100% Free IAPP CIPP-US Practice Test Questions

Question 1

When does the Telemarketing Sales Rule require an entity to share a do-not-call request across its organization?

A : When the operational structures of its divisions are not transparent

B : When the goods and services sold by its divisions are very similar

C : When a call is not the result of an error or other unforeseen cause

D : When the entity manages user preferences through multiple platforms

Answer: C

Question 2

SCENARIO

Please use the following to answer the next question:

Jane is a U.S. citizen and a senior software engineer at California-based Jones Labs, a major software supplier

to the U.S. Department of Defense and other U.S. federal agencies. Jane's manager, Patrick, is a French

citizen who has been living in California for over a decade. Patrick has recently begun to suspect that Jane is

an insider secretly transmitting trade secrets to foreign intelligence. Unbeknownst to Patrick, the FBI has

already received a hint from anonymous whistleblower, and jointly with the National Security Agency is

investigating Jane's possible implication in a sophisticated foreign espionage campaign.

Ever since the pandemic, Jane has been working from home. To complete her daily tasks she uses her

corporate laptop, which after each login conspicuously provides notice that the equipment belongs to Jones

Labs and may be monitored according to the enacted privacy policy and employment handbook. Jane also has

a corporate mobile phone that she uses strictly for business, the terms of which are defined in her employment

contract and elaborated upon in her employee handbook. Both the privacy policy and the employee handbook

are revised annually by a reputable California law firm specializing in privacy law. Jane also has a personal

iPhone that she uses for private purposes only.

Jones Labs has its primary data center in San Francisco, which is managed internally by Jones Labs engineers.

The secondary data center, managed by Amazon AWS, is physically located in the UK for disaster recovery

purposes. Jones Labs' mobile devices backup is managed by a mid-sized mobile defense company located in

Denver, which physically stores the data in Canada to reduce costs. Jones Labs MS Office documents are

securely stored in a Microsoft Office 365 data center based in Ireland. Manufacturing data of Jones Labs is

stored in Taiwan and managed by a local supplier that has no presence in the U.S.

When storing Jane's fingerprint for remote authentication. Jones Labs should consider legality issues under

which of the following?

A : The Privacy Rule of the HITECH Act.

B : The California IoT Security Law (SB 327).

C : The applicable state law such as Illinois BIPA.

D : The federal Genetic Information Nondiscrimination Act (GINA).

Answer: C

Question 3

Which statement is FALSE regarding the provisions of the Employee Polygraph Protection Act of 1988 (EPPA)?

A : The EPPA requires that employers post essential information about the Act in a conspicuous location

B : The EPPA includes an exception that allows polygraph tests in professions in which employee honesty is necessary for public safety.

C : Employers are prohibited from administering psychological testing based on personality traits such as honesty, preferences or habits.

D : Employers involved in the manufacture of controlled substances may terminate employees based on polygraph results if other evidence exists

Answer: C

Question 4

What consumer protection did the Fair and Accurate Credit Transactions Act (FACTA) require?

A : The ability for the consumer to correct inaccurate credit report information

B : The truncation of account numbers on credit card receipts

C : The right to request removal from e-mail lists

D : Consumer notice when third-party data is used to make an adverse decision

Answer: A

Question 5

SCENARIO

Please use the following to answer the next question:

Felicia has spent much of her adult life overseas, and has just recently returned to the U.S. to help her friend

Celeste open a jewelry store in California. Felicia, despite being excited at the prospect, has a number of

security concerns, and has only grudgingly accepted the need to hire other employees. In order to guard

against the loss of valuable merchandise, Felicia wants to carefully screen applicants. With their permission,

Felicia would like to run credit checks, administer polygraph tests, and scrutinize videos of interviews. She

intends to read applicants’ postings on social media, ask questions about drug addiction, and solicit character

references. Felicia believes that if potential employees are serious about becoming part of a dynamic new

business, they will readily agree to these requirements.

Felicia is also in favor of strict employee oversight. In addition to protecting the inventory, she wants to prevent

mistakes during transactions, which will require video monitoring. She also wants to regularly check the

company vehicle’s GPS for locations visited by employees. She also believes that employees who use their

own devices for work-related purposes should agree to a certain amount of supervision.

Given her high standards, Felicia is skeptical about the proposed location of the store. She has been told that

many types of background checks are not allowed under California law. Her friend Celeste thinks these worries

are unfounded, as long as applicants verbally agree to the checks and are offered access to the results. Nor

does Celeste share Felicia’s concern about state breach notification laws, which, she claims, would be costly to

implement even on a minor scale. Celeste believes that

even if the business grows a customer database of a few thousand, it’s unlikely that a state agency would

hassle an honest business if an accidental security incident were to occur.

In any case, Celeste feels that all they need is common sense – like remembering to tear up sensitive

documents before throwing them in the recycling bin. Felicia hopes that she’s right, and that all of her concerns

will be put to rest next month when their new business consultant (who is also a privacy professional) arrives

from North Carolina.

Regarding credit checks of potential employees, Celeste has a misconception regarding what?

A : Consent requirements

B : Disclosure requirements.

C : Employment-at-will rules

D : Records retention policies

Answer: A

Free Practice IAPP CIPP-US Exam Questions 2025