US privacy law and information management knowledge for the IAPP CIPP/US exam, with a worked explanation on every practice question.
Free sample questions
No account needed. Every question has a worked explanation, just like the full bank.
Free sample | Government and Court Access to Private-Sector Information | hard
An FBI agent serves a provider with a National Security Letter and includes a nondisclosure requirement barring the provider from telling anyone, including the affected customer, that it received the NSL. The provider's counsel wants to know how the USA FREEDOM Act altered the legal posture of that nondisclosure requirement. Which statement is correct?
- A. The provider may seek judicial review of the nondisclosure requirement, and the government must periodically reassess whether continued secrecy remains justified. (Correct)
- B. The nondisclosure requirement is now permanent once imposed, and the provider has no statutory mechanism to seek its removal at any later time.
- C. The nondisclosure requirement was abolished entirely, so providers receiving NSLs may now freely publish the specific contents of any NSL they receive.
- D. The provider may disclose the NSL only after first obtaining written authorisation from the Foreign Intelligence Surveillance Court for each individual customer affected.
USA FREEDOM added judicial review and periodic reassessment for National Security Letter nondisclosure requirements rather than abolishing them. The USA FREEDOM Act left NSL authority intact but reformed the gag provisions, giving recipients access to judicial review and obliging the government to reassess and terminate nondisclosure when secrecy is no longer needed.
Why A is correct: USA FREEDOM established judicial-review procedures for NSL gag orders and reciprocal notice requiring the government to revisit whether nondisclosure is still warranted.
Why B is wrong: Tempting because NSL gag orders were historically open-ended, but USA FREEDOM created review and termination mechanisms, so the gag is not permanent and unchallengeable.
Why C is wrong: Tempting because reforms increased transparency, but USA FREEDOM did not abolish NSL gags; it added procedures and reciprocal-notice rules rather than removing them.
Why D is wrong: Tempting because the FISC oversees national security matters, but NSL nondisclosure review runs through ordinary judicial-review procedures, not per-customer FISC authorisation.
Free sample | Introduction to the U.S. Privacy Environment | medium
A technology company has not violated any specific privacy statute, yet the Federal Trade Commission opens an enforcement action alleging the company misrepresented its data-sharing practices to consumers. On what legal source does the FTC most directly rely to bring this action?
- A. The common law tort of intrusion upon seclusion, which the FTC enforces on behalf of consumers in federal court.
- B. Its statutory authority under Section 5 of the FTC Act to challenge unfair or deceptive acts or practices. (Correct)
- C. A constitutional right to fair dealing implied by the Due Process Clause of the Fourteenth Amendment.
- D. A self-regulatory code of conduct that the company adopted and the FTC enforces as binding federal regulation.
Identify Section 5 of the FTC Act as the statutory basis for FTC enforcement against deceptive privacy representations. The FTC's general enforcement power comes from Section 5 of the FTC Act, which bars unfair or deceptive acts or practices, allowing action against misrepresentations even absent a sector-specific privacy statute.
Why A is wrong: Tempting because intrusion is a privacy wrong, but it is a private tort claim brought by individuals, not a statutory power the FTC invokes for enforcement.
Why B is correct: Section 5 of the FTC Act prohibits unfair or deceptive acts or practices, letting the FTC act on a misrepresentation even where no specific privacy statute applies.
Why C is wrong: Tempting because due process sounds protective, but it limits government conduct toward individuals and is not the source of FTC authority over deceptive business practices.
Why D is wrong: Tempting because broken promises in a code can support a case, but the code is not itself the legal source, and the FTC's authority flows from the FTC Act.
Free sample | State Privacy Laws | hard
A bank that does business in several states uses a fully automated model to approve or deny consumer credit-line increases with no human involvement. Counsel is mapping which state comprehensive privacy laws give the consumer a right to opt out of this kind of profiling. Under the leading state comprehensive privacy model, what is the threshold that determines whether the consumer has an opt-out right over this automated decision?
- A. Whether the automated model processes any personal data at all, since all automated processing triggers the profiling opt-out.
- B. Whether the consumer has previously exercised a separate right to delete their personal data held by the bank.
- C. Whether the profiling is carried out in furtherance of decisions that produce legal or similarly significant effects concerning the consumer. (Correct)
- D. Whether the bank has annual revenue above a fixed dollar figure set by each state's profiling provision.
Recognise that state comprehensive privacy laws tie the profiling opt-out to automated decisions producing legal or similarly significant effects on the consumer. Under the Virginia, Colorado, and Connecticut comprehensive privacy models, the consumer's right to opt out of profiling is limited to profiling in furtherance of decisions that produce legal or similarly significant effects, such as credit, housing, or employment outcomes, rather than to all automated processing.
Why A is wrong: It is tempting to assume any automated processing triggers the right, but the opt-out is tied to significant-effect profiling, not to processing generally, so this overstates the scope.
Why B is wrong: Deletion and profiling opt-out are independent rights, so making one a precondition of the other confuses two distinct consumer entitlements under these statutes.
Why C is correct: State comprehensive laws such as the Colorado, Connecticut, and Virginia models grant an opt-out of profiling specifically when it is in furtherance of decisions producing legal or similarly significant effects, which a credit-line decision is.
Why D is wrong: Revenue thresholds appear in the applicability sections of some privacy laws, but the profiling opt-out is defined by the nature of the decision and its effect, not by a revenue figure inside the profiling provision.
Examworthy is not affiliated with or endorsed by IAPP. All questions are original, blueprint-aligned practice material. We never reproduce live exam items. CIPP-US and related marks belong to their respective owners.