Free IAPP CIPP-US Exam Actual Questions & Explanations

Last updated on: Jul 1, 2026
Author: Aubrey Perez (Senior Privacy Compliance Educator, IAPP)

The CIPP-US exam, offered by IAPP (International Association of Privacy Professionals), validates your expertise in U.S. privacy law and regulations. This certification demonstrates that you understand the legal landscape governing data collection, use, and protection across federal and state jurisdictions. Whether you work in compliance, legal, technology, or business operations, the Certified Information Privacy Professional/United States credential signals competency to employers and peers. This page guides you through the exam syllabus, question formats, and a focused preparation strategy to help you pass with confidence.

CIPP-US Exam Syllabus & Core Topics

Use this topic map to guide your study for IAPP CIPP-US (Certified Information Privacy Professional/United States) within the Certified Information Privacy Professional path.

  • Introduction to the U.S. Privacy Environment: Understand the foundational principles, historical context, and key stakeholders that shape U.S. privacy regulation. You must recognize how constitutional, common law, and statutory frameworks interact.
  • Limits on Private-Sector Collection and Use of Data: Learn the rules governing how organizations can gather, store, and process personal information. Analyze consent requirements, purpose limitations, and data minimization principles in practice.
  • Federal Privacy Laws: Master the major statutes including GLBA, HIPAA, FCRA, CAN-SPAM, and others. Identify which laws apply to your industry and what compliance obligations they impose.
  • Government and Court Access to Private-Sector Information: Examine subpoenas, warrants, national security letters, and regulatory investigations. Determine when and how to respond to government requests while protecting individual rights.
  • Workplace Privacy: Evaluate employee monitoring, background checks, and workplace surveillance policies. Balance employer interests with employee privacy expectations and legal constraints.
  • State Privacy Laws: Understand the growing patchwork of state regulations including CCPA, VCCPA, and emerging comprehensive privacy laws. Apply multi-state compliance strategies to real-world scenarios.
  • The U.S. Privacy Environment: Synthesize all topics to assess how regulatory, technological, and business trends reshape privacy obligations. Develop strategies that adapt to evolving legal requirements.

Question Formats & What They Test

The CIPP-US exam measures both foundational knowledge and the ability to apply privacy principles to realistic business situations. Questions progress in difficulty and require you to think critically about compliance decisions.

  • Multiple Choice: Test your recall of definitions, key legal requirements, and terminology. For example, identify which law governs health information or recognize the scope of CCPA exemptions.
  • Scenario-Based Items: Present real-world cases where you analyze facts and select the best privacy or compliance approach. Example: determine whether a data sharing agreement complies with federal law or identify the correct response to a government data request.
  • Application Questions: Require you to connect multiple topics, such as evaluating how state privacy laws interact with federal requirements or designing a compliant data retention policy.

Questions become progressively harder as you advance, rewarding both breadth of knowledge and depth of practical reasoning.

Preparation Guidance

An effective study routine maps the seven core topics to a realistic timeline, allowing you to build knowledge progressively and test yourself frequently. Dedicate time each week to a different topic, then integrate concepts across the broader privacy landscape.

  • Break the syllabus into weekly study blocks: assign Introduction to the U.S. Privacy Environment and The U.S. Privacy Environment to foundational weeks; dedicate separate weeks to Federal Privacy Laws, State Privacy Laws, and Limits on Private-Sector Collection and Use of Data; allocate final weeks to Government and Court Access to Private-Sector Information and Workplace Privacy.
  • Complete practice question sets after each topic; review explanations carefully to identify knowledge gaps and reinforce correct reasoning.
  • Connect concepts across workflows: understand how federal law sets a baseline, state laws add restrictions, and workplace policies must satisfy both.
  • Run a timed practice test one week before your exam date to build pacing confidence and identify any remaining weak areas.
  • In your final review, focus on high-weight topics (federal and state privacy laws) and common compliance pitfalls.


Get the PDF & Practice Test

Strengthen your preparation with up-to-date resources from validexamdumps.com. These materials align to CIPP-US and cover practical scenarios with clear explanations.

  • Q&A PDF with explanations: topic-mapped questions that clarify why correct options are right and others aren't.
  • Practice Test: realistic items, timed and untimed modes, progress tracking, and detailed review.
  • Focused coverage: aligned to Introduction to the U.S. Privacy Environment, Limits on Private-Sector Collection and Use of Data, Federal Privacy Laws, Government and Court Access to Private-Sector Information, Workplace Privacy, State Privacy Laws, and The U.S. Privacy Environment so you study what matters most.
  • Regular reviews: content refreshes that reflect syllabus and product changes.

Visit the exam page to download the PDF, Online Practice Test, or get a bundle discount for both formats: Certified Information Privacy Professional/United States.

Frequently Asked Questions

What topics carry the most weight on the CIPP-US exam?

Federal Privacy Laws and State Privacy Laws typically represent the largest portion of the exam, reflecting their importance in daily compliance work. Government and Court Access to Private-Sector Information and Limits on Private-Sector Collection and Use of Data also carry significant weight. Balance your study time accordingly, spending more hours on these high-impact areas while ensuring you have solid foundational knowledge across all topics.

How do the different privacy law topics connect in real compliance projects?

In practice, you start with federal baseline requirements (GLBA, HIPAA, FCRA), then layer on state-specific rules (CCPA, VCCPA), and finally apply industry-specific policies to Workplace Privacy and data handling. Government requests often trigger all three: you must know federal disclosure rules, state privacy law exemptions, and your own retention policies. Understanding these connections helps you answer scenario-based questions and handle actual compliance scenarios.

How much hands-on experience helps, and what should I prioritize?

Direct experience with privacy policies, data handling procedures, or compliance audits strengthens your ability to apply exam concepts. If you lack hands-on experience, prioritize studying real-world case studies and scenario questions that show how laws apply to common business situations. Reading actual privacy policies and compliance frameworks (available online) also builds practical intuition without requiring a job change.

What are common mistakes that cost exam points?

Candidates often confuse federal law scope with state law scope, miss exemptions and exceptions in statutes, or fail to distinguish between private-sector and government obligations. Another frequent error is misidentifying which law applies to a given fact pattern. Avoid these by carefully reading scenario details, noting keywords like "employee" or "health information," and reviewing exemption lists during practice.

What is the best pacing and review strategy in the final week?

In your final week, take one full-length timed practice test to simulate exam conditions and identify any remaining gaps. Spend the next three days reviewing only your weak topics and re-reading explanations for questions you missed. In the last two days, do a light review of high-weight topics (Federal and State Privacy Laws) without introducing new material. Get adequate sleep the night before the exam; fatigue hurts reasoning more than last-minute cramming helps.

Question No. 1

Which of the following best describes what a ''private right of action'' is?

Correct Answer: D

A private right of action is a legal provision that grants individuals the ability to bring a lawsuit against a party that has wronged them and to seek redress for the harm they have suffered. It is a fundamental component of the U.S. judicial system and an essential element of enforcing privacy rights. Privacy advocates argue that a private right of action is necessary to hold perpetrators of privacy violations accountable and to address the limitations of the FTC's enforcement authority. Businesses, however, are concerned that a private right of action would lead to a proliferation of frivolous lawsuits that would burden responsible data processors and impede innovation.


Question No. 2

A California resident has created an account on your company's online food delivery platform and placed several orders in the past month. Later, she submits a data subject request to access her personal information under the California Privacy Rights Act.

Based on the CPR

Correct Answer: A

Under the California Privacy Rights Act (CPRA), which amends the California Consumer Privacy Act (CCPA), California residents have the right to request access to their personal information collected by a business. However, the CPRA provides an exception for inferences made about an individual for internal purposes, meaning businesses are not obligated to disclose inferences generated solely for internal use.

Key Points Under the CPRA:

Access to Personal Information:

Businesses must provide consumers with access to personal information they have collected, which includes data submitted by the consumer and other information directly associated with the consumer.

Exception for Inferences:

Inferences made about a consumer, particularly when used for internal purposes (e.g., improving services, analytics, or predicting preferences), are not explicitly required to be disclosed under the CPRA unless they are part of the consumer's profile or used for decision-making purposes that affect the consumer.

Examples of Data to Be Provided:

  • Information provided by the consumer (e.g., email address, account information).
  • Automatically collected information (e.g., timestamps, purchase history).
  • Identifiers (e.g., loyalty account numbers).

Explanation of Options:

A. Inferences made about the individual for the company's internal purposes: This is correct. Inferences generated for internal use are not considered part of the data set that must be disclosed in response to a CPRA data access request.

B. The loyalty account number assigned through the individual's use of the services: Loyalty account numbers are directly associated with the consumer and must be provided in response to an access request under the CPRA.

C. The time stamp for the creation of the individual's account in the platform's database: This information is part of the consumer's account data and must be disclosed under the CPRA.

D. The email address submitted by the individual as part of the account registration process: This is personal information directly provided by the consumer and must be disclosed under the CPRA.

Reference from CIPP/US Materials:

CPRA (Civil Code 1798.140): Defines personal information and exceptions for internal use, including inferences.

IAPP CIPP/US Certification Textbook: Discusses consumer rights under the CPRA, including access rights and the treatment of inferences.


Question No. 3

Which of the following privacy rights is NOT available under the Colorado Privacy Act?

Question No. 4

The Family Educational Rights and Privacy Act (FERPA) requires schools to do all of the following EXCEPT?

Correct Answer: D

The Family Educational Rights and Privacy Act (FERPA) is a federal law that protects the privacy of student education records and gives parents or eligible students the right to access, amend, and control the disclosure of their records. FERPA applies to all educational agencies and institutions that receive funds under any program administered by the U.S. Department of Education.

FERPA requires schools to do all of the following:

Verify the identity of students who make requests for access to their records. Schools must use reasonable methods to identify and authenticate the identity of parents, students, school officials, and any other parties to whom they disclose education records.

Provide students with access to their records within a specified amount of time. Schools must provide parents or eligible students with an opportunity to inspect and review the student's education records within 45 days of receiving a request. Schools are not required to provide copies of records unless it is impossible for parents or eligible students to review the records at the school.

Respond to all reasonable student requests regarding explanation of their records. Schools must provide parents or eligible students with an opportunity to request the amendment of the student's education records that they believe are inaccurate, misleading, or otherwise in violation of the student's privacy rights. Schools must consider the request and decide whether to amend the records within a reasonable time. If the school decides not to amend the records, it must inform the parent or eligible student of their right to a hearing on the matter.

FERPA does not require schools to do the following:

Obtain student authorization before releasing directory information in their records. Directory information is information contained in a student's education record that would not generally be considered harmful or an invasion of privacy if disclosed. Examples of directory information include the student's name, address, phone number, e-mail address, date and place of birth, major field of study, participation in sports and activities, dates of attendance, degrees and awards received, and most recent school attended. Schools may disclose directory information without consent unless the parent or eligible student has opted out of such disclosure. Schools must notify parents and eligible students of the types of information they designate as directory information and of their right to opt out of directory information disclosure.

Therefore, the correct answer is D. Obtain student authorization before releasing directory information in their records.
Reference:

Family Educational Rights and Privacy Act (FERPA)

IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 4: Federal Privacy Laws, Section 4.3: The Family Educational Rights and Privacy Act (FERPA)

Question No. 5

Which of the following is commonly required for an entity to be subject to breach notification requirements under most state laws?

Correct Answer: A

Most state laws require that a person or business that conducts business in the state and owns or licenses personal information of residents of that state must notify those residents of any breach of the security of the system involving their personal information. This means that the entity does not have to be physically located in the state, have employees in the state, or be registered in the state to be subject to the breach notification requirements, as long as it conducts business in the state and holds personal information of state residents. Conducting business in the state can be interpreted broadly to include any transaction or activity that involves the state or its residents, such as selling goods or services, collecting payments, or maintaining a website accessible by state residents. The other options (B, C, and D) are not commonly required by most state laws, although some states may have additional or specific requirements for certain types of entities, such as information brokers, health care providers, or financial institutions.

Reference:

Security Breach Notification Chart | Perkins Coie

Security Breach Notification Laws - National Conference of State Legislatures

IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 4: State Privacy Laws and Regulations, Section 4.2: State Security Breach Notification Laws.