IAPP Certified Information Privacy Professional/United States CIPP/US Exam Practice Test

Page: 1 / 14
Total 195 questions

Want more questions? Get Premium Access.
()

Question 1

Which authority supervises and enforces laws regarding advertising to children via the Internet?

AThe Office for Civil Rights

BThe Federal Trade Commission

CThe Federal Communications Commission

DThe Department of Homeland Security

Answer : B

The Federal Trade Commission (FTC) is the primary federal agency that regulates advertising and marketing practices in the United States, including those targeting children via the Internet. The FTC enforces the Children's Online Privacy Protection Act (COPPA), which requires operators of websites and online services directed to children under 13 to obtain verifiable parental consent before collecting, using, or disclosing personal information from children. The FTC also enforces the FTC Act, which prohibits unfair or deceptive acts or practices in commerce, such as making false or misleading claims in advertising. The FTC has issued guidelines and reports on various aspects of digital advertising to children, such as sponsored content, influencers, data collection, persuasive design, and behavioral marketing. The FTC also hosts workshops and events to examine the impact of digital advertising on children and their ability to distinguish ads from entertainment.Reference:

FTC website

Digital Advertising to Children

IAPP CIPP/US Study Guide, Chapter 5: Marketing and Privacy, pp. 169-170

Question 2

An organization self-certified under Privacy Shield must, upon request by an individual, do what?

ASuspend the use of all personal information collected by the organization to fulfill its original purpose.

BProvide the identities of third parties with whom the organization shares personal information.

CProvide the identities of third and fourth parties that may potentially receive personal information.

DIdentify all personal information disclosed during a criminal investigation.

Answer : B

According to the Privacy Shield Principles, an organization that self-certifies under the Privacy Shield Framework must provide individuals with the choice to opt out of the disclosure of their personal information to a third party or the use of their personal information for a purpose that is materially different from the purpose for which it was originally collected or subsequently authorized by the individual. To facilitate this choice, the organization must inform the individual of the type or identity of the third parties to which it discloses personal information and the purposes for which it does so. The organization must also provide a readily available and affordable independent recourse mechanism to investigate and resolve complaints and disputes regarding its compliance with the Privacy Shield Principles. If the organization transfers personal information to a third party acting as an agent, it must ensure that the agent provides at least the same level of privacy protection as is required by the Privacy Shield Principles and that it takes reasonable and appropriate steps to ensure that the agent effectively processes the personal information transferred in a manner consistent with the organization's obligations under the Privacy Shield Principles.Reference:

Privacy Shield Principles, section II. Choice Principle and section III. Accountability for Onward Transfer Principle

[IAPP CIPP/US Study Guide], p. 67-68, section 3.2.1 and p. 69-70, section 3.2.2

[IAPP CIPP/US Body of Knowledge], p. 15-16, section C.1.b and p. 16-17, section C.1.c

Question 3

What is the main purpose of the CAN-SPAM Act?

ATo diminish the use of electronic messages to send sexually explicit materials

BTo authorize the states to enforce federal privacy laws for electronic marketing

CTo empower the FTC to create rules for messages containing sexually explicit content

DTo ensure that organizations respect individual rights when using electronic advertising

Answer : D

The CAN-SPAM Act is a federal law that sets the rules for commercial email, establishes requirements for commercial messages, gives recipients the right to have you stop emailing them, and spells out tough penalties for violations1.The main purpose of the act is to protect consumers from unwanted and deceptive email messages and to give them more control over their online privacy2.The act applies to all commercial messages, which are defined as 'any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service'1.The act does not apply to transactional or relationship messages, which are messages that facilitate an agreed-upon transaction or update a customer about an existing business relationship1.The act also does not apply to non-commercial messages, such as political or charitable solicitations3.Reference:1:CAN-SPAM Act: A Compliance Guide for Business2:What is the CAN-SPAM Act? | Proton3:What is the CAN-SPAM Act? | Cloudflare

Question 4

SCENARIO

Please use the following to answer the next QUESTION:

A US-based startup company is selling a new gaming application. One day, the CEO of the company receives an urgent letter from a prominent EU-based retail partner. Triggered by an unresolved complaint lodged by an EU resident, the letter describes an ongoing investigation by a supervisory authority into the retailer's data handling practices.

The complainant accuses the retailer of improperly disclosing her personal data, without consent, to parties in the United States. Further, the complainant accuses the EU-based retailer of failing to respond to her withdrawal of consent and request for erasure of her personal dat

a. Your organization, the US-based startup company, was never informed of this request for erasure by the EU-based retail partner. The supervisory authority investigating the complaint has threatened the suspension of data flows if the parties involved do not cooperate with the investigation. The letter closes with an urgent request: ''Please act immediately by identifying all personal data received from our company.''

This is an important partnership. Company executives know that its biggest fans come from Western Europe; and this retailer is primarily responsible for the startup's rapid market penetration.

As the Company's data privacy leader, you are sensitive to the criticality of the relationship with the retailer.

Under the GDPR, the complainant's request regarding her personal information is known as what?

ARight of Access

BRight of Removal

CRight of Rectification

DRight to Be Forgotten

Answer : D

Under the GDPR, the complainant's request regarding her personal information is known as the right to be forgotten, also known as the right to erasure. This right allows individuals to ask organizations to delete their personal data in certain circumstances, such as when the data is no longer necessary, the consent is withdrawn, or the processing is unlawful. The right to be forgotten is not absolute and may not apply if the processing is necessary for legal, public interest, or legitimate purposes. The right to be forgotten also requires organizations to inform any recipients of the data about the erasure request, unless it is impossible or involves disproportionate effort.Reference:

Everything you need to know about the ''Right to be forgotten''

Right to erasure | ICO

Art. 17 GDPR -- Right to erasure ('right to be forgotten') - General ...

[IAPP CIPP/US Certified Information Privacy Professional Study Guide], Chapter 6, page 213.

Question 5

Under the California Consumer Privacy Act (as amended by the California Pnvacy Rights Act), a consumer may Initiate a civil action against a business for?

AAny personal information that is subject to unauthorized access or disclosure.

BA security breach of certain categories of personal information that is nonencrypted and nonredacted

CFailure to implement and maintain reasonable security procedures and practices to protect the personal information held.

DFailure to implement and maintain security practices set out in regulations issued by the California Privacy Protection Agency (CPPA).

Answer : B

Under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), consumers have the right to initiate a civil action if a business fails to adequately protect their personal information and a security breach occurs. This right applies specifically to breaches of certain categories of personal information that are unencrypted and unredacted.

Key Details of CCPA/CPRA Civil Actions:

Security Breaches:

A consumer can sue a business if the breach involves personal information such as Social Security numbers, driver's license numbers, or financial account information, provided that the data was unencrypted and unredacted.

Reasonable Security Practices:

Businesses are required to implement and maintain reasonable security practices to protect personal information. Failure to do so may expose the business to liability in case of a breach.

Categories of Data Covered:

The law specifies that only certain sensitive categories of personal information are actionable under a civil suit.

Explanation of Options:

A . Any personal information that is subject to unauthorized access or disclosure: This is incorrect. The civil action is limited to specific sensitive data categories, not all personal information.

B . A security breach of certain categories of personal information that is nonencrypted and nonredacted: This is correct. Civil actions under the CCPA/CPRA apply to breaches involving specific sensitive data that is not encrypted or redacted.

C . Failure to implement and maintain reasonable security procedures and practices to protect the personal information held: While this is a requirement under the law, it does not by itself provide grounds for a civil action. A security breach must occur for a consumer to sue.

D . Failure to implement and maintain security practices set out in regulations issued by the California Privacy Protection Agency (CPPA): This is incorrect. Civil actions are tied to breaches of sensitive data, not a failure to meet specific agency guidelines.

Reference from CIPP/US Materials:

CCPA/CPRA (Civil Code 1798.150): Outlines the private right of action for security breaches involving certain unencrypted and unredacted data.

IAPP CIPP/US Certification Textbook: Discusses the conditions under which consumers may bring civil actions under the CCPA/CPRA.

Question 6

What is the most important action an organization can take to comply with the FTC position on retroactive changes to a privacy policy?

ADescribing the policy changes on its website.

BObtaining affirmative consent from its customers.

CPublicizing the policy changes through social media.

DReassuring customers of the security of their information.

Answer : B

The FTC has stated that it is a deceptive practice to make retroactive changes to a privacy policy that affect how a company uses or shares previously collected personal information, unless the company obtains affirmative consent from the affected consumers. This means that the company must clearly and conspicuously disclose the changes and obtain the consumers' express agreement to them. Simply describing the policy changes on the website, publicizing them through social media, or reassuring customers of the security of their information are not sufficient to comply with the FTC's position.Reference:

FTC Staff Revises Online Behavioral Advertising Principles, paragraph 3.

Do I really have to obtain consent from all my customers to make a change to my privacy policy?, paragraph 2.

IAPP CIPP/US Study Guide, page 64.

Question 7

SCENARIO

Please use the following to answer the next QUESTION:

You are the chief privacy officer at HealthCo, a major hospital in a large U.S. city in state

AHealthCo is a HIPAA-covered entity that provides healthcare services to more than 100,000 patients. A third-party cloud computing service provider, CloudHealth, stores and manages the electronic protected health information (ePHI) of these individuals on behalf of HealthCo. CloudHealth stores the data in state B. As part of HealthCo's business associate agreement (BAA) with CloudHealth, HealthCo requires CloudHealth to implement security measures, including industry standard encryption practices, to adequately protect the data. However, HealthCo did not perform due diligence on CloudHealth before entering the contract, and has not conducted audits of CloudHealth's security measures.
A CloudHealth employee has recently become the victim of a phishing attack. When the employee unintentionally clicked on a link from a suspicious email, the PHI of more than 10,000 HealthCo patients was compromised. It has since been published online. The HealthCo cybersecurity team quickly identifies the perpetrator as a known hacker who has launched similar attacks on other hospitals -- ones that exposed the PHI of public figures including celebrities and politicians.
During the course of its investigation, HealthCo discovers that CloudHealth has not encrypted the PHI in accordance with the terms of its contract. In addition, CloudHealth has not provided privacy or security training to its employees. Law enforcement has requested that HealthCo provide its investigative report of the breach and a copy of the PHI of the individuals affected.
A patient affected by the breach then sues HealthCo, claiming that the company did not adequately protect the individual's ePHI, and that he has suffered substantial harm as a result of the exposed data. The patient's attorney has submitted a discovery request for the ePHI exposed in the breach.
Which of the following would be HealthCo's best response to the attorney's discovery request?

AReject the request because the HIPAA privacy rule only permits disclosure for payment, treatment or healthcare operations

BRespond with a request for satisfactory assurances such as a qualified protective order

CTurn over all of the compromised patient records to the plaintiff's attorney

DRespond with a redacted document only relative to the plaintiff

Answer : B

The HIPAA privacy rule establishes national standards to protect individuals' medical records and other individually identifiable health information (collectively defined as ''protected health information'') and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically (collectively defined as ''covered entities'')1The rule requires appropriate safeguards to protect the privacy of protected health information and sets limits and conditions on the uses and disclosures that may be made of such information without an individual's authorization1The rule also gives individuals rights over their protected health information, including rights to examine and obtain a copy of their health records, to direct a covered entity to transmit to a third party an electronic copy of their protected health information in an electronic health record, and to request corrections1

The HIPAA privacy rule permits a covered entity to disclose protected health information for the litigation in response to a court order, subpoena, discovery request, or other lawful process, provided the applicable requirements of 45 CFR 164.512 (e) for disclosures for judicial and administrative proceedings are met2These requirements include:

In response to a court order or administrative tribunal order, the covered entity may disclose only the protected health information expressly authorized by such order2

In response to a subpoena, discovery request, or other lawful process that is not accompanied by a court order or administrative tribunal order, the covered entity must receive satisfactory assurances that the party seeking the information has made reasonable efforts to ensure that the individual who is the subject of the information has been given notice of the request, or that the party seeking the information has made reasonable efforts to secure a qualified protective order2

A qualified protective order is an order of a court or administrative tribunal or a stipulation by the parties to the litigation or administrative proceeding that prohibits the parties from using or disclosing the protected health information for any purpose other than the litigation or proceeding for which such information was requested and requires the return to the covered entity or destruction of the protected health information (including all copies made) at the end of the litigation or proceeding2

Option A is incorrect because the HIPAA privacy rule does not only permit disclosure for payment, treatment or healthcare operations.The rule also allows disclosure for other purposes, such as public health, research, law enforcement, judicial and administrative proceedings, as long as the applicable conditions and limitations are met1

Option B is correct because it is consistent with the HIPAA privacy rule's requirement for disclosures for judicial and administrative proceedings.By responding with a request for satisfactory assurances such as a qualified protective order, HealthCo is ensuring that the protected health information will be used only for the litigation and will be returned or destroyed afterwards2

Option C is incorrect because it is not consistent with the HIPAA privacy rule's requirement for disclosures for judicial and administrative proceedings.By turning over all of the compromised patient records to the plaintiff's attorney, HealthCo is disclosing more information than necessary and may violate the privacy rights of other individuals who are not parties to the lawsuit2

Option D is incorrect because it is not consistent with the HIPAA privacy rule's requirement for disclosures for judicial and administrative proceedings.By responding with a redacted document only relative to the plaintiff, HealthCo is not providing satisfactory assurances that the protected health information will be used only for the litigation and will be returned or destroyed afterwards2