Free CIPT Practice Questions
10 free, exam-style Certified Information Privacy Technologist (CIPT) practice questions with answers and
explanations. No signup required. Work through them below, then take the
full free CIPT practice test to study every exam domain.
Question 1
A fintech startup processes EU customer financial data using servers in Singapore. The startup has no DPO, no data processing agreements with its cloud provider, and its privacy notice is a single sentence stating 'We respect your privacy.' Which of the following is the MOST critical compliance gap?
- The privacy notice is too short
- The lack of a data processing agreement with the cloud provider, as GDPR Article 28 requires written contracts specifying the terms of processing
- The servers are in Singapore
- The company does not have a DPO
Correct answer: B - The lack of a data processing agreement with the cloud provider, as GDPR Article 28 requires written contracts specifying the terms of processing
Question 2
A cookie consent interface shows 'Accept All' requiring one click, while 'Reject All' requires navigating through three separate pages of toggle switches. A regulator would MOST likely find this:
- Compliant because a reject option exists
- Non-compliant because rejecting must be as easy as accepting under GDPR consent requirements
- Compliant if the toggle switches are clearly labeled
- Non-compliant only if the website is based in the EU
Correct answer: B - Non-compliant because rejecting must be as easy as accepting under GDPR consent requirements
Question 3
A predictive policing algorithm focuses resources on neighborhoods that have historically had more arrests. Increased police presence leads to more arrests in those areas, which further trains the algorithm to target those neighborhoods. This illustrates:
- Training data bias
- Proxy discrimination
- A feedback loop where biased outputs become biased inputs for future model training
- Algorithmic transparency
Correct answer: C - A feedback loop where biased outputs become biased inputs for future model training
Question 4
An AI chatbot trained on customer support tickets begins reproducing actual customer names, email addresses, and order details in its responses. This is an example of:
- Effective personalization
- Training data memorization - the model has memorized personal data from training examples
- Normal chatbot behavior
- An attribute inference attack
Correct answer: B - Training data memorization - the model has memorized personal data from training examples
Question 5
In a k-anonymous dataset with k=3, all three individuals in one equivalence class have 'diabetes' as their medical condition. An attacker viewing this group can determine:
- Nothing about any individual
- That every person in the group has diabetes, despite not knowing their exact identity
- Only the ages of the individuals
- The names of all three individuals
Correct answer: B - That every person in the group has diabetes, despite not knowing their exact identity
Question 6
A cloud provider needs to run analytics on a hospital's encrypted patient data without ever seeing the plaintext. Which technology enables this?
- Symmetric encryption
- Asymmetric encryption
- Homomorphic encryption
- Format-Preserving Encryption
Correct answer: C - Homomorphic encryption
Question 7
A data subject submits a deletion request, but the organization also has a legal obligation to retain certain financial records containing that individual's data. The organization should:
- Delete all data to comply with the data subject's request
- Retain only the data required by law and delete all other data related to the individual
- Ignore the deletion request because of the legal obligation
- Ask the supervisory authority to decide
Correct answer: B - Retain only the data required by law and delete all other data related to the individual
Question 8
An IoT manufacturer releases a smart doorbell with no privacy notice, no way to view or delete recordings, encryption only during cloud upload but not local storage, and default video sharing with the manufacturer's partners. How many PbD principles are violated?
- Two
- Three
- Five - Principles 2 (default sharing), 3 (not embedded), 5 (incomplete encryption), 6 (no transparency), and 7 (no user control)
- All seven
Correct answer: C - Five - Principles 2 (default sharing), 3 (not embedded), 5 (incomplete encryption), 6 (no transparency), and 7 (no user control)
Question 9
A company's marketing team wants to enable detailed user tracking by default to maximize ad revenue, while the privacy team argues for minimal tracking by default. Under PbD, which position is correct?
- Marketing is correct because revenue drives business sustainability
- Privacy is correct - Principle 2 requires maximum privacy as the default, and Principle 4 requires finding a positive-sum solution that achieves both goals
- Neither - the CEO should decide based on competitive analysis
- Both teams should compromise at a medium level of tracking
Correct answer: B - Privacy is correct - Principle 2 requires maximum privacy as the default, and Principle 4 requires finding a positive-sum solution that achieves both goals
Question 10
A small company with 50 employees processes employee health data for occupational health purposes. Does the RoPA exemption apply?
- Yes, because the company has fewer than 250 employees
- No, because the company processes special category data (health data), which is an exception to the exemption
- Yes, because health data is not personal data
- No, because all companies must maintain a RoPA regardless of size
Correct answer: B - No, because the company processes special category data (health data), which is an exception to the exemption