What Is CIPP/US?

The Certified Information Privacy Professional/United States (CIPP/US) credential is the premier certification in privacy law for U.S. privacy professionals. The CIPP/US designation demonstrates that an individual has the knowledge and skills necessary to comply with U.S. privacy laws and regulations. The CIPP/US credential is recognized by the International Association of Privacy Professionals (IAPP) and is a privacy certification designated by the American National Standards Institute (ANSI).

CIPP/US 2022 IAPP Updates

The IAPP has released updates to the CIPP/US exam content that became effective on October 3, 2022. This post covers the changes in this annual update to assist candidates preparing to the CIPP/US exam.


The changes made to each of the above sections is outlined below.

  • Implications of Schrems II decisions
  • Exemptions under state financial laws 
  • Automated employment decision tools 
  • Addition of new state laws added and removal of older laws

What’s Included In These Updates?

The CIPP/US exam blueprint has no changes and hence no change in the structure of the exam for the year. The exam consists of 90 exam questions that will be distributed into the following five sections:

  1. Introduction to U.S. Privacy Enforcement – 31
  2. Limits on Private-Sector Collection and Use of Data – 20
  3. Government and Court Access to Private-Sector Information – 5
  4. Workplace Privacy – 7
  5. State Privacy Laws – 12

Introduction to U.S. Privacy Enforcement

The CIPP/US exam content has been updated to include a new section on international data transfers. The new section covers the Schrems II decisions and their implications for data privacy enforcement in the United States.

Limits on Private-Sector Collection and Use of Data

The CIPP/US exam content limits on private-sector collection and use of data are designed to protect the privacy of individuals and their personal information. The changes to the exam content limits will require private-sector organizations to take steps to ensure that they collect and use only the data that is necessary for their business purposes. In addition, private-sector organizations will be required to disclose their data collection and use practices to individuals who are affected by them. This section has two additional topics that were added under the financial and marketing subcategories.

The Gramm-Leach-Bliley Act (GLBA) was enacted in 1999 and includes a section entitled Financial Services Modernization Act of 1999. The GLBA significantly affects the way financial institutions do business by exempting them from certain provisions of state law. The CIPP/US exam content now includes a section on GLBA exemptions under state law. The intention here is to make exam takers to be aware that the recently passed laws in California, Colorado, Connecticut, Utah, and Virginia do not apply where personal data is subject to regulation under GLBA. This also applies to other federal laws, such as Health Insurance Portability and Accountability Act (HIPAA).

The inclusion of the Driver’s Privacy Protection Act (DPPA) on the CIPP/US exam is a recognition of the growing importance of data privacy laws in the United States. The DPPA is just one of many federal and state laws that protect the privacy of personal information. As more and more information is collected and shared online, it is important for privacy professionals to be familiar with the laws that govern the disclosure of this information.

Government and Court Access to Private-Sector Information

No changes made to this section.

Workplace Privacy

The CIPP/US exam content on workplace privacy now mentions the use of automated employment decision tools. The use of artificial intelligence and other techniques has been on the rise in recent years, as they can help employers save time and money in the hiring process. However, there are some concerns about the accuracy of these tools, and whether or not they could lead to discrimination against certain groups of people. These privacy changes are intended to help organizations better protect the privacy of their employees and customers, and to ensure that their automated employment decisions are fair and unbiased.

State Privacy Laws

The Colorado Privacy Act (CPA) and the Nevada Privacy Law and Amendments (SB260) are the only new topics subject to testing on the updated Body of Knowledge. There were several other state laws – California, Connecticut, Utah, and Virginia, that have been established after the IAPP content update. Students are advised to be aware of these new changes. This will not only increase your breadth of knowledge as a privacy practitioner but also will help you answer a question or two that may show up purely for beta testing perspective. (IAPP exams have few sample questions in each of the exams that are not graded but are evaluted for stength and relevance to be included/not included in future exams).

Why Train With An Official Training Partner (OTP)?

The above changes have not been added to the official CIPP/US textbook yet. The only avenue to gather and learn on these topics is to do your own research and exploration on each of them. A better option would be to register for a CIPP/US training with any of the IAPP’s official training partners (OTP). CYRVANA is an OTP with trainers who have a diverse experience offering relavent war stories from their experience, but also cover these updates as part of the training. The training also provides the participant guides that reflect these changes to refer back and prepare for the exam the right way.

At CYRVANA we align our training to all IAPP’s updates throught the year. Please check our CIPP/US training page for additional details and schedule. You can check our privacy training schedule for other IAPP certifications.

Useful Exam References

Please review the following references for the body of knowledge and exam blueprint documents effective starting October 3, 2022:

  1. CIPP/US Body of Knowledge (BOK)
  2. CIPP/US Exam Blueprint