IAPP CIPP/US Sample Questions & Practice Test

Try 12 Certified Information Privacy Professional/United States (CIPP/US) sample questions on U.S. privacy law, notices, rights, enforcement, sectors, and compliance judgment.

Certified Information Privacy Professional/United States (CIPP/US) preparation focuses on U.S. privacy frameworks, sector rules, enforcement, rights, notice, consent, governance, and practical compliance judgment.

Use these 12 original sample questions for initial self-assessment. They are not official IAPP questions and do not reproduce a live exam.

What these sample questions test

  • recognizing U.S. sectoral privacy patterns and federal/state roles
  • applying notice, consent, consumer rights, enforcement, and vendor-control concepts
  • distinguishing legal obligations from privacy-program best practices

Official-source check

Verify current certification names, exam policies, and requirements on the IAPP certification page.

Sample Exam Questions

Question 1

Topic: sectoral privacy

What is a key feature of U.S. privacy regulation when compared with a single, comprehensive national private-sector privacy law?

  • A. It has no privacy enforcement
  • B. It applies only to government agencies
  • C. It treats all data as anonymous
  • D. It often uses sector-specific and state-level rules

Best answer: D

Explanation: U.S. privacy commonly combines sector-specific federal laws, state privacy statutes, enforcement actions, and consumer-protection principles.


Question 2

Topic: notice

What makes a privacy notice misleading?

  • A. It is written in clear language
  • B. It identifies categories of data
  • C. It describes data practices that differ from what the organization actually does
  • D. It explains choices available to users

Best answer: C

Explanation: A notice must match actual processing. Privacy representations that do not reflect real practices can be treated as deceptive, creating enforcement exposure as well as trust risk.


Question 3

Topic: consumer rights

A consumer submits a deletion request. What should an organization evaluate first?

  • A. Identity verification, applicable rights, exceptions, systems affected, and response timing
  • B. Whether the request can be ignored because it is inconvenient
  • C. Whether to delete all audit logs immediately
  • D. Whether marketing can keep using the data without review

Best answer: A

Explanation: Rights requests require process discipline: identity, scope, exceptions, deadline, downstream systems, and documentation.


Question 4

Topic: service providers

Why are vendor contracts important in U.S. privacy compliance?

  • A. They remove all responsibility from the business
  • B. They can define permitted use, confidentiality, security, assistance, deletion, and audit expectations
  • C. They allow unrestricted secondary use by default
  • D. They replace all consumer notices

Best answer: B

Explanation: Service-provider and processor relationships need contractual controls that match privacy obligations and business purpose.


Question 5

Topic: enforcement

Which practice creates enforcement risk?

  • A. Maintaining a data inventory
  • B. Promising not to share personal information while sharing it for undisclosed advertising purposes
  • C. Training employees on rights requests
  • D. Reviewing vendor contracts

Best answer: B

Explanation: Broken privacy promises and deceptive practices can trigger consumer-protection and privacy enforcement.


Question 6

Topic: health privacy

Why does regulated health information require special handling?

  • A. Health data is never sensitive
  • B. Health data can always be sold without restriction
  • C. Health privacy applies only to marketing emails
  • D. Health-sector privacy obligations may impose specific use, disclosure, safeguard, and rights requirements

Best answer: D

Explanation: U.S. health privacy imposes sector-specific use, disclosure, safeguard, and individual-rights obligations, and whether they apply depends on the type of entity handling the data and the context in which the data is held.


Question 7

Topic: children’s privacy

A service directed to children collects personal information. What should the privacy team assess?

  • A. Age-related consent, notice, parental involvement, data minimization, and retention obligations
  • B. Only logo placement
  • C. Whether children can waive all privacy rights
  • D. Whether privacy rules never apply online

Best answer: A

Explanation: Children’s privacy raises special notice, consent, use, and retention concerns.


Question 8

Topic: breach response

What is usually needed before deciding whether notification is required after a data incident?

  • A. A public statement before facts are known
  • B. Immediate deletion of evidence
  • C. Facts about data involved, individuals affected, risk of harm, laws triggered, and timing
  • D. No involvement from legal or privacy teams

Best answer: C

Explanation: Breach notification analysis depends on facts, applicable law, affected data, risk, and timelines.


Question 9

Topic: data minimization

Why does collecting unnecessary personal information increase privacy risk?

  • A. More data always improves compliance
  • B. More data expands exposure, retention burden, access risk, and compliance obligations
  • C. Unused data cannot be breached
  • D. Unnecessary data is automatically anonymous

Best answer: B

Explanation: Minimization reduces risk by limiting what is collected, retained, accessed, and protected.


Question 10

Topic: sensitive data

What is a common compliance concern with sensitive personal information?

  • A. It may require heightened notice, choice, access controls, or use limitations
  • B. It can always be processed without review
  • C. It is unrelated to privacy
  • D. It cannot create consumer harm

Best answer: A

Explanation: Sensitive data often receives stronger protections because misuse can create greater harm.


Question 11

Topic: privacy governance

Which evidence best supports a defensible privacy program?

  • A. A statement that privacy is important with no records
  • B. A design mockup
  • C. Policies, training, records of processing, assessments, vendor controls, and documented request handling
  • D. An unrelated sales report

Best answer: C

Explanation: Documentation and repeatable controls demonstrate that privacy obligations are managed, not improvised.


Question 12

Topic: cross-border transfers

Why should cross-border data transfers be reviewed?

  • A. Transfers remove privacy obligations
  • B. Data becomes non-personal when it crosses a border
  • C. Only finance data can cross borders
  • D. Different jurisdictions may impose transfer, notice, contractual, security, or rights obligations

Best answer: D

Explanation: Transfer rules and contractual safeguards can vary by jurisdiction and processing context.

Revised on Thursday, May 21, 2026