IAPP CIPP-US Exam Questions

Question 6 of 216

What is a legal document approved by a judge that formalizes an agreement between a governmental agency and an adverse party called?

A consent decree

Stare decisis decree

A judgment rider

Common law judgment

Correct Answer: A

A consent decree is a legal document approved by a judge that formalizes an agreement between a governmental agency and an adverse party. The consent decree describes the actions the defendant will take without admitting guilt or wrongdoing and is considered to have the effect of a court decision.

Question 7 of 216

Read this notice:
Our website uses cookies. Cookies allow us to identify the computer or device you’re using to access the site, but they don’t identify you personally. For instructions on setting your Web browser to refuse cookies, click here.
What type of legal choice does not notice provide?

Mandatory

Implied consent

Opt-in

Opt-out

Correct Answer: C

The notice about cookies does not provide an opt-in choice. An opt-in approach requires users to take an affirmative action to give consent, such as ticking a box. The notice only mentions how to refuse cookies (opt-out) and does not provide an option to actively agree to the use of cookies (opt-in). Thus, the legal choice not provided in the notice is the opt-in.

Question 8 of 216

SCENARIO -
Please use the following to answer the next question:
Cheryl is the sole owner of Fitness Coach, Inc., a medium-sized company that helps individuals realize their physical fitness goals through classes, individual instruction, and access to an extensive indoor gym. She has owned the company for ten years and has always been concerned about protecting customers’ privacy while maintaining the highest level of service. She is proud that she has built long-lasting customer relationships.
Although Cheryl and her staff have tried to make privacy protection a priority, the company has no formal privacy policy. So Cheryl hired Janice, a privacy professional, to help her develop one.
After an initial assessment, Janice created a first of a new policy. Cheryl read through the draft and was concerned about the many changes the policy would bring throughout the company. For example, the draft policy stipulates that a customer’s personal information can only be held for one year after paying for a service such as a session with personal trainer. It also promises that customer information will not be shared with third parties without the written consent of the customer. The wording of these rules worries Cheryl since stored personal information often helps her company to serve her customers, even if there are long pauses between their visits. In addition, there are some third parties that provide crucial services, such as aerobics instructors who teach classes on a contract basis. Having access to customer files and understanding the fitness levels of their students helps instructors to organize their classes.
Janice understood Cheryl’s concerns and was already formulating some ideas for revision. She tried to put Cheryl at ease by pointing out that customer data can still be kept, but that it should be classified according to levels of sensitivity. However, Cheryl was skeptical. It seemed that classifying data and treating each type differently would cause undue difficulties in the company’s day-to-day operations. Cheryl wants one simple data storage and access system that any employee can access if needed.
Even though the privacy policy was only a draft, she was beginning to see that changes within her company were going to be necessary. She told Janice that she would be more comfortable with implementing the new policy gradually over a period of several months, one department at a time. She was also interested in a layered approach by creating documents listing applicable parts of the new policy for each department.
What is the best reason for Cheryl to follow Janice’s suggestion about classifying customer data?

It will help employees stay better organized

It will help the company meet a federal mandate

It will increase the security of customers’ personal information (PI)

It will prevent the company from collecting too much personal information (PI)

Correct Answer: C

Classifying customer data helps in increasing the security of personal information. By categorizing data according to its sensitivity, Fitness Coach, Inc. can implement appropriate security measures for each category. This practice ensures that highly sensitive information receives higher levels of protection, thereby reducing the risk of unauthorized access or data breaches. Implementing data classification aligns with Cheryl's concern about maintaining privacy while allowing necessary access to customer information for operational purposes.

Question 9 of 216

SCENARIO -
Please use the following to answer the next question:
Cheryl is the sole owner of Fitness Coach, Inc., a medium-sized company that helps individuals realize their physical fitness goals through classes, individual instruction, and access to an extensive indoor gym. She has owned the company for ten years and has always been concerned about protecting customers’ privacy while maintaining the highest level of service. She is proud that she has built long-lasting customer relationships.
Although Cheryl and her staff have tried to make privacy protection a priority, the company has no formal privacy policy. So Cheryl hired Janice, a privacy professional, to help her develop one.
After an initial assessment, Janice created a first of a new policy. Cheryl read through the draft and was concerned about the many changes the policy would bring throughout the company. For example, the draft policy stipulates that a customer’s personal information can only be held for one year after paying for a service such as a session with personal trainer. It also promises that customer information will not be shared with third parties without the written consent of the customer. The wording of these rules worries Cheryl since stored personal information often helps her company to serve her customers, even if there are long pauses between their visits. In addition, there are some third parties that provide crucial services, such as aerobics instructors who teach classes on a contract basis. Having access to customer files and understanding the fitness levels of their students helps instructors to organize their classes.
Janice understood Cheryl’s concerns and was already formulating some ideas for revision. She tried to put Cheryl at ease by pointing out that customer data can still be kept, but that it should be classified according to levels of sensitivity. However, Cheryl was skeptical. It seemed that classifying data and treating each type differently would cause undue difficulties in the company’s day-to-day operations. Cheryl wants one simple data storage and access system that any employee can access if needed.
Even though the privacy policy was only a draft, she was beginning to see that changes within her company were going to be necessary. She told Janice that she would be more comfortable with implementing the new policy gradually over a period of several months, one department at a time. She was also interested in a layered approach by creating documents listing applicable parts of the new policy for each department.
What is the most likely risk of Fitness Coach, Inc. adopting Janice’s first draft of the privacy policy?

Leaving the company susceptible to violations by setting unrealistic goals

Failing to meet the needs of customers who are concerned about privacy

Showing a lack of trust in the organization’s privacy practices

Not being in standard compliance with applicable laws

Correct Answer: A

Cheryl's company may be at risk if the privacy policy sets unrealistic goals because the policy could become too difficult to implement effectively. Unrealistically strict requirements, such as only storing customer information for one year or requiring written consent before sharing data with third parties, might hinder daily operations and the company's ability to serve its customers. It could also lead to non-compliance with the created policy, resulting in potential legal and reputational issues. Therefore, a more balanced approach that is practical and achievable ensures the maintenance of service quality while upholding privacy standards.

Question 10 of 216

SCENARIO -
Please use the following to answer the next question:
Cheryl is the sole owner of Fitness Coach, Inc., a medium-sized company that helps individuals realize their physical fitness goals through classes, individual instruction, and access to an extensive indoor gym. She has owned the company for ten years and has always been concerned about protecting customers’ privacy while maintaining the highest level of service. She is proud that she has built long-lasting customer relationships.
Although Cheryl and her staff have tried to make privacy protection a priority, the company has no formal privacy policy. So Cheryl hired Janice, a privacy professional, to help her develop one.
After an initial assessment, Janice created a first of a new policy. Cheryl read through the draft and was concerned about the many changes the policy would bring throughout the company. For example, the draft policy stipulates that a customer’s personal information can only be held for one year after paying for a service such as a session with personal trainer. It also promises that customer information will not be shared with third parties without the written consent of the customer. The wording of these rules worries Cheryl since stored personal information often helps her company to serve her customers, even if there are long pauses between their visits. In addition, there are some third parties that provide crucial services, such as aerobics instructors who teach classes on a contract basis. Having access to customer files and understanding the fitness levels of their students helps instructors to organize their classes.
Janice understood Cheryl’s concerns and was already formulating some ideas for revision. She tried to put Cheryl at ease by pointing out that customer data can still be kept, but that it should be classified according to levels of sensitivity. However, Cheryl was skeptical. It seemed that classifying data and treating each type differently would cause undue difficulties in the company’s day-to-day operations. Cheryl wants one simple data storage and access system that any employee can access if needed.
Even though the privacy policy was only a draft, she was beginning to see that changes within her company were going to be necessary. She told Janice that she would be more comfortable with implementing the new policy gradually over a period of several months, one department at a time. She was also interested in a layered approach by creating documents listing applicable parts of the new policy for each department.
What is the main problem with Cheryl’s suggested method of communicating the new privacy policy?

The policy would not be considered valid if not communicated in full.

The policy might not be implemented consistency across departments.

Employees would not be comfortable with a policy that is put into action over time.

Employees might not understand how the documents relate to the policy as a whole.

Correct Answer: B

The main problem with Cheryl’s suggested method of communicating the new privacy policy is that the policy might not be implemented consistently across departments. Implementing the policy gradually over several months and by department could lead to variations in how each section interprets and applies the guidelines, causing inconsistencies and potential gaps in privacy protection throughout the company.