According to Section 5 of the FTC Act, self-regulation primarily involves a company's right to do what?
A. Determine which bodies will be involved in adjudication
B. Decide if any enforcement actions are justified
C. Adhere to its industry's code of conduct
D. Appeal decisions made against it
What is the main purpose of the Global Privacy Enforcement Network?
A. To promote universal cooperation among privacy authorities
B. To investigate allegations of privacy violations internationally
C. To protect the interests of privacy consumer groups worldwide
D. To arbitrate disputes between countries over jurisdiction for privacy laws
All of the following are tasks in the "Discover" phase of building an information management program EXCEPT?
A. Facilitating participation across departments and levels
B. Developing a process for review and update of privacy policies
C. Deciding how aggressive to be in the use of personal information
D. Understanding the laws that regulate a company's collection of information
SCENARIO
Please use the following to answer the next question:
Matt went into his son's bedroom one evening and found him stretched out on his bed typing on his laptop.
"Doing your homework?" Matt asked hopefully.
"No," the boy said. "I'm filling out a survey."
Matt looked over his son's shoulder at his computer screen. "What kind of survey?"
"It's asking questions about my opinions."
"Let me see," Matt said, and began reading the list of questions that his son had already answered. "It's asking your opinions about the government and citizenship. That's a little odd. You're only ten."
Matt wondered how the web link to the survey had ended up in his son's email inbox. Thinking the message might have been sent to his son by mistake he opened it and read it. It had come from an entity called the Leadership Project, and the content and the graphics indicated that it was intended for children. As Matt read further he learned that kids who took the survey were automatically registered in a contest to win the first book in a series about famous leaders.
To Matt, this clearly seemed like a marketing ploy to solicit goods and services to children. He asked his son if he had been prompted to give information about himself in order to take the survey. His son told him he had been asked to give his name, address, telephone number, and date of birth, and to answer questions about his favorite games and toys.
Matt was concerned. He doubted if it was legal for the marketer to collect information from his son in the way that it was. Then he noticed several other commercial emails from marketers advertising products for children in his son's inbox, and he decided it was time to report the incident to the proper authorities.
How does Matt come to the decision to report the marketer's activities?
A. The marketer failed to make an adequate attempt to provide Matt with information
B. The marketer did not provide evidence that the prize books were appropriate for children
C. The marketer seems to have distributed his son's information without Matt's permission
D. The marketer failed to identify himself and indicate the purpose of the messages
What is an exception to the Electronic Communications Privacy Act of 1986 ban on interception of wire, oral and electronic communications?
A. Where one of the parties has given consent
B. Where state law permits such interception
C. If an organization intercepts an employee's purely personal call
D. Only if all parties have given consent
Which action is prohibited under the Electronic Communications Privacy Act of 1986?
A. Intercepting electronic communications and unauthorized access to stored communications
B. Monitoring all employee telephone calls
C. Accessing stored communications with the consent of the sender or recipient of the message
D. Monitoring employee telephone calls of a personal nature
Which of the following best describes the Asia-Pacific Economic Cooperation (APEC) principles?
A. A bill of rights for individuals seeking access to their personal information.
B. A code of responsibilities for medical establishments to uphold privacy laws.
C. An international court ruling on personal information held in the commercial sector.
D. A baseline of marketers' minimum responsibilities for providing opt-out mechanisms.
SCENARIO
Please use the following to answer the next question:
Otto is preparing a report to his Board of Directors at Filtration Station, where he is responsible for the privacy program. Filtration Station is a U.S. company that sells filters and tubing products to pharmaceutical companies for research use. The company is based in Seattle, Washington, with offices throughout the U.S. and Asia. It sells to business customers across both the U.S. and the Asia-Pacific region. Filtration Station participates in the Cross-Border Privacy Rules system of the APEC Privacy Framework.
Unfortunately, Filtration Station suffered a data breach in the previous quarter. An unknown third party was able to gain access to Filtration Station's network and was able to steal data relating to employees in the company's Human Resources database, which is hosted by a third-party cloud provider based in the U.S. The HR data is encrypted. Filtration Station also uses the third-party cloud provider to host its business marketing contact database. The marketing database was not affected by the data breach. It appears that the data breach was caused when a system administrator at the cloud provider stored the encryption keys with the data itself.
The Board has asked Otto to provide information about the data breach and how updates on new developments in privacy laws and regulations apply to Filtration Station. They are particularly concerned about staying up to date on the various U.S. state laws and regulations that have been in the news, especially the California Consumer Privacy Act (CCPA) and breach notification requirements.
The Board has asked Otto whether the company will need to comply with the new California Consumer Privacy Law (CCPA). What should Otto tell the Board?
A. That CCPA will apply to the company only after the California Attorney General determines that it will enforce the statute.
B. That the company is governed by CCPA, but does not need to take any additional steps because it follows CBPR.
C. That business contact information could be considered personal information governed by CCPA.
D. That CCPA only applies to companies based in California, which exempts the company from compliance.
Under what conditions will personal data processing be subject to the Virginia Consumer Data Protection Act (VCDPA) requirements for a documented data protection assessment?
A. If the data subject is younger than 13 years of age and the data is processed after January 1, 2023.
B. If the data processor processes personal data beyond the controller's instructions.
C. If the personal data is stored by a California-based third-party service provider.
D. If the personal data is processed for purposes of targeted advertising.
As a result of the Schrems II decision and CJEU opinion, what would the preferred course of action be if a Section 702 disclosure related to a foreign entity is required?
A. Ensure that the most recent SCC from the European Commission is being executed as a valid method of adequacy.
B. Provide 30 days notice to affected parties to allow the opportunity for filing a motion to quash with the court.
C. Seek redress from the court pursuing a protective order, since the consumer is unable to file a motion to quash.
D. Seek the advice of outside counsel and conduct a transfer impact assessment.