
[Apr-2025] CIPP-US Exam Dumps - Free Demo & 365 Day Updates
NEW QUESTION # 105
Due to cookie deprecation, businesses will be required to simplify their tracking practices by doing what?
- A. Deleting their existing data sets of any third-party cookies
- B. Running analytics only in dedicated sandboxes
- C. Purging existing IDs that identify visitors by browser.
- D. Ensuring only registered users are tracked.
Answer: A
Explanation:
With the impending deprecation of third-party cookies, businesses must simplify their tracking practices and shift to more privacy-conscious technologies. Third-party cookies are being phased out by major web browsers, such as Google Chrome, to improve user privacy and reduce cross-site tracking.
One of the most critical actions businesses need to take is deleting existing data sets of third-party cookies, as they will soon become obsolete. This action ensures compliance with emerging privacy standards and helps organizations transition to alternative methods of tracking, such as first-party data collection or consent-based tracking mechanisms.
Explanation of Options:
* A. Deleting their existing data sets of any third-party cookies: This is correct. Deleting existing third-party cookie data is a necessary step to align with the move away from third-party cookies, ensuring businesses are prepared for the shift to new tracking technologies.
* B. Running analytics only in dedicated sandboxes: Sandboxing analytics tools may enhance security, but it does not directly relate to the transition away from third-party cookies.
* C. Purging existing IDs that identify visitors by browser: Browser IDs are not inherently tied to third-party cookies. Purging them might be part of broader privacy compliance efforts but is not the primary issue with cookie deprecation.
* D. Ensuring only registered users are tracked: While focusing on registered users might simplify tracking, it does not address the broader privacy concerns surrounding third-party cookies.
References from CIPP/US Materials:
* IAPP CIPP/US Certification Textbook: Discusses cookie deprecation and the shift towards first-party data and privacy-conscious tracking.
* California Consumer Privacy Act (CCPA): Regulates the use of cookies and other tracking technologies, emphasizing user consent and transparency.
NEW QUESTION # 106
One of the most significant elements of Senate Bill No. 260 relating to Internet privacy is the introduction of what term into Nevada law?
- A. Transfer Mechanism
- B. Artificial Intelligence.
- C. Data Brokers
- D. Data Ethics
Answer: C
Explanation:
One of the most significant changes introduced by Nevada Senate Bill 260 (SB 260) is the inclusion of the term "Data Brokers" into Nevada privacy law. The bill requires data brokers to register with the Nevada Secretary of State and comply with new privacy requirements, such as responding to consumer opt-out requests. This addition aligns Nevada's privacy framework more closely with laws like Vermont's data broker law.
Key Provisions of SB 260:
* Definition of Data Brokers: A data broker is defined as a company that collects, sells, or licenses consumer data and does not have a direct relationship with the consumer.
* Registration Requirements: Data brokers must register annually with the Nevada Secretary of State.
* Consumer Rights: Consumers are granted the right to opt out of the sale of their personal information, extending the scope of Nevada's existing privacy law.
Explanation of Options:
* A. Transfer Mechanism: SB 260 focuses on regulating data brokers, not cross-border data transfer mechanisms.
* B. Artificial Intelligence: SB 260 does not address artificial intelligence directly.
* C. Data Brokers: This is correct. The inclusion of data brokers as a regulated entity is the primary addition introduced by SB 260.
* D. Data Ethics: While data ethics is an important concept, it is not introduced as a specific term under SB 260.
References from CIPP/US Materials:
* Nevada Senate Bill 260 (SB 260): Introduces data broker registration and opt-out rights.
* IAPP CIPP/US Certification Textbook: Discusses state-specific privacy laws, including Nevada's privacy framework.
NEW QUESTION # 107
If an organization certified under Privacy Shield wants to transfer personal data to a third party acting as an agent, the organization must ensure the third party does all of the following EXCEPT?
- A. Notifies the organization if it can no longer meet its requirements for proper data handling
- B. Enters a contract with the organization that states the third party will process data according to the consent agreement
- C. Uses the transferred data for limited purposes
- D. Provides the same level of privacy protection as the organization
Answer: B
Explanation:
According to the Privacy Shield Framework, an organization that transfers personal data to a third party acting as an agent must ensure that the agent does all of the following [1]:
* Uses the transferred data only for limited and specified purposes;
* Provides the same level of privacy protection as is required by the Privacy Shield Principles;
* Takes reasonable and appropriate steps to ensure that the agent effectively processes the personal information transferred in a manner consistent with the organization's obligations under the Principles;
* Requires the agent to notify the organization if it makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the Principles;
* Upon notice, takes reasonable and appropriate steps to stop and remediate unauthorized processing; and
* Provides a summary or a representative copy of the relevant privacy provisions of its contract with that agent to the Department of Commerce upon request.
Therefore, the only option that is not required by the Privacy Shield Framework is B. Enters a contract with the organization that states the third party will process data according to the consent agreement. While the organization must obtain the individual's consent for certain types of data transfers, such as those involving sensitive data or onward transfers to controllers, the organization does not have to include the consent agreement in the contract with the agent. The contract must, however, ensure that the agent will process the data in accordance with the individual's choices and expectations, as well as the Privacy Shield Principles [2].
References: [1] Privacy Shield Framework [3], Section 3(b); [2] Privacy Shield Framework [3], Section 2(b) and ; [3] Privacy Shield Framework.
NEW QUESTION # 108
SCENARIO
Please use the following to answer the next QUESTION:
A US-based startup company is selling a new gaming application. One day, the CEO of the company receives an urgent letter from a prominent EU-based retail partner. Triggered by an unresolved complaint lodged by an EU resident, the letter describes an ongoing investigation by a supervisory authority into the retailer's data handling practices.
The complainant accuses the retailer of improperly disclosing her personal data, without consent, to parties in the United States. Further, the complainant accuses the EU-based retailer of failing to respond to her withdrawal of consent and request for erasure of her personal data. Your organization, the US-based startup company, was never informed of this request for erasure by the EU-based retail partner. The supervisory authority investigating the complaint has threatened the suspension of data flows if the parties involved do not cooperate with the investigation. The letter closes with an urgent request: "Please act immediately by identifying all personal data received from our company." This is an important partnership. Company executives know that its biggest fans come from Western Europe; and this retailer is primarily responsible for the startup's rapid market penetration.
As the Company's data privacy leader, you are sensitive to the criticality of the relationship with the retailer.
Under the GDPR, the complainant's request regarding her personal information is known as what?
- A. Right of Rectification
- B. Right of Removal
- C. Right of Access
- D. Right to Be Forgotten
Answer: D
Explanation:
Under the GDPR, the complainant's request regarding her personal information is known as the right to be forgotten, also known as the right to erasure. This right allows individuals to ask organizations to delete their personal data in certain circumstances, such as when the data is no longer necessary, the consent is withdrawn, or the processing is unlawful. The right to be forgotten is not absolute and may not apply if the processing is necessary for legal, public interest, or legitimate purposes. The right to be forgotten also requires organizations to inform any recipients of the data about the erasure request, unless it is impossible or involves disproportionate effort. References:
* Everything you need to know about the "Right to be forgotten"
* Right to erasure | ICO
* Art. 17 GDPR - Right to erasure ('right to be forgotten') - General ...
* [IAPP CIPP/US Certified Information Privacy Professional Study Guide], Chapter 6, page 213.
NEW QUESTION # 109
Under state breach notification laws, which is NOT typically included in the definition of personal information?
- A. Social Security number
- B. First and last name
- C. State identification number
- D. Medical Information
Answer: D
NEW QUESTION # 110
Which venture would be subject to the requirements of Section 5 of the Federal Trade Commission Act?
- A. A national bank's no-fee checking promotion
- B. An online merchant's free shipping offer
- C. A local nonprofit charity's fundraiser
- D. A city bus system's frequent rider program
Answer: B
Explanation:
Section 5 of the Federal Trade Commission Act (FTC Act) prohibits "unfair or deceptive acts or practices in or affecting commerce." [1] This prohibition applies to all persons engaged in commerce, including banks, but also exempts some entities, such as nonprofit organizations and common carriers, from FTC jurisdiction. [2] Therefore, among the four options, only an online merchant's free shipping offer would be subject to the requirements of Section 5, as it involves a commercial activity that could potentially mislead or harm consumers. For example, if the online merchant fails to disclose the terms and conditions of the offer, charges hidden fees, or delivers the products late or damaged, it could violate Section 5 by engaging in a deceptive practice. [3] References:
* [1] Section 5 | Federal Trade Commission
* [2] Federal Trade Commission Act Section 5: Unfair or Deceptive Acts or Practices, page 1
* [3] IAPP CIPP/US Certified Information Privacy Professional Study Guide, page 23
NEW QUESTION # 111
Which of the following practices is NOT a key component of a data ethics framework?
- A. Preferability testing.
- B. Auditing.
- C. Data governance.
- D. Automated decision-making.
Answer: A
NEW QUESTION # 112
Which of the following is most likely to provide privacy protection to private-sector employees in the United States?
- A. The Federal Trade Commission Act (FTC Act)
- B. The U.S. Department of Health and Human Services (HHS)
- C. State law, contract law, and tort law
- D. Amendments one, four, and five of the U.S. Constitution
Answer: C
Explanation:
Reference: https://corporate.findlaw.com/law-library/right-to-privacy-in-the-workplace-in-the-information-age.html
NEW QUESTION # 113
SCENARIO
Please use the following to answer the next QUESTION
When there was a data breach involving customer personal and financial information at a large retail store, the company's directors were shocked. However, Roberta, a privacy analyst at the company and a victim of identity theft herself, was not. Prior to the breach, she had been working on a privacy program report for the executives. How the company shared and handled data across its organization was a major concern. There were neither adequate rules about access to customer information nor procedures for purging and destroying outdated data. In her research, Roberta had discovered that even low-level employees had access to all of the company's customer data, including financial records, and that the company still had in its possession obsolete customer data going back to the 1980s.
Her report recommended three main reforms. First, permit access on a need-to-know basis. This would mean restricting employees' access to customer information to data that was relevant to the work performed. Second, create a highly secure database for storing customers' financial information (e.g., credit card and bank account numbers) separate from less sensitive information. Third, identify outdated customer information and then develop a process for securely disposing of it.
When the breach occurred, the company's executives called Roberta to a meeting where she presented the recommendations in her report. She explained that the company having a national customer base meant it would have to ensure that it complied with all relevant state breach notification laws. Thanks to Roberta's guidance, the company was able to notify customers quickly and within the specific timeframes set by state breach notification laws.
Soon after, the executives approved the changes to the privacy program that Roberta recommended in her report. The privacy program is far more effective now because of these changes and, also, because privacy and security are now considered the responsibility of every employee.
Based on the problems with the company's privacy security that Roberta identifies, what is the most likely cause of the breach?
- A. Lost company property such as a computer or flash drive.
- B. Unintended disclosure of information shared with a third party.
- C. Mishandling of information caused by lack of access controls.
- D. Fraud involving credit card theft at point-of-service terminals.
Answer: C
NEW QUESTION # 114
Which of the following is NOT a principle found in the APEC Privacy Framework?
- A. Access and Correction.
- B. Privacy by Design.
- C. Integrity of Personal Information.
- D. Preventing Harm.
Answer: B
Explanation:
Reference: https://www.apec.org/-/media/APEC/Publications/2016/11/2016-CTI-Report-to-Ministers/TOC/Appendix-17-Updates-to-the-APEC-Privacy-Framework.pdf
NEW QUESTION # 115
Which of the following most accurately describes the regulatory status of pandemic contact-tracing apps in the United States?
- A. Contact tracing is covered exclusively under the Health Insurance Portability and Accountability Act (HIPAA).
- B. Contact tracing is subject to a patchwork of federal and state privacy laws
- C. Contact tracing is regulated by the U.S. Centers for Disease Control and Prevention (CDC).
- D. Contact tracing is not regulated in the United States.
Answer: B
Explanation:
In the United States, pandemic contact-tracing apps are regulated under a patchwork of federal and state privacy laws, rather than a single, comprehensive framework. Contact-tracing initiatives often involve the collection and processing of sensitive data, including location and health information, which may fall under different legal regimes depending on the jurisdiction and type of data.
Key Regulations Affecting Contact-Tracing Apps:
* State Privacy Laws:
  * States such as California (via the California Consumer Privacy Act - CCPA) and others have privacy laws that may apply to contact-tracing apps, particularly when personal data is collected or shared.
  * State-level health privacy laws may also govern how health-related data is collected and used.
* HIPAA:
  * HIPAA (Health Insurance Portability and Accountability Act) applies only if the app is used by or on behalf of a covered entity (e.g., healthcare providers or health plans). If the app is operated by a private company without a connection to a HIPAA-covered entity, HIPAA likely does not apply.
* Federal Guidance:
  * The Federal Trade Commission (FTC) enforces general privacy protections under Section 5 of the FTC Act, which prohibits unfair or deceptive practices.
  * The FTC has also issued guidance on privacy considerations for health-related apps.
* Other Federal and Sector-Specific Laws:
  * If the app collects health-related data, it could also trigger obligations under laws like the Americans with Disabilities Act (ADA) or sector-specific rules.
Explanation of Options:
* A. Contact tracing is covered exclusively under the Health Insurance Portability and Accountability Act (HIPAA): This is incorrect. HIPAA applies only to covered entities and their business associates, not broadly to all contact-tracing apps or initiatives.
* B. Contact tracing is subject to a patchwork of federal and state privacy laws: This is correct. Contact-tracing apps in the U.S. are governed by various federal, state, and sector-specific laws, creating a patchwork regulatory framework.
* C. Contact tracing is regulated by the U.S. Centers for Disease Control and Prevention (CDC): This is incorrect. While the CDC provides guidance and recommendations for public health, it does not have regulatory authority over contact-tracing apps.
* D. Contact tracing is not regulated in the United States: This is incorrect. While there is no single regulatory framework for contact tracing, the practice is subject to multiple federal and state laws.
References from CIPP/US Materials:
* IAPP CIPP/US Certification Textbook: Discusses the application of HIPAA, state privacy laws, and federal regulations to health-related technologies, including contact-tracing apps.
* FTC Guidance on Health Apps: Details privacy considerations for app developers handling health-related data.
NEW QUESTION # 116
California's SB 1386 was the first law of its type in the United States to do what?
- A. Require commercial entities to disclose a security data breach concerning personal information about the state's residents
- B. Require state attorney general enforcement of federal regulations against unfair and deceptive trade practices
- C. Require notification of non-California residents of a breach that occurred in California
- D. Require encryption of sensitive information stored on servers that are Internet connected
Answer: A
NEW QUESTION # 117
What are banks required to do under the Gramm-Leach-Bliley Act (GLBA)?
- A. Process requests for changes to user preferences within a designated time frame
- B. Provide consumers with the opportunity to opt out of receiving telemarketing phone calls
- C. Conduct annual consumer surveys regarding satisfaction with user preferences
- D. Offer an Opt-Out before transferring PI to an unaffiliated third party for the latter's own use
Answer: D
Explanation:
Reference: https://www.investopedia.com/terms/g/glba.asp
NEW QUESTION # 118
SCENARIO
Please use the following to answer the next QUESTION:
You are the chief privacy officer at HealthCo, a major hospital in a large U.S. city in state A.
HealthCo is a HIPAA-covered entity that provides healthcare services to more than 100,000 patients. A third-party cloud computing service provider, CloudHealth, stores and manages the electronic protected health information (ePHI) of these individuals on behalf of HealthCo. CloudHealth stores the data in state B.
As part of HealthCo's business associate agreement (BAA) with CloudHealth, HealthCo requires CloudHealth to implement security measures, including industry standard encryption practices, to adequately protect the data. However, HealthCo did not perform due diligence on CloudHealth before entering the contract, and has not conducted audits of CloudHealth's security measures.
A CloudHealth employee has recently become the victim of a phishing attack. When the employee unintentionally clicked on a link from a suspicious email, the PHI of more than 10,000 HealthCo patients was compromised. It has since been published online. The HealthCo cybersecurity team quickly identifies the perpetrator as a known hacker who has launched similar attacks on other hospitals - ones that exposed the PHI of public figures including celebrities and politicians.
During the course of its investigation, HealthCo discovers that CloudHealth has not encrypted the PHI in accordance with the terms of its contract. In addition, CloudHealth has not provided privacy or security training to its employees. Law enforcement has requested that HealthCo provide its investigative report of the breach and a copy of the PHI of the individuals affected.
A patient affected by the breach then sues HealthCo, claiming that the company did not adequately protect the individual's ePHI, and that he has suffered substantial harm as a result of the exposed data. The patient's attorney has submitted a discovery request for the ePHI exposed in the breach.
What is the most effective kind of training CloudHealth could have given its employees to help prevent this type of data breach?
- A. Training on the terms of the contractual agreement with HealthCo
- B. Training on CloudHealth's HR policy regarding the role of employees involved in data breaches
- C. Training on techniques for identifying phishing attempts
- D. Training on the difference between confidential and non-public information
Answer: C
NEW QUESTION # 119
Which of the following is most likely to provide privacy protection to private-sector employees in the United States?
- A. The Federal Trade Commission Act (FTC Act)
- B. The U.S. Department of Health and Human Services (HHS)
- C. State law, contract law, and tort law
- D. Amendments one, four, and five of the U.S. Constitution
Answer: C
Explanation:
Unlike many other countries, the United States does not have a comprehensive federal law that regulates the privacy of private-sector employees. Instead, the privacy protection of employees depends largely on state law, contract law, and tort law. State law may provide specific rights and remedies for employees regarding issues such as drug testing, background checks, electronic monitoring, social media access, and genetic information.
Contract law may create obligations and expectations for employers and employees based on written or implied agreements, such as employment contracts, employee handbooks, or collective bargaining agreements.
Tort law may allow employees to sue their employers for invasion of privacy, such as intrusion upon seclusion, public disclosure of private facts, false light, or appropriation of name or likeness. The other options are less likely to provide privacy protection to private-sector employees in the United States. The FTC Act primarily regulates the privacy practices of businesses that collect and use consumer data, not employee data.
The U.S. Constitution only protects individuals from unreasonable searches and seizures by the government, not by private employers. The HHS only enforces the HIPAA Privacy Rule, which applies to covered entities and business associates that handle protected health information, not to all private-sector employers. References:
* IAPP CIPP/US Study Guide, Chapter 6: Workplace Privacy
* Privacy Rights of Employees Using Workplace Computers in the United States
* Employee Privacy Laws
NEW QUESTION # 120
Global Manufacturing Co's Human Resources department recently purchased a new software tool. This tool helps evaluate future candidates for executive roles by scanning emails to see what those candidates say and what is said about them. This provides the HR department with an automated "360 review" that lets them know how the candidate thinks and operates, what their peers and direct reports say about them, and how well they interact with each other.
What is the most important step for the Human Resources Department to take when implementing this new software?
- A. Confirming that employees have read and signed the employee handbook where they have been advised that they have no right to privacy as long as they are using the organization's systems, regardless of the protected group or laws enforced by EEOC.
- B. Ensuring that the software contains a privacy notice explaining that employees have no right to privacy as long as they are running this software on organization systems to scan email systems.
- C. Providing notice to employees that their emails will be scanned by the software and creating automated profiles.
- D. Making sure that the software does not unintentionally discriminate against protected groups.
Answer: D
NEW QUESTION # 121
What does the Massachusetts Personal Information Security Regulation require as it relates to encryption of personal information?
- A. The encryption of personal information stored in Massachusetts-based companies when stored on portable devices.
- B. The encryption of all personal information stored in Massachusetts-based companies when all equipment is located in Massachusetts.
- C. The encryption of all personal information of Massachusetts residents when all equipment is located in Massachusetts.
- D. The encryption of all personal information of Massachusetts residents when stored on portable devices.
Answer: D
Explanation:
The Massachusetts Personal Information Security Regulation (201 CMR 17.00) requires that any person or entity that owns or licenses personal information of Massachusetts residents must implement and maintain a comprehensive written information security program that includes administrative, technical, and physical safeguards to protect such information. One of the technical requirements of the regulation is to encrypt all personal information of Massachusetts residents that is stored on laptops or other portable devices, regardless of where the equipment is located [1][2].
The regulation defines personal information as a person's first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such person: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident's financial account [1]. The regulation also requires encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly [1]. References:
* Regulation 201 CMR 17.00: Standards for the Protection of Personal Information of MA Residents
* Massachusetts Law Raises the Bar for Data Security
NEW QUESTION # 122
What was unique about the action that the Federal Trade Commission took against B.J.'s Wholesale Club in 2005?
- A. It was the first substantial U.S.-EU Safe Harbor enforcement.
- B. It made user consent mandatory after any revisions of policy.
- C. It made third-party audits a penalty for policy violations.
- D. It was based on matters of fairness rather than deception.
Answer: D
Explanation:
Per the FTC Press Release in 2005, "BJ's Wholesale Club, Inc. has agreed to settle Federal Trade Commission charges that its failure to take appropriate security measures to protect the sensitive information of thousands of its customers was an unfair practice that violated federal law."
NEW QUESTION # 123
SCENARIO
Please use the following to answer the next QUESTION
When there was a data breach involving customer personal and financial information at a large retail store, the company's directors were shocked. However, Roberta, a privacy analyst at the company and a victim of identity theft herself, was not. Prior to the breach, she had been working on a privacy program report for the executives. How the company shared and handled data across its organization was a major concern. There were neither adequate rules about access to customer information nor procedures for purging and destroying outdated data. In her research, Roberta had discovered that even low-level employees had access to all of the company's customer data, including financial records, and that the company still had in its possession obsolete customer data going back to the 1980s.
Her report recommended three main reforms. First, permit access on a need-to-know basis. This would mean restricting employees' access to customer information to data that was relevant to the work performed. Second, create a highly secure database for storing customers' financial information (e.g., credit card and bank account numbers) separate from less sensitive information. Third, identify outdated customer information and then develop a process for securely disposing of it.
When the breach occurred, the company's executives called Roberta to a meeting where she presented the recommendations in her report. She explained that the company having a national customer base meant it would have to ensure that it complied with all relevant state breach notification laws. Thanks to Roberta's guidance, the company was able to notify customers quickly and within the specific timeframes set by state breach notification laws.
Soon after, the executives approved the changes to the privacy program that Roberta recommended in her report. The privacy program is far more effective now because of these changes and, also, because privacy and security are now considered the responsibility of every employee.
Which principle of the Consumer Privacy Bill of Rights, if adopted, would best reform the company's privacy program?
- A. Consumers have a right to reasonable limits on the personal data that a company retains.
- B. Consumers have a right to easily accessible information about privacy and security practices.
- C. Consumers have a right to exercise control over how companies use their personal data.
- D. Consumers have a right to correct personal data in a manner that is appropriate to the sensitivity.
Answer: A
NEW QUESTION # 124
Which of the following is NOT one of three broad categories of products offered by data brokers, as identified by the U.S. Federal Trade Commission (FTC)?
- A. Risk mitigation (such as information that may reduce the risk of fraud).
- B. Research (such as information for understanding consumer trends).
- C. Marketing (such as appending data to customer information that a marketing company already has).
- D. Location of individuals (such as identifying an individual from partial information).
Answer: D
NEW QUESTION # 125
Which of the following practices is NOT a key component of a data ethics framework?
- A. Automated decision-making.
- B. Preferability testing.
- C. Auditing.
- D. Data governance.
Answer: A
Explanation:
A data ethics framework is a set of principles and guidelines that help organizations ensure that their data practices are ethical, responsible, and trustworthy. According to the IAPP CIPP/US Study Guide, some of the key components of a data ethics framework are [1]:
* Data governance: the policies, processes, and standards that govern how data is collected, used, stored, and shared within an organization.
* Preferability testing: the process of assessing the potential impacts and risks of data-driven solutions on stakeholders, such as customers, employees, and society.
* Auditing: the process of monitoring, reviewing, and verifying the compliance and performance of data practices against the established ethical standards and legal requirements.
Automated decision-making, on the other hand, is not a key component of a data ethics framework, but rather a data practice that may raise ethical issues and challenges. Automated decision-making refers to the use of algorithms, artificial intelligence, or machine learning to make decisions or recommendations without human intervention [2]. While automated decision-making can offer benefits such as efficiency, accuracy, and consistency, it can also pose risks such as bias, discrimination, lack of transparency, and accountability [3]. Therefore, automated decision-making should be subject to ethical evaluation and oversight, but it is not itself a part of a data ethics framework. References:
* [IAPP CIPP/US Study Guide], Chapter 10, Section 10.4, page 287
* [IAPP Glossary], Automated Decision-Making
* IAPP Resources, Ethical Data Use and Automated Decision-Making: A Practical Guide
NEW QUESTION # 126
What consumer service was the Fair Credit Reporting Act (FCRA) originally intended to provide?
- A. The ability to correct inaccurate credit information.
- B. The ability to receive reports from multiple credit reporting agencies.
- C. The ability to appeal negative credit-based decisions.
- D. The ability to investigate incidents of identity theft.
Answer: A
Explanation:
The Fair Credit Reporting Act (FCRA) was originally intended to provide consumers with the ability to correct inaccurate credit information that could affect their access to credit, employment, insurance, and other benefits. The FCRA gives consumers the right to access their credit reports from the three major credit reporting agencies (Equifax, Experian, and TransUnion) for free once every 12 months, and to dispute any errors or inaccuracies with the credit reporting agencies or the information furnishers (such as lenders, creditors, or debt collectors). The FCRA also requires the credit reporting agencies and the information furnishers to investigate and resolve the disputes within 30 days, and to delete or correct any information that is found to be inaccurate, incomplete, or outdated. The FCRA also provides consumers with the right to place fraud alerts or security freezes on their credit reports if they are victims or potential victims of identity theft, and to receive notifications from users of their credit reports (such as employers or insurers) if any adverse action is taken based on their credit information. References:
* Fair Credit Reporting Act - Wikipedia
* What is the Fair Credit Reporting Act (FCRA)? | Money
* The Fair Credit Reporting Act of 1970 - The Balance
* How the Fair Credit Reporting Act (FCRA) Protects Consumer Rights
NEW QUESTION # 127