactions with patients. At the end of his first day, he spoke to one patient, John, whose father had just been diagnosed with a degenerative muscular disease. John was about to get blood work done, and he feared that the blood work could reveal a genetic predisposition to the disease that could affect his ability to obtain insurance coverage. Declan told John that he did not think that was possible, but the patient was wheeled away before he could explain why. John plans to ask a colleague about this.
In one month, Declan has a paper due for one of his classes on a health topic of his choice. By then, he will have had many interactions with patients he can use as examples. He will be pleased to give credit to John by name for inspiring him to think more carefully about genetic testing.
Although Declan's day ended with many questions, he was pleased about his new position.
How can the radiology department address Declan's concern about paper waste and still comply with the Health Insurance Portability and Accountability Act (HIPAA)?

  • A. Post the privacy notice in a prominent location instead
  • B. State the privacy policy to the patient verbally
  • C. Direct patients to the correct area of the hospital website
  • D. Confirm that patients are given the privacy notice on their first visit

Answer: D

Explanation:
The HIPAA Privacy Rule requires a provider with a direct treatment relationship to give the notice of privacy practices no later than the first service delivery, to make a good-faith effort to obtain a written acknowledgment of receipt, and to post the notice prominently at the site and on any website it maintains. It does not require handing a new copy to returning patients unless the notice has materially changed, so confirming that each patient received it on the first visit satisfies the rule and avoids the repeated handouts. Posting the notice, stating it verbally, or pointing patients to the website on its own would not meet the first-visit delivery requirement.


NEW QUESTION # 108
What role does the U.S. Constitution play in the area of workplace privacy?

  • A. It provides enforcement resources to large employers, but not to small businesses
  • B. It provides legal precedent for physical information security, but not for electronic security
  • C. It provides significant protections to federal and state governments, but not to private-sector employment
  • D. It provides contractual protections to members of labor unions, but not to employees at will

Answer: C

Explanation:
The U.S. Constitution has significant workplace privacy provisions that apply to the federal and state governments, but they do not affect private-sector employment. Notably, the Fourth Amendment prohibits unreasonable searches and seizures by state actors. Courts have interpreted this amendment to place limits on the ability of government employers to search employees' private spaces, such as lockers and desks. Some states, including California, have extended their constitutional rights to privacy to private-sector employees. In general for private-sector actors, however, there is no state action, and no constitutional law governs employment privacy.


NEW QUESTION # 109
When may a financial institution share consumer information with non-affiliated third parties for marketing purposes?

  • A. After disclosing information-sharing practices to customers and after giving them an opportunity to opt out.
  • B. After disclosing marketing practices to customers and after giving them an opportunity to opt out.
  • C. After disclosing information-sharing practices to customers and after giving them an opportunity to opt in.
  • D. After disclosing marketing practices to customers and after giving them an opportunity to opt in.

Answer: A

Explanation:
According to the Gramm-Leach-Bliley Act (GLBA) and its implementing Regulation P, a financial institution may share consumer information with non-affiliated third parties for marketing purposes only after disclosing its information-sharing practices to customers and after giving them an opportunity to opt out of such sharing.
The GLBA defines a customer as a consumer who has a continuing relationship with a financial institution that provides one or more financial products or services to be used primarily for personal, family, or household purposes. A consumer is an individual who obtains or has obtained a financial product or service from a financial institution that is to be used primarily for personal, family, or household purposes, or that individual's legal representative. A non-affiliated third party is any person except a financial institution's affiliate or a person employed jointly by a financial institution and a company that is not the financial institution's affiliate. An affiliate is any company that controls, is controlled by, or is under common control with another company.
The GLBA requires that a financial institution provide a privacy notice to customers: (i) at the time of establishing the customer relationship; (ii) annually during the continuation of the customer relationship; and (iii) before disclosing any nonpublic personal information (NPI) about the customer to any non-affiliated third party, unless an exception applies. The privacy notice must describe the categories of NPI that the financial institution collects and discloses; the categories of affiliates and non-affiliated third parties to whom the financial institution discloses NPI; the categories of NPI disclosed to service providers and joint marketers; the policies and practices with respect to protecting the confidentiality and security of NPI; and the disclosures of NPI to which the customer has a right to opt out. The financial institution must also provide a reasonable means for the customer to opt out of the disclosure of NPI to non-affiliated third parties, such as a check-off box, a reply form, or a toll-free telephone number. The opt-out notice must be clear and conspicuous, and must state that the customer can opt out at any time. The opt-out notice must also explain how the customer can opt out, and the effect of opting out. The financial institution must honor the customer's opt-out direction as soon as reasonably practicable after receiving it, and must not disclose any NPI to which the opt-out applies, unless an exception applies.
The GLBA provides several exceptions to the opt-out requirement, such as when the disclosure of NPI is necessary to effect, administer, or enforce a transaction requested or authorized by the customer; when the disclosure of NPI is required or permitted by law; when the disclosure of NPI is to a consumer reporting agency in accordance with the Fair Credit Reporting Act; or when the disclosure of NPI is to a person that performs marketing services on behalf of the financial institution or on behalf of the financial institution and another financial institution under a joint marketing agreement. A joint marketing agreement is a formal written contract between a financial institution and any other person under which the parties agree to offer, endorse, or sponsor a financial product or service. The joint marketing agreement must prohibit the other person from using or disclosing the NPI for any purpose other than offering, endorsing, or sponsoring the financial product or service covered by the agreement.
The GLBA also requires that a financial institution provide a privacy notice to consumers who are not customers before disclosing any NPI about the consumer to any non-affiliated third party, unless an exception applies. The financial institution does not need to provide an opt-out notice to consumers who are not customers, unless it has a customer relationship with them. However, if the financial institution establishes a customer relationship with a consumer who was previously not a customer, it must provide a privacy notice and an opt-out notice to the customer as described above.
References:
* Guide to the Gramm-Leach-Bliley Act
* GLBA or FCRA? Data Sharing Between Affiliates and Non-Affiliates
* Existing Privacy Laws Already Regulate Information Sharing
* Why Do Banks Share Your Financial Information and Are They Allowed To?
* [IAPP CIPP/US Certified Information Privacy Professional Study Guide], Chapter 5, pages 161-165.


NEW QUESTION # 110
Acme Student Loan Company has developed an artificial intelligence algorithm that determines whether an individual is likely to pay their bill or default. A person who is determined by the algorithm to be more likely to default will receive frequent payment reminder calls, while those who are less likely to default will not receive payment reminders.
Which of the following most accurately reflects the privacy concerns with Acme Student Loan Company using artificial intelligence in this manner?

  • A. If the algorithm's methodology is disclosed to consumers, then it is acceptable for Acme to have a disparate impact on protected classes.
  • B. If the algorithm makes automated decisions based on risk factors and public information, Acme need not determine if the algorithm has a disparate impact on protected classes.
  • C. If the algorithm uses risk factors that impact the automatic decision engine, Acme must ensure that the algorithm does not have a disparate impact on protected classes in the output.
  • D. If the algorithm uses information about protected classes to make automated decisions, Acme must ensure that the algorithm does not have a disparate impact on protected classes in the output.

Answer: C

Explanation:
Under the Equal Credit Opportunity Act and Regulation B, a lender's decision practices can be challenged on a disparate-impact theory even when the model uses only facially neutral risk factors and public information. Acme therefore cannot avoid the issue by keeping protected-class data out of the inputs (option D) or by disclosing the methodology (option A); it has to test the model's outputs for disparate impact on protected classes. Option B, which says no such determination is needed, states the opposite of the obligation.


NEW QUESTION # 111
What was unique about the action that the Federal Trade Commission took against B.J.'s Wholesale Club in 2005?

  • A. It made user consent mandatory after any revisions of policy.
  • B. It was based on matters of fairness rather than deception.
  • C. It made third-party audits a penalty for policy violations.
  • D. It was the first substantial U.S.-EU Safe Harbor enforcement.

Answer: B

Explanation:
Per the FTC Press Release in 2005, "BJ's Wholesale Club, Inc. has agreed to settle Federal Trade Commission charges that its failure to take appropriate security measures to protect the sensitive information of thousands of its customers was an unfair practice that violated federal law."


NEW QUESTION # 112
What is the most likely reason that states have adopted their own data breach notification laws?

  • A. Many states have unique types of businesses that require specific legislation
  • B. Many lawmakers believe that federal enforcement of current laws has not been effective
  • C. Many large businesses have intentionally breached the personal information of their customers
  • D. Many types of organizations are not currently subject to federal laws regarding breaches

Answer: D

Explanation:
There is no general federal breach notification statute. Federal requirements such as the HIPAA Breach Notification Rule and the banking regulators' GLBA guidance cover only particular sectors, so most organizations that hold personal information would have no notification obligation at all. States filled that gap, beginning with California's SB 1386 (enacted 2002, effective 2003), and every state has since adopted its own law.


NEW QUESTION # 113
What is the most important action an organization can take to comply with the FTC position on retroactive changes to a privacy policy?

  • A. Publicizing the policy changes through social media.
  • B. Describing the policy changes on its website.
  • C. Reassuring customers of the security of their information.
  • D. Obtaining affirmative consent from its customers.

Answer: D

