IAPP CIPP-C Exam
Certified Information Privacy Professional/Canada (CIPP/C) (Page 4)

Updated On: 30-Jan-2026

Smith Memorial Healthcare (SMH) is a hospital network headquartered in New York and operating in 7 other states. SMH uses an electronic medical record to enter and track information about its patients. Recently, SMH suffered a data breach where a third-party hacker was able to gain access to the SMH internal network.
Because it is a HIPAA-covered entity, SMH made a notification to the Office of Civil Rights at the U.S. Department of Health and Human Services about the breach.

Which statement accurately describes SMH’s notification responsibilities?

  1. If SMH is compliant with HIPAA, it will not have to make a separate notification to individuals in the state of New York.
  2. If SMH has more than 500 patients in the state of New York, it will need to make separate notifications to these patients.
  3. If SMH must make a notification in any other state in which it operates, it must also make a notification to individuals in New York.
  4. If SMH makes credit monitoring available to individuals who inquire, it will not have to make a separate notification to individuals in the state of New York.

Answer(s): C



Sarah lives in San Francisco, California. Based on a dramatic increase in unsolicited commercial emails, Sarah believes that a major social media platform with over 50 million users has collected a lot of personal information about her. The company that runs the platform is based in New York and France.
Why is Sarah entitled to ask the social media platform to delete the personal information they have collected about her?

  1. Any company with a presence in Europe must comply with the General Data Protection Regulation globally, including in response to data subject deletion requests.
  2. Under Section 5 of the FTC Act, the Federal Trade Commission has held that refusing to delete an individual’s personal information upon request constitutes an unfair practice.
  3. The California Consumer Privacy Act entitles Sarah to request deletion of her personal information.
  4. The New York “Stop Hacks and Improve Electronic Data Security” (SHIELD) Act requires that businesses under New York’s jurisdiction must delete customers’ personal information upon request.

Answer(s): C


Reference:

https://www.varonis.com/blog/ccpa-vs-gdpr/



Which of the following is an example of federal preemption?

  1. The Payment Card Industry’s (PCI) ability to self-regulate and enforce data security standards for payment card data.
  2. The U.S. Federal Trade Commission’s (FTC) ability to enforce against unfair and deceptive trade practices across sectors and industries.
  3. The California Consumer Privacy Act (CCPA) regulating businesses that have no physical brick-and-mortar presence in California, but which do business there.
  4. The U.S. Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act prohibiting states from passing laws that impose greater obligations on senders of email marketing.

Answer(s): B


Reference:

https://scholarship.law.uwyo.edu/cgi/viewcontent.cgi?article=1012&context=faculty_articles



Which of these organizations would be required to provide its customers with an annual privacy notice?

  1. The Four Winds Tribal College.
  2. The Golden Gavel Auction House.
  3. The King County Savings and Loan.
  4. The Breezy City Housing Commission.

Answer(s): B



Which entity within the Department of Health and Human Services (HHS) is the primary enforcer of the Health Insurance Portability and Accountability Act (HIPAA) “Privacy Rule”?

  1. Office for Civil Rights.
  2. Office of Social Services.
  3. Office of Inspector General.
  4. Office of Public Health and Safety.

Answer(s): A


Reference:

https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/examples/how-ocr-enforces-the-hipaa-privacy-and-security-rules/index.html



Viewing page 4 of 31
Viewing questions 16 - 20 out of 150 questions


