
CIPP/E vs CIPP/US: Which Privacy Certification Is Right for You?
Both are IAPP's Certified Information Privacy Professional credentials - same exam format, same price, same pass mark - but they cover entirely different legal systems. CIPP/E is the European law exam, built around the GDPR and the EU regulatory framework. CIPP/US is the American exam, built around sectoral federal statutes and a growing body of state law. The right choice follows the law that governs your data.
CIPP/E vs CIPP/US is not a quality question - it is a jurisdiction question. Pick the law you work with, then consider adding the other.
CIPP/E vs CIPP/US at a Glance
Both exams share the same chassis. Each delivers 90 multiple-choice questions across a 150-minute sitting, administered through Pearson VUE either online with remote proctoring or at a physical test centre. The passing score is 300 out of 500, and the exam fee is USD 550 for a first sitting whether or not you hold IAPP membership. That fee drops to USD 375 only on a retake, or when you already hold another IAPP certification. Active certification runs for two years and requires 20 continuing professional education credits per term, plus a maintenance fee of USD 250 - or membership, which bundles that cost.
The difference is entirely in what the questions test. CIPP/E is built on the current IAPP Body of Knowledge version 1.3.3, effective 1 September 2025, and covers five domains: Introduction to European Data Protection (13% of scored questions), European Data Protection Law and Regulation (31%), European Data Processing (23%), European Data Protection Scope and Accountability (17%), and Compliance with European Data Protection Law and Regulation (16%). CIPP/US is built on BoK version 2.6, also effective 1 September 2025, and covers five parallel domains: Introduction to the US Privacy Environment (24%), Limits on Private-Sector Collection and Use of Data (31%), Government and Court Access to Private-Sector Information (12%), Workplace Privacy (10%), and State Privacy Laws (23%).
Neither exam has formal prerequisites. The IAPP recommends prior privacy experience but does not enforce it. There is no prior certification required, no mandatory training, and no law degree required.
What the CIPP/E Actually Tests
The CIPP/E is, at its core, a GDPR exam - but one that situates the regulation inside a broader legal order. About a third of scored questions sit in Domain II, covering the foundational GDPR rules: the definitions of personal and special-category data, lawful processing bases, data subject rights, controller and processor relationships, consent validity, and breach notification. This is the section where candidates earn or lose the credential.
The surrounding domains add context that distinguishes a practitioner from someone who has merely memorised the GDPR text. Domain I traces the legal lineage from the OECD Guidelines and Convention 108 through to the NIS 2 Directive and the EU AI Act. Domain III tests the processing principles - purpose limitation, storage limitation, data minimisation - and the international transfer toolkit: adequacy decisions, Standard Contractual Clauses, Binding Corporate Rules, and the EU-US Data Privacy Framework. Domain IV covers territorial scope, the accountability obligations of controllers and processors, DPIAs, DPO requirements, and the Article 83 fine tiers. Domain V applies all of this to real-world scenarios: employment data, CCTV and biometrics, direct marketing under the ePrivacy Directive, and cookie consent.
For 2025-2026 candidates, the European Commission's Digital Omnibus Package, presented in November 2025, proposes amendments to the GDPR, ePrivacy Directive, NIS 2 Directive, and the EU AI Act. Those proposals are in legislative negotiations as of mid-2026 and have not yet taken effect. The current exam tests the law as it stands, not proposed amendments. The AI Act's obligations around high-risk AI systems are subject to a provisional trilogue agreement (May 2026) to defer key deadlines, still pending final adoption - the IAPP BoK and exam blueprint address the Act's structure and scope rather than implementation deadlines, so candidates should focus on the framework rather than specific dates.
What the CIPP/US Actually Tests
The CIPP/US is a sectoral law exam. The US has no single omnibus federal privacy statute comparable to the GDPR. Instead, it has a patchwork of sector-specific laws - HIPAA for health data, GLBA and FCRA for financial data, FERPA for education records, COPPA for children's online data, the TCPA and CAN-SPAM for marketing - plus the FTC's cross-sector authority under Section 5 of the FTC Act. Domain II tests all of these, and at 31% of the exam it is the heaviest domain by weight.
The biggest structural shift in the 2025-2026 blueprint is Domain V, State Privacy Laws, which now accounts for 23% of scored questions. The IAPP's published section ranges show 13-17 questions on state law alone - the largest single-section allocation on the exam. California (CCPA as amended by the CPRA) is the anchor, but the domain also covers the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, and Illinois BIPA. Candidates also need to understand federal preemption doctrine - where federal law sets a ceiling rather than a floor - and where state laws survive it by offering greater protection. Around 20 states now have comprehensive consumer privacy statutes, and the exam reflects that landscape.
Beyond sector law and state law, Domain III covers the instruments by which government compels access to private-sector data: subpoenas, National Security Letters, FISA orders, and eDiscovery under the Federal Rules of Civil Procedure. Domain IV covers workplace privacy - pre-employment screening under FCRA, employee monitoring under ECPA and state wiretapping statutes, and post-employment data obligations. Domain I grounds all of this in the structure of US law: constitutional, statutory, regulatory, and common law sources, the role of federal and state enforcement agencies, and data inventory and flow-mapping as a compliance foundation.
Who Each Certification Is For
The deciding factor is simple: which legal system governs the data you work with day to day? If your organisation processes personal data of EU or EEA residents - whether you are based in Europe or operating from outside it and targeting EU users - the CIPP/E is the credential that maps directly to your professional obligations. It is the standard qualification for privacy roles at EU-headquartered companies, for legal and compliance teams managing GDPR programmes, and for consultants advising European clients. The GDPR's territorial reach under Article 3 means that organisations headquartered in the US, Australia, or anywhere else are subject to it if they offer goods or services to EU residents, which makes the CIPP/E relevant well beyond European borders.
The CIPP/US is the natural credential for practitioners whose work centres on US law - privacy officers at US companies, compliance attorneys advising financial or healthcare organisations, technology lawyers dealing with state consumer privacy requirements, and HR professionals managing employee data programmes. The exam's growing emphasis on state privacy laws makes it particularly relevant for anyone navigating multi-state compliance programmes, especially given that California, Virginia, Colorado, Connecticut, and a growing number of other states now impose independent obligations on businesses that collect consumer data.
Many practitioners hold both. A privacy lawyer at a US multinational with European operations, a consultant who advises clients across jurisdictions, or a DPO working at a company that also has a large US user base will find that the two credentials complement rather than overlap - the legal frameworks are genuinely different, and holding both signals a practitioner who can operate in either system.
How the Two Exams Think Differently
Sitting both exams, or preparing for one after the other, reveals a meaningful difference in how the questions are constructed. CIPP/E questions tend to test precise knowledge of a single, coherent regulatory framework. The GDPR is a regulation - directly applicable across all EU member states, with definitions and obligations set out in numbered articles and recitals. When a CIPP/E question gives you a processing scenario, the answer usually turns on which Article 6 lawful basis applies, whether Article 9 is engaged, or what the Article 83 fine tier is. The law is dense but unified.
CIPP/US questions require you to navigate multiplicity. Federal law and state law may both apply to the same processing activity, sometimes giving conflicting answers that require a preemption analysis. A question about a health data breach might invoke HIPAA, FTC Section 5, and one or more state breach notification statutes simultaneously. A workplace monitoring question might turn on ECPA's federal floor and then a stricter state all-party consent rule. The skill the exam tests is the ability to identify which body of law controls a given fact pattern and apply the correct obligations.
This does not make one exam harder than the other in an absolute sense - candidates who have worked in the relevant jurisdiction typically find their own exam more manageable and the other more disorienting. The CIPP/E rewards systematic knowledge of GDPR text and EDPB guidance. The CIPP/US rewards breadth across statutes and a good instinct for how American regulatory structures layer.
Which Should You Take First?
Take the exam that covers the law you already work with. The credential delivers the most immediate professional value when it maps to your current role. If you are a privacy analyst at a German company, start with CIPP/E. If you are a compliance manager at a US healthcare organisation, start with CIPP/US. The knowledge you already hold from your work will carry you further, and passing gives you a usable credential right away rather than one you will not exercise for some time.
If you are building toward a dual certification, the sequencing question is less critical than the study logistics. Both exams use the same format and the same passing standard. Some practitioners prefer to sit them close together while study habits and exam techniques are fresh. Others prefer to become fully competent in one jurisdiction first and add the second once the first credential is active and the 20 CPE credits per term are being accumulated. Either approach works; there is no prerequisite structure between them.
If you have no background in either jurisdiction - perhaps you are moving into privacy from another field - the CIPP/E has the advantage of a more internally consistent law to study, which some candidates find easier to get initial traction with. The CIPP/US requires familiarity with a wider range of statutes from the outset. Neither path is prohibitively difficult with good preparation, and the IAPP publishes the complete Body of Knowledge for both exams as a free download, which is the most authoritative starting point for any study plan.
Practising on Questions That Match the Real Exam
Both BoKs publish domain weights and section question ranges, which means you can prioritise preparation by expected question volume. For CIPP/E, Domain II - the GDPR core - carries 31% of scored questions and should anchor any study plan. For CIPP/US, Domain II (sectoral federal law) and Domain V (state law) together account for over half the exam and deserve the most preparation time.
Reading the BoK and a study guide will teach you the material. Doing practice questions under exam conditions is what converts knowledge into exam performance. The distinction matters because both exams are scenario-based: they describe a fact pattern and ask you to apply the correct legal rule, not just recall a definition. A candidate who has read every GDPR article but has never worked through application questions often stalls on the logic of controller versus processor in a complex supply chain, or on which Article 6 basis survives a legitimate-interests assessment. A candidate who has drilled realistic scenarios with worked explanations builds the judgment to work through novel patterns.
The most useful practice questions come with a worked explanation that shows the full reasoning path - not just why the correct answer is correct, but why each of the other three options fails. Distractors on these exams are carefully constructed: they use plausible-sounding principles, near-miss article references, or jurisdiction-swapped rules that trip candidates who have surface-level knowledge. Understanding why a distractor is wrong is as valuable as knowing the right answer, because it closes the gap between recognising familiar material and correctly handling the question the exam actually asks.
Frequently asked questions
Which is harder, CIPP/E or CIPP/US?
Practitioners consistently report that the exam covering their own jurisdiction is more approachable. CIPP/E tests a single, unified regulation in depth; CIPP/US tests a wide range of federal and state statutes. Neither has a published pass rate, so objective comparison is not possible - both use the same 300/500 passing score.
Do I need work experience to sit either exam?
No. The IAPP imposes no formal prerequisites - no experience requirement, no law degree, and no prior IAPP certification. The IAPP does recommend privacy experience as preparation, but the exam is open to candidates at any career stage.
Can I hold both CIPP/E and CIPP/US at the same time?
Yes. Many practitioners hold both. Each requires a separate exam and a separate certification maintenance fee every two years. The credentials are independent and can be active simultaneously.
How long does it take to prepare?
Preparation time varies widely by background. Candidates with active roles in the relevant jurisdiction and regular exposure to the applicable law typically need less structured study than those moving into privacy from another field. The IAPP publishes the full Body of Knowledge for each exam, which is the starting point for any study plan.
Is CIPP/E relevant outside Europe?
Yes. The GDPR's Article 3 extends its reach to any organisation that targets EU or EEA residents with goods or services, regardless of where the organisation is based. Privacy professionals at US, Australian, or other non-European companies are frequently required to understand and apply GDPR obligations.
How much does it cost to maintain both certifications?
Each certification carries a USD 250 maintenance fee per two-year term and a requirement for 20 CPE credits per term. IAPP membership (USD 295 per year) bundles the maintenance fee as a benefit. The exam itself is USD 550 for a first sitting regardless of membership; it falls to USD 375 only on a retake or once you already hold another IAPP certification, so a candidate going for both credentials pays the discounted rate on the second exam. That changes the economics for anyone planning to hold multiple credentials long-term.
Examworthy is not affiliated with or endorsed by IAPP. This article is original commentary based on public exam blueprints and published sources. We never reproduce live exam items. All certification names and marks belong to their respective owners.