IAPP CIPP-US Certified Information Privacy Professional/United States (CIPP/US) Online Training

Question #21

SCENARIO

Please use the following to answer the next QUESTION:

A US-based startup company is selling a new gaming application. One day, the CEO of the company receives an urgent letter from a prominent EU-based retail partner. Triggered by an unresolved complaint lodged by an EU resident, the letter describes an ongoing investigation by a supervisory authority into the retailer’s data handling practices.

The complainant accuses the retailer of improperly disclosing her personal data, without consent, to parties in the United States. Further, the complainant accuses the EU-based retailer of failing to respond to her

withdrawal of consent and request for erasure of her personal data. Your organization, the US-based startup company, was never informed of this request for erasure by the EU-based retail partner. The supervisory authority investigating the complaint has threatened the suspension of data flows if the parties involved do not cooperate with the investigation. The letter closes with an urgent request: “Please act immediately by identifying all personal data received from our company.”

This is an important partnership. Company executives know that its biggest fans come from Western Europe; and this retailer is primarily responsible for the startup’s rapid market penetration.

As the Company’s data privacy leader, you are sensitive to the criticality of the relationship with the retailer.

Under the General Data Protection Regulation (GDPR), how would the U.S.-based startup company most likely be classified?

A . As a data supervisor
B . As a data processor
C . As a data controller
D . As a data manager

Reveal Solution Hide Solution

Question #22

SCENARIO

Please use the following to answer the next QUESTION:

A US-based startup company is selling a new gaming application. One day, the CEO of the company receives an urgent letter from a prominent EU-based retail partner. Triggered by an unresolved complaint lodged by an EU resident, the letter describes an ongoing investigation by a supervisory authority into the retailer’s data handling practices.

The complainant accuses the retailer of improperly disclosing her personal data, without consent, to parties in the United States. Further, the complainant accuses the EU-based retailer of failing to respond to her withdrawal of consent and request for erasure of her personal data. Your organization, the US-based startup company, was never informed of this request for erasure by the EU-based retail partner. The supervisory authority investigating the complaint has threatened the suspension of data flows if the parties involved do not cooperate with the investigation. The letter closes with an urgent request: “Please act immediately by identifying all personal data received from our company.”

This is an important partnership. Company executives know that its biggest fans come from Western Europe; and this retailer is primarily responsible for the startup’s rapid market penetration.

As the Company’s data privacy leader, you are sensitive to the criticality of the relationship with the retailer.

Under the GDPR, the complainant’s request regarding her personal information is known as what?

A . Right of Access
B . Right of Removal
C . Right of Rectification
D . Right to Be Forgotten

Reveal Solution Hide Solution

Question #23

In which situation would a policy of “no consumer choice” or “no option” be expected?

A . When a job applicant’s credit report is provided to an employer
B . When a customer’s financial information is requested by the government
C . When a patient’s health record is made available to a pharmaceutical company
D . When a customer’s street address is shared with a shipping company

Reveal Solution Hide Solution

Question #24

What is the main challenge financial institutions face when managing user preferences?

A . Ensuring they are in compliance with numerous complex state and federal privacy laws
B . Developing a mechanism for opting out that is easy for their consumers to navigate
C . Ensuring that preferences are applied consistently across channels and platforms
D . Determining the legal requirements for sharing preferences with their affiliates

Reveal Solution Hide Solution

Question #25

A large online bookseller decides to contract with a vendor to manage Personal Information (PI).

What is the least important factor for the company to consider when selecting the vendor?

A . The vendor’s reputation
B . The vendor’s financial health
C . The vendor’s employee retention rates
D . The vendor’s employee training program

Reveal Solution Hide Solution

Question #26

In which situation is a company operating under the assumption of implied consent?

A . An employer contacts the professional references provided on an applicant’s resume
B . An online retailer subscribes new customers to an e-mail list by default
C . A landlord uses the information on a completed rental application to run a credit report
D . A retail clerk asks a customer to provide a zip code at the check-out counter

Reveal Solution Hide Solution

Question #27

All of the following are tasks in the “Discover” phase of building an information management program EXCEPT?

A . Facilitating participation across departments and levels
B . Developing a process for review and update of privacy policies
C . Deciding how aggressive to be in the use of personal information
D . Understanding the laws that regulate a company’s collection of information

Reveal Solution Hide Solution

Correct Answer: B
B

Explanation:

The “Discover” phase of building an information management program is the first step in the process of creating a privacy framework. It involves identifying the types, sources, and flows of personal information within an organization, as well as the legal, regulatory, and contractual obligations that apply to it. The tasks in this phase include:

Conducting a data inventory and mapping exercise to document what personal information is collected, used, shared, and stored by the organization, and how it is protected.

Assessing the current state of privacy compliance and risk by reviewing existing policies, procedures, and practices, and identifying any gaps or weaknesses.

Understanding the laws that regulate a company’s collection of information, such as the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), and the California Consumer Privacy Act (CCPA).

Facilitating participation across departments and levels to ensure that all stakeholders are involved and informed of the privacy goals and objectives, and to foster a culture of privacy awareness and accountability.

Developing a process for review and update of privacy policies is not a task in the “Discover” phase, but rather in the “Implement” phase, which is the third step in the process of creating a privacy framework. It involves putting the privacy policies and procedures into action, and ensuring that they are effective and compliant.

The tasks in this phase include:

Developing a process for review and update of privacy policies to reflect changes in the business environment, legal requirements, and best practices, and to incorporate feedback from internal and external audits and assessments.

Implementing privacy training and awareness programs to educate employees and other relevant parties on their roles and responsibilities regarding privacy, and to promote a privacy-by-design approach.

Establishing privacy governance and oversight mechanisms to monitor and measure the performance and outcomes of the privacy program, and to ensure accountability and transparency. Developing a process for responding to privacy incidents and requests from data subjects, regulators, and other parties, and to mitigate and remediate any privacy risks or harms.

Reference: IAPP CIPP/US Body of Knowledge, Domain I: Information Management from a U.S. Perspective,

Section A: Building a Privacy Program

IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 1: Information

Management from a U.S. Perspective, Section 1.1: Building a Privacy Program Practice Exam – International Association of Privacy Professionals

Question #28

Which of the following describes the most likely risk for a company developing a privacy policy with standards that are much higher than its competitors?

A . Being more closely scrutinized for any breaches of policy
B . Getting accused of discriminatory practices
C . Attracting skepticism from auditors
D . Having a security system failure

Reveal Solution Hide Solution

Question #29

If an organization certified under Privacy Shield wants to transfer personal data to a third party acting as an agent, the organization must ensure the third party does all of the following EXCEPT?

A . Uses the transferred data for limited purposes
B . Provides the same level of privacy protection as the organization
C . Notifies the organization if it can no longer meet its requirements for proper data handling
D . Enters a contract with the organization that states the third party will process data according to the consent agreement

Reveal Solution Hide Solution

Question #30

What was the original purpose of the Federal Trade Commission Act?

A . To ensure privacy rights of U.S. citizens
B . To protect consumers
C . To enforce antitrust laws
D . To negotiate consent decrees with companies violating personal privacy

Reveal Solution Hide Solution

Correct Answer: C
C

Explanation:

The Federal Trade Commission Act (FTCA) was adopted in 1914 as part of the Progressive Era reforms that aimed to curb the power and influence of monopolies and trusts in the U.S. economy. The FTCA created the Federal Trade Commission (FTC) as an independent agency to investigate and prevent unfair methods of competition and unfair or deceptive acts or practices in or affecting commerce. The FTCA also gave the FTC the authority to issue cease and desist orders, seek injunctions, and impose civil penalties for violations of the law. The FTCA was intended to complement and supplement the existing antitrust laws, such as the Sherman Act and the Clayton Act, that prohibited restraints of trade, price-fixing, mergers, and other anticompetitive conduct.

The other options are not correct, because:

The FTCA did not explicitly address privacy rights of U.S. citizens, although the FTC later used its authority under the FTCA to enforce against unfair or deceptive privacy practices, such as making false or misleading claims, failing to disclose material information, or violating consumers’ choices or expectations regarding their personal data.

The FTCA did not specifically focus on consumer protection, although the FTC later expanded its scope to include consumer protection issues, such as advertising and marketing, credit and finance, privacy and security, and consumer education. The FTC also enforced other consumer protection laws, such as the Truth in Lending Act, the Fair Credit Reporting Act, the Children’s Online Privacy Protection Act, and the CAN-SPAM Act.

The FTCA did not authorize the FTC to negotiate consent decrees with companies violating personal privacy, although the FTC later used consent decrees as a common tool to settle privacy cases and impose remedial measures, such as audits, reports, and compliance programs. Consent decrees are agreements between the FTC and the parties involved in a case that resolve the FTC’s charges without admitting liability or wrongdoing.

Reference: FTC website, Federal Trade Commission Act

Britannica website, Federal Trade Commission Act (FTCA)

IAPP CIPP/US Study Guide, Chapter 1: Introduction to the U.S. Privacy Environment, pp. 11-12 IAPP website, Federal Trade Commission Act, Section 5 of