IAPP CIPP/US (U.S. private-sector privacy) exam prep
CIPP/US - U.S. Private-Sector Privacy
Free, structured study notes built around active recall and spaced retrieval - 307 topics across the full CIPP/US body of knowledge. Read it free; unlock the 722-question practice bank and the official 90-question IAPP CIPP/US practice exam when you're ready to test yourself.
Core Study Guide
Chapter 1: Introduction to Privacy (19 topics)
- Defining Privacy
- The Four Classes of Privacy
- Historical and Social Origins of Privacy
- Fair Information Practices (FIPs) Overview
- U.S. HEW Fair Information Practices (1973)
- OECD Guidelines (1980)
- Council of Europe Convention 108 (1981)
- APEC Privacy Framework (2004)
- Madrid Resolution (2009)
- Information Technology and the Rise of Data Protection Law
- Personal Information and Sensitive Personal Information
- Nonpersonal, Deidentified, and Pseudonymized Information
- The Line Between Personal and Nonpersonal Information
- Sources of Personal Information
- Processing and Data Roles - Subject, Controller, Processor
- Sources of Privacy Protection
- Comprehensive Model of Data Protection
- Sectoral Model (United States)
- Co-Regulatory, Self-Regulatory, and Technology Models
Chapter 2: U.S. Legal Framework (15 topics)
- The Three Branches of U.S. Government
- Sources of Law in the United States
- Constitutions as a Source of Privacy Law
- Legislation and Federal Preemption
- Case Law, Common Law, and Stare Decisis
- Contract Law and Privacy Notices
- Tort Law and Privacy Torts
- Regulations, Rules, and Agency Guidance
- Consent Decrees
- Key Definitions: Person, Jurisdiction, Authority, Preemption, Private Right of Action
- Notice, Choice, and Access (Opt-In vs. Opt-Out)
- Federal and State Regulatory Authorities for Private-Sector Privacy
- Self-Regulation in Privacy
- Six Keys to Understanding Any Law
- Applying the Framework: California SB 1386 Breach Notification
Chapter 3: Introduction to Technological Aspects of Privacy (28 topics)
- Basics of the Internet: TCP/IP and Packet Switching
- Web Infrastructure: HTTP, HTML, HTTPS and XML
- URLs, URIs, URNs and Hyperlinks
- Key Web Infrastructure: Servers, Proxies, VPNs, ISPs and IP Addresses
- Client-Server Architecture: Front End and Back End
- Cloud Computing: SaaS, PaaS and IaaS
- Edge Computing and Latency
- How Emails and Texts Work: SMTP, IMAP, POP, SMS and OTT
- Deep Packet Inspection
- Wireless Eavesdropping and Defenses
- Internet Monitoring by Employers, Schools and Parents
- Spyware and Phishing Variants
- HTTP Cookies: Session vs Persistent, First vs Third Party
- First-Party Data Collection and Data Brokers
- Third-Party Data Collection and the Decline of Third-Party Cookies
- Tracking Email Recipients and Cross-Device Tracking
- Location Tracking: Technologies and Carpenter
- Surveillance by Audio, Video and Other Sensors
- Deidentification: Anonymous vs Pseudonymous and Identifiers
- Approaches to Deidentification: Suppression, Generalization, Noise Addition
- Reidentification Risk and Differential Privacy
- Deidentification Standards: HIPAA Methods and FTC Guidance
- Encryption: Symmetric, Asymmetric, Certificates and PKI
- Hashing, Salt and Digital Signatures
- Cybersecurity Foundations: The CIA Triad
- The NIST Cybersecurity Framework
- The Adversarial Mindset: STRIDE, Zero Trust and Least Privilege
- Privacy by Design and Limits of Technical Measures
Chapter 4: Information Management and Privacy Risk Management (22 topics)
- The Business Case for Privacy and the Cost of Mishandling Data
- Information Management and the Privacy Professional's Role
- Privacy Team Roles - CPO, DPO, and Others
- The Data Life Cycle
- Data Inventory and Data Classification
- Data Flow Mapping - Top-Down and Bottom-Up
- Data Accountability - Controllers, Processors, and Encryption
- The Privacy Program and Four Business Risks
- Privacy Program Framework and Metrics
- Privacy Operational Life Cycle - Assess, Protect, Sustain, Respond
- Privacy Policy vs Privacy Notice
- Drafting, Updating, and Versioning the Privacy Policy
- Delivering Privacy Notices - Layered, Just-in-Time, and Mobile
- Opt-In, Opt-Out, and No Option
- Managing User Preferences and Dark Patterns
- Responding to User Requests and Consumer Rights
- Privacy Risk Management and Privacy Harms
- Privacy Impact Assessments (PIAs) and DPIAs
- Vendor and Third-Party Risk Assessments
- Information Security - CIA Triad and Control Types
- Data Breach Readiness Assessments
- Global Perspective and Cross-Border Data Transfer Mechanisms
Chapter 5: Federal and State Regulators and Enforcement of Privacy Law (18 topics)
- The Federal and State Regulatory Landscape
- Types of Litigation and Enforcement
- Federal Privacy Enforcement Outside the FTC
- Other Federal Privacy Actors and the DOJ's Criminal Role
- The FTC, Section 5, and Jurisdictional Limits
- Court Confirmation of FTC Authority: Wyndham and LabMD
- FTC Enforcement Tools and the AMG Decision
- FTC Rulemaking Under Magnuson-Moss
- FTC Enforcement Process and Consent Decrees
- Deceptive Trade Practices and Broken Privacy Promises
- Unfair Trade Practices
- Additional FTC Authority: COPPA, HITECH, FCRA, CAN-SPAM
- The Future of FTC Enforcement
- State Attorneys General and UDAP Statutes
- State Comprehensive Laws and Federal Sectoral Exemptions
- State Breach Notification, SSN Protections, and Identity Theft Laws
- Additional State Protections: Torts, BIPA, and the AADC Act
- Self-Regulation and Enforcement
Chapter 6: State Comprehensive Privacy Laws (21 topics)
- The U.S. Has No Federal Comprehensive Privacy Law
- Federal Preemption and Private Right of Action Debates
- California as First Mover - CCPA and CPRA
- The Five State Laws in Effect in 2023
- Entity-Level vs Data-Based Exemptions
- Defining Business - Applicability Thresholds
- Which Entities Are Excluded from Business
- Defining Consumer - Who Is Protected
- Personal Information and Its Exclusions
- Sensitive Personal Information
- Sale and California's Unique Sharing Regulation
- Consumer Rights Overview and Response Timelines
- Access, Correction, and Deletion Rights
- Opt-Out Rights - Sales, Targeted Advertising, Automated Decisions
- Rights Concerning Sensitive Data and Nondiscrimination
- Business Obligation - Notice and Transparency
- Opt-In Default for Children's Data
- Purpose Limits, Risk Assessments, and Security
- Enforcement - Penalties and Enforcers
- Cure Periods and the Private Right of Action
- Universal Opt-Out Mechanisms and the Global Privacy Control
Chapter 7: State Data Breach Notification, Data Security, and Data Destruction Laws (25 topics)
- State Breach, Security, and Destruction Laws: The Landscape
- The Absence of a Federal Breach Law
- Common Structure of State Breach Laws
- Breach Laws: Defining Personal Information
- Breach Laws: Covered Entities
- Breach Laws: Security Breach and Risk-of-Harm
- Notification: Whom to Notify
- Notification: Timing to Affected Parties
- Notification: Content of the Letter
- Notification: Free Credit Monitoring
- Notification: Method and Substitute Notice
- Notification: Attorney General and State Agency Notice
- Notification: Consumer Reporting Agencies
- Exceptions to Notification
- When Notification May Be Delayed
- Enforcement: Penalties and Private Rights of Action
- California Statutory Damages (CCPA/CPRA)
- State Data Security Laws
- State Data Destruction Laws
- U.S. Approach in Context
- Washington's My Health My Data Act and Consumer Health Data Laws
- Illinois Genetic Information Privacy Act (GIPA)
- Data Broker Registries and the California Delete Act
- State Biometric and Facial Recognition Laws
- State AI Laws, Automated Decisions, and the NAIC Model Bulletin
Chapter 8: Medical Privacy (23 topics)
- Why Medical Privacy Gets Special Protection
- Health Information Is Protected Differently by Setting
- HIPAA Origins and Purpose
- PHI and ePHI Defined
- Covered Entities Under HIPAA
- Business Associates and BAAs
- The HIPAA Privacy Rule and the FIPPs
- Limits and Exceptions to the Privacy Rule
- The HIPAA Security Rule
- Telemedicine and the Pandemic Rule Changes
- HIPAA Enforcement and Penalties
- HIPAA Preemption and State Laws
- HITECH and Breach Notification
- HITECH: Penalties, Limited Data, and EHRs
- Confidentiality of Substance Use Disorder Patient Records Rule
- Genetic Information Nondiscrimination Act (GINA)
- GINA Preemption and State Genetic Laws
- 21st Century Cures Act and Information Blocking
- Cures Act: API Portability and Other Privacy Provisions
- Medical Technology: FTC Act, FDCA, and State Laws
- Online Tracking Technologies, HIPAA, and the Warby Parker Penalty
- The FTC Health Breach Notification Rule and the 2024 Update
- The 42 CFR Part 2 Final Rule (2024) and Reproductive Health
Chapter 9: Financial Privacy (29 topics)
- Financial Privacy Landscape and Regulators
- FCRA Purpose, History and Preemption
- CRAs and Consumer Reports Defined
- Users and Furnishers Under the FCRA
- CRA Core Requirements: Access, Accuracy, Obsolescence
- Permissible Purpose and Certification
- Adverse Action Notices
- Furnisher Duties and the Furnisher Rule
- Risk-Based Pricing and Credit Score Disclosures
- Consumer Reports for Employment
- Misconduct Investigations and Investigative Consumer Reports
- Medical Information and Prescreened Lists Under FCRA
- FCRA Enforcement and Penalties
- FACTA Amendments and Consumer Protections
- The Disposal Rule
- The Red Flags Rule
- GLBA Overview and Privacy Provisions
- GLBA Scope, NPI and Enforcement
- The GLBA Privacy Rule
- The GLBA Safeguards Rule
- State Financial Privacy: California (CFIPA) and New York (NYDFS)
- Dodd-Frank and the CFPB's Authority
- Regulation E and the Electronic Fund Transfer Act
- Anti-Money-Laundering: The Bank Secrecy Act
- Suspicious Activity Reports and BSA Enforcement
- USA PATRIOT Act, KYC, FATCA and the AML Act of 2020
- Future of Financial Regulation and Cryptocurrency Privacy
- The FAST Act GLBA Annual-Notice Exception and the TaxSlayer Case
- BSA Enforcement (USAA) and Privacy in Mergers and Acquisitions
Chapter 10: Education Privacy (20 topics)
- FERPA Overview and Scope
- FERPA Definition of Student
- Education Record and Its Exceptions
- Personally Identifiable Information under FERPA
- Directory Information and Opt-Out
- Holder of FERPA Rights
- When Disclosure of Education Records Is Permitted
- Valid Consent and Identity Verification
- Statutory Exceptions to FERPA Consent
- Rights to Access, Review, and Correction
- FERPA Enforcement, No Private Right, and Preemption
- PPRA and the No Child Left Behind Amendments
- Individuals with Disabilities Education Act
- FERPA and the HIPAA Privacy Rule
- Education Technology and FERPA
- Edtech under COPPA and Self-Regulation
- State Student Privacy Laws and SOPIPA
- Cybersecurity Requirements in Education
- The COPPA Final Rule (2025)
- FTC v. Epic Games (Fortnite)
Chapter 11: Telecommunications and Marketing (25 topics)
- Telemarketing Regulatory Framework: TCPA, TSR, FCC and FTC
- TSR Rules on How Calls May Be Made
- TSR Required Disclosures at the Start of a Call
- TSR Misrepresentations, Material Omissions and Payment Authorization
- Transmission of Caller ID Information
- Call Abandonment, Predictive Dialers and the Abandonment Safe Harbor
- Prohibition on Unauthorized Billing and Pre-Acquired Account Information
- TCPA Updates: Robocalls, Autodialers, Robotexts and Facebook v. Duguid
- TSR Recordkeeping Requirements
- TSR Enforcement, Penalties and the Private Right of Action
- The National Do Not Call Registry
- Exceptions to the DNC Rules: EBR, Consent and DNC Safe Harbor
- Robocall Enforcement Actions and State Telemarketing Laws
- Fax Marketing: TCPA and the Junk Fax Prevention Act
- The CAN-SPAM Act of 2003
- CAN-SPAM Wireless Rules: MSCMs, Express Prior Authorization and the Wireless Domain Registry
- The Telecommunications Act of 1996 and CPNI
- CPNI Opt-in/Opt-out Rules, Pretexting and Covered Entities
- The Cable Communications Policy Act of 1984
- The Video Privacy Protection Act of 1988
- State Laws on Digital Advertising: CalOPPA, Age-Appropriate Design, and Comprehensive Laws
- Self-Regulation for Digital Advertising: DAA and NAI
- Digital Advertising Ethics: Behavioral Advertising, Dark Patterns and Children
- Section 230 of the Communications Decency Act and the TAKE IT DOWN Act
- FCC 2023 Telecom Data Breach Notification Rules
Chapter 12: Workplace Privacy (25 topics)
- Workplace Privacy: The U.S. Legal Landscape
- Constitutional Law and the State-Action Limit
- State Contract, Tort, and Statutory Protections
- Federal Laws Affecting Employment Privacy
- Federal Agencies Protecting Employee Privacy
- The Employment Life Cycle Framework
- Reasons for Background Screening
- Antidiscrimination Laws as Limits on Screening
- ADA Restrictions on Medical Screening
- FCRA Restrictions on Background Checks
- FACTA Preemption and Stronger State Credit Laws
- Fair Chance Act and Ban-the-Box Laws
- Screening Technologies: Social Media and AI
- Polygraphs and the EPPA
- Substance Use Testing
- Lifestyle Discrimination
- Workplace Monitoring: Baseline and Policies
- Legal Obligations and Incentives to Monitor
- Intercepting Communications: Wiretap Act and ECPA
- Stored Communications Act and City of Ontario v. Quon
- Biometric, Video, and Mail Monitoring; Union Activity
- LBS, DLP, BYOD, and Teleworking Policies
- Investigating Employee Misconduct: Vail Letter and FACTA Fix
- After Employment: Access Termination and HR Records
- Automated Employment Decision Tools and the Kronos Biometric Case
Chapter 13: Privacy Issues in Civil Litigation and Government Investigations (20 topics)
- How Disclosures Are Required, Permitted, or Forbidden
- Disclosures Required by Law
- Disclosures Permitted by Law
- Disclosures Forbidden by Law and Evidentiary Privileges
- Public Court Records, Protective Orders, and Required Redaction
- Electronic Discovery and ESI
- Discovery Under HIPAA and GLBA
- Cross-Border Discovery and the Hague Convention
- Fourth Amendment Limits on Law Enforcement Searches
- Emerging Fourth Amendment Issues - Abortion Data and Geofence Warrants
- Statutes That Go Beyond Fourth Amendment Requirements
- Wiretap Act, ECPA, and Stored Communications Act
- Preservation Orders and Pen Register / Trap-and-Trace
- CALEA and the Cybersecurity Information Sharing Act
- Right to Financial Privacy Act and Privacy Protection Act
- Evidence Stored Abroad - CLOUD Act and Budapest Convention
- National Security Surveillance - Constitutional Tension and Post-Snowden Reform
- FISA, Section 702, Section 215, and FISC
- National Security Letters
- The Cybersecurity Information Sharing Act and Its 2025 Sunset
Chapter 14: The GDPR and International Privacy Issues (17 topics)
- GDPR Overview, Scope, and Sanctions
- Personal Data and Sensitive Personal Data
- Controller, Processor, and Data Subject
- Consent Under the GDPR
- Data Protection Authorities and Data Protection Officers
- The Seven General Principles
- Data Subject Rights: Overview and Handling Requests
- Rights to Be Informed, Access, and Rectification
- Rights to Erasure and Restriction of Processing
- Rights to Portability, to Object, and Against Automated Decision-Making
- Breach Notification and Response
- Enforcement: Complaints and Liability
- Levels of Fines and Criminal Sanctions
- International Transfers and Adequate Countries
- Appropriate Safeguards and Derogations
- EU-U.S. Transfers: Schrems I, Schrems II, and the Data Privacy Framework
- Recent Developments in Global Data Flows