CIPP/US Cheat Sheet 2026

The 30 highest-yield CIPP/US facts, distilled from real exam questions. Print it, save it as a PDF, or study it here — free, no sign-up.

90 questions
150 min time limit
70% to pass
  1. What is the most important element of effective professional communication? Clarity and accuracy of the message tailored to the audience
  2. The Electronic Communications Privacy Act (ECPA) primarily regulates which of the following? Interception of wire, oral, and electronic communications
  3. Which concept requires minimizing the collection of personal data? Data minimization
  4. The Driver's Privacy Protection Act (DPPA) restricts state DMVs from disclosing personal information contained in motor vehicle records except for: Permissible uses enumerated in the statute, such as government functions or litigation
  5. Which law requires businesses to implement reasonable security practices? CCPA
  6. What should an organization do first when implementing a privacy program? Conduct a privacy risk assessment
  7. What is the role of documentation in regulatory compliance? It provides verifiable evidence that standards are being met
  8. When facing an ethical dilemma, what is the recommended first step? Identify all stakeholders affected and review applicable codes of conduct
  9. What should be the first action when a new regulation is enacted that affects your practice? Review the regulation, assess its impact, and develop an implementation plan
  10. Which organization enforces data privacy laws in the United States? FTC
  11. What is the primary purpose of industry regulations in this field? To protect the public and ensure consistent professional standards
  12. Which principle requires that personal data collected online be limited to what is directly relevant and necessary for the specific stated purpose? Data minimization
  13. Which quality management tool is used to identify the most significant factors in a dataset? Pareto chart (80/20 rule)
  14. Under the FCRA, consumer reporting agencies must investigate disputed information within: 30 days (generally)
  15. What is the primary goal of quality assurance in professional practice? To ensure consistent delivery of products or services that meet established standards
  16. The HIPAA Privacy Rule's 'minimum necessary' standard requires covered entities to: Limit PHI uses and disclosures to the minimum necessary to accomplish the intended purpose
  17. How should negative or difficult information be communicated to stakeholders? Honestly and promptly, with proposed solutions or mitigation steps
  18. Under HIPAA, 'Protected Health Information' (PHI) is defined as individually identifiable health information that is: Held or transmitted by a covered entity or its business associate in any form or medium
  19. Under the ADA (Americans with Disabilities Act), when may an employer require a medical examination of a current employee? Only when it is job-related and consistent with business necessity
  20. What is the primary role of the FTC in privacy enforcement? Enforcing consumer protection and privacy laws
  21. Under the FCRA, how long before taking adverse employment action must an employer wait after providing the pre-adverse action notice? A reasonable period of time (generally interpreted as at least 5 business days)
  22. What is the purpose of a feedback mechanism in professional communication? To ensure messages are received, understood, and to identify areas for improvement
  23. Which foundational principle is most critical to professional practice in this field? Evidence-based decision making and continuous improvement
  24. FERPA primarily protects which type of information? Education records
  25. What should a communication plan include at minimum? Stakeholder list, message content, channels, frequency, and responsible parties
  26. What is the main objective of a data retention policy? To comply with data storage and deletion timelines
  27. What is a root cause analysis used for? To identify the underlying cause of a problem rather than just addressing symptoms
  28. What distinguishes quality assurance from quality control? QA is proactive and process-focused; QC is reactive and product-focused
  29. Which regulation is enforced by state-level privacy agencies like the California Privacy Protection Agency (CPPA)? CCPA/CPRA
  30. What constitutes a conflict of interest in professional practice? When personal interests could improperly influence professional judgment