CIPP/US Exam Prep

Study Guide

Certified Information Privacy Professional/United States Study Guide

Use the saved domain outline to connect the U.S. privacy environment and privacy program governance, state privacy laws, federal privacy laws, and workplace privacy to scenario-based questions and explanations.

How the Exam Is Structured

Certified Information Privacy Professional/United States (CIPP/US) validates knowledge of the U.S. privacy environment and privacy program governance, state privacy laws, federal privacy laws, and workplace privacy. The ExamPal practice bank includes 187 premium questions and 40 free questions mapped across the official blueprint.

Domain | Weight | Focus
Domain 1: U.S. Privacy Environment and Privacy Program Governance | 39% | Task 1: Explain the foundations of the U.S. privacy system; Distinguish sectoral from omnibus models
Domain 2: State Privacy Laws | 25% | Task 1: Compare major comprehensive state privacy statutes; Common elements across state laws
Domain 3: Federal Privacy Laws | 23% | Task 1: Explain the federal privacy enforcement landscape; FTC Section 5 authority
Domain 4: Workplace Privacy | 7% | Task 1: Apply privacy principles in the employment context; Workplace privacy issues
Domain 5: Government Access and Court Access to Private Information | 6% | Task 1: Explain government access frameworks; Constitutional and statutory limits

39% of exam

Domain 1: U.S. Privacy Environment and Privacy Program Governance

Covers the foundations of the U.S. privacy system, core privacy concepts, common privacy harms, and the design and operation of privacy programs. It also includes data lifecycle management, privacy risk assessments, transparency and consent practices, and cross-border and third-party data governance.

Task 1: Explain the foundations of the U.S. privacy system
Distinguish sectoral from omnibus models
Legal sources of privacy obligations
Self-regulation and private ordering
Enforcement actors in privacy
Task 2: Apply core privacy concepts and principles in practice
Define information categories

25% of exam

Domain 2: State Privacy Laws

Covers major comprehensive state privacy statutes, consumer rights, business obligations, California privacy law, and state enforcement and litigation risk. It also addresses harmonization strategies for organizations operating across multiple states.

Task 1: Compare major comprehensive state privacy statutes
Common elements across state laws
Scope and applicability
Controllers, processors, and service providers
State-specific terminology and obligations
Task 2: Apply consumer rights under state privacy laws
Core consumer rights

23% of exam

Domain 3: Federal Privacy Laws

Covers the federal privacy enforcement landscape and major sectoral regimes, including health, financial, communications, education, children’s, and other federal privacy obligations. It emphasizes agency authority, statutory requirements, and how these laws interact with state law and FTC authority.

Task 1: Explain the federal privacy enforcement landscape
FTC Section 5 authority
Sector-specific federal regulators
Agency guidance and orders
Limits without omnibus statute
Task 2: Apply health privacy requirements
HIPAA scope and actors

7% of exam

Domain 4: Workplace Privacy

Covers privacy issues in the employment context, employee data management across the employment lifecycle, and workplace legal and operational constraints. It emphasizes monitoring, notices, retention, sensitive workforce data, and governance roles.

Task 1: Apply privacy principles in the employment context
Workplace privacy issues
Employer interests and employee expectations
Notices, policies, and access restrictions
Minimization and purpose limitation
Task 2: Manage employee data throughout the employment lifecycle
Employment lifecycle stages

6% of exam

Domain 5: Government Access and Court Access to Private Information

Covers government access frameworks, litigation and court-driven access to information, and organizational responses to compelled disclosure. It emphasizes constitutional and statutory limits, disclosure mechanisms, protective measures, and defensible response practices.

Task 1: Explain government access frameworks
Constitutional and statutory limits
Types of government access
Compelled process types
Provider obligations
Task 2: Address litigation and court-driven access to information
Discovery and preservation

Key Terms to Know

These terms are loaded from the shared terminology pack and appear across the question explanations.

Audit trail
A record showing who accessed or modified data and when, used to support accountability and investigations.
Automated decisionmaking technology
Technology that processes personal information and uses computation to make or support decisions about individuals.
Board reporting
The requirement that privacy or security leadership provide regular written reports to a board of directors or equivalent governing body.
Breach notification
A legal requirement to notify affected individuals or authorities after unauthorized access to certain personal information.
CPPA
The California Privacy Protection Agency, the regulator responsible for implementing and enforcing key California privacy rules.
California Consumer Privacy Act
A California privacy law granting consumers rights regarding personal information and imposing obligations on businesses.
Centralized privacy review
A governance process in which proposed data uses or products are escalated for specialized privacy evaluation rather than handled only by individual teams.
Consumer Financial Protection Bureau
The federal agency with primary rulemaking authority for the FCRA after Dodd-Frank.
Consumer report
A communication bearing on a consumer’s creditworthiness, character, or similar traits used for eligibility decisions under the FCRA.
Covered entity
Under HIPAA, a health plan, healthcare clearinghouse, or healthcare provider that transmits health information electronically in connection with certain transactions.
Cybersecurity audit
A formal review of an organization’s security controls and practices, sometimes required by privacy regulations to support compliance and governance.
Data minimization
The principle of limiting data collection, use, and retention to what is reasonably necessary for a stated purpose.
Driver's Privacy Protection Act
A federal law restricting disclosure and use of personal information contained in motor vehicle records.
Education record
A record directly related to a student and maintained by an educational institution or party acting for it, as defined by FERPA.
Executive oversight
Senior leadership involvement in supervising privacy risk, compliance, and strategy within an organization.
FCRA
The Fair Credit Reporting Act, a federal law regulating consumer reports, consumer reporting agencies, and permissible uses of credit information.
FERPA sole-possession record
A note kept solely by its maker as a personal memory aid and not shared with others, excluded from FERPA’s definition of education records.
FTC Section 5
The provision of the FTC Act that prohibits unfair or deceptive acts or practices in or affecting commerce.

Official Materials and Guidance

This page is built from IAPP official materials and the ExamPal shared release pack: the shared syllabus, topic tree, terminology pack, free pack, and premium pack.

  • Guidance: IAPP official certification page, BoK/study resources, FAQ
  • Domain outline: IAPP body of knowledge domains saved; the public FAQ gives the exam format, but no public percentage split was captured locally.