COLLECTION DATA GOVERNANCE AND
COMPLIANCE MODULE SOLVED ITEMS AND
RESPONSE KEY
◉ What is an important step in data flow mapping for regulatory
compliance? Answer: Identify custodians who are responsible for
the data.
◉ Why is the medical information provided to Medical Quizzes not
protected by HIPAA? Answer: Because the app is not provided by a
covered entity.
◉ Is a U.S.-based website collecting IP addresses considered
personal data under U.S. law? Answer: It depends on whether the
website can link the IP address to other identifying information
about the visitor.
◉ Which state's biometric law imposes penalties for violations?
Answer: The Illinois Biometric Information Privacy Act (BIPA).
◉ What is a layered privacy notice? Answer: A short privacy notice
with key points at the top.
◉ Which telecommunications carriers are NOT subject to the U.S.
Communications Assistance to Law Enforcement Act of 1994
(CALEA)? Answer: Search engine platforms.
◉ What is broadband internet? Answer: A high-speed internet
connection.
◉ What are search engine platforms? Answer: Websites that allow
users to search for information on the internet.
◉ What is voice-over-internet-protocol? Answer: A technology that
allows voice communication over the internet.
◉ What should the privacy officer consider first regarding a new
state privacy law? Answer: Who enforces the law?
◉ On what basis should data be classified for accountability?
Answer: Sensitivity.
◉ What must the School provide John regarding his grade appeal?
Answer: Copies of the communications between the nurse and
school officials.
◉ Can the School provide information about John to the Hospital
without his consent? Answer: Yes, if it relates to the health and
safety of its patients.
◉ What must John demonstrate to win his FERPA hearing? Answer:
The School failed to respond to his request for access to his
educational records within 45 days.
◉ What does the California Consumer Privacy Act require if a
consumer does not allow the sale of their personal information?
Answer: Administer the same level of quality in goods and services
to the consumer.
◉ Which is NOT a branch of the U.S. government? Answer:
Administrative.
◉ What mechanism was invalidated by the 'Schrems II' decision?
Answer: EU-U.S. Privacy Shield.
◉ What is the purpose of a protective order from the court
regarding personal information? Answer: To prevent the disclosure
of personal information revealed during discovery which is
irrelevant to the case.