CIPP/US Cheat Sheet 2026
The 30 highest-yield CIPP/US facts, distilled from real exam questions. Print it, save it as a PDF, or study it here — free, no sign-up.
90 questions
150 min time limit
70% to pass
- What is the most important element of effective professional communication? → Clarity and accuracy of the message tailored to the audience
- The Electronic Communications Privacy Act (ECPA) primarily regulates which of the following? → Interception of wire, oral, and electronic communications
- Which concept requires minimizing the collection of personal data? → Data minimization
- The Driver's Privacy Protection Act (DPPA) restricts state DMVs from disclosing personal information contained in motor vehicle records except for: → Permissible uses enumerated in the statute, such as government functions or litigation
- Which law requires businesses to implement reasonable security practices? → CCPA
- What should an organization do first when implementing a privacy program? → Conduct a privacy risk assessment
- What is the role of documentation in regulatory compliance? → It provides verifiable evidence that standards are being met
- When facing an ethical dilemma, what is the recommended first step? → Identify all stakeholders affected and review applicable codes of conduct
- What should be the first action when a new regulation is enacted that affects your practice? → Review the regulation, assess its impact, and develop an implementation plan
- Which organization enforces data privacy laws in the United States? → FTC
- What is the primary purpose of industry regulations in this field? → To protect the public and ensure consistent professional standards
- Which principle requires that personal data collected online be limited to what is directly relevant and necessary for the specific stated purpose? → Data minimization
- Which quality management tool is used to identify the most significant factors in a dataset? → Pareto chart (80/20 rule)
- Under the FCRA, consumer reporting agencies must investigate disputed information within: → 30 days (generally)
- What is the primary goal of quality assurance in professional practice? → To ensure consistent delivery of products or services that meet established standards
- The HIPAA Privacy Rule's 'minimum necessary' standard requires covered entities to: → Limit PHI uses and disclosures to the minimum necessary to accomplish the intended purpose
- How should negative or difficult information be communicated to stakeholders? → Honestly and promptly, with proposed solutions or mitigation steps
- Under HIPAA, 'Protected Health Information' (PHI) is defined as individually identifiable health information that is: → Held or transmitted by a covered entity or its business associate in any form or medium
- Under the ADA (Americans with Disabilities Act), when may an employer require a medical examination of a current employee? → Only when it is job-related and consistent with business necessity
- What is the primary role of the FTC in privacy enforcement? → Enforcing consumer protection and privacy laws
- Under the FCRA, how long before taking adverse employment action must an employer wait after providing the pre-adverse action notice? → A reasonable period of time (generally interpreted as at least 5 business days)
- What is the purpose of a feedback mechanism in professional communication? → To ensure messages are received, understood, and to identify areas for improvement
- Which foundational principle is most critical to professional practice in this field? → Evidence-based decision making and continuous improvement
- FERPA primarily protects which type of information? → Education records
- What should a communication plan include at minimum? → Stakeholder list, message content, channels, frequency, and responsible parties
- What is the main objective of a data retention policy? → To comply with data storage and deletion timelines
- What is a root cause analysis used for? → To identify the underlying cause of a problem rather than just addressing symptoms
- What distinguishes quality assurance from quality control? → QA is proactive and process-focused; QC is reactive and product-focused
- Which regulation is enforced by state-level privacy agencies like the California Privacy Protection Agency (CPPA)? → CCPA/CPRA
- What constitutes a conflict of interest in professional practice? → When personal interests could improperly influence professional judgment
Turn these facts into recall: