How to pass the CIPP/US
A practical guide to passing the IAPP Certified Information Privacy Professional/United States (CIPP/US) exam: what it tests, how to study the sectoral patchwork, and the distinctions that trip people up. Written by someone who sat the IAPP exams and scored well.
What the CIPP/US actually tests
The CIPP/US certifies that you understand the U.S. approach to privacy: a sectoral, law-by-law patchwork rather than one comprehensive statute, plus the fast-growing set of state laws. The exam is built from the IAPP body of knowledge, which spans:
- The U.S. privacy environment - structure of government, sources of law, the FTC and other regulators, and how privacy is enforced (chiefly the FTC's authority over unfair and deceptive practices under Section 5 of the FTC Act).
- Limits on private-sector data: the big sectoral laws - FCRA/FACTA (credit), GLBA (financial), HIPAA/HITECH (health), FERPA (education), COPPA (children), TCPA/TSR/CAN-SPAM (telecom and marketing).
- State laws: CCPA/CPRA and the comprehensive state laws, breach-notification laws, and sectoral state laws (biometrics, health, AI).
- Government and court access: the ECPA, FISA and Section 702, the USA PATRIOT and FREEDOM Acts, the CLOUD Act, and civil-litigation e-discovery.
- Workplace privacy across the employment life cycle.
You can read every one of these areas for free in the study notes.
The exam format
The CIPP/US is 90 multiple-choice questions in 2.5 hours, reported on a scaled score where 300 out of 500 is a pass. Confirm the current format on the IAPP's official exam blueprint before you book.
A study plan that works
- Weeks 1 to 2, build the map. Read the notes chapter by chapter. The goal is to place each law: who it covers, what it regulates, who enforces it, and opt-in vs opt-out.
- Weeks 3 to 4, drill application. Switch to questions. CIPP/US questions are scenario-based, so practising "which law applies / what must they do" is where the marks are. Read every explanation.
- Week 5, spaced review. Let the spaced-repetition schedule resurface the laws you keep mixing up.
- Final week, simulate. Sit the full official practice exam under timed conditions and review every miss by domain.
Where people lose marks
- Mixing up the sectoral laws. Know the lanes: FCRA (consumer reports and the agencies, furnishers and users that handle them) vs FACTA (the 2003 amendment that added identity-theft protections such as free annual reports, fraud alerts and the disposal rule) vs GLBA (financial institutions and their non-public personal information); HIPAA (covered entities and their business associates handling protected health information) vs FERPA (education records held by schools that receive federal funding).
- Which regulator. The FTC (unfair and deceptive practices), state attorneys general, the CFPB, HHS/OCR, the FCC - the exam loves "who enforces this".
- Opt-in vs opt-out. U.S. law usually defaults to opt-out; know the opt-in exceptions (verifiable parental consent under COPPA, sensitive data in some state laws, and CAN-SPAM's mobile service commercial message (MSCM) rule, which requires express prior authorization).
- Preemption. When a federal law sets a ceiling and preempts stricter state law (COPPA, CAN-SPAM, FACTA) versus when it sets only a floor and more-stringent state law survives (HIPAA, GLBA). Scenario questions often turn on whether a state rule can apply at all.
- State patchwork. California (CCPA/CPRA) is the model; know how thresholds, rights and enforcement differ across states.
- Reading too fast. Scenario questions hinge on one detail - the sector, the actor, or a single qualifying word. Slow down on the stem.
How this site helps
The study notes are free and structured for active recall, with the exam-critical wording highlighted. The practice question bank includes the official practice exam plus hundreds of application-style topic questions, each with a worked explanation, marked automatically and on a spaced-review schedule. Your progress syncs across your devices.