Cisco
CompTIA
ISC
EC-Council
EXIN
Fortinet
ITIL
Juniper
Microsoft
VMware
Avaya
SAP
Google
NVIDIA
Salesforce
Amazon
Palo Alto Networks
ISC2
Splunk
ServiceNow
All Vendors
  2. Home
  3. Exams
  4. IAPP
  5. CIPP-US

IAPP CIPP-US Exam
Certified Information Privacy Professional/United States (CIPP/US) (Page 4 )

Updated On: 7-Feb-2026
Page 4 of 52
PDF with 251 Questions

SCENARIO
Please use the following to answer the next question:

Cheryl is the sole owner of Fitness Coach, Inc., a medium-sized company that helps individuals realize their physical fitness goals through classes, individual instruction, and access to an extensive indoor gym. She has owned the company for ten years and has always been concerned about protecting customers' privacy while maintaining the highest level of service. She is proud that she has built long-lasting customer relationships.

Although Cheryl and her staff have tried to make privacy protection a priority, the company has no formal privacy policy. So Cheryl hires Janice, a privacy professional, to help her develop one.

After an initial assessment, Janice creates a first draft of a new policy. Cheryl reads through the draft and becomes concerned about the many changes the policy would bring throughout the company. For example, the draft policy stipulates that a customer's personal information can only be held for one year after paying for a service such as a session with personal trainer. It also promises that customer information will not be shared with third parties without the written consent of the customer. The wording of these rules worry Cheryl since stored personal information often helps her company to serve her customers, even if there are long gaps between their visits. In addition, there are some third parties that provide crucial services, such as aerobics instructors who teach classes on a contract basis. Having access to customer files and understanding the fitness levels of their students helps instructors to organize their classes.

Janice understands Cheryl's concerns and is already formulating some ideas for revision. She tries to put Cheryl at ease by pointing out that customer data can still be kept, but that it should be classified according to levels of sensitivity. However, Cheryl is skeptical. It seems to her that classifying data and treating each type differently would cause undue difficulties in the company's day-to-day operations. Cheryl wants one simple data storage and access system that any employee can access if needed.

Even though the privacy policy is only a draft, Cheryl is beginning to see that changes within her company are going to be necessary. She tells Janice that she would be more comfortable with implementing the new policy gradually over a period of several months, one department at a time. She also expresses interest in employing a layered approach, creating documents listing applicable parts of the new policy for each department.

Based on the scenario, which of the following would have helped Janice to better meet the company's needs?

  1. Creating a more comprehensive plan for implementing a new policy.
  2. Spending more time understanding the company's information goals.
  3. Explaining the importance of transparency in implementing a new policy.
  4. Removing the financial burden of the company's employee training program.

Answer(s): B



According to the FTC Report of 2012, what is the main goal of Privacy by Design?

  1. Obtaining consumer consent when collecting sensitive data for certain purposes
  2. Establishing a system of self-regulatory codes for mobile-related services
  3. Incorporating privacy protections throughout the development process
  4. Implementing a system of standardization for privacy notices

Answer(s): C


Reference:

https://www.ftc.gov/sites/default/files/documents/reports/federal-trade-commission-report- protecting-consumer-privacy-era-rapid-change-recommendations/120326privacyreport.pdf



What is the main reason some supporters of the European approach to privacy are skeptical about self- regulation of privacy practices?

  1. A large amount of money may have to be spent on improved technology and security
  2. Industries may not be strict enough in the creation and enforcement of rules
  3. A new business owner may not understand the regulations
  4. Human rights may be disregarded for the sake of privacy

Answer(s): B



What is the main purpose of the Global Privacy Enforcement Network (GPEN)?

  1. To promote universal cooperation among privacy authorities
  2. To investigate allegations of privacy violations internationally
  3. To protect the interests of privacy consumer groups worldwide
  4. To arbitrate disputes between countries over jurisdiction for privacy laws

Answer(s): A


Reference:

https://en.wikipedia.org/wiki/Global_Privacy_Enforcement_Network



In 2014, Google was alleged to have violated the Family Educational Rights and Privacy Act (FERPA) through its Apps for Education suite of tools. For what specific practice did students sue the company?

  1. Scanning emails sent to and received by students
  2. Making student education records publicly available
  3. Relying on verbal consent for a disclosure of education records
  4. Disclosing education records without obtaining required consent

Answer(s): A


Reference:

https://www.edweek.org/ew/articles/2014/03/13/26google.h33.html






Post your Comments and Discuss IAPP CIPP-US exam prep with other Community members:

Join the CIPP-US Discussion