
Complete Guide to Get Your CIPP/US

Learn how to get your CIPP/US with zero upfront knowledge.

Audience

This article is for anyone interested in learning more about the Certified Information Privacy Professional US (CIPP/US) certification.

This guide assumes no knowledge about the CIPP/US, the certification process, the maintenance requirements, or the knowledge required to pass the exam.

This post provides a holistic overview and study guide to get your CIPP/US.

Disclaimer

There is a considerable amount of content here—take your time digesting it.

I encourage you to skip around to the relevant sections. Different parts will be more or less relevant based on where you're at in your certification journey.

Bookmark this page and use it as a resource throughout your studies.

What is the CIPP/US?

The CIPP/US is the most widely held privacy certification available today.

The International Association of Privacy Professionals (IAPP), a not-for-profit that helps define, promote, and improve the privacy profession globally, offers the CIPP/US as a certification for privacy practitioners.

There are currently four active CIPP certifications: United States (CIPP/US), Asia (CIPP/A), Canada (CIPP/C), and Europe (CIPP/E), plus an announced but not yet released certification for China (CIPP/CN).

Getting any CIPP demonstrates a foundational understanding of the privacy laws, regulations, and requirements in a jurisdiction. For the CIPP/US, you'll learn about industry-specific regulations, including healthcare, finance, education, telecommunications, as well as the recent surge in state comprehensive laws.

Check out this dedicated post for more benefits of IAPP certifications.

What Will You Learn?

Most people are interested in getting the CIPP/US to learn—that's the goal, right?

Each IAPP certification has a Body of Knowledge that provides an exhaustive list of covered topics. However, at a high-level you can expect to learn about:

  1. Introduction to the US Privacy Environment
  2. Limits on Private-Sector Collection and Use of Data
  3. Government and Court Access to Private-Sector Information
  4. Workplace Privacy
  5. State Privacy Laws

Module 1 and Module 2 make up most of the testable content for the CIPP/US.

However, as more states have introduced state comprehensive privacy laws, Module 5 has received more and more attention (and test questions!). Module 3 and Module 4 are still important, but responsible for fewer test questions.

Check out Mapping the Official Textbook for an in-depth look at each module.

How Long Should You Study For?

You should study for a minimum of 30 hours. For reference, I spent ~40-50 hours.

You don't have to invest this level of time and energy. However, you certainly shouldn't underestimate the CIPP/US certification exam—retakes are expensive.

Even if you're a seasoned privacy practitioner, I recommend approaching this certification exam as if you knew nothing. Check your ego at the door and spend time learning and re-learning topics you thought you knew.

In my experience, 30-40 hours seems about right for most people. If you want to do particularly well, and not just pass, invest some additional time beyond this.

Check out this dedicated post on how long to study for IAPP certifications!

Study Tools

Studying for any certification can be daunting, but the CIPP/US is a beast.

Put plainly, the CIPP/US covers a lot of material. It's difficult to keep track of the countless sectoral and state comprehensive privacy laws, their differences, etc.

Choosing the right (or wrong) study tools can substantially impact your success.

This section shares my essential official and unofficial study tools.

Official Study Tools

Which official study tools are "must haves" and which should you avoid?

I passed all 4 of my IAPP certifications using only official IAPP study tools. However, these resources are not always equal in terms of cost and quality.

The official IAPP resources you may consider include:

  1. Official Textbook (Paid)
  2. Body of Knowledge (Free)
  3. Exam Blueprint (Free)
  4. Glossary of CIPP/US Terms (Free)
  5. Practice Exam (Paid)
  6. Online and In-Person Training (Paid)

There are a lot of options here—let's break it down.

Official Textbook

You can pass almost any IAPP certification using only the official textbook.

For the CIPP/US, the official textbook is U.S. Private-Sector Privacy: Law and Practice for Information Privacy Professionals by Peter Swire and DeBrae Kennedy-Mayo.

The official textbook covers most of the information needed to pass the exam.

Why not all? Privacy is a rapidly changing field, and traditional textbooks struggle to keep up. Always refer to the Body of Knowledge and Exam Blueprint to ensure you've reviewed all testable material.

The textbook costs $65 (IAPP Members) or $75 (Non-Members) as an e-book, or $85 (IAPP Members) or $95 (Non-Members) for a physical copy. If you're getting any IAPP certifications, consider the benefits and costs of IAPP membership.

For me, the official textbook is a must-buy.

Body of Knowledge & Exam Blueprint

If you aren't using the next two official study tools, you're wasting your time.

The CIPP/US Body of Knowledge provides a detailed breakdown of the testable topics. It also helps you identify topics that the official textbook (or other resources) may not cover. Meanwhile, the CIPP/US Exam Blueprint details how many exam questions to expect on each topic—topics aren't tested equally.

Would you rather study a topic responsible for 2 questions or 22 questions?

I recommend combining the official textbook, the Body of Knowledge, and the Exam Blueprint into a single resource, but you don't have to do this yourself.

We combine these resources for you in Mapping the Official Textbook.

Glossary of CIPP/US Terms

The next study tool isn't particularly amazing, but it's certainly convenient.

I'll keep it short and sweet—use the CIPP/US Glossary.

I wouldn't rely on the exact definitions provided in the glossary (write your own). However, this is a great starting point to build flash cards or do some last-minute checks on key terms.

I reviewed these right before taking the certification exams. Solid resource.

Practice Exam

You probably want a way to test your knowledge before taking the exam, right?

If so, consider buying the CIPP/US Practice Exam.

The CIPP/US practice exam contains 90 questions (the same as the real exam). It provides a realistic look at the type of questions you should expect, the overall format of the exam, and costs $45 (IAPP Members) or $55 (Non-Members).

I'd recommend buying this official practice exam or a third-party equivalent.

Online and In-Person Training

The last official study tool is online and in-person training.

Usually, I don't recommend this option. Why? It's expensive and, on its own, not enough. Based on anecdotes, this training alone isn't sufficient to pass the certification exam.

The cost of this training is substantial ($1,195 to $2,100). Remember, you can get most IAPP certifications using only free resources and the official textbook.

The IAPP partners with individuals and companies to resell this training. These packages often include a copy of the official textbook, the IAPP sample exam questions, and sometimes a year of IAPP membership. It could be a good deal.

If money is no object, or your employer is paying, you may consider this option.

I would probably skip this and only recommend it in specific circumstances.

Unofficial Study Tools

Need some additional resources? Well, there are some good unofficial ones.

You may find textbook outlines, example exam questions, online training, flashcards, and more—I would encourage you to be frugal and diligent here.

Previously, I didn't recommend any third-party resources here.

However, I've heard good things about Mike Chapple's LinkedIn Learning Course (free with trial) and Privacy Bootcamp (paid online training).

For everything else, I recommend your friendly neighborhood search engine.

Mapping the Official Textbook

The following 5 sections combine three critical resources to get your CIPP/US.

We take the topics and number of exam questions from the Body of Knowledge and Exam Blueprint and map them to the chapters of the official textbook.

This helps you identify, prioritize, and review highly testable topics.

Sound useful? Read on!

Introduction to the US Privacy Environment

Before you get into Twitter arguments about HIPAA, you need some background.

Module 1: Introduction to the US Privacy Environment teaches you about the US legal system, sources of law, regulatory authorities, state vs. federal enforcement, and more. You will learn about developing a privacy program, effectively managing user preferences, online privacy, privacy notices, and international data transfers.

A minimum of 27 questions (30%) and a maximum of 35 questions (~39%) come from Module 1. This makes up a substantial share of the 90 exam questions.

Table 1: Topic breakdown by chapter for Module 1.

Topic                                         Min  Max  Chapter(s)
Structure of US Law                             4    6  2, 5
Enforcement of US Privacy and Security Laws     5    7  2, 5
Information Management from a US Perspective   18   22  1, 3, 4, 5, 14

Limits on Private-Sector Collection and Use of Data

Once you have some overall context, we shift our attention to sector-specific laws.

Module 2: Limits on Private-Sector Collection and Use of Data covers laws relating to healthcare, finance, education, telecommunications, and marketing. It also provides a crucial introduction to the Federal Trade Commission (FTC) and their role in regulating the US market and safeguarding consumers.

For each of these sector-specific laws, you'll need to know:

  1. Who is covered by the law?
  2. What types of information are covered?
  3. What is required or prohibited?
  4. Who enforces the law?
  5. What happens if you don't comply?
  6. Why does the law exist?
  7. Does this law interact with other laws, e.g., HIPAA and FERPA?
  8. Does this law preempt, or is it preempted by, other laws?

A minimum of 15 questions (~17%) and a maximum of 25 questions (~28%) come from Module 2. This is the second largest module, behind only Module 1.

Table 2: Topic breakdown by chapter for Module 2.

Topic                                  Min  Max  Chapter(s)
Cross-Sector FTC Privacy Protection      5    7  4, 5
Healthcare                               4    6  8
Financial                                4    6  9
Education                                1    3  10
Telecommunications and Marketing         1    3  11

Government and Court Access to Private-Sector Information

Next up, laws that require, permit, or restrict government access to data.

In Module 3: Government and Court Access to Private-Sector Information, you learn about the US government's ability to authorize wiretaps and pen registers, access stored records and emails, issue national security letters, and more.

You may have noticed most of the exam questions are accounted for. Up to 60 questions may come solely from Module 1 and Module 2.

Module 3 is responsible for only 3 to 7 questions in total. However, it's still important to study these topics and not underestimate their importance.

Table 3: Topic breakdown by chapter for Module 3.

Topic                             Min  Max  Chapter(s)
Law Enforcement and Privacy         1    3  9, 13
National Security and Privacy       1    2  13
Civil Litigation and Privacy        1    2  13

Workplace Privacy

Fourth, but not least, Module 4 focuses on protections afforded to employees.

Module 4: Workplace Privacy teaches you about various regulatory bodies responsible for workplace privacy and their specific responsibilities. Several laws protect employee privacy before, during, and after employment from discrimination, monitoring, and more—probably important topics for you 😄

Slightly bigger than Module 3, Module 4 accounts for between 5 and 9 questions.

Table 4: Topic breakdown by chapter for Module 4.

Topic                                          Min  Max  Chapter(s)
Overview of Workplace Privacy                    2    4  8, 12
Privacy Before, During, and After Employment     3    5  12

State Privacy Laws

Finally, Module 5: State Privacy Laws has absolutely exploded in recent years.

Module 1 and Module 2 are the heavy hitters in terms of the amount of exam questions. However, I think Module 5 is likely the hardest module of them all.

Based on anecdotes, Module 5 has been responsible for countless failing exams.

You will learn about differing definitions of personal information, what constitutes a data breach, when companies must notify consumers, and data subjects' rights. While comprehensive state privacy laws make up the bulk of this section, data breach notification laws come in a close second.

Before September 2021, this module had very few questions (between 5 and 7). It now covers between 9 and 15 questions and is the third largest module of the CIPP/US.

Table 5: Topic breakdown by chapter for Module 5.

Topic                               Min  Max  Chapter(s)
Federal vs. State Authority           1    3  2, 7
Data Privacy and Security Laws        6    8  6, 7
Data Breach Notification Laws         2    4  7

Exam Details

Now that you know what the CIPP/US covers, let's talk about the exam itself.

The CIPP/US follows a similar format to other certification exams.

General Information

The CIPP/US exam is a 2.5-hour exam with 90 multiple-choice questions.

However, only 75 of these questions are scored; the remaining 15 are unscored pretest items that do not contribute to your result.

Each question has one correct answer and three distractors. This differs from other certifications, e.g., the CISSP, where you must select the "best" answer among several defensible ones. Some questions are scenario-based, where you must apply your knowledge to a hypothetical situation.

There is no publicly available information related to the exact score required to pass the CIPP/US exam. However, "passing scores range between about 65 and 80 percent correct."

Registering for the Exam

To register, you must purchase an exam voucher from the IAPP.

For first-time takers, this costs $550. However, if you maintain another IAPP certification, or if you are re-attempting the CIPP/US, the cost reduces to $375.

While not strictly a requirement to register, to maintain your CIPP/US in good standing, you must pay a Certification Maintenance Fee ($250) or become an IAPP Member ($50-$295). More on that trade-off and your options here.

If you haven't, I recommend reviewing all the costs of IAPP certification.

Studying for the Exam

Now that you know way more about the CIPP/US, let's talk about your study plan.

Before jumping in, I'd encourage you to take your time studying for the CIPP/US. In my experience, it's the hardest IAPP certification and covers a substantial breadth and depth of material—give yourself some grace when studying.

My recommended path to success for the CIPP/US is:

  1. Take the practice exam.
  2. Read the book.
  3. Create an outline.
  4. Study the glossary terms.
  5. Review knowledge gaps.

Take the Practice Exam

First, review (or take) the practice exam. Why? A few reasons.

The CIPP/US covers too many topics to study them all equally. You need to know what to study and how to study it.

Mapping the Official Textbook helps you know what to study, i.e., what topics are most testable, where to find them in the textbook, etc. However, reviewing the practice exam helps you understand what's important and how to study.

The actual content of the practice exam isn't so important (but still useful).

Instead, its greatest strength is familiarizing yourself with the type of question and level of detail to expect on topics—this is more valuable.

Next step? Read the Book.

Read the Book

Well, this seems obvious. You actually have to read the book—it's a page turner.

If you rely on one resource to get your CIPP/US, make it the official textbook. To prioritize your studying, I recommend using Mapping the Official Textbook.

Focus your study time on where it matters most.

You should plan to read every chapter at least once, and probably multiple times. For your first pass, I wouldn't worry about taking too many notes, creating flash cards, etc. Just get a general idea of the topics covered—worry about the rest later.

The CIPP/US certification exam makes heavy use of scenario-based questions. As you're reading, think about how these topics apply to your day-to-day life. When you visit your doctor, does HIPAA apply? What about FERPA? Both?

Once you've read the book once, you can start creating an outline.

Create an Outline

There is a lot of material to keep straight—an outline can be a great tool.

I use the term "outline" fairly loosely. This can be a text document, a spreadsheet, flashcards, a mind map, or whatever works best for you. However, you must have a mechanism for tracking important topics and their core points.

I would base your outline on the Body of Knowledge. Why reinvent the wheel?

You may find some great outlines online. But the best outline is the one you create.

Study the Glossary Terms

I recommend reviewing the IAPP Glossary of CIPP/US Terms.

As mentioned before, I don't think this is an amazing resource, but it is useful.

A word of caution. Although the IAPP provides this glossary, it does not mean it's complete, accurate, or up-to-date—the definitions may be imperfect or imprecise.

Double-check terms and definitions and incorporate them into your outline.

I encourage you to treat this glossary as a guide rather than as the final word.

Review Knowledge Gaps

This may seem obvious, but I recommend checking for potential knowledge gaps.

If it's not clear by now, the CIPP/US covers a lot of material. So it's easy to forget a topic or two here, an important detail over there, etc. How do you avoid this?

Take the practice exam or review Mapping the Official Textbook.

Are you confident about the most important topics? Did you forget any?

If you're unsure of a particular law, e.g., CCPA or GDPR, spend a bit more time understanding the nuances and details—you'll thank yourself later. I certainly recommend spending additional time on Module 5: State Privacy Laws as well.

You Passed, Now What?

Your first step should be to celebrate—congratulations! 🥳

After you add your shiny new certification to LinkedIn, what's next?

The fun doesn't stop here. Read on!

Maintaining Your CIPP/US Certification

You must submit 20 CPEs every 2 years to maintain your CIPP/US.

These Continuing Privacy Education (CPE) credits aren't hard to earn, but it's wise to knock them out early rather than leaving them to the last minute. But what are CPEs?

CPEs are IAPP's mechanism to ensure certification holders remain up-to-date with developments in privacy. They're often used as an alternative to re-taking an exam.

CPEs can come from any material that relates to the certification. For a complete guide to CPEs, refer to IAPP's CPE Policy, but eligible categories include:

  1. Books & Whitepapers
  2. Events
  3. News
  4. Tools & Resources
  5. Training
  6. Videos
  7. Web Conferences

The IAPP provides an invaluable resource for finding CPEs—CPE Central.

CPE Central (requires a login) provides access to a curated list of resources guaranteed to satisfy CPE requirements. You can filter by category, free vs. paid, number of credits, applicable certification (e.g., CIPP/US), and more.

Besides CPEs, you must also pay a Certification Maintenance Fee ($250) every two years or become an IAPP Member ($50-$295) to maintain your CIPP/US.

Check out our detailed post on how to maintain your IAPP certification.

Wrapping Up

I hope this guide was accessible, useful, and practical.

If you have any feedback or would like to share your successes (or failures) with me, please let me know. Cheers!