CIPP/US essentials
The middle layer between the full guide and the cram sheet: the must-know laws, regulators, opt-in/opt-out rules and distinctions for each exam area - and nothing else. When you can recall every row here, drop to the cram sheet; if a row is fuzzy, jump up to the full one-page guide.
Introduction to Privacy
| Law / concept | The one thing to know |
|---|---|
| Privacy vs. data protection | "Privacy law" = U.S. term; "data protection law" = EU term - same field. Warren & Brandeis (1890): "the right to be let alone." |
| U.S. Constitution | The word "privacy" does NOT appear; inferred from 3rd/4th/5th/14th Amendments. The California Constitution expressly added it by ballot (1974). |
| FIPs / FIPPs | Four categories: rights of individuals, controls on information, information life cycle, management. The 1980 OECD Guidelines are the most recognized, endorsed by the FTC (8 principles, incl. Accountability). |
| 1970 "firsts" | Hesse, Germany = world's first modern data protection law; FCRA = first U.S. national privacy law (sectoral, credit only). |
| Sensitive vs. anonymized | Sensitive PII (SSN, financial, driver's license, health) needs extra safeguards. Anonymized/deidentified data is outside privacy law; pseudonymized data is reversible and still in scope. |
| Data roles | Controller decides how/why and bears most obligations; processor acts on its behalf = HIPAA "business associate." Subject = the individual. |
| Comprehensive vs. sectoral | Comprehensive (EU) = economy-wide with a DPA. Sectoral (U.S.) = industry-specific laws, no single DPA, prone to gaps and overlaps. |
Watch the region/regime swap: U.S. = sectoral + "privacy law", EU = comprehensive + "data protection law." Also: an IP address is "personal data" in the EU but generally NOT under the U.S. Privacy Act - the answer depends on the regime.
U.S. Legal Framework
| Law / concept | The one thing to know |
|---|---|
| Federal preemption | HIPAA = floor, states MAY go stricter; CAN-SPAM preempts stricter state email rules. Do not reverse them. |
| Opt-in vs opt-out | Opt-in = affirmative "yes," silence means NOT shared; opt-out = silence means data IS shared. |
| FTC authority | Has BOTH general authority over unfair/deceptive practices (broken privacy promises) AND specific authority to enforce COPPA. |
| Privacy notice promises | Enforceable by the FTC and the states; a notice the consumer relied on may itself be a contract. |
| Consent decree | Judge-approved settlement to stop activity, typically with no admission of guilt; once approved, it has the effect of a court decision (the FTC uses it for COPPA). |
| Consideration | Contract needs offer + acceptance + consideration; no consideration, no contract. |
| Negligent tort | Inadequate security = negligence; privacy torts often beaten by a First Amendment defense. |
| CPPA (CPRA) | First U.S. agency dedicated to a state comprehensive law; Dept. of Commerce has NO privacy regulatory authority. |
| California SB 1386 | First breach law; covers entities doing business in California; only unencrypted name+SSN/license/account triggers notice; CA AG + private right of action. |
HIPAA lets states pass STRICTER rules, but CAN-SPAM preempts stricter state email laws. The exam loves to flip these - memorize which way each cuts.
Technological Aspects of Privacy
| Law / concept | The one thing to know |
|---|---|
| IP address as personal data | Persistent/static IP lets a site re-identify a device, so the EU treats IP as personal info; some US regulators do not. |
| CPRA (eff. Jan 2023) - third-party cookies | Requires notice + an opt-out (not EU-style opt-in) for third-party cookies. |
| First-party cookies vs terms of use | Cookie consent only allows setting cookies; broad rights (selling data, location) come from terms of use. CA + EU give notice before setting cookies. |
| Marketing messages | CAN-SPAM = commercial email opt-outs; TCPA = marketing texts. |
| Carpenter v. US + COPPA | Police need a warrant for long-term location tracking; COPPA includes location as personal data. |
| Pseudonymous vs anonymous (EU) | Pseudonymized = still personal data under GDPR; only true anonymization falls outside it. |
| HIPAA deidentification | Safe harbor = remove 18 identifiers; expert determination = documented very-small risk. (FTC's non-HIPAA test: reasonable measures + public commitment + contractual ban on re-ID.) |
| Encryption at rest | Under most breach-notice laws, encryption at rest exempts you from the duty to report a breach. |
| NIST CSF + Privacy by Design | CSF (Identify-Protect-Detect-Respond-Recover) is guidance, not law; Privacy by Design is required in CA and the EU. |
The CPRA third-party-cookie rule is opt-out, matching the US tradition - not EU-style opt-in consent. Pairing it with "opt-in" is the classic wrong answer.
Information & Privacy Risk Management
| Law / concept | The one thing to know |
|---|---|
| Opt-in laws | COPPA (verifiable parental consent for under-13), HIPAA disclosure of PHI, FCRA release of credit report - all need affirmative consent first. |
| Opt-out laws | GLBA (before sharing PI with an unaffiliated third party; affiliate sharing needs none), VPPA, CAN-SPAM, Do Not Call. Opt-out is still an enforceable promise. |
| No option | Order fulfillment, fraud prevention, first-party marketing - "commonly accepted practices" need neither opt-in nor opt-out. |
| Policy vs notice | Policy = internal (guides staff); notice = external (a promise to consumers). Breaking the notice = deceptive practice the FTC or state AG can pursue. |
| Material policy change | FTC requires opt-in (express affirmative consent) before applying a material change retroactively; at a minimum, sharing with third parties after promising not to counts as a material change. |
| GLBA notice | Financial institutions must deliver the privacy notice annually with clear opt-out rights, and honor an opt-out across all channels. |
| Controller vs processor | Controller sets purposes/means; processor acts on its behalf. Processor analogues: HIPAA business associate, GLBA service provider. |
| Encryption / breach notice | Under many breach laws, no notice required if lost PI was sufficiently encrypted. |
| CIA triad | Security = confidentiality, integrity, availability; controls are physical, administrative, technical. Security protects data; privacy decides authorized use. |
Match each law to its consent model: COPPA, HIPAA, FCRA = opt-in; GLBA third-party transfer, VPPA, CAN-SPAM = opt-out. Order fulfillment is the canonical "no option" practice.
Federal & State Regulators and Enforcement
| Law / concept | The one thing to know |
|---|---|
| Section 5, FTC Act | Bars "unfair or deceptive acts in commerce" - the lead U.S. privacy tool; FTC enforces. Trap: does NOT reach nonprofits, banks, or common carriers. |
| Deceptive vs Unfair | Deceptive = material statement/omission likely to mislead (broken privacy promise). Unfair = substantial injury, not reasonably avoidable, not outweighed by benefits - no false statement needed. |
| AMG v. FTC (2021) | FTC cannot get monetary relief under Section 13(b). Non-monetary remedies (algorithmic disgorgement) survive. |
| Wyndham / LabMD | Wyndham (2015): Section 5 unfairness covers cybersecurity. LabMD (2018): authority confirmed but order vacated as too vague. |
| Sectoral regulators | HIPAA = OCR/HHS; GLBA = CFPB/bank regulators; FERPA = Dept. of Education; TCPA = FCC; ADA = EEOC. Don't pick the FTC for these. |
| OMB / DOJ | OMB interprets the Privacy Act of 1974 (federal agencies + contractors). DOJ is the sole federal criminal enforcer. |
| COPPA | Children under 13; requires verifiable parental consent; FTC enforces. |
| FCRA | Has a private right of action (sue directly). State AGs must notify FTC before suit. |
| State AGs + UDAP | All 50 states have UDAP statutes; FTC Act does not preempt them. AGs may join HIPAA, GLBA, CAN-SPAM actions. |
If the entity is a nonprofit, bank/financial institution, or common carrier, the FTC has no Section 5 jurisdiction - the answer is the sector regulator (or state AG), never the FTC.
State Comprehensive Privacy Laws
No federal comprehensive law - the US is sectoral; states fill the gap. Five laws in effect in 2023: California (broadest, most GDPR-like) + Colorado, Connecticut, Virginia (similar) + Utah (narrowest outlier).
| Law / concept | The one thing to know |
|---|---|
| California (CCPA/CPRA) | Enacted 2018, effective Jan 1 2020; CPRA passed late 2020, effective Jan 1 2023, created the CPPA. Only state to include employees + household data and to regulate sharing; $25M revenue alone triggers coverage. |
| Threshold trap | CA, CO, CT, VA use a 100,000-consumer trigger; Utah requires $25M revenue PLUS a processing threshold (revenue alone never enough). CT excludes payment transactions. |
| FCRA / GLBA / HIPAA | FCRA-covered entities exempt in all five; GLBA in four (not CA); HIPAA in three. Entity-level (whole org) vs data-based (only that data) exemption matters. |
| Sale vs sharing | Utah + Virginia: sale = money only; CA, CO, CT include bartering (any value). Only CA regulates sharing (cross-context behavioral ads). |
| Sensitive data | CO, CT, VA require opt-in consent; Utah only notice + opt-out; CA self-restrict/opt-out. CO, CT, VA treat children's data as sensitive. |
| Consumer rights | Response 45 days (+45); CA opt-out only 15 days. Right to appeal: CO, CT, VA only. Utah lacks correction + automated-decision rights. |
| Children opt-in | CA: under 16 (sell/share); CT: 13-16; Utah: under 13. |
| Enforcement | State AG everywhere; CA adds the CPPA; CO adds district attorneys ($20,000 cap, highest). VA and Utah: AG only ($7,500). No general private right of action; CA's is breach-only. |
No state has a traditional private right of action. California's is limited to data breaches and account credentials - NOT access, deletion, or opt-out rights.
State Breach, Security & Sectoral Laws
| Law / concept | The one thing to know |
|---|---|
| No federal breach law | All 50 states have breach laws; no comprehensive federal law - businesses want preemption of stricter state laws, advocates want the strictest floor. |
| "Personal information" | Name + (SSN, license/state ID, or financial/card number); trap: email-only or browsing data usually does NOT trigger. |
| Encryption safe harbor | Encrypted/unreadable data is exempt - unless the decryption key is also breached (e.g. Illinois). |
| Risk-of-harm | Nearly all states excuse notice if harm unlikely; NOT California, Georgia, Illinois, Minnesota, North Dakota, Texas. |
| Who/when to notify | Affected residents (all 50); AG + CRAs (~two-thirds); standard = without unreasonable delay, 30-day best practice. |
| CA statutory damages (CCPA/CPRA) | $100-$750 per incident, no proof of loss, for failure to keep reasonable security; barred by a 30-day cure. |
| Private right of action | Breach laws: nearly 15 states (capped at actual damages). AG-only otherwise; highest AG cap $750,000 (Michigan). |
| Illinois BIPA (biometric) | First biometric law (2008); private right of action, $1,000/$5,000. Texas CUBI + Washington are AG-only (Texas won $1.4B from Meta). |
| Consumer health / genetic | WA MHMDA has a private right of action; Nevada + Connecticut are AG-only. Illinois GIPA: uncapped per-violation damages. |
The biggest trap is private right of action vs AG-only: Illinois (BIPA, GIPA) and Washington (MHMDA) let individuals sue; Texas (CUBI), Washington biometric, Nevada and Connecticut are enforced by the AG only. Also do not assume the encryption safe harbor survives a stolen decryption key.
Medical Privacy
| Law / concept | The one thing to know |
|---|---|
| HIPAA scope | Only binds covered entities (providers doing electronic transactions, health plans, clearinghouses) + business associates. Trap: a cash-only doctor who never bills electronically is NOT covered. |
| Privacy Rule | Covers all PHI in any form; OCR enforces. TPO (treatment/payment/operations) needs no authorization; everything else (e.g. marketing by mail) is opt-in. |
| Security Rule | Covers only ePHI (paper, paper-to-paper fax, voice calls are NOT ePHI). Specs are required vs addressable (assess; if declined, document why). |
| Enforcement | No private right of action - file with OCR. OCR civil up to ~$2M/yr per violation type; DOJ criminal up to 10 years. |
| Preemption | HIPAA is a federal floor and does NOT preempt stricter state law (e.g. CMIA). |
| HITECH (2009) | Breach presumed unless risk assessment shows low probability; notify individuals within 60 days, HHS immediately if >500, media if 500+ in one jurisdiction. Encryption avoids liability. |
| FTC HBNR / FTC Act | Reaches health apps/wearables outside HIPAA; no deidentified-data exemption (unlike HIPAA). 2024 update: FTC notice simultaneous with consumer notice at 500+. |
| GINA (2008) | Bars genetic discrimination by health insurers + employers absent manifest symptoms; floor only. Trap: does NOT cover life insurers, mortgage lenders, or schools. |
| 42 CFR Part 2 | Substance-use records, generally stricter than HIPAA; needs written consent (2024 rule: single consent for TPO). |
"Health data" does NOT mean "HIPAA." It is only HIPAA-protected if a covered entity or business associate holds it. A personal smartwatch, retail DNA test, or wellness app is generally outside HIPAA and instead reached by the FTC Act (unfair/deceptive practices).
Financial Privacy
| Law / concept | The one thing to know |
|---|---|
| FCRA (1970) | Governs CRAs/consumer reports; users need a permissible purpose + must certify it. Has a private right of action; statutory damages up to $1,000/violation. Enforced by FTC, CFPB, state AGs. |
| FCRA obsolescence | Negative account data drops off after 7 years; bankruptcies after 10 years. Trap: 8-yr bankruptcy may stay, 8-yr charge-off cannot. |
| Adverse action | Negative credit/employment decision triggers notice + right to free disclosure within 60 days. Trap: an accepted counteroffer is NOT an adverse action. |
| FACTA (2003) | Amended FCRA; preempts stricter state credit-reporting laws. Added free annual report, receipt truncation, Disposal Rule + Red Flags Rule. |
| GLBA (1999) | Opt-out model for sharing NPI with nonaffiliated third parties. No private right of action; does NOT preempt stricter state laws. Process opt-outs within 30 days. |
| GLBA Safeguards Rule | Written info-security program: administrative, technical, physical safeguards scaled to size/complexity. (Privacy Rule = notice + opt-out.) |
| Dodd-Frank (2010) | Created the CFPB, now lead rulemaker for FCRA/FACTA and most GLBA institutions. |
| State laws | California CFIPA = opt-in for nonaffiliated sharing (stricter than GLBA); NY NYDFS cybersecurity rule adds a CISO + incident response. |
| BSA / AML | Mandates AML program + Suspicious Activity Reports; enforced by OCC and FinCEN (not the FCRA regulators). |
FACTA preempts stricter state credit-reporting laws, but GLBA does NOT preempt stricter state financial-privacy laws. Confusing the two is the classic exam error - that is exactly why California's opt-in CFIPA survives alongside GLBA.
Education & Children's Privacy
| Law / concept | The one thing to know |
|---|---|
| FERPA | Protects K-12 + university education records; trigger is federal funding. Enforced by Dept. of Education (FPCO); no private right of action; sanction is loss of funding. |
| FERPA directory info | Opt-out, not opt-in (most other PII is opt-in). SSNs and student ID numbers cannot be directory info. |
| FERPA rights holder | Parent until the student turns 18 OR attends a postsecondary institution (at any age). Trap: school may disclose to parents of a tax dependent without consent. |
| FERPA preemption | A floor, not a ceiling - it does NOT preempt stricter state law. Access within 45 days. |
| PPRA (NCLB) | Parental rights over sensitive surveys; K-12 only, NOT colleges. Opt-out for commercial-purpose data. |
| FERPA vs HIPAA | HIPAA exempts records already covered by FERPA. Public K-12 nurse = FERPA. Mixed university clinic = FERPA (students) + HIPAA (nonstudents). |
| COPPA (2025 Rule) | Under-13; enforced by FTC + state AGs. Now needs opt-in verifiable parental consent for targeted ads. |
| FTC v. Epic Games (2023) | $520M = $275M COPPA penalty (largest ever) + $245M refunds for dark patterns. |
| SOPIPA / GLBA | SOPIPA = first state law banning student data for targeted ads. GLBA Safeguards Rule hits universities holding financial aid data. |
Watch the opt-in vs opt-out split: FERPA directory info and PPRA commercial data are opt-out, but COPPA targeted advertising requires opt-in consent. And FERPA's enforcer is the Dept. of Education (no private suit), while COPPA's is the FTC.
Telecommunications & Marketing
| Law / concept | The one thing to know |
|---|---|
| TCPA | FCC-enforced; restricts robocalls, faxes, texts. Robocalls to residential lines need prior express written consent (opt-in) - an EBR is NOT enough. |
| TSR | FTC + state AGs enforce; calls only 8 a.m.-9 p.m.; civil penalty up to $50,120 per call; private suit needs $50,000 actual damages. Neither TSR nor FCC rules preempt state law. |
| National DNC Registry | Scrub before calling, refresh every 31 days; failing to check is a violation even if the number is not listed. Each seller's SAN is non-transferable. |
| EBR exception (DNC) | Customer = 18 months from last transaction; prospect = 3 months from inquiry. Internal (entity-specific) suppression lists must be honored regardless of registry status. |
| Facebook v. Duguid (2021) | Narrowed autodialer to equipment using a random or sequential number generator - clears most targeted text campaigns. |
| Junk Fax Prevention Act (2005) | FCC-enforced; EBR-based commercial faxes OK if sender offers an opt-out. Private right of action, up to $500 per fax. |
| CAN-SPAM (2003) | FTC-enforced, opt-out basis; honor unsubscribe within 10 business days; preempts most state email laws; no individual private right of action. Transactional messages are exempt. |
| CAN-SPAM wireless (MSCM) | FCC requires express prior authorization (opt-in) for each message; no sending on behalf of third parties. |
| CDA Section 230 | Platform not treated as publisher of user content; TAKE IT DOWN Act (2025) carves out nonconsensual intimate imagery / deepfakes - remove on notice. |
Telemarketing law (TSR/FCC) does NOT preempt state law - full federal compliance still fails if you ignore a stricter state mini-TCPA, and over half the states require licensing/registration. CAN-SPAM is the opposite: it does preempt state email laws (except those barring false/deceptive activity).
Workplace Privacy
| Law / concept | The one thing to know |
|---|---|
| Fourth Amendment (state action) | Limits searches only by government employers - no state action means it never binds private employers (except CA extends its constitution to private workers). |
| FCRA (background checks) | Enforced by FTC and CFPB; covers any CRA report (credit, criminal, driving). Need permissible purpose + written consent + pre-adverse-action notice with report copy. Has a private right of action. |
| ADA (medical screening) | EEOC; employers with 15+ employees. Pre-offer exams only if job-related/business necessity; post-conditional-offer exams must apply to all entering employees. Excludes current illegal drug use; protects qualified alcoholics. |
| EPPA (polygraphs) | DOL; bars private-employer lie detectors. Ongoing-investigation exception needs reasonable suspicion. Does NOT preempt stricter state laws. |
| Antidiscrimination (Title VII, ADEA, GINA) | EEOC; ADEA = age 40+, GINA = genetic info. Ask all candidates the same questions; criminal screens must be job-related and consistent with business necessity. |
| Fair Chance Act / Ban the Box | Delays criminal-history inquiry until a conditional offer. FCA binds federal agencies and contractors only; state/local Ban-the-Box laws may reach private employers. |
| Substance testing | No federal privacy statute on testing. Federal law mandates testing for safety-sensitive roles (aviation, rail, trucking) and preempts contrary state cannabis-legalization law. |
| Illinois BIPA (Kronos) | Requires opt-in consent before collecting biometrics. A device vendor (not just the employer) can be liable - Kronos settled for $15.28 million. |
| NYC Local Law 144 (AEDT) | AI hiring tools require a bias audit, published results, and candidate notice of the tool plus any alternative process. |
Watch the preemption direction: FACTA/FCRA do NOT preempt stronger state employment credit-check laws (e.g., CA ICRAA) and the EPPA does NOT preempt stricter state polygraph laws - but federal safety-sensitive drug-testing rules DO preempt contrary state cannabis law.
Government & Court Access to Data
| Law / concept | The one thing to know |
|---|---|
| HIPAA / COPPA | Opt-in - no consent, no sharing. HIPAA permits law-enforcement PHI only via court order, or "required by law" where state law expressly requires it (post-Dobbs HHS). |
| GLBA | Opt-out - sharing allowed unless the consumer says stop. Permits disclosure to respond to judicial process (covers civil discovery). |
| FRCP 5.2 (2007) | Attorneys must redact civil filings to last 4 digits of SSN/account, year of birth only, minor's initials. Criminal filings: home address = city/state only. |
| Litigation hold (ESI) | Once on notice of litigation, suspend routine deletion. Discovery obligations generally prevail over business practices. |
| Fourth Amendment | Warrant needs probable cause + neutral magistrate. Katz = reasonable expectation of privacy; Riley = warrant to search a phone; Carpenter = warrant for cell-site location, narrowing the third-party doctrine. |
| RFPA (1978) / ECPA (1986) | Congress added statutory process after the Court found no Fourth Amendment protection for bank records / dialed numbers - require less than a probable-cause warrant. |
| Wiretap Act / ECPA | Federal = one-party consent; many states require all-party consent. Federal law is NOT preemptive - recording can still break stricter state law. Has a private right of action. |
| CISA (2015) | Voluntary sharing of cyber threat indicators for liability protection (DHS coordinates). Sunset Sept 30, 2025, extended to Jan 30, 2026. |
Do not flip the consent direction: HIPAA and COPPA are opt-in; GLBA is opt-out. And federal wiretap law is not preemptive - one-party consent does not cure an all-party-consent state violation.
GDPR & International Privacy
| Law / concept | The one thing to know |
|---|---|
| GDPR scope | Applies to EU establishments, to selling goods/services to or monitoring people in the EU, and to data stored in the EU - no EU office needed. |
| Fines (2 tiers) | Enforced by DPAs. Higher: greater of €20M or 4% global revenue (principles, rights, transfers). Lower: €10M or 2% (records, security, breach notice, DPO). |
| Personal data | Anything identifying directly/indirectly. Trap: IP address and cookie ID ARE personal data (unlike US PII). Anonymized only if irreversible. |
| Consent | Must be freely given, specific, informed, unambiguous affirmative action. Sensitive data needs explicit consent. No pre-ticked boxes; business must prove it. |
| Controller vs processor | Controller sets purposes/means and bears more responsibility; processor acts on instructions. Where both are involved in the same processing, each is liable for the entire damage. |
| DPO / EU rep | No-EU-presence firms appoint an EU representative; EU firms appoint a DPO with no conflict of interest. |
| Data subject rights | Respond within 1 month (to 3), generally free. Direct-marketing objection is absolute; legitimate-interest objection is not. |
| Breach notice | Controller to DPA within 72 hours; processor to controller without undue delay; subjects only on high risk. |
| Transfers | EEA-out banned unless adequacy, safeguard (SCCs most common, BCRs intra-group), or narrow derogation. US relies on EU-U.S. Data Privacy Framework (EO 14086) after Schrems II. |
The headline max is 4% of worldwide revenue, but 2% is the lower tier for administrative duties (records, security, breach notification, DPO). Match the violation to the right tier.