
最新 [2026年06月08日]CIPP-US試験正確解答Certified Information Privacy Professional/United States (CIPP/US)のPDF問題
あなたのキャリアーを稼いで飛躍せよIAPP 228問題
CIPP-US試験は、プライバシーとデータ保護に関連する広範なトピックをカバーする包括的なテストです。この試験は、プライバシーの基礎、米国におけるプライバシー規制、米国のプライバシー法規、およびプライバシープログラムのガバナンスの4つの主要なセクションに分かれています。この試験は、難易度が高く、合格するには多大な準備と勉強が必要です。しかし、CIPP-US認定を取得することにより、プライバシーとデータ保護の分野で競争力を持つことができ、新しいキャリアの機会を開拓することができます。
IAPP CIPP-US(認定情報プライバシープロフェッショナル/米国)認定試験は、プライバシーとデータ保護の分野の専門知識を実証するグローバルに認められた認定です。この認定は、米国で働く専門家向けに設計されており、データ保護を取り巻く法的および規制の枠組みを包括的に理解する必要があります。
質問 # 99
What is the main reason some supporters of the European approach to privacy are skeptical about self- regulation of privacy practices?
- A. A new business owner may not understand the regulations
- B. A large amount of money may have to be sent on improved technology and security
- C. Industries may not be strict enough in the creation and enforcement of rules
- D. Human rights may be disregarded for the sake of privacy
正解:C
解説:
The European approach to privacy is based on the recognition of privacy as a fundamental human right that requires strong legal protection and oversight. The EU has adopted comprehensive and binding privacy laws, such as the General Data Protection Regulation (GDPR) and the ePrivacy Directive, that apply to all sectors and activities involving personal data. The EU also has independent data protection authorities (DPAs) that monitor and enforce compliance with the privacy laws, and a European Data Protection Board (EDPB)that issues guidance and opinions on privacy matters. The EU also requires adequate levels of privacy protection for personal data transferred to third countries or international organizations.
In contrast, the U.S. approach to privacy is based on a sectoral and self-regulatory model that relies on a combination of federal and state laws, industry codes of conduct, consumer education, and market forces. The
U.S. does not have a single, comprehensive, and enforceable federal privacy law that covers all sectors and activities involving personal data. Instead, the U.S. has a patchwork of federal and state laws that address specific issues or sectors, such as health, financial, children's, and electronic communications privacy. The
U.S. also has various federal and state agencies that share jurisdiction over privacy matters, such as the Federal Trade Commission (FTC), the Federal Communications Commission (FCC), and the Department of Health and Human Services (HHS). The U.S. also relies on self-regulation by industries that develop and adhere to voluntary codes of conduct, standards, and best practices for privacy. The U.S. also allows personal data to be transferred to third countries or international organizations without requiring adequate levels of privacy protection, as long as the data subjects have given their consent or the transfer is covered by a mechanism such as the Privacy Shield or the Standard Contractual Clauses.
Some supporters of the European approach to privacy are skeptical about self-regulation of privacy practices because they believe that self-regulation is not effective, consistent, or accountable enough to protect the rights and interests of data subjects. They argue that self-regulation may not provide sufficient incentives or sanctions for industries to comply with privacy rules, or to adopt privacy-enhancing technologies and practices. They also contend that self-regulation may not reflect the views and expectations of data subjects, or address the emerging and complex privacy challenges posed by new technologies and business models. They also question the transparency and legitimacy of self-regulation, and the ability of data subjects to exercise their rights and seek redress for privacy violations. References:
* IAPP CIPP/US Study Guide, Chapter 1: Introduction to the U.S. Privacy Environment, pp. 9-10, 16-17
* IAPP website, CIPP/US Certification
* NICCS website, Certified Information Privacy Professional/United States (CIPP/US) Training
質問 # 100
In which situation is a company operating under the assumption of implied consent?
- A. An employer contacts the professional references provided on an applicant's resume
- B. An online retailer subscribes new customers to an e-mail list by default
- C. A landlord uses the information on a completed rental application to run a credit report
- D. A retail clerk asks a customer to provide a zip code at the check-out counter
正解:A
質問 # 101
Which of the following types of information would an organization generally NOT be required to disclose to law enforcement?
- A. Personal health information under the HIPAA Privacy Rule
- B. Information about medication errors under the Food, Drug and Cosmetic Act
- C. Money laundering information under the Bank Secrecy Act of 1970
- D. Information about workspace injuries under OSHA requirements
正解:A
解説:
The HIPAA Privacy Rule generally prohibits covered entities and business associates from disclosing protected health information (PHI) to law enforcement without the individual's authorization, unless one of the exceptions in 45 CFR § 164.512 applies. These exceptions include disclosures required by law, disclosures for law enforcement purposes, disclosures about victims of abuse, neglect or domestic violence, disclosures for health oversight activities, disclosures for judicial and administrative proceedings, disclosures for research purposes, disclosures to avert a serious threat to health or safety, disclosures for specialized government functions, disclosures for workers' compensation, and disclosures to coroners and medical examiners. None of these exceptions apply to the type of information in option D, which is personal health information that is not related to any of the above purposes. Therefore, an organization would generally not be required to disclose such information to law enforcement under the HIPAA Privacy Rule. References: https://www.justice.gov/opcl/overview-privacy-act-1974-2020-edition/disclosures-third-partie
https://bing.com/search?q=information+disclosure+to+law+enforcement
https://hipaatrek.com/law-enforcement-hipaa-disclosing-phi/
質問 # 102
What is the main challenge financial institutions face when managing user preferences?
- A. Determining the legal requirements for sharing preferences with their affiliates
- B. Developing a mechanism for opting out that is easy for their consumers to navigate
- C. Ensuring that preferences are applied consistently across channels and platforms
- D. Ensuring they are in compliance with numerous complex state and federal privacy laws
正解:C
解説:
Financial institutions (FIs) collect and process a large amount of personal data from their customers, such as name, address, account number, transaction history, credit score, etc. Customers may have different preferences regarding how their data is used, shared, or protected by the FIs. For example, some customers may want to receive marketing offers from the FIs or their affiliates, while others may opt out of such communications. Some customers may prefer to access their accounts online, while others may use mobile apps, phone calls, or physical branches. Some customers may want to enable biometric authentication, while others may rely on passwords or PINs.
Managing these diverse and dynamic user preferences is a challenge for FIs, as they need to ensure that they respect and honor the choices of their customers across all the channels and platforms they use. This requires FIs to have arobust and integrated system that can capture, store, update, and apply user preferences consistently and accurately. Failing to do so may result in customer dissatisfaction, loss of trust, regulatory fines, or legal disputes.12 References: 1: The Top Three Digital Challenges Faced By Financial Institutions And How To Overcome Them3, paragraph 42: IAPP CIPP/US Certified Information Privacy Professional Study Guide, page 127.
質問 # 103
What was the original purpose of the Foreign Intelligence Surveillance Act?
- A. To further define a framework for authorizing wiretaps by the executive branch for national security purposes under Article II of the Constitution.
- B. To further clarify a reasonable expectation of privacy stemming from the Katz v. United States decision.
- C. To further clarify when a warrant is not required for a wiretap performed internally by the telephone company outside the suspect's home, stemming from the Olmstead v. United States decision.
- D. To further define what information can reasonably be under surveillance in public places under the USA PATRIOT Act, such as Internet access in public libraries.
正解:A
解説:
The Foreign Intelligence Surveillance Act (FISA) was enacted in 1978 in response to revelations of widespread privacy violations by the federal government under President Nixon. It established procedures for requesting judicial authorization for electronic surveillance and physical search of persons engaged in espionage or international terrorism against the United States on behalf of a foreign power. The original purpose of FISA was to further define a framework for authorizing wiretaps by the executive branch for national security purposes under Article II of the Constitution, which grants the president the power to conduct foreign affairs and defend the nation. FISA was intended to balance the need for collecting foreign intelligence information with the protection of privacy and civil liberties of U.S. persons.
質問 # 104
Which of the following privacy rights is NOT available under the Colorado Privacy Act?
- A. The right to limit the use of sensitive data.
- B. The right to access sensitive data.
- C. The right to delete sensitive data.
- D. The right to correct sensitive data.
正解:A
解説:
"The CPA grants Colorado Consumers new rights with respect to their personal data, including the right to access, delete, and correct their personal data as well as the right to opt out of the sale of their personal data or its use for targeted advertising or certain kinds of profiling."
https://coag.gov/resources/colorado-privacy-act/
Even without knowing for certain the answer, one can reason that it should be D. It would be administratively difficult for businesses to adhere to varying limitation requests for each consumer... Therefore such a right would not make sense from a public policy perspective.
質問 # 105
SCENARIO
Please use the following to answer the next QUESTION :
Matt went into his son's bedroom one evening and found him stretched out on his bed typing on his laptop. "Doing your network?" Matt asked hopefully.
"No," the boy said. "I'm filling out a survey."
Matt looked over his son's shoulder at his computer screen. "What kind of survey?" "It's asking QUESTIONS about my opinions."
"Let me see," Matt said, and began reading the list of QUESTIONS that his son had already answered. "It's asking your opinions about the government and citizenship. That's a little odd. You're only ten." Matt wondered how the web link to the survey had ended up in his son's email inbox. Thinking the message might have been sent to his son by mistake he opened it and read it. It had come from an entity called the Leadership Project, and the content and the graphics indicated that it was intended for children. As Matt read further he learned that kids who took the survey were automatically registered in a contest to win the first book in a series about famous leaders.
To Matt, this clearly seemed like a marketing ploy to solicit goods and services to children. He asked his son if he had been prompted to give information about himself in order to take the survey. His son told him he had been asked to give his name, address, telephone number, and date of birth, and to answer QUESTIONS about his favorite games and toys.
Matt was concerned. He doubted if it was legal for the marketer to collect information from his son in the way that it was. Then he noticed several other commercial emails from marketers advertising products for children in his son's inbox, and he decided it was time to report the incident to the proper authorities.
How could the marketer have best changed its privacy management program to meet COPPA "Safe Harbor" requirements?
- A. By receiving FTC approval for the content of its emails
- B. By making a COPPA privacy notice available on website
- C. By participating in an approved self-regulatory program
- D. By regularly assessing the security risks to consumer privacy
正解:C
解説:
COPPA safe harbor programs comprise industry groups that self-regulate their member-operators and establish their own guidelines and requirements that must guarantee the same or greater protection for children as the standards set forth in the COPPA rule.
質問 # 106
In what way does the "Red Flags Rule" under the Fair and Accurate Credit Transactions Act (FACTA) relate to the owner of a grocery store who uses a money wire service?
- A. It does not apply because the owner is not a creditor
- B. It requires the owner to implement an identity theft warning system
- C. It mandates the use of updated technology for securing credit records
- D. It is not usually enforced in the case of a small financial institution
正解:C
質問 # 107
Matt was concerned. He doubted if it was legal for the marketer to collect information from his son in the way that it was. Then he noticed several other commercial emails from marketers advertising products for children in his son's inbox, and he decided it was time to report the incident to the proper authorities.
Depending on where Matt lives, the marketer could be prosecuted for violating which of the following?
- A. Investigative Consumer Reporting Agencies Act.
- B. Red Flag Rules.
- C. Consumer Bill of Rights.
- D. Unfair and Deceptive Acts and Practices laws.
正解:D
解説:
The marketer could be prosecuted for violating the Unfair and Deceptive Acts and Practices (UDAP) laws, which are enforced by the Federal Trade Commission (FTC) and state attorneys general. UDAP laws prohibit businesses from engaging in unfair or deceptive practices that harm consumers, such as false advertising, misleading claims, or hidden fees. In this scenario, the marketer could be accused of deceiving children into providing personal information and preferences under the guise of a survey and a contest, without obtaining verifiable parental consent or disclosing how the information will be used or shared. This could also violate the Children's Online Privacy Protection Act (COPPA), which is a federal law that regulates the online collection and use of personal information from children under 13 years of age.
質問 # 108
Once a breach has been definitively established, which task should be prioritized next?
- A. Determining what was responsible for the breach and neutralizing the threat.
- B. Providing notice to the affected parties so they can take precautionary measures.
- C. Implementing remedial measures and evaluating how to prevent future breaches.
- D. Involving law enforcement and state Attorneys General.
正解:B
解説:
According to the IAPP CIPP/US study guide, the first priority after a breach has been confirmed is to notify the affected individuals, regulators, and other stakeholders as required by law or contract. This is to allow them to take steps to protect themselves from potential harm, such as identity theft, fraud, or reputational damage. Providing timely and accurate notice also helps to mitigate legal liability, preserve customer trust, and comply with applicable laws and regulations. The other tasks are also important, but they are not the immediate priority after a breach has been established. References: IAPP CIPP/US study guide, Chapter 6, Section 6.4.2, page 211.
質問 # 109
What practice does the USA FREEDOM Act NOT authorize?
- A. Emergency exceptions that allows the government to target roamers
- B. An extension of the expiration for roving wiretaps
- C. An increase in the maximum penalty for material support to terrorism
- D. The bulk collection of telephone data and internet metadata
正解:D
解説:
"The USA FREEDOM Act ended bulk collection conducted under Section 215.154 Going forward, requests by government officials must be based upon specific selectors, such as a telephone number. Company officials are now permitted to release statistics about the number of such requests they receive in a given time period, and the government is required to report its numbers once a year.155 In 2018, government officials obtained 56 court orders for traditional business records and 14 court orders for call detail records.156"
質問 # 110
A software company wants to use web scraping to collect personal data from professional networking websites in order to train an artificial intelligence program to evaluate Job applications. The company has identified several actions for limiting their potential legal liability regarding affected data subjects and professional networking websites. Which of the following would be the least effective action for helping them do this?
- A. Adding a notice to the company website's terms of use disclosing the use of web scraping
- B. Decertifying the scraped data before selling it to any third parties.
- C. Following the terms of use posted on professional networking websites that are scraped.
- D. Limiting the amount of the personally identifiable information they collect
正解:A
解説:
Web scraping to collect personal data can pose significant legal and ethical risks, particularly when it involves professional networking sites or other platforms where terms of service (ToS) explicitly prohibit such activity.
To limit liability, the software company must take proactive measures to comply with applicable laws (such as privacy laws) and contractual obligations (e.g., terms of use on the scraped websites).
Adding a notice to the company website's terms of use would be the least effective action, as it does not address the legal and ethical issues associated with scraping data from third-party websites. Simply adding a notice about the company's use of scraping does not mitigate liability for violating the ToS of professional networking websites or violating privacy rights under laws like the GDPR or CCPA.
Explanation of Options:
* A. Following the terms of use posted on professional networking websites that are scraped:This is one of the most effective ways to limit legal liability. Violating ToS can result in lawsuits or legal penalties, so adhering to them is critical.
* B. Adding a notice to the company website's terms of use disclosing the use of web scraping:This is the least effective action. Including this notice on the company's own website does not address potential violations of third-party website ToS or the privacy rights of affected individuals.
* C. Limiting the amount of the personally identifiable information they collect:Minimizing the amount of data collected aligns with data protection principles, such as data minimization under the GDPR, and can reduce privacy risks.
* D. Deidentifying the scraped data before selling it to any third parties:Deidentifying or anonymizing data is a critical step for reducing legal liability and complying with privacy laws.
However, the company should also ensure that the deidentification is robust and irreversible.
References from CIPP/US Materials:
* GDPR Article 5: Establishes principles such as data minimization and accountability for data processing.
* IAPP CIPP/US Certification Textbook: Highlights the risks of web scraping and the importance of adhering to contractual obligations and privacy laws.
質問 # 111
According to FERPA, when can a school disclose records without a student's consent?
- A. If the disclosure would not reveal a student's student identification number
- B. If the disclosure is to practitioners who are involved in a student's health care
- C. If the disclosure is to provide transcripts to a school where a student intends to enroll
- D. If the disclosure is not to be conducted through email to the third party
正解:C
解説:
According to FERPA, a school may disclose personally identifiable information (PII) from an eligible student's education records without consent if the disclosure meets one of the exceptions in 34 CFR ?99.. One of these exceptions is for disclosures to other schools to which a student seeks or intends to enroll, or is already enrolled if the disclosure is for purposes related to the student's enrollment or transfer (34 CFR ?99.31(a)(2)). This exception allows schools to disclose transcripts, recommendations, or other information that may facilitate the student's admission or enrollment at another school. However, the school must make a reasonable attempt to notify the student of the disclosure, unless the student initiated the disclosure, and must provide the student with a copy of the records that were disclosed upon request (34 CFR ?99.34(a)(1)).
質問 # 112
When designing contact tracing apps in relation to COVID-19 or any other diagnosed virus, all of the following privacy measures should be considered EXCEPT?
- A. Data retention.
- B. Opt-out choice.
- C. Use limitations.
- D. User confidentiality.
正解:B
解説:
Contact tracing apps are designed to help public health authorities track and contain the spread of COVID-19 or any other diagnosed virus by notifying users who have been in close contact with an infected person. However, these apps also raise privacy concerns, as they collect and process sensitive personal data, such as health status and location information. Therefore, contact tracing apps should follow the principles of privacy by design and default, which means that they should incorporate privacy measures into their development and operation, and offer the highest level of privacy protection to users.
Some of the privacy measures that should be considered when designing contact tracing apps are:
Data retention: Contact tracing apps should only retain the personal data they collect for as long as necessary to achieve their public health purpose, and delete or anonymize the data afterwards. Data retention periods should be clearly communicated to users and based on scientific evidence and legal requirements.
Use limitations: Contact tracing apps should only use the personal data they collect for the specific and legitimate purpose of contact tracing, and not for any other purposes, such as commercial, law enforcement, or surveillance. Use limitations should be enforced by technical and organizational measures, such as encryption, access controls, and audits. User confidentiality: Contact tracing apps should protect the confidentiality of users' personal data and identity, and not disclose them to third parties without their consent or legal authorization. User confidentiality should be ensured by technical and organizational measures, such as pseudonymization, aggregation, and data minimization.
Opt-out choice, on the other hand, is not a privacy measure that should be considered when designing contact tracing apps, as it would undermine their effectiveness and public health objective. Contact tracing apps rely on voluntary participation and widespread adoption by users to function properly and achieve their purpose. Therefore, offering users the option to opt out of the app or certain features, such as data sharing or notifications, would reduce the app's coverage and accuracy, and potentially expose users and others to greater health risks. Instead of opt-out choice, contact tracing apps should provide users with clear and transparent information about how the app works, what data it collects and how it uses it, what benefits and risks it entails, and what rights and controls users have over their data. This way, users can make an informed and voluntary decision to use the app or not, based on their own preferences and values.
質問 # 113
The Video Privacy Protection Act of 1988 restricted which of the following?
- A. Who advertisements for videos and video games may target
- B. When downloading of copyrighted audio visual materials is allowed
- C. Which purchase records of audio visual materials may be disclosed
- D. When a user's viewing of online video content can be monitored
正解:C
解説:
The VPPA was enacted to prevent the wrongful disclosure of personally identifiable information (PII) concerning any consumer of a video tape service provider. PII includes information that identifies a person as having requested or obtained specific video materials or services from a video tape service provider. The VPPA prohibits such disclosure, except in certain limited circumstances, such as with the consumer's informed, written consent, or pursuant to a law enforcement warrant, subpoena, or court order. The VPPA also allows the disclosure of the names and addresses of consumers, but not the title, description, or subject matter of any video tapes or other audio visual material, for the exclusive use of marketing goods and services directly to the consumer, unless the consumer has opted out of such disclosure. The other options (B, C, and D) are not restricted by the VPPA. References:
* Video Privacy Protection Act - Wikipedia
* 18 U.S. Code § 2710 - Wrongful disclosure of video tape rental or sale records | U.S. Code | US Law | LII / Legal Information Institute
* IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 3: Federal Privacy Laws and Regulations, Section 3.5: Video Privacy Protection Act (VPPA)
質問 # 114
Under the Telemarketing Sales Rule, what characteristics of consent must be in place for an organization to acquire an exception to the Do-Not-Call rules for a particular consumer?
- A. The consent must be in writing, must contain the number to which calls can be made and must be signed
- B. The consent must be in writing, must have an end data and must state the times when calls can be made
- C. The consent must be in writing, must state the times when calls can be made to the consumer and must be signed
- D. The consent must be in writing, must contain the number to which calls can be made and must have an end date
正解:A
解説:
The Telemarketing Sales Rule (TSR) is a federal regulation that applies to telemarketing calls, which are defined as "a plan, program, or campaign which is conducted to induce the purchase of goods or services or a charitable contribution, by use of one or more telephones and which involves more than one interstate telephone call." The TSR requires telemarketers to make specific disclosures, prohibit misrepresentations, limit the times and number of calls, and set payment restrictions for the sale of certain goods and services. The TSR also gives consumers the right to opt out of receiving telemarketing calls by registering their phone numbers on the National Do Not Call Registry. The TSR applies to both for-profit and not-for-profit organizations, but there are some exemptions and partial exemptions for certain types of entities, calls, and transactions. For example, the TSR does not apply to nonprofit organizations calling on their own behalf, as they are not considered to be engaged in telemarketing. However, if a nonprofit organization hires a for-profit telemarketer or telefunder to solicit charitable contributions on its behalf, the for-profit entity must comply with the TSR, as it is engaged in telemarketing. Similarly, the TSR does not apply to for-profit organizations calling businesses when a binding contract exists between them, as they are not considered to be inducing the purchase of goods or services. However, if a for-profit organization calls businesses to sell additional services to established customers, the TSR applies, as it is considered to be inducing the purchase of goods or services.
Therefore, among the four options, only for-profit organizations and for-profit telefunders regarding charitable solicitations must comply with the TSR, as they are engaged in telemarketing and do not fall under any of the exemptions or partial exemptions.
質問 # 115
Which was NOT one of the five priority areas listed by the Federal Trade Commission in its 2012 report,
"Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers"?
- A. International data transfers
- B. Large platform providers
- C. Do Not Track
- D. Promoting enforceable self-regulatory codes
正解:C
解説:
The Federal Trade Commission (FTC) issued its 2012 report, "Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers"1, which outlined a framework for privacy protection based on three main principles: privacy by design, simplified consumer choice, and greater transparency. The report also identified five priority areas for the FTC's privacy enforcement and policy efforts, which were:
* Data brokers
* Large platform providers
* Mobile
* Promoting enforceable self-regulatory codes
* International data transfers
Do Not Track was not one of the five priority areas, but rather a specific mechanism for implementing the principle of simplified consumer choice. The report endorsed the development of a Do Not Track system that would allow consumers to opt out of online behavioral advertising across websites and platforms1. The report also noted the progress made by various stakeholders, such as the World Wide Web Consortium (W3C), the Digital Advertising Alliance (DAA), and browser companies, in advancing the Do Not Track initiative1. References: 1: Federal Trade Commission, Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers (March 2012), available at 1.
質問 # 116
Which is an exception to the general prohibitions on telephone monitoring that exist under the U.S. Wiretap Act?
- A. Call center exception
- B. Inter-company communications exception
- C. Internet calls exception
- D. Ordinary course of business exception
正解:D
質問 # 117
......
正真正銘のベスト資料はCIPP-USオンライン練習試験:https://jp.fast2test.com/CIPP-US-premium-file.html
練習できるCIPP-USにはFast2test画期的なあなたをCertified Information Privacy Professional/United States (CIPP/US)試験合格させます合格率:https://drive.google.com/open?id=1LCyTnKPzqdpRvcc4IcqG0vnA8DojI-16