Most Recent IAPP CIPP-US Exam Dumps

Prepare for the IAPP Certified Information Privacy Professional/United States exam with our extensive collection of questions and answers. These practice Q&A are updated according to the latest syllabus, providing you with the tools needed to review and test your knowledge.

QA4Exam focus on the latest syllabus and exam objectives, our practice Q&A are designed to help you identify key topics and solidify your understanding. By focusing on the core curriculum, These Questions & Answers helps you cover all the essential topics, ensuring you're well-prepared for every section of the exam. Each question comes with a detailed explanation, offering valuable insights and helping you to learn from your mistakes. Whether you're looking to assess your progress or dive deeper into complex topics, our updated Q&A will provide the support you need to confidently approach the IAPP CIPP-US exam and achieve success.

The questions for CIPP-US were last updated on Apr 22, 2026.

Viewing page 1 out of 39 pages.
Viewing questions 1-5 out of 195 questions

Get All 195 Questions & Answers

Question No. 1

The use of cookies on a website by a service provider is generally not deemed a 'sale' of personal information by CCPA, as long as which of the following conditions is met?

AThe third party stores personal information to trigger a response to a consumer's request to exercise their right to opt in.

BThe analytics cookies placed by the service provider are capable of being tracked but cannot be linked to a particular consumer of that business.

CThe service provider retains personal information obtained in the course of providing the services specified in the agreement with the subcontractors.

DThe information collected by the service provider is necessary to perform debugging and the business and service provider have entered into an appropriate agreement.

Show Answer

Correct Answer: D

The California Consumer Privacy Act (CCPA) defines a 'sale' of personal information as any transfer or disclosure of personal information to another business or third party for monetary or other valuable consideration. However, the CCPA also provides some exceptions to this definition, such as:

If the consumer has directed the business to intentionally disclose the personal information or use the personal information to interact with a third party, provided the third party does not also sell the personal information.

If the business transfers the personal information to a service provider that is contractually prohibited from retaining, using, or disclosing the personal information for any purpose other than performing the services specified in the contract with the business.

If the business transfers the personal information to a third party as part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the business, provided the information is used or shared consistently with the CCPA.

The use of cookies on a website by a service provider is generally not deemed a sale of personal information by the CCPA, as long as the information collected by the service provider is necessary to perform the services specified in the contract with the business, and the service provider does not further collect, sell, or use the personal information of the consumer except as necessary to perform the business purpose. One of the examples of a valid business purpose is to perform debugging to identify and repair errors that impair existing intended functionality.

Therefore, option D is the correct answer, as it describes a scenario where the use of cookies by a service provider is not a sale of personal information under the CCPA, assuming the service provider complies with the contractual obligations and does not further use or disclose the information.

Option A is incorrect, as it does not describe a valid exception to the definition of a sale. The third party that stores personal information to trigger a response to a consumer's request to opt in is not acting as a service provider, but as a separate entity that may have its own interest in the personal information. The consumer's request to opt in does not necessarily imply that the consumer has directed the business to disclose the personal information to the third party.

Option B is incorrect, as it does not describe a valid exception to the definition of a sale. The analytics cookies placed by the service provider may still constitute a sale of personal information, even if they cannot be linked to a particular consumer of that business. The CCPA defines personal information broadly to include any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Therefore, the analytics cookies may still fall within the scope of personal information, and their use by the service provider may still be a sale, unless one of the exceptions applies.

Option C is incorrect, as it does not describe a valid exception to the definition of a sale. The service provider that retains personal information obtained in the course of providing the services specified in the agreement with the subcontractors is not acting as a service provider to the business, but as a separate entity that may have its own interest in the personal information. The agreement with the subcontractors does not necessarily imply that the business has authorized the service provider to retain, use, or disclose the personal information for any purpose other than performing the services specified in the contract with the business.

[IAPP CIPP/US Study Guide], Chapter 10: California Consumer Privacy Act, pp. 223-226.

CIPP/US Practice Questions (Sample Questions), Question 30.

Question No. 2

Which of the following is commonly required for an entity to be subject to breach notification requirements under most state laws?

AThe entity must conduct business in the state

BThe entity must have employees in the state

CThe entity must be registered in the state

DThe entity must be an information broker

Show Answer

Correct Answer: A

Most state laws require that a person or business that conducts business in the state and owns or licenses personal information of residents of that state must notify those residents of any breach of the security of the system involving their personal information. This means that the entity does not have to be physically located in the state, have employees in the state, or be registered in the state to be subject to the breach notification requirements, as long as it conducts business in the state and holds personal information of state residents. Conducting business in the state can be interpreted broadly to include any transaction or activity that involves the state or its residents, such as selling goods or services, collecting payments, or maintaining a website accessible by state residents. The other options (B, C, and D) are not commonly required by most state laws, although some states may have additional or specific requirements for certain types of entities, such as information brokers, health care providers, or financial institutions.Reference:

Security Breach Notification Chart | Perkins Coie

Security Breach Notification Laws - National Conference of State Legislatures

IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 4: State Privacy Laws and Regulations, Section 4.2: State Security Breach Notification Laws.

Question No. 3

Under the Telemarketing Sales Rule, what characteristics of consent must be in place for an organization to acquire an exception to the Do-Not-Call rules for a particular consumer?

AThe consent must be in writing, must state the times when calls can be made to the consumer and must be signed

BThe consent must be in writing, must contain the number to which calls can be made and must have an end date

CThe consent must be in writing, must contain the number to which calls can be made and must be signed

DThe consent must be in writing, must have an end data and must state the times when calls can be made

Show Answer

Correct Answer: C

The Telemarketing Sales Rule (TSR) is a federal regulation that applies to telemarketing calls, which are defined as 'a plan, program, or campaign which is conducted to induce the purchase of goods or services or a charitable contribution, by use of one or more telephones and which involves more than one interstate telephone call.'1The TSR requires telemarketers to make specific disclosures, prohibit misrepresentations, limit the times and number of calls, and set payment restrictions for the sale of certain goods and services.The TSR also gives consumers the right to opt out of receiving telemarketing calls by registering their phone numbers on the National Do Not Call Registry.2

The TSR applies to both for-profit and not-for-profit organizations, but there are some exemptions and partial exemptions for certain types of entities, calls, and transactions. For example, the TSR does not apply to nonprofit organizations calling on their own behalf, as they are not considered to be engaged in telemarketing. However, if a nonprofit organization hires a for-profit telemarketer or telefunder to solicit charitable contributions on its behalf, the for-profit entity must comply with the TSR, as it is engaged in telemarketing. Similarly, the TSR does not apply to for-profit organizations calling businesses when a binding contract exists between them, as they are not considered to be inducing the purchase of goods or services.However, if a for-profit organization calls businesses to sell additional services to established customers, the TSR applies, as it is considered to be inducing the purchase of goods or services.3

Therefore, among the four options, only for-profit organizations and for-profit telefunders regarding charitable solicitations must comply with the TSR, as they are engaged in telemarketing and do not fall under any of the exemptions or partial exemptions.Reference:1: eCFR :: 16 CFR Part 310 -- Telemarketing Sales Rule3, Section 310.22: Telemarketing Sales Rule | Federal Trade Commission1, Rule Summary3: Complying with the Telemarketing Sales Rule - Federal Trade Commission2, Exemptions to the TSR.

Question No. 4

According to Section 5 of the FTC Act, self-regulation primarily involves a company's right to do what?

ADetermine which bodies will be involved in adjudication

BDecide if any enforcement actions are justified

CAdhere to its industry's code of conduct

DAppeal decisions made against it

Show Answer

Correct Answer: C

According to Section 5 of the FTC Act, self-regulation primarily involves a company's right to adhere to its industry's code of conduct. Self-regulation is a process by which an industry or a group of companies voluntarily adopts and enforces standards or guidelines to protect consumers and promote fair competition. The FTC encourages self-regulation as a way to complement its enforcement efforts and address emerging issues in the marketplace. The FTC also monitors self-regulatory programs and may take action against companies that fail to comply with their own codes of conduct or misrepresent their participation in such programs.Reference:

Federal Trade Commission Act, Section 5 of

Self-Regulation | Federal Trade Commission

[IAPP CIPP/US Certified Information Privacy Professional Study Guide], Chapter 3, page 79

Question No. 5

The Video Privacy Protection Act of 1988 restricted which of the following?

AWhich purchase records of audio visual materials may be disclosed

BWhen downloading of copyrighted audio visual materials is allowed

CWhen a user's viewing of online video content can be monitored

DWho advertisements for videos and video games may target

Show Answer

Correct Answer: A

The VPPA was enacted to prevent the wrongful disclosure of personally identifiable information (PII) concerning any consumer of a video tape service provider. PII includes information that identifies a person as having requested or obtained specific video materials or services from a video tape service provider. The VPPA prohibits such disclosure, except in certain limited circumstances, such as with the consumer's informed, written consent, or pursuant to a law enforcement warrant, subpoena, or court order. The VPPA also allows the disclosure of the names and addresses of consumers, but not the title, description, or subject matter of any video tapes or other audio visual material, for the exclusive use of marketing goods and services directly to the consumer, unless the consumer has opted out of such disclosure. The other options (B, C, and D) are not restricted by the VPPA.Reference:

Video Privacy Protection Act - Wikipedia

18 U.S. Code 2710 - Wrongful disclosure of video tape rental or sale records | U.S. Code | US Law | LII / Legal Information Institute

IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 3: Federal Privacy Laws and Regulations, Section 3.5: Video Privacy Protection Act (VPPA)

Unlock All Questions for IAPP CIPP-US Exam

Full Exam Access, Actual Exam Questions, Validated Answers, Anytime Anywhere, No Download Limits, No Practice Limits

Get All 195 Questions & Answers