IAPP CIPP-US Actual Free Exam Questions & Community Discussion

If an organization maintains data classified as high sensitivity in the same system as data classified as low sensitivity, which of the following is the most likely outcome?

What was unique about the action that the Federal Trade Commission took against B.J.'s Wholesale Club in 2005?

Within what time period must a commercial message sender remove a recipient's address once they have asked to stop receiving future e-mail?

Which of the following does Title VII of the Civil Rights Act prohibit an employer from asking a job applicant?

Which statute is considered part of U.S. federal privacy law?

Under Section 702 of FISA, which surveillance program allows data requests of Internet Service Providers?

Which of the following would best provide a sufficient consumer disclosure under the Fair Credit Reporting Act (FCRA) prior to a consumer report being obtained for employment purposes?

According to Section 5 of the FTC Act, self-regulation primarily involves a company's right to do what?

Which form of malicious online threat targets an individual user and pretends to be a legitimate party, such as a bank, to steal personal data?

Why was the Privacy Protection Act of 1980 drafted?

All of the following are tasks in the "Discover" phase of building an information management program EXCEPT?

SCENARIO
Please use the following to answer the next question:
A US-based startup company is selling a new gaming application. One day, the CEO of the company receives an urgent letter from a prominent EU-based retail partner. Triggered by an unresolved complaint lodged by an EU resident, the letter describes an ongoing investigation by a supervisory authority into the retailer's data handling practices.
The complainant accuses the retailer of improperly disclosing her personal data, without consent, to parties in the United States. Further, the complainant accuses the EU-based retailer of failing to respond to her withdrawal of consent and request for erasure of her personal data. Your organization, the US- based startup company, was never informed of this request for erasure by the EU-based retail partner. The supervisory authority investigating the complaint has threatened the suspension of data flows if the parties involved do not cooperate with the investigation. The letter closes with an urgent request: "Please act immediately by identifying all personal data received from our company." This is an important partnership. Company executives know that its biggest fans come from Western Europe; and this retailer is primarily responsible for the startup's rapid market penetration.
As the Company's data privacy leader, you are sensitive to the criticality of the relationship with the retailer.
Under the General Data Protection Regulation (GDPR), how would the U.S.-based startup company most likely be classified?