
100+ Free IAPP CIPP/CN Practice Questions

Pass your IAPP Certified Information Privacy Professional / China (CIPP/CN) exam on the first try — instant access, no signup required.

Pass rate: IAPP does not publicly report CIPP/CN pass rates.

2026 Statistics

Key Facts: IAPP CIPP/CN Exam

  • Exam Questions: 90 (multiple-choice format)
  • Passing Score: 300/500 (scaled scoring)
  • Time Limit: 2.5 hr (Pearson VUE delivery)
  • Exam Fee: $550 (per attempt, USD)
  • Maintenance Cycle: 2 yrs ($250 CMF + 20 CPE)
  • Domains Tested: 3 (Intro / PIPL / Sectoral)

The IAPP CIPP/CN is an expert-level Chinese data privacy credential with a 90-question, 2.5-hour exam, a 300/500 scaled passing score, and a $550 USD fee delivered through Pearson VUE. The exam validates mastery of China's three-pillar legal framework — the Personal Information Protection Law (PIPL), the Data Security Law (DSL), and the Cybersecurity Law (CSL) — together with CAC cross-border transfer routes (security assessment, standard contract, certification), sensitive PI handling, automated decision-making rules, PIPIA, and sector regulations covering finance, healthcare, telecom, and automotive data. Maintenance requires a $250 Certification Maintenance Fee plus 20 CPE credits every two years. The credential is highly valued for in-house counsel, DPOs, and consultants advising multinationals on PIPL extraterritoriality and outbound data flows.

Sample IAPP CIPP/CN Practice Questions

Try these sample questions to test your IAPP CIPP/CN exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1. Which of the following is the principal national-level law that establishes a comprehensive personal information protection regime in mainland China?
A. Cybersecurity Law (CSL)
B. Data Security Law (DSL)
C. Personal Information Protection Law (PIPL)
D. E-Commerce Law
Explanation: The Personal Information Protection Law (PIPL), effective November 1, 2021, is China's primary statute dedicated to personal information protection. It defines lawful bases for processing, individual rights, handler obligations, cross-border transfer rules, and penalties.

2. Which agency is the lead regulator that coordinates national personal information protection work and supervises cross-border data transfers in China?
A. State Administration for Market Regulation (SAMR)
B. Ministry of Industry and Information Technology (MIIT)
C. Cyberspace Administration of China (CAC)
D. Ministry of Public Security (MPS)
Explanation: The Cyberspace Administration of China (CAC) is the lead national regulator for personal information protection, network security, and cross-border data transfers, including the security assessment, standard contract, and certification routes.

3. Under PIPL Article 4, 'personal information' is defined as which of the following?
A. Any information about Chinese citizens, regardless of identifiability
B. All information of identified or identifiable natural persons recorded electronically or by other means, excluding anonymized information
C. Only sensitive personal information such as biometrics and financial data
D. Information that has been pseudonymized but not yet anonymized
Explanation: PIPL Article 4 defines personal information as various information related to identified or identifiable natural persons recorded by electronic or other means, but excludes anonymized information. Anonymized data is information that cannot be used to identify a specific natural person and cannot be restored.

4. PIPL applies extraterritorially under Article 3 when a foreign handler processes the personal information of natural persons inside China. Which scenario does NOT trigger PIPL extraterritorial application?
A. Providing products or services to natural persons inside China
B. Analyzing and evaluating the conduct of natural persons inside China
C. Processing only non-Chinese employees' HR data outside China for internal company use, with no link to China
D. Other circumstances stipulated by laws or administrative regulations
Explanation: PIPL Article 3 extends extraterritorially when a foreign handler (i) provides products or services to individuals in China, (ii) analyzes or evaluates the conduct of individuals in China, or (iii) under other circumstances set by law. Processing of unrelated foreign employees' data outside China without nexus to Chinese individuals does not trigger PIPL.

5. Which of the following is NOT a recognized lawful basis for processing personal information under PIPL Article 13?
A. Necessary to perform a contract to which the individual is a party, or for HR management under labor rules
B. Necessary to perform statutory duties or legal obligations
C. Legitimate interests of the personal information handler
D. Necessary to respond to public health emergencies or to protect natural persons' life, health, or property in emergencies
Explanation: PIPL Article 13 lists specific lawful bases (consent, contract/HR, statutory duty, public health/emergency, news/public interest, processing of disclosed information within reason, and other circumstances by law) but it does NOT include GDPR-style 'legitimate interests' as a stand-alone basis.

6. Under PIPL Article 28, which of the following items is explicitly listed as 'sensitive personal information'?
A. Email addresses used for marketing
B. Location tracking information
C. IP addresses collected from website logs
D. Customer purchase history of consumer goods
Explanation: PIPL Article 28 names sensitive personal information categories: biometric identifiers, religious belief, specific identity, medical and health data, financial accounts, location tracking (whereabouts), and the personal information of minors under 14.

7. PIPL Article 31 provides additional protection for the personal information of minors. Which age threshold triggers special handling rules and the requirement of guardian consent?
A. Under 18
B. Under 16
C. Under 14
D. Under 12
Explanation: PIPL classifies the personal information of minors under the age of 14 as sensitive personal information (Article 28) and requires consent from a parent or other guardian, plus a dedicated processing rule (Article 31).

8. PIPL Article 38 establishes routes for outbound cross-border transfer of personal information. Which is NOT a permitted route under Article 38?
A. Passing the CAC-organized security assessment
B. Obtaining personal information protection certification from a specialized institution
C. Concluding the standard contract for outbound personal information transfer with the overseas recipient per CAC rules
D. Self-declaration by the handler that the overseas recipient provides equivalent protection
Explanation: PIPL Article 38 recognizes three primary routes for outbound transfer: (1) CAC security assessment, (2) personal information protection certification from a CAC-designated institution, and (3) signing the CAC standard contract. It also allows other routes set by law or treaty. Pure self-declaration of equivalent protection is not a route.

9. The Measures for Security Assessment for Outbound Data Transfers (effective September 2022, with relaxation provisions in 2024) require a CAC security assessment when which threshold is met?
A. Any outbound transfer of any personal information
B. Transfer of important data, transfers by CIIOs, or transfer of PI of more than the regulatory thresholds (e.g., sensitive PI over 10,000 individuals or ordinary PI over 1 million individuals cumulatively since January 1 of the preceding year)
C. Transfers exceeding 100 individuals' personal information
D. Transfers only when the recipient country lacks adequacy
Explanation: Under the 2024 Provisions on Promoting and Regulating Cross-Border Data Flows, security assessment is required for: any outbound transfer of important data; transfers by CIIOs of any personal information; non-CIIO transfer of sensitive PI of more than 10,000 individuals; or transfers of non-sensitive PI of more than 1 million individuals (cumulatively since January 1 of the prior year).

10. A non-CIIO Chinese subsidiary plans to send the non-sensitive personal information of approximately 250,000 individuals to its overseas parent within a calendar year. Which cross-border transfer route is most appropriate?
A. Mandatory CAC security assessment
B. Either standard contract filing with the provincial CAC or PI protection certification
C. No transfer route required at all
D. Apply for an ad hoc CAC waiver
Explanation: For non-CIIO transfer of non-sensitive PI of more than 100,000 but less than 1,000,000 individuals (cumulatively since January 1 of the prior year), the standard contract or certification route applies. Volumes of 1 million or more, or sensitive PI of 10,000+, push the transfer into the security assessment route.

About the IAPP CIPP/CN Exam

The IAPP Certified Information Privacy Professional / China (CIPP/CN) certification validates expert-level knowledge of Chinese personal information protection law and compliance practice. The exam covers the legal landscape (Civil Code, CSL, DSL), regulators (CAC, MIIT, MPS, SAMR, PBoC, MOST), terminology (PI handlers, entrusted parties), the Personal Information Protection Law (PIPL) including extraterritorial scope, lawful bases, sensitive PI, separate consent, automated decision-making, cross-border transfer routes (CAC security assessment, standard contract, certification), individual rights, handler obligations, PIPIA, breach notification, penalties, and civil liability, and sectoral regulations across finance, healthcare and human genetic resources, telecom and internet, automotive and connected vehicles, CIIO obligations, important data, and compliance program design. It is designed for privacy lawyers, compliance officers, DPOs, and consultants advising on China data protection.

  • Assessment: 90 multiple-choice questions covering Chinese privacy law and practice across three domains: Introduction to Personal Information Protection in China, the Personal Information Protection Law (PIPL), and Sectoral Regulations and Compliance
  • Time Limit: 2.5 hours
  • Passing Score: 300/500 scaled
  • Exam Fee: $550 USD (IAPP / Pearson VUE)

IAPP CIPP/CN Exam Content Outline

  • Introduction to Personal Information Protection in China (~33%): Chinese legal landscape, terminology (PI handlers, entrusted parties), Civil Code PI rights, CSL overview, DSL data classification (general/important/core), regulators (CAC, MIIT, MPS, SAMR, PBoC, MOST), MLPS, GB/T 35273 and GB/T 46068, enforcement (Didi, ByteDance), legal hierarchy
  • The Personal Information Protection Law (PIPL) (~33%): Scope and extraterritoriality (Art. 3), definitions (Art. 4), processing principles (Art. 5-9), lawful bases (Art. 13), notice/consent (Art. 14-18), sensitive PI (Art. 28-32), separate consent, joint handlers (Art. 20), entrusted parties (Art. 21), automated decision-making (Art. 24), cross-border transfer (Art. 38-43), individual rights (Art. 44-50), handler obligations (Art. 51-58), PIPO/Article 53 representative, PIPIA (Art. 55-56), breach notification (Art. 57), penalties (Art. 66), civil liability (Art. 69)
  • Sectoral Regulations and Compliance (~33%): Finance (PBoC JR/T 0171), healthcare and HGR (MOST), telecom and internet (MIIT app rules), automotive (Automotive Data Security Provisions, in-vehicle defaults, important automotive data), CIIO obligations and CII Security Protection Regulations, Cybersecurity Review Measures (1M-user IPO threshold), Network Data Security Management Regulations, important data identification, compliance program design (data mapping, lawful basis, localization, transfer route choice, notice/consent, PIPO, audits)

How to Pass the IAPP CIPP/CN Exam

What You Need to Know

  • Passing score: 300/500 scaled
  • Assessment: 90 multiple-choice questions covering Chinese privacy law and practice across three domains: Introduction to Personal Information Protection in China, the Personal Information Protection Law (PIPL), and Sectoral Regulations and Compliance
  • Time limit: 2.5 hours
  • Exam fee: $550 USD

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

IAPP CIPP/CN Study Tips from Top Performers

1. Memorize the three cross-border transfer thresholds: CAC security assessment for any CIIO transfer, important data, sensitive PI of 10,000+ individuals, or ordinary PI of 1M+ individuals; standard contract or certification for non-sensitive PI of 100K-1M; and exemption-eligible flows below 100K non-sensitive PI
2. Master the difference between 'consent' (Art. 14) and 'separate consent' (单独同意) — separate consent is required for sensitive PI (Art. 29), data sharing (Art. 23), public disclosure (Art. 25), cross-border transfer (Art. 39), and using PI from public CCTV for non-public-security purposes
3. Learn the PIPL article numbers most-tested: Art. 3 (scope), 4 (definitions), 13 (lawful bases — note no 'legitimate interests'), 24 (automated decision-making), 28 (sensitive PI categories), 38 (transfer routes), 51 (handler duties), 55-56 (PIPIA), 66 (penalties), 69 (reversed burden of proof)
4. Understand China's three-tier data classification: general / important / core data under DSL Article 21, and how it interacts with PIPL's PI / sensitive PI categories
5. Know the regulators by acronym and mandate: CAC (lead), MIIT (telecom/apps), MPS (MLPS, cybercrime), SAMR (consumer/competition, certification co-issuer), PBoC (financial PI), MOST (HGR)
6. Practice applying the Automotive Data Provisions' four 'defaults' (in-vehicle, anonymization, minimum precision, minimum duration) — this is a fact-pattern favorite in Domain III

Frequently Asked Questions

What is the IAPP CIPP/CN exam?

The IAPP Certified Information Privacy Professional / China (CIPP/CN) is an expert-level certification from the International Association of Privacy Professionals that validates knowledge of Chinese personal information protection law. The exam covers the Personal Information Protection Law (PIPL), Data Security Law (DSL), Cybersecurity Law (CSL), CAC cross-border transfer routes, sensitive PI rules, automated decision-making, PIPIA, and sectoral regulations for finance, healthcare, telecom, and automotive.

How many questions are on the CIPP/CN exam?

The CIPP/CN exam contains 90 multiple-choice questions delivered over a 2.5-hour session through Pearson VUE. You need a scaled score of at least 300 out of 500 to pass. Questions are distributed across three domains: Introduction to Personal Information Protection in China, the PIPL, and Sectoral Regulations and Compliance.

How much does the CIPP/CN exam cost?

The CIPP/CN exam costs $550 USD per attempt and is administered through Pearson VUE testing centers or online proctoring. After certification, IAPP charges a $250 Certification Maintenance Fee (CMF) every two years, and you must earn 20 CPE credits in that cycle to maintain the credential.

What topics does the CIPP/CN exam cover?

The exam covers Chinese privacy law and practice across three domains: (1) the legal landscape and key regulators (CAC, MIIT, MPS, SAMR, PBoC, MOST), CSL/DSL overview, MLPS, and GB/T standards; (2) the PIPL including scope, lawful bases, sensitive PI, automated decision-making, cross-border transfer routes (security assessment, standard contract, certification), individual rights, handler obligations, PIPIA, and penalties; and (3) sectoral regulations covering finance, healthcare and HGR, telecom and internet, automotive data, CIIO duties, important data, and compliance program design.

How is the CIPP/CN different from CIPP/E or CIPP/US?

Each CIPP concentration focuses on a different jurisdiction. CIPP/E covers the EU GDPR, CIPP/US covers federal and state US privacy law, and CIPP/CN covers Chinese privacy law including PIPL, DSL, and CSL. Holding multiple concentrations is common for global privacy professionals. CIPP/CN is the only IAPP credential focused on China and includes unique topics such as CAC security assessments, the standard contract route, and HGR rules.

How should I prepare for the CIPP/CN exam?

Prepare by studying the official CIPP/CN Body of Knowledge and Exam Blueprint, IAPP's CIPP/CN textbook, and the texts of PIPL, DSL, and CSL. Practice with a question bank that mirrors the three-domain weighting, focus on PIPL articles cited in IAPP's outline, master cross-border transfer thresholds (1M ordinary PI, 10K sensitive PI, important data, CIIO), and review enforcement cases (Didi, app inspections). Most candidates need 60-100 hours over 6-10 weeks.

How long is the CIPP/CN certification valid?

The CIPP/CN certification follows IAPP's standard maintenance cycle: 2 years between renewal periods. Holders must pay a $250 Certification Maintenance Fee (CMF) and earn 20 CPE credits during each two-year cycle. CPEs can be earned through IAPP webinars, conferences, publications, and other approved professional activities.