Certified Information Privacy Professional/US (CIPP/US) cheat sheet
IAPP
Free to share. Examworthy is not affiliated with or endorsed by IAPP; CIPP-US and related marks belong to their respective owners.
At a glance
Format: Multiple choice, online proctored or Pearson VUE test centre
Domain weight map
Heaviest first - spend your time here
How this exam thinks
There is no single US privacy law, so the exam tests whether you can navigate the patchwork and pick the regime that governs a situation.
Spot the trap
Tempting wrong answers, and why they fail
Tempting but wrong
A representation that the buyer has independently satisfied itself and waives reliance on any seller data-handling statement allocates risk to the seller.
Why it fails
This sounds rigorous, but it confuses buyer diligence with risk allocation: a waiver of reliance actually gives up the buyer's recourse. The effect is to shift privacy risk onto the buyer rather than the seller, the opposite of the goal.
Limits on Private-Sector Collection and Use of Data
Tempting but wrong
The FTC's authority over deceptive business practices comes from a constitutional right to fair dealing implied by the Fourteenth Amendment's Due Process Clause.
Why it fails
Tempting because due process sounds protective, but it limits government conduct toward individuals and is not the source of FTC authority over deceptive business practices, which rests on Section 5 of the FTC Act.
Introduction to the U.S. Privacy Environment
Tempting but wrong
Any automated processing of personal data triggers the profiling opt-out, because the right applies whenever a model processes any personal data at all.
Why it fails
Tempting because it sounds like the right is broad, but the opt-out is tied to profiling in furtherance of decisions with legal or similarly significant effects, not to processing generally. Treating all automated processing as a trigger overstates the scope.
State Privacy Laws
Tempting but wrong
Once an NSL nondisclosure requirement is imposed, it is permanent and the provider has no statutory mechanism to seek its removal at any later time.
Why it fails
Tempting because NSL gag orders were historically open-ended, but USA FREEDOM created review and termination mechanisms, so the gag is neither permanent nor unchallengeable.
Government and Court Access to Private-Sector Information
Tempting but wrong
An interview-based reputation report is just an ordinary consumer report, so the standard stand-alone disclosure and authorisation satisfy every FCRA obligation.
Why it fails
Tempting because every investigative consumer report is also a consumer report. But the interview-based character information triggers additional investigative disclosure duties that the ordinary disclosure-and-authorisation process alone does not meet.
Workplace Privacy
Tempting but wrong
On an FCRA dispute, the agency can simply refer it to the furnisher and take no further action, since the furnisher alone is responsible for accuracy.
Why it fails
Plausible because furnishers do have investigation duties, but the agency cannot merely hand off the matter. It must itself reinvestigate and resolve the dispute, not abdicate the outcome to the furnisher.
Limits on Private-Sector Collection and Use of Data
Tempting but wrong
Publishing a privacy notice and obtaining opt-in consent before secondary use is what makes a firm an information fiduciary.
Why it fails
Notice and consent look relevant because they govern data use, but consent-based processing is the notice-and-choice model the fiduciary theory is meant to supplement; consent alone does not create fiduciary status.
Introduction to the U.S. Privacy Environment
Tempting but wrong
A request to limit use of sensitive data is really the right to opt out of sale, which would prevent the business from using the data for any internal research.
Why it fails
Tempting because both rights curb data use, but the sale opt-out only governs disclosures to third parties for consideration, not a business's own internal use of sensitive data. The request here invokes the right to limit, not the sale opt-out.
State Privacy Laws
Key terms
Exam-day rules
- Read the last line of the question first. It tells you whether you are being asked about the governing law, a required action, or an exception, so you can read the scenario looking for that.
- Identify the actor and the data type before you choose. The same facts can fall under GLBA, FCRA, or HIPAA depending on who is processing what, and that single read usually decides the answer.
- Watch for absolutes such as always, never, all, and no exceptions. US privacy law is full of carve-outs and consent exceptions, so a sweeping option is usually the wrong one.
- When two answers both look correct, pick the one whose statute actually governs the actor in the scenario. The exam rewards the most specific applicable law, not a generally true statement.
- Flag and move on. Do not burn time on one hard statute question when easier marks are waiting; cover every question first, then return to the flagged ones.
Revision schedule
- Day 1: Map the blueprint and book a date
- Week 1: Lay the foundation (Introduction)
- Weeks 2-3: Go deep on the sector laws (Private-Sector Limits)
- Weeks 3-4: Cover access, workplace, and the state patchwork
- Week 5: Practise on scenarios with worked explanations