
CIPP-US Exam Practice Questions prepared by IAPP Professionals
NEW QUESTION # 128
What role does the U.S. Constitution play in the area of workplace privacy?
- A. It provides contractual protections to members of labor unions, but not to employees at will
- B. It provides legal precedent for physical information security, but not for electronic security
- C. It provides enforcement resources to large employers, but not to small businesses
- D. It provides significant protections to federal and state governments, but not to private-sector employment
Answer: D
Explanation:
The U.S. Constitution has significant workplace privacy provisions that apply to the federal and state governments, but they do not affect private-sector employment. Notably, the Fourth Amendment prohibits unreasonable searches and seizures by state actors. Courts have interpreted this amendment to place limits on the ability of government employers to search employees' private spaces, such as lockers and desks. Some states, including California, have extended their constitutional rights to privacy to private-sector employees. In general, however, there is no state action when the employer is a private-sector actor, and no constitutional law governs employment privacy in that setting.
NEW QUESTION # 129
Which authority supervises and enforces laws regarding advertising to children via the Internet?
- A. The Office for Civil Rights
- B. The Federal Communications Commission
- C. The Federal Trade Commission
- D. The Department of Homeland Security
Answer: C
Explanation:
The Federal Trade Commission (FTC) is the primary federal agency that regulates advertising and marketing practices in the United States, including those targeting children via the Internet. The FTC enforces the Children's Online Privacy Protection Act (COPPA), which requires operators of websites and online services directed to children under 13 to obtain verifiable parental consent before collecting, using, or disclosing personal information from children. The FTC also enforces the FTC Act, which prohibits unfair or deceptive acts or practices in commerce, such as making false or misleading claims in advertising. The FTC has issued guidelines and reports on various aspects of digital advertising to children, such as sponsored content, influencers, data collection, persuasive design, and behavioral marketing. The FTC also hosts workshops and events to examine the impact of digital advertising on children and their ability to distinguish ads from entertainment. References:
* FTC website
* Digital Advertising to Children
* IAPP CIPP/US Study Guide, Chapter 5: Marketing and Privacy, pp. 169-170
NEW QUESTION # 130
When designing contact tracing apps in relation to COVID-19 or any other diagnosed virus, all of the following privacy measures should be considered EXCEPT?
- A. Use limitations.
- B. Data retention.
- C. Opt-out choice.
- D. User confidentiality.
Answer: C
Explanation:
Contact tracing apps are designed to help public health authorities track and contain the spread of COVID-19 or any other diagnosed virus by notifying users who have been in close contact with an infected person.
However, these apps also raise privacy concerns, as they collect and process sensitive personal data, such as health status and location information. Therefore, contact tracing apps should follow the principles of privacy by design and default, which means that they should incorporate privacy measures into their development and operation, and offer the highest level of privacy protection to users.
Some of the privacy measures that should be considered when designing contact tracing apps are:
* Data retention: Contact tracing apps should only retain the personal data they collect for as long as necessary to achieve their public health purpose, and delete or anonymize the data afterwards. Data retention periods should be clearly communicated to users and based on scientific evidence and legal requirements.
* Use limitations: Contact tracing apps should only use the personal data they collect for the specific and legitimate purpose of contact tracing, and not for any other purposes, such as commercial, law enforcement, or surveillance. Use limitations should be enforced by technical and organizational measures, such as encryption, access controls, and audits.
* User confidentiality: Contact tracing apps should protect the confidentiality of users' personal data and identity, and not disclose them to third parties without their consent or legal authorization. User confidentiality should be ensured by technical and organizational measures, such as pseudonymization, aggregation, and data minimization.
Opt-out choice, on the other hand, is not a privacy measure that should be considered when designing contact tracing apps, as it would undermine their effectiveness and public health objective. Contact tracing apps rely on voluntary participation and widespread adoption by users to function properly and achieve their purpose.
Therefore, offering users the option to opt out of the app or certain features, such as data sharing or notifications, would reduce the app's coverage and accuracy, and potentially expose users and others to greater health risks. Instead of opt-out choice, contact tracing apps should provide users with clear and transparent information about how the app works, what data it collects and how it uses it, what benefits and risks it entails, and what rights and controls users have over their data. This way, users can make an informed and voluntary decision to use the app or not, based on their own preferences and values.
References:
* [IAPP CIPP/US Study Guide], Chapter 2: Privacy by Design and Default, pp. 35-36.
* [IAPP CIPP/US Body of Knowledge], Section II: Limits on Private-sector Collection and Use of Data, Subsection B: Privacy by Design, pp. 9-10.
* [IAPP Glossary], Terms: Contact Tracing, Privacy by Design, Privacy by Default.
NEW QUESTION # 131
Which statement is FALSE regarding the provisions of the Employee Polygraph Protection Act of 1988 (EPPA)?
- A. Employers are prohibited from administering psychological testing based on personality traits such as honesty, preferences or habits.
- B. The EPPA includes an exception that allows polygraph tests in professions in which employee honesty is necessary for public safety.
- C. The EPPA requires that employers post essential information about the Act in a conspicuous location.
- D. Employers involved in the manufacture of controlled substances may terminate employees based on polygraph results if other evidence exists.
Answer: A
Explanation:
The EPPA regulates lie detector tests, not psychological or personality testing, so statement A is false. Polygraphs (but no other lie detector tests) are permissible in certain limited circumstances, such as for security service firms and employers that manufacture or distribute controlled substances, and the Act requires employers to post a notice summarizing its provisions in a conspicuous place. Under the EPPA, "polygraph" means an instrument that records continuously, visually, permanently, and simultaneously changes in cardiovascular, respiratory and electrodermal patterns as minimum instrumentation standards and is used to render a diagnostic opinion as to the honesty or dishonesty of an individual. https://www.dol.gov/agencies/whd/fact-sheets/36-eppa
NEW QUESTION # 132
What is the main challenge financial institutions face when managing user preferences?
- A. Ensuring that preferences are applied consistently across channels and platforms
- B. Developing a mechanism for opting out that is easy for their consumers to navigate
- C. Determining the legal requirements for sharing preferences with their affiliates
- D. Ensuring they are in compliance with numerous complex state and federal privacy laws
Answer: A
NEW QUESTION # 133
In a case of civil litigation, what might a defendant who is being sued for distributing an employee's private information face?
- A. Probation.
- B. A jail sentence.
- C. An injunction.
- D. Criminal fines.
Answer: C
NEW QUESTION # 134
What is an exception to the Electronic Communications Privacy Act of 1986 ban on interception of wire, oral and electronic communications?
- A. Where one of the parties has given consent
- B. Only if all parties have given consent
- C. If an organization intercepts an employee's purely personal call
- D. Where state law permits such interception
Answer: A
Explanation:
The ECPA (18 U.S.C. § 2511) generally prohibits the intentional interception of wire, oral and electronic communications, but it contains a consent exception: interception is lawful where one of the parties to the communication has given prior consent (18 U.S.C. § 2511(2)(d)). Federal law therefore requires only one-party consent, so option B overstates the requirement. Option D is wrong because state law cannot create an exception to a federal prohibition; some states impose stricter all-party consent rules, but they do not loosen the federal ban. Option C is also wrong: the "business extension" (ordinary course of business) exception lets an employer monitor business calls on its own equipment, but once a call is determined to be purely personal the employer must stop listening, so intercepting an employee's purely personal call is not an exception.
Reference: https://www.sciencedirect.com/topics/computer-science/electronic-communications-privacy-act
NEW QUESTION # 135
Which entity within the Department of Health and Human Services (HHS) is the primary enforcer of the Health Insurance Portability and Accountability Act (HIPAA) "Privacy Rule"?
- A. Office of Public Health and Safety.
- B. Office for Civil Rights.
- C. Office of Inspector General.
- D. Office of Social Services.
Answer: B
Explanation:
The Office for Civil Rights (OCR) within the HHS is the primary enforcer of the HIPAA Privacy Rule, which establishes national standards for the protection of individually identifiable health information by covered entities and business associates. The OCR investigates complaints, conducts compliance reviews, and provides technical assistance and guidance to ensure compliance with the Privacy Rule. The OCR can also impose civil monetary penalties for violations of the Privacy Rule, ranging from $100 to $50,000 per violation, up to a maximum of $1.5 million per year for the same violation. References: HIPAA Enforcement, IAPP CIPP/US Study Guide, Chapter 3, Section 3.1.1
NEW QUESTION # 136
Which of the following is NOT a principle found in the APEC Privacy Framework?
- A. Integrity of Personal Information.
- B. Privacy by Design.
- C. Preventing Harm.
- D. Access and Correction.
Answer: B
Explanation:
Explanation/Reference: https://www.apec.org/-/media/APEC/Publications/2016/11/2016-CTI-Report-to-Ministers/TOC/Appendix-17-Updates-to-the-APEC-Privacy-Framework.pdf
NEW QUESTION # 137
An organization self-certified under Privacy Shield must, upon request by an individual, do what?
- A. Provide the identities of third parties with whom the organization shares personal information.
- B. Suspend the use of all personal information collected by the organization to fulfill its original purpose.
- C. Identify all personal information disclosed during a criminal investigation.
- D. Provide the identities of third and fourth parties that may potentially receive personal information.
Answer: A
NEW QUESTION # 138
Smith Memorial Healthcare (SMH) is a hospital network headquartered in New York and operating in 7 other states. SMH uses an electronic medical record to enter and track information about its patients. Recently, SMH suffered a data breach where a third-party hacker was able to gain access to the SMH internal network.
Because it is a HIPAA-covered entity, SMH made a notification to the Office for Civil Rights at the U.S. Department of Health and Human Services about the breach.
Which statement accurately describes SMH's notification responsibilities?
- A. If SMH makes credit monitoring available to individuals who inquire, it will not have to make a separate notification to individuals in the state of New York.
- B. If SMH has more than 500 patients in the state of New York, it will need to make separate notifications to these patients.
- C. If SMH is compliant with HIPAA, it will not have to make a separate notification to individuals in the state of New York.
- D. If SMH must make a notification in any other state in which it operates, it must also make a notification to individuals in New York.
Answer: D
Explanation:
The correct answer is D. If SMH must make a notification in any other state in which it operates, it must also make a notification to individuals in New York. Under the Health Insurance Portability and Accountability Act (HIPAA), SMH is required to notify the Office for Civil Rights (OCR) and the affected individuals of a data breach involving unsecured protected health information (PHI) without unreasonable delay and no later than 60 days after discovery. However, HIPAA sets a floor, not a ceiling: it does not preempt state laws that provide greater protection to individuals or impose additional obligations on covered entities. Therefore, SMH must also comply with the state breach notification laws of the states where it operates, including New York.
According to the New York State Information Security Breach and Notification Act, any person or business that owns or licenses computerized data that includes private information of a resident of New York must disclose any breach of the security of the system to such resident in the most expedient time possible and without unreasonable delay, unless the exposure of the private information was inadvertent and unlikely to result in misuse or financial harm. Private information includes personal information (such as name, number, or other identifier) plus one or more of the following data elements: social security number; driver's license number or non-driver identification card number; account number, credit or debit card number, in combination with any required security code, access code, password or other information that would permit access to an individual's financial account; biometric information; or a user name or e-mail address in combination with a password or security question and answer that would permit access to an online account.
Therefore, if SMH's data breach involved any of these data elements of New York residents, SMH must notify them of the breach, regardless of whether SMH is compliant with HIPAA, has more than 500 patients in New York, or offers credit monitoring services. SMH must also notify the New York Attorney General, the Department of State, and the Division of State Police as to the timing, content and distribution of the notices. Additionally, SMH must notify the New York Department of Health if the breach involved electronic health records.
NEW QUESTION # 139
A student has left high school and is attending a public postsecondary institution. Under what condition may a school legally disclose educational records to the parents of the student without consent?
- A. If the student has not yet turned 18 years of age
- B. If the student has applied to transfer to another institution
- C. If the student is in danger of academic suspension
- D. If the student is still a dependent for tax purposes
Answer: D
Explanation:
The Family Educational Rights and Privacy Act (FERPA) is a federal law that protects the privacy of students' educational records. FERPA generally requires schools to obtain written consent from students before disclosing their records to third parties, such as parents. However, FERPA allows some exceptions to this rule, such as when the disclosure is for health or safety emergencies, or when the student is still a dependent for tax purposes. According to FERPA, a school may disclose educational records to the parents of a student who is claimed as a dependent on the parents' most recent federal income tax return, without the student's consent.
This exception applies regardless of the student's age or enrollment status at a postsecondary institution. References:
* IAPP CIPP/US Body of Knowledge, Section III, C, 2
* [IAPP CIPP/US Study Guide, Chapter 3, Section 3.5]
* [FERPA, 34 CFR § 99.31(a)(8)]
NEW QUESTION # 140
SCENARIO
Please use the following to answer the next QUESTION :
You are the chief privacy officer at HealthCo, a major hospital in a large U.S. city in state A. HealthCo is a HIPAA-covered entity that provides healthcare services to more than 100,000 patients. A third-party cloud computing service provider, CloudHealth, stores and manages the electronic protected health information (ePHI) of these individuals on behalf of HealthCo. CloudHealth stores the data in state B. As part of HealthCo's business associate agreement (BAA) with CloudHealth, HealthCo requires CloudHealth to implement security measures, including industry standard encryption practices, to adequately protect the data. However, HealthCo did not perform due diligence on CloudHealth before entering the contract, and has not conducted audits of CloudHealth's security measures.
A CloudHealth employee has recently become the victim of a phishing attack. When the employee unintentionally clicked on a link from a suspicious email, the PHI of more than 10,000 HealthCo patients was compromised. It has since been published online. The HealthCo cybersecurity team quickly identifies the perpetrator as a known hacker who has launched similar attacks on other hospitals - ones that exposed the PHI of public figures including celebrities and politicians.
During the course of its investigation, HealthCo discovers that CloudHealth has not encrypted the PHI in accordance with the terms of its contract. In addition, CloudHealth has not provided privacy or security training to its employees. Law enforcement has requested that HealthCo provide its investigative report of the breach and a copy of the PHI of the individuals affected.
A patient affected by the breach then sues HealthCo, claiming that the company did not adequately protect the individual's ePHI, and that he has suffered substantial harm as a result of the exposed data. The patient's attorney has submitted a discovery request for the ePHI exposed in the breach.
Of the safeguards required by the HIPAA Security Rule, which of the following is NOT at issue due to HealthCo's actions?
- A. Technical Safeguards
- B. Security Safeguards
- C. Administrative Safeguards
- D. Physical Safeguards
Answer: D
Explanation:
Section 8.1.2 of the textbook lists the Security Rule Safeguards as admin, technical and physical. Security safeguards are not considered one of the three categories.
NEW QUESTION # 141
SCENARIO
Please use the following to answer the next question:
Jane is a U.S. citizen and a senior software engineer at California-based Jones Labs, a major software supplier to the U.S. Department of Defense and other U.S. federal agencies. Jane's manager, Patrick, is a French citizen who has been living in California for over a decade. Patrick has recently begun to suspect that Jane is an insider secretly transmitting trade secrets to foreign intelligence. Unbeknownst to Patrick, the FBI has already received a hint from an anonymous whistleblower, and jointly with the National Security Agency is investigating Jane's possible implication in a sophisticated foreign espionage campaign.
Ever since the pandemic, Jane has been working from home. To complete her daily tasks she uses her corporate laptop, which after each login conspicuously provides notice that the equipment belongs to Jones Labs and may be monitored according to the enacted privacy policy and employment handbook. Jane also has a corporate mobile phone that she uses strictly for business, the terms of which are defined in her employment contract and elaborated upon in her employee handbook. Both the privacy policy and the employee handbook are revised annually by a reputable California law firm specializing in privacy law. Jane also has a personal iPhone that she uses for private purposes only.
Jones Labs has its primary data center in San Francisco, which is managed internally by Jones Labs engineers. The secondary data center, managed by Amazon AWS, is physically located in the UK for disaster recovery purposes. Jones Labs' mobile device backup is managed by a mid-sized mobile defense company located in Denver, which physically stores the data in Canada to reduce costs. Jones Labs' MS Office documents are securely stored in a Microsoft Office 365 data.
When storing Jane's fingerprint for remote authentication, Jones Labs should consider legality issues under which of the following?
- A. The California IoT Security Law (SB 327).
- B. The Privacy Rule of the HITECH Act.
- C. The federal Genetic Information Nondiscrimination Act (GINA).
- D. The applicable state law such as Illinois BIPA
Answer: D
Explanation:
When storing biometric data, such as fingerprints, organizations in the U.S. must comply with state-specific biometric privacy laws if they operate in states that regulate biometric information.
The most prominent of these laws is the Illinois Biometric Information Privacy Act (BIPA), but similar laws also exist or are developing in other states, such as Texas and Washington. The other options are distractors: SB 327 governs security features of connected devices, HITECH has no "Privacy Rule" of its own (it amended HIPAA), and GINA covers genetic information, not fingerprints.
Key Considerations for Storing Biometric Data:
Illinois Biometric Information Privacy Act (BIPA):
BIPA (740 ILCS 14) is a leading and highly influential state law regulating the collection, storage, and use of biometric information. It requires organizations to:
* Obtain informed, written consent before collecting biometric data.
* Establish a publicly available policy governing the retention and destruction of biometric data.
* Use a reasonable standard of care to protect biometric data from unauthorized access or use.
* Refrain from selling or transferring biometric data without consent.
California and Biometric Data:
While the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides general protections for personal information, including biometric data, it does not have the specific consent and handling requirements that BIPA does. Nevertheless, California residents have rights related to access, deletion, and the sale of biometric information.
NEW QUESTION # 142
The Clarifying Lawful Overseas Use of Data (CLOUD) Act is primarily intended to do which of the following?
- A. Establish baseline privacy obligations that U.S. companies must comply with for personal information, even if stored in a foreign country
- B. Codify a treaty with the EU that permits the cross-border transfer of personal information from the EU to the United States in compliance with the General Data Protection Regulation (GDPR).
- C. Update the legal mechanisms through which federal law enforcement may obtain data that service providers maintain in a foreign country
- D. Prohibit foreign companies from using the personal information of U.S. citizens without their consent
Answer: C
Explanation:
The Clarifying Lawful Overseas Use of Data (CLOUD) Act, enacted in 2018, updates the legal framework for federal law enforcement to access electronic data held by U.S. service providers, even when the data is stored outside the United States. The act resolves jurisdictional issues that arise in cross-border data requests and facilitates international cooperation for law enforcement purposes.
Key Provisions of the CLOUD Act:
* Data Access for Law Enforcement:
* The CLOUD Act allows U.S. federal law enforcement to compel U.S.-based service providers (e.g., Microsoft, Google) to provide access to data stored abroad using a valid warrant or subpoena, provided the request complies with applicable laws.
* International Data Sharing Agreements:
* The CLOUD Act enables the U.S. to establish bilateral agreements with other countries to streamline access to data for law enforcement purposes. These agreements ensure that U.S. and foreign law enforcement can access data without violating each other's sovereignty or privacy laws.
* Conflict with Foreign Laws:
* The act includes mechanisms for providers to challenge data requests that conflict with the laws of the country where the data is stored, providing safeguards for compliance with foreign privacy laws like the General Data Protection Regulation (GDPR).
Explanation of Options:
* A. Establish baseline privacy obligations that U.S. companies must comply with for personal information, even if stored in a foreign country: This is incorrect. The CLOUD Act is focused on law enforcement access to data, not privacy obligations for companies.
* B. Codify a treaty with the EU that permits the cross-border transfer of personal information from the EU to the United States in compliance with the GDPR: This is incorrect. The CLOUD Act is not specific to the EU or GDPR compliance. Instead, it focuses on law enforcement access to data stored abroad.
* C. Update the legal mechanisms through which federal law enforcement may obtain data that service providers maintain in a foreign country: This is correct. The CLOUD Act directly addresses law enforcement's ability to compel data access from U.S. providers, regardless of the data's physical location.
* D. Prohibit foreign companies from using the personal information of U.S. citizens without their consent: This is incorrect. The CLOUD Act does not regulate foreign companies or impose consent requirements for using personal information.
References from CIPP/US Materials:
* CLOUD Act (18 U.S.C. § 2713): Establishes legal mechanisms for cross-border data access and international agreements.
* IAPP CIPP/US Certification Textbook: Discusses the CLOUD Act's impact on cross-border data requests and its interaction with global privacy laws.
NEW QUESTION # 143
SCENARIO
Please use the following to answer the next question:
Declan has just started a job as a nursing assistant in a radiology department at Woodland Hospital. He has also started a program to become a registered nurse.
Before taking this career path, Declan was vaguely familiar with the Health Insurance Portability and Accountability Act (HIPAA). He now knows that he must help ensure the security of his patients' Protected Health Information (PHI). Therefore, he is thinking carefully about privacy issues.
On the morning of his first day, Declan noticed that the newly hired receptionist handed each patient a HIPAA privacy notice. He wondered if it was necessary to give these privacy notices to returning patients, and if the radiology department could reduce paper waste through a system of one-time distribution.
He was also curious about the hospital's use of a billing company. He questioned whether the hospital was doing all it could to protect the privacy of its patients if the billing company had details about patients' care.
On his first day Declan became familiar with all areas of the hospital's large radiology department.
As he was organizing equipment left in the hallway, he overheard a conversation between two hospital administrators. He was surprised to hear that a portable hard drive containing non-encrypted patient information was missing. The administrators expressed relief that the hospital would be able to avoid liability. Declan was surprised, and wondered whether the hospital had plans to properly report what had happened.
Despite Declan's concern about this issue, he was amazed by the hospital's effort to integrate Electronic Health Records (EHRs) into the everyday care of patients. He thought about the potential for streamlining care even more if they were accessible to all medical facilities nationwide.
Declan had many positive interactions with patients. At the end of his first day, he spoke to one patient, John, whose father had just been diagnosed with a degenerative muscular disease. John was about to get blood work done, and he feared that the blood work could reveal a genetic predisposition to the disease that could affect his ability to obtain insurance coverage. Declan told John that he did not think that was possible, but the patient was wheeled away before he could explain why. John plans to ask a colleague about this.
In one month, Declan has a paper due for one of his classes on a health topic of his choice. By then, he will have had many interactions with patients he can use as examples. He will be pleased to give credit to John by name for inspiring him to think more carefully about genetic testing.
Although Declan's day ended with many questions, he was pleased about his new position.
What is the most likely way that Declan might directly violate the Health Insurance Portability and Accountability Act (HIPAA)?
- A. By being present when patients are checking in
- B. By ignoring the conversation about a potential breach
- C. By speaking to a patient without prior authorization
- D. By following through with his plans for his upcoming paper
Answer: D
Explanation:
Declan might directly violate the HIPAA Privacy Rule by using John's name and protected health information (PHI) in his paper without his written authorization. The Privacy Rule protects the confidentiality of PHI that is created, received, maintained, or transmitted by a covered entity or its business associate. PHI includes any information that relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and that identifies the individual or for which there is a reasonable basis to believe can be used to identify the individual. Declan, as a nursing assistant, is part of the covered entity's workforce and must comply with the Privacy Rule. He cannot disclose John's PHI to anyone, including his classmates or instructors, without John's authorization or a valid exception under the Privacy Rule. Even if he does not use John's full name, he may still reveal enough information to make John identifiable, such as his diagnosis, his father's condition, or his location. This would be an impermissible use and disclosure of PHI, and a potential HIPAA violation. Declan should either obtain John's written authorization to use his PHI in his paper, or de-identify the information according to the Privacy Rule's standards.
NEW QUESTION # 144
Under the Fair Credit Reporting Act (FCRA), what must a person who is denied employment based upon his credit history receive?
- A. An opportunity to reapply with the employer.
- B. Information from several consumer reporting agencies (CRAs).
- C. A prompt notification from the employer.
- D. A list of rights from the Consumer Financial Protection Bureau (CFPB).
Answer: C
Explanation:
The FCRA requires that an employer who takes an adverse action against an applicant or employee based on information in a consumer report must provide a notice of the adverse action to the individual. The notice must include the name, address, and phone number of the CRA that supplied the report; a statement that the CRA did not make the decision and cannot explain why the adverse action was taken; a notice of the individual's right to dispute the accuracy or completeness of the information in the report; and a notice of the individual's right to obtain a free copy of the report from the CRA within 60 days. References:
* CIPP/US Practice Questions (Sample Questions), Question 141, Answer A, Explanation A.
* IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 4, Section 4.2, pp. 101-102.
* Fair Credit Reporting Act (FCRA), Section 615, Subsection (a).
NEW QUESTION # 145
If an organization certified under Privacy Shield wants to transfer personal data to a third party acting as an agent, the organization must ensure the third party does all of the following EXCEPT?
- A. Provides the same level of privacy protection as the organization
- B. Uses the transferred data for limited purposes
- C. Notifies the organization if it can no longer meet its requirements for proper data handling
- D. Enters a contract with the organization that states the third party will process data according to the consent agreement
Answer: D
Explanation:
According to the Privacy Shield Framework, an organization that transfers personal data to a third party acting as an agent must ensure that the agent does all of the following:
* Uses the transferred data only for limited and specified purposes;
* Provides the same level of privacy protection as is required by the Privacy Shield Principles;
* Takes reasonable and appropriate steps to ensure that the agent effectively processes the personal information transferred in a manner consistent with the organization's obligations under the Principles;
* Requires the agent to notify the organization if it makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the Principles;
* Upon notice, takes reasonable and appropriate steps to stop and remediate unauthorized processing; and
* Provides a summary or a representative copy of the relevant privacy provisions of its contract with that agent to the Department of Commerce upon request.
Therefore, the only option that is not required by the Privacy Shield Framework is D. Enters a contract with the organization that states the third party will process data according to the consent agreement. While the organization must obtain the individual's consent for certain types of data transfers, such as those involving sensitive data or onward transfers to controllers, the organization does not have to include the consent agreement in the contract with the agent. The contract must, however, ensure that the agent will process the data in accordance with the individual's choices and expectations, as well as the Privacy Shield Principles.
References: 1: Privacy Shield Framework, Section 3 (b); 2: Privacy Shield Framework, Section 2 (b) and ; 3: Privacy Shield Framework.
NEW QUESTION # 146
SCENARIO
Please use the following to answer the next question:
Matt went into his son's bedroom one evening and found him stretched out on his bed typing on his laptop.
"Doing your homework?" Matt asked hopefully.
"No," the boy said. "I'm filling out a survey."
Matt looked over his son's shoulder at his computer screen. "What kind of survey?" "It's asking questions about my opinions."
"Let me see," Matt said, and began reading the list of questions that his son had already answered. "It's asking your opinions about the government and citizenship. That's a little odd. You're only ten." Matt wondered how the web link to the survey had ended up in his son's email inbox. Thinking the message might have been sent to his son by mistake, he opened it and read it. It had come from an entity called the Leadership Project, and the content and the graphics indicated that it was intended for children. As Matt read further, he learned that kids who took the survey were automatically registered in a contest to win the first book in a series about famous leaders.
To Matt, this clearly seemed like a marketing ploy to solicit goods and services to children. He asked his son if he had been prompted to give information about himself in order to take the survey. His son told him he had been asked to give his name, address, telephone number, and date of birth, and to answer questions about his favorite games and toys.
Matt was concerned. He doubted if it was legal for the marketer to collect information from his son in the way that it was. Then he noticed several other commercial emails from marketers advertising products for children in his son's inbox, and he decided it was time to report the incident to the proper authorities.
How could the marketer have best changed its privacy management program to meet COPPA "Safe Harbor" requirements?
- A. By participating in an approved self-regulatory program
- B. By making a COPPA privacy notice available on website
- C. By receiving FTC approval for the content of its emails
- D. By regularly assessing the security risks to consumer privacy
Answer: A
Explanation:
The Children's Online Privacy Protection Act (COPPA) is a federal law that protects the privacy of children under 13 who use online sites and services. COPPA requires operators of such sites and services to obtain verifiable parental consent before collecting, using, or disclosing personal information from children, and to provide notice of their information practices to parents and the public. COPPA also gives parents the right to access, review, and delete their children's personal information, and to limit further collection or use of such information. One way for operators to comply with COPPA is to participate in an approved self-regulatory program, also known as a "safe harbor" program. These are programs that are run by industry groups or other organizations that set and enforce standards for privacy protection that meet or exceed the requirements of COPPA.
Operators that join a safe harbor program and follow its guidelines are deemed to be in compliance with COPPA and are subject to the review and disciplinary procedures of the program instead of FTC enforcement actions. The FTC has approved several safe harbor programs, such as CARU, ESRB, iKeepSafe, kidSAFE, PRIVO, and TRUSTe. By participating in an approved self-regulatory program, the marketer in the scenario could have best changed its privacy management program to meet COPPA "Safe Harbor" requirements. This would mean that the marketer would have to adhere to the guidelines of the program, which would likely include obtaining verifiable parental consent before collecting personal information from children, providing clear and prominent privacy notices on its website and emails, honoring parents' choices and requests regarding their children's data, and ensuring the security and confidentiality of the data collected. The marketer would also benefit from the oversight and assistance of the program in ensuring compliance and resolving any complaints or disputes.
References:
* Complying with COPPA: Frequently Asked Questions, Section A
* COPPA Safe Harbor Program
* IAPP CIPP/US Certified Information Privacy Professional Study Guide, page 143.
NEW QUESTION # 147
Within what time period must a commercial message sender remove a recipient's address once they have asked to stop receiving future e-mail?
- A. 21 days
- B. 15 days
- C. 7 days
- D. 10 days
Answer: D
Explanation:
According to the CAN-SPAM Act of 2003, a federal law that regulates commercial email messages, a commercial message sender must honor a recipient's opt-out request within 10 business days. The sender must provide a clear and conspicuous way for the recipient to opt out of receiving future emails, such as a link or an email address. The sender must not charge a fee, require the recipient to provide any personal information, or make the recipient take any steps other than sending a reply email or visiting a single web page to opt out. The sender must also not sell, exchange, or transfer the email address of the recipient who has opted out, unless it is necessary to comply with the law or prevent fraud.
References:
* IAPP CIPP/US Body of Knowledge, Domain II: Limits on Private-sector Collection and Use of Data, Section B: Communications and Marketing
* IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 2: Limits on Private-sector Collection and Use of Data, Section 2.2: Communications and Marketing
* Practice Exam - International Association of Privacy Professionals
NEW QUESTION # 148
Chanel Hair Studio is a busy high-end hair salon. In an effort to maximize efficiency of its operations and reduce wait times for appointments, Chanel decides to implement artificial intelligence software that will use client profiles and history to predict which clients will likely be late for their appointments. Information used to create the client profile included appointment history, distance from the salon, and any references to being tardy pulled from the client's social media accounts. If a client is predicted to be late, their appointment will be cancelled within 5 minutes.
Based on the details, what is the biggest potential privacy concern related to Chanel's use of this new software?
- A. Using client profile information for any purpose other than setting up an appointment.
- B. Assessing client tardiness history with the salon for predictive purposes.
- C. Scanning a client's social media accounts to use in a client profile without notice to the client.
- D. Calculating client profile address distance from the salon to determine location from salon to help predict if the client will be late.
Answer: C
Explanation:
The biggest potential privacy concern related to Chanel's use of this new software is scanning a client's social media accounts to use in a client profile without notice to the client. This could violate the client's reasonable expectation of privacy and consent, as well as the privacy policies of the social media platforms. The client may not be aware that their social media posts are being used for this purpose, and may not have given their permission or opt-in consent for such data collection and processing. This could also expose the client to potential discrimination or harm based on their social media activity, such as losing their appointment or being charged a cancellation fee. Furthermore, this practice could conflict with the Fair Information Practice Principles (FIPPs), such as transparency, purpose specification, and data minimization. References:
* CIPP/US Practice Questions (Sample Questions), Question 149, Answer A, Explanation A.
* IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 1, Section 1.1, p. 9-10.
NEW QUESTION # 149
Which of the following is NOT one of three broad categories of products offered by data brokers, as identified by the U.S. Federal Trade Commission (FTC)?
- A. Marketing (such as appending data to customer information that a marketing company already has).
- B. Research (such as information for understanding consumer trends).
- C. Risk mitigation (such as information that may reduce the risk of fraud).
- D. Location of individuals (such as identifying an individual from partial information).
Answer: D
Explanation:
Data brokers are companies that collect, analyze, and share personal information about consumers for various purposes, such as marketing, risk mitigation, and research. The U.S. Federal Trade Commission (FTC) conducted a study of nine data brokers in 2012 and published a report in 2014, titled "Data Brokers: A Call for Transparency and Accountability". In the report, the FTC identified three broad categories of products offered by data brokers, based on the primary purposes for which the products are used by their customers. The three categories are:
Marketing products: These products help customers target potential customers, tailor marketing offers, measure the effectiveness of marketing campaigns, and improve customer relationships.
Marketing products include data elements, segments, scores, lists, and analytics that are derived from consumer data. Data brokers may provide marketing products through direct marketing (such as postal mail, e-mail, or phone), online marketing (such as online display ads, social media, or mobile apps), or marketing analytics (such as measuring consumer behavior, preferences, and trends).
Risk mitigation products: These products help customers verify and authenticate consumers' identities, prevent fraud, and comply with legal obligations. Risk mitigation products include identity verification, identity authentication, fraud prevention, and compliance products that are based on consumer data. Data brokers may provide risk mitigation products through various methods, such as matching consumer-provided information with data broker records, generating questions or challenges based on consumer data, or providing scores or indicators of fraud risk or compliance status.
Research products: These products help customers understand consumer behavior, preferences, and trends, as well as market conditions, industry developments, and economic factors.
Research products include reports, studies, statistics, and insights that are derived from consumer data. Data brokers may provide research products through various formats, such as online portals, dashboards, newsletters, or custom reports.
The FTC report did not include location of individuals as one of the three broad categories of products offered by data brokers. Location of individuals may be a specific type of product or service that some data brokers provide, but it is not a primary purpose for which data brokers use consumer data. Therefore, the correct answer is C. Location of individuals (such as identifying an individual from partial information).
NEW QUESTION # 150
Acme Student Loan Company has developed an artificial intelligence algorithm that determines whether an individual is likely to pay their bill or default. A person who is determined by the algorithm to be more likely to default will receive frequent payment reminder calls, while those who are less likely to default will not receive payment reminders.
Which of the following most accurately reflects the privacy concerns with Acme Student Loan Company using artificial intelligence in this manner?
- A. If the algorithm uses risk factors that impact the automatic decision engine, Acme must ensure that the algorithm does not have a disparate impact on protected classes in the output.
- B. If the algorithm uses information about protected classes to make automated decisions, Acme must ensure that the algorithm does not have a disparate impact on protected classes in the output.
- C. If the algorithm's methodology is disclosed to consumers, then it is acceptable for Acme to have a disparate impact on protected classes.
- D. If the algorithm makes automated decisions based on risk factors and public information, Acme need not determine if the algorithm has a disparate impact on protected classes.
Answer: B
Explanation:
The correct answer is D. If the algorithm uses information about protected classes to make automated decisions, Acme must ensure that the algorithm does not have a disparate impact on protected classes in the output. The Fair Credit Reporting Act (FCRA) protects consumers from unfair, inaccurate, and discriminatory treatment by creditors and other businesses that use credit reports. The FCRA prohibits creditors from using information about protected classes, such as race, color, religion, national origin, sex, marital status, age, or because they receive income from a public assistance program, to make decisions about credit. In the case of Acme Student Loan Company, the algorithm is using information about protected classes to make automated decisions about whether to send payment reminder calls. This could have a disparate impact on protected classes, such as people of color or people with low incomes. For example, people of color may be more likely to be identified as being at risk of default, even if they are just as likely to repay their loans as people of other races. Acme Student Loan Company must ensure that the algorithm does not have a disparate impact on protected classes. This could be done by using a variety of methods, such as:
* Testing the algorithm for accuracy, fairness, and bias before and after deployment
* Providing consumers with notice and consent options for the use of their data
* Allowing consumers to access, correct, or delete their data
* Implementing accountability and oversight mechanisms for the algorithm
* Ensuring compliance with applicable laws and regulations
References: https://economictimes.indiatimes.com/news/how-to/ai-and-privacy-the-privacy-concerns-surrounding-ai-its-potential-impact-on-personal-data/articleshow/99738234.cms
https://pupuweb.com/iapp-cipp-us-qa-privacy-concerns-acme-student-loan-company-artificial-intelligence/
NEW QUESTION # 151
A large online bookseller decides to contract with a vendor to manage Personal Information (PI). What is the least important factor for the company to consider when selecting the vendor?
- A. The vendor's financial health
- B. The vendor's employee retention rates
- C. The vendor's reputation
- D. The vendor's employee training program
Answer: B
Explanation:
When selecting a vendor to manage personal information, the company should consider various criteria, such as the vendor's reputation, financial health, employee training program, privacy policies, security practices, compliance record, contractual terms, and service quality. However, the vendor's employee retention rates may not be as important as the other factors, as they do not directly affect the vendor's ability to protect and process the personal information entrusted to them. While high employee turnover may indicate some issues with the vendor's management or culture, it may not necessarily impact the vendor's performance or reliability, as long as the vendor has adequate measures to ensure continuity, accountability, and confidentiality of the personal information they handle. References:
* Vendor Selection Process: a Step-by-Step Guide, section "Step 2: Define the vendor selection criteria"
* [IAPP CIPP/US Study Guide], p. 81-82, section 3.4.1
* [IAPP CIPP/US Body of Knowledge], p. 18-19, section C.2.a
NEW QUESTION # 152
All of the following common law torts are relevant to employee privacy under US law EXCEPT?
- A. Conversion.
- B. Defamation.
- C. Infliction of emotional distress.
- D. Intrusion upon seclusion.
Answer: D
NEW QUESTION # 153