CIPP/US cram sheet

Everything high-yield you need to memorise for the IAPP CIPP/US exam, on one page: the timeline, the dollar amounts and deadlines, opt-in vs opt-out, who enforces what, the sectoral laws, the Supreme Court cases and the classic traps - curated from the study notes so you can skim it the night before.

The timeline (know the order and the headline years)

Year	Law / event	Why it matters
1890	Warren and Brandeis, "The Right to Privacy"	Defined privacy as "the right to be let alone" - the U.S. starting point.
1970	Fair Credit Reporting Act (FCRA)	The first U.S. law regulating how consumer information is handled.
1974	Privacy Act; FERPA (Buckley Amendment)	Privacy Act covers federal agencies; FERPA covers federally funded schools.
1978	Right to Financial Privacy Act (RFPA); FISA	Government access to bank records; foreign-intelligence surveillance.
1984 / 1986	Cable Communications Policy Act; ECPA	ECPA = Wiretap Act + Stored Communications Act + pen-register provisions.
1988	Video Privacy Protection Act (VPPA)	The "Bork tape" law - now applied to streaming.
1991 / 1994	TCPA; DPPA and CALEA	TCPA = telemarketing/robocalls; CALEA = the "Digital Telephony" wiretap-capability law.
1996	HIPAA; Telecommunications Act (CPNI, Section 230 CDA)	HIPAA for health; Section 230 immunises platforms for user content.
1998 / 1999	COPPA (1998); GLBA (1999)	COPPA = under-13 online; GLBA = financial privacy + Safeguards.
2001 / 2003	USA PATRIOT Act; CAN-SPAM, FACTA, Do-Not-Call Registry	FACTA added the Red Flags and Disposal Rules; CAN-SPAM = commercial email.
2008 / 2009	GINA (2008); HITECH, FTC Red Flags + Health Breach Notification Rule (2009)	HITECH strengthened HIPAA and added breach notification.
2010 / 2015	Dodd-Frank (CFPB); USA FREEDOM, CISA, FAST Act (2015)	CFPB created; USA FREEDOM reformed PATRIOT-era surveillance.
2018 / 2020	CCPA enacted 2018, effective 2020; CLOUD Act (2018); Schrems II (2020)	First U.S. comprehensive state law; CLOUD Act = overseas data in criminal cases.
2023	CPRA fully effective (CPPA); EU-US Data Privacy Framework; CA Delete Act; WA My Health My Data Act	CPRA created the dedicated California agency; DPF restored EU-US transfers.
2024	HBNR update; 42 CFR Part 2 final rule; BIPA amendment; Texas v. Meta $1.4B	Largest-ever single-state biometric settlement.
2025	COPPA Final Rule; TAKE IT DOWN Act; Warby Parker ($1.5M); CISA sunset (extended to Jan 30, 2026)	Opt-in parental consent for kids' targeted ads; AI-deepfake NCII criminalised.

First vs comprehensive

FCRA (1970) was the FIRST U.S. privacy law. CCPA was the first U.S. COMPREHENSIVE state law - enacted 2018 but effective 2020. Do not confuse the two.

Who enforces what (the single most tested distinction)

Regulator	Laws it enforces
FTC	Section 5 (unfair/deceptive), COPPA, CAN-SPAM, FACTA Red Flags & Disposal, the Health Breach Notification Rule, GLBA Safeguards for non-bank financial institutions, and shares FCRA.
CFPB	Rulemaking for FCRA and GLBA privacy; Dodd-Frank "abusive" acts; supervises larger financial institutions.
FCC	TCPA rules, the Do-Not-Call rules, CPNI, the Cable Act, and the 2023 telecom data-breach rules.
HHS Office for Civil Rights	HIPAA Privacy/Security/Breach rules and HITECH.
Dept. of Education	FERPA.
DOJ	FISA, USA PATRIOT/FREEDOM, the Privacy Act, ECPA enforcement.
Federal Reserve / OCC	GLBA for banks; bank supervision. FinCEN enforces the Bank Secrecy Act (with OCC).
State attorneys general	State UDAP laws, breach-notification laws, and may enforce COPPA, HIPAA, CAN-SPAM, GLBA alongside federal agencies.
CPPA	The California Privacy Protection Agency enforces the CCPA/CPRA and the Delete Act (shares with the CA AG).

FTC has no power over...

The FTC's Section 5 authority does not reach banks, common carriers (telecom/transport), or non-profits. Those go to sector regulators (e.g., the FCC, banking regulators).

Opt-in vs opt-out (the classic exam hinge)

The default

The U.S. default is opt-out; the EU default is opt-in. Memorise which U.S. laws flip to opt-in.

Requires OPT-IN (affirmative consent)	Uses OPT-OUT (consent assumed unless declined)
COPPA - verifiable parental consent (under 13)	GLBA - before sharing NPI with a nonaffiliated third party for its own use
HIPAA - before disclosing PHI outside treatment/payment/operations	CAN-SPAM - commercial email (honor opt-out within 10 business days)
FCRA - written consent before a consumer report for employment	Most state comprehensive laws - sale, sharing, targeted advertising, profiling
CAN-SPAM wireless messages (MSCMs) - express prior authorization	Telemarketing / the Do-Not-Call Registry
California - opt-in for sensitive PI of minors; sale/share of under-16 data	California adults - a right to limit use of sensitive PI (not opt-in)

Financial privacy: FCRA vs FACTA vs GLBA

Law	Core idea	Watch for
FCRA (1970)	Regulates consumer reporting agencies and consumer reports; accuracy, access, permissible purpose.	Users need a permissible purpose; adverse-action notices; private right of action.
FACTA (2003)	Amends FCRA: free annual credit report, truncation, fraud alerts, identity-theft protection.	Adds the Red Flags Rule and the Disposal Rule. Generally preempts stricter state law (with narrow exceptions).
GLBA (1999)	Financial institutions must give privacy notices and let consumers opt out of NPI sharing.	Privacy Rule (notice + opt-out, processed in 30 days) vs Safeguards Rule (security program). Does not preempt stricter state law.

Red Flags vs Disposal

Red Flags Rule = detect/prevent identity theft with a written program. Disposal Rule = securely dispose of consumer-report information. Both are FACTA, but they solve different problems.

Bank Secrecy Act numbers

File a Currency Transaction Report for cash transactions over $10,000. File a Suspicious Activity Report (SAR): insider activity any amount; with a suspect at $5,000; without a suspect at $25,000. Keep credit records over $10,000 for 5 years.

Health: HIPAA, and HIPAA vs FERPA

HIPAA	FERPA
Protects PHI held by covered entities (providers who bill electronically, health plans, clearinghouses) and business associates.	Protects education records at schools receiving federal funding.
Enforced by HHS OCR.	Enforced by the Dept. of Education (penalty = loss of funding).
A school nurse's records at a public K-12 school are usually FERPA, not HIPAA.	Rights transfer to the student at age 18 or when they attend a postsecondary school.

Three HIPAA rules

Privacy Rule = uses and disclosures of PHI (minimum necessary; notice; access). Security Rule = safeguards for ePHI (administrative, physical, technical). Breach Notification Rule = notify within 60 days; breaches of 500+ go to HHS and the media without unreasonable delay.

HIPAA companions

HITECH (2009) strengthened HIPAA and made business associates directly liable. GINA bars genetic discrimination in health insurance and employment. The FTC Health Breach Notification Rule covers health apps outside HIPAA - and unlike HIPAA has no deidentified-data exemption.

Children and education

COPPA - applies to sites/services directed to children under 13 (or with actual knowledge); needs verifiable parental consent. The 2025 Final Rule added opt-in consent for targeted advertising, limited data retention, and put biometric and government-issued IDs inside "personal information."
FERPA - directory information may be disclosed unless the parent/student opts out; otherwise written consent is needed (with exceptions like school officials, health/safety emergencies).
PPRA - parental rights around surveys and marketing in schools.

Epic Games (Fortnite), 2023

$520 million total: $275M for COPPA violations + $245M in refunds for dark patterns. Enforced by the FTC.

Telecommunications and marketing

Rule	What to remember
TCPA / FCC	Robocalls, autodialers, texts and faxes; has a private right of action.
TSR / Do-Not-Call	Scrub the DNC list every 31 days; call only 8 a.m.-9 p.m.; EBR exception = 18 months after purchase / 3 months after an inquiry.
CAN-SPAM	Commercial email; opt-out, no false headers, valid physical address; honor opt-outs in 10 business days. No private right of action.
Junk Fax Prevention Act	$500/page, up to $1,500 for willful violations.
CPNI (Telecom Act)	Carrier customer data - consent before marketing use; FCC-enforced.
VPPA	Video rental/streaming records; private right of action; one-time consent valid up to 2 years.
Section 230 (CDA)	Platforms are not treated as the publisher of users' content. TAKE IT DOWN Act (2025) carves out AI-deepfake NCII.

State comprehensive privacy laws

CCPA/CPRA applicability (meet ONE)

A for-profit doing business in CA that: has $25M+ gross annual revenue; OR buys/sells/shares the PI of 100,000+ consumers or households; OR derives 50%+ of revenue from selling/sharing PI.

Theme	The high-yield point
Penalties (CA)	$2,500 per unintentional violation; $7,500 per intentional violation (or violations involving minors).
Enforcer (CA)	The CPPA - the first dedicated U.S. privacy agency - shares enforcement with the AG.
Universal opt-out	California and Colorado require honoring a universal opt-out signal such as the Global Privacy Control (GPC).
Sensitive data	Most states require opt-in; California instead gives a right to limit its use.
Rulemaking agencies	California, Colorado, and New Jersey grant rulemaking to an agency; only California has a dedicated enforcement agency.
Cure periods	Many laws give a temporary right to cure before penalties - several expire over time.

State data breach and sectoral laws

Breach notification - all 50 states (plus DC and territories) have one; most use a risk-of-harm trigger, an encryption safe harbor, and notice "as expeditiously as possible" (often a 45-day cap), with AG notice above a resident threshold.
BIPA (Illinois) - biometric law with a private right of action and $1,000 / $5,000 per violation; Texas (CUBI) and Washington have no private right (AG-enforced).
Washington My Health My Data Act - consumer health data outside HIPAA; has a private right of action (Nevada and Connecticut copies do not).
Illinois GIPA - genetic privacy; private right of action, uncapped per-violation damages.
Data brokers - Vermont was first (2019); the California Delete Act adds one-stop deletion via the CPPA.
AI - NYC Local Law 144 (bias audits for hiring tools); the NAIC Model Bulletin for insurers; Colorado's AI Act.

Biometric settlements

Texas v. Meta = $1.4 billion (2024), the largest ever obtained by a single state. Illinois v. Facebook = $650 million BIPA class settlement (2021). Kronos = $15.28M (a biometric-device vendor held liable).

Government access and surveillance

Authority	What it does
ECPA (1986)	Title I Wiretap Act (real-time intercept), Title II Stored Communications Act (stored records), Title III pen registers / trap-and-trace.
FISA / Section 702	Foreign-intelligence surveillance via the FISC; Section 702 targets non-U.S. persons abroad.
National Security Letters	FBI subpoenas for limited records without judicial approval.
USA PATRIOT vs USA FREEDOM	PATRIOT (2001) expanded surveillance; FREEDOM (2015) reined it in after Snowden (ended bulk Section 215 collection).
CALEA	Telecom carriers must build interception capability (the "Digital Telephony" law).
CLOUD Act (2018)	Access to data stored abroad in criminal investigations.
RFPA / PPA	RFPA = government access to bank records (records must be reasonably described). PPA protects journalists' work product.

Real-time vs stored

Intercepting a live communication (the Wiretap Act) is held to a higher standard than obtaining a stored record (the Stored Communications Act). Exam scenarios turn on this.

Constitution and key Supreme Court cases

Amendments with privacy hooks

1st (anonymity/association), 3rd (home), 4th (searches/seizures), 5th (self-incrimination), 9th (unenumerated rights), 14th (due process). The word "privacy" is not in the Constitution.

Case	Holding
Olmstead (1928)	Wiretapping phone lines was not a Fourth Amendment search (later overturned).
Katz (1967)	Reasonable expectation of privacy test; a warrant is needed where one exists.
Smith v. Maryland (1979)	The third-party doctrine - no expectation of privacy in numbers given to the phone company (pen register).
U.S. v. Jones (2012)	Attaching a GPS tracker is a search.
Riley v. California (2014)	Police need a warrant to search a cell phone incident to arrest.
Carpenter (2018)	A warrant is needed for historical cell-site location records - limits the third-party doctrine.

FTC enforcement mechanics

Section 5 - prohibits unfair and deceptive acts or practices. Deception = a material misrepresentation likely to mislead; unfairness = substantial injury, not reasonably avoidable, not outweighed by benefits.
Consent decrees - most privacy cases settle this way; FTC decrees typically run 20 years.
AMG Capital (2021) - the Supreme Court held the FTC cannot get monetary relief under Section 13(b), pushing the FTC toward rulemaking.

Landmark FTC settlements

Facebook = $5 billion (2019). Equifax = at least $575 million (up to $700M, 2019). Warby Parker = $1.5M HIPAA Security Rule penalty (HHS OCR, 2025).

International transfers (the U.S. angle)

The U.S. is sectoral and traditionally does not restrict outbound transfers - the opposite of the GDPR.
EU-US history: Safe Harbor (struck down by Schrems I, 2015) -> Privacy Shield (struck down by Schrems II, 2020) -> Data Privacy Framework (adequacy, 2023).
GDPR transfer tools your U.S. clients may use: adequacy, SCCs, binding corporate rules, and narrow derogations.

Easily confused - know the difference

This	Not this
Opt-out (GLBA, CAN-SPAM, most state sales) - shared unless you decline	Opt-in (COPPA, HIPAA disclosures, FCRA employment) - nothing happens until you agree
FCRA - the core consumer-reporting law	FACTA - the 2003 amendment adding Red Flags, Disposal, free reports
GLBA Privacy Rule - notices and opt-out	GLBA Safeguards Rule - the written information-security program
HIPAA - health data at covered entities	FERPA - education records at funded schools; the FTC's HBNR covers health apps outside HIPAA
Wiretap Act - real-time interception	Stored Communications Act - data already stored
USA PATRIOT Act - expanded surveillance	USA FREEDOM Act - curtailed it (ended bulk Section 215)
Comprehensive law (EU, U.S. states) - broad, cross-sector	Sectoral law (U.S. federal) - industry-by-industry
Controller / processor - EU terms also used in U.S. state laws	Data owner - not a defined privacy-law role
Private right of action - TCPA, VPPA, FCRA, BIPA, MHMDA	No private right - CAN-SPAM, GLBA, most state comprehensive laws (CA has a limited one for breaches)

Tricky terms worth a last look

Personal information (CCPA): Information that identifies, relates to, or could reasonably be linked with a consumer or household.
Nonpublic personal information (NPI): The GLBA term for personally identifiable financial information a consumer gives a financial institution.
Protected health information (PHI): Individually identifiable health information held by a HIPAA covered entity or business associate.
Covered entity: Under HIPAA: a health plan, health care clearinghouse, or provider that transmits health data electronically.
Business associate: A vendor that handles PHI for a covered entity - bound by a business associate agreement and directly liable under HITECH.
Consumer report: An FCRA communication from a consumer reporting agency bearing on creditworthiness, character, or reputation.
Permissible purpose: The FCRA requirement that a user certify a legitimate reason (e.g., employment) before obtaining a consumer report.
Preemption: A superior government's law overriding an inferior one (Supremacy Clause). FACTA and CAN-SPAM preempt; GLBA and HIPAA set a floor.
Unfair practice (FTC): Causes substantial injury, not reasonably avoidable, not outweighed by benefits.
Deceptive practice (FTC): A material representation or omission likely to mislead a reasonable consumer.
Consent decree: A settlement, typically 20 years, in which a company agrees to change practices without admitting fault.
CPNI: Customer Proprietary Network Information - telecom usage data protected under the Telecommunications Act.
Section 230: Immunises interactive computer services from liability for third-party content.
Universal opt-out mechanism: A browser/device signal (e.g., GPC) that opts a consumer out across all sites at once.
Private right of action: A statutory right for individuals to sue directly (TCPA, VPPA, FCRA, BIPA, MHMDA).
Red Flags Rule: FACTA rule requiring an identity-theft detection and prevention program.
Disposal Rule: FACTA rule requiring secure disposal of consumer-report information.
Third-party doctrine: The idea that information shared with a third party loses Fourth Amendment protection - narrowed by Carpenter.
Adequacy / DPF: The EU mechanism (and the 2023 EU-US Data Privacy Framework) permitting transfers to the U.S.
Dark pattern: A deceptive interface design that manipulates users - central to the Epic Games settlement.

Memory hooks

"FCRA is first; CCPA is comprehensive"

FCRA (1970) = first U.S. privacy law. CCPA = first U.S. comprehensive state law (effective 2020).

"GLBA opts out; COPPA opts in"

Financial sharing is opt-out (GLBA); kids' data is opt-in (COPPA). HIPAA disclosures and FCRA employment reports are also opt-in.

"Privacy = uses; Security = safeguards"

For HIPAA and GLBA alike: the Privacy rule governs uses/disclosures and notices; the Security/Safeguards rule governs the protection program.

"Wiretap is live; SCA is stored"

Real-time interception (Wiretap Act) needs more than a stored record (SCA). PATRIOT expanded, FREEDOM reformed.

Next: how to pass the CIPP/US, the free study notes, and the practice exam.

Frequently asked questions

What was the first U.S. privacy law, and the first comprehensive state law?

The Fair Credit Reporting Act (1970) was the first U.S. law regulating consumer information. The California Consumer Privacy Act (CCPA) was the first comprehensive state privacy law - enacted in 2018 and effective in 2020.

Which U.S. privacy laws require opt-in rather than opt-out?

COPPA (verifiable parental consent), HIPAA (before disclosing PHI outside treatment/payment/operations), and the FCRA (written consent before a consumer report for employment) require opt-in. GLBA, CAN-SPAM, and most state comprehensive laws use opt-out.

What is the difference between FCRA, FACTA, and GLBA?

FCRA (1970) governs consumer reporting agencies and consumer reports. FACTA (2003) amends FCRA and adds the Red Flags and Disposal Rules and the free annual credit report. GLBA (1999) requires financial institutions to give privacy notices and an opt-out, and to maintain a security program under the Safeguards Rule.

When does HIPAA apply versus FERPA?

HIPAA covers protected health information held by covered entities (and business associates) and is enforced by HHS OCR. FERPA covers education records at federally funded schools and is enforced by the Department of Education; a public school's student health records are generally FERPA, not HIPAA.

Who enforces the main U.S. privacy laws?

The FTC enforces Section 5, COPPA, CAN-SPAM, the FACTA Red Flags and Disposal Rules, and the Health Breach Notification Rule. HHS OCR enforces HIPAA, the FCC enforces the TCPA and CPNI rules, the Department of Education enforces FERPA, and state attorneys general enforce state UDAP and breach-notification laws. California's CPPA enforces the CCPA/CPRA.

What are the CCPA applicability thresholds and penalties?

A for-profit doing business in California qualifies if it has $25 million or more in gross annual revenue, buys/sells/shares the personal information of 100,000 or more consumers or households, or derives 50% or more of revenue from selling or sharing personal information. Penalties are $2,500 per unintentional violation and $7,500 per intentional violation or violations involving minors.