IAPP study guide

How to pass Certified Information Privacy Professional/US (CIPP/US) (CIPP-US)

19 min read · 5 domains covered · Free practice, no sign-up

The IAPP Certified Information Privacy Professional/US (CIPP/US) is a knowledge exam about how privacy is regulated in the United States. It tests whether you can navigate the patchwork: there is no single omnibus federal privacy law, so the exam covers constitutional and common-law roots, the Federal Trade Commission's cross-sector authority, the sector laws (health, financial, education, telecommunications), government access regimes, workplace privacy, and the fast-moving body of state law led by California. It is not a technical exam and there is no coding; it is law and information-management knowledge applied to fact patterns.

It suits privacy professionals, compliance and legal staff, security people who touch privacy obligations, and anyone whose role needs a defensible map of US privacy regulation. You do not need to be a lawyer, but you do need to hold a lot of statutes in your head and tell apart instruments that sound similar: GLBA versus FCRA, HIPAA's Privacy Rule versus its Security Rule, a subpoena versus a National Security Letter. The breadth is the real challenge, not the depth of any single topic.

The exam rewards precise recall married to judgement. Many questions are short scenarios where two answers look plausible and the right one turns on which statute actually governs the actor and the data in front of you. The state-law and information-management material moves year to year, so study from current sources and practise on scenario questions with worked explanations so you learn why a near-miss answer is wrong, not just which one is right.

There is no single US privacy law, so the exam tests whether you can navigate the patchwork and pick the regime that governs a situation.

Difficulty

Intermediate

Best for

Privacy, legal, and compliance professionals working with US data, and CIPP candidates broadening into the US framework.

Prerequisites

None. Familiarity with US business or legal contexts helps but is not assumed.

  • Questions: 90
  • Time allowed: 150 min
  • Pass mark: 300 / 500
  • Exam cost (USD): $550
  • Practice questions: 286

How this exam thinks

The CIPP/US rewards one habit above all: matching the scenario to the regime that governs it. The United States has no single omnibus privacy law, so there is rarely a general right answer. The right answer is whichever sector law or state regime applies to the specific actor and the specific data in front of you. Read the scenario to fix two things first - who is processing the data, and what kind of data it is - because that pair usually decides which statute controls. A bank triggers GLBA, a consumer reporting agency triggers FCRA, a healthcare provider triggers HIPAA, a website aimed at under-13s triggers COPPA. Change the actor and you change the law, even when the facts otherwise look identical.

Second, the exam thinks in terms of the FTC as the cross-sector backstop. Where no specific sector statute reaches, FTC Act Section 5 and its bar on unfair or deceptive acts or practices usually does, so an option grounded in Section 5 is often the correct one when no narrower law fits. Hold the FTC's role as the default enforcer in your head and reach for the more specific statute only when the scenario names an actor a sector law clearly covers. The wrong answers are built to exploit confusion between adjacent regimes: they offer a real law that governs a neighbouring situation, not the one in front of you.

Third, the exam distrusts absolutes and rewards the carve-out. US privacy law is a lattice of exceptions, consent provisions, and safe harbours, so an option that says always, never, all, or no exceptions is usually wrong. When two answers both look correct, choose the one whose statute most specifically governs the actor in the scenario rather than the one that states a broadly true principle. The exam wants the most specific applicable law, applied to the facts as written, not a textbook generality that happens to be true.

What each domain tests and how to study it

The CIPP-US blueprint is split across 5 domains. Weights are the official share of the exam; see the official exam guide for the authoritative breakdown.

  1. Introduction to the U.S. Privacy Environment

    24% of exam

    What you must be able to do. Identify which source of law and which enforcer governs a situation, and walk personal data from inventory through to a defensible retention decision.

    In one sentence: The foundations the rest of the exam assumes: the four sources of US law, who enforces privacy, and the information-management discipline that carries the most marks here.

    Recall check: answer these from memory first
    • Name the four sources of US law and give one privacy obligation that flows from each.
    • What does FTC Act Section 5 prohibit, and why is it called the cross-sector backstop?
    • Walk a data inventory through to a retention decision: name the steps in order.

    What it tests. The foundations of US privacy regulation: the four sources of law (constitutional, statutory, regulatory, common law) and how each creates obligations, the enforcement roles of the FTC, sector regulators, and state attorneys general, and the information-management discipline (data inventory, classification, flow mapping, retention) that the official study guide flags as the highest-weighted chapter. It also reaches into cross-border transfer mechanisms and the information-fiduciary concept.

    How to study it. Build the mental map before the detail: who makes law, who enforces it, and why the US has no single omnibus statute. Memorise FTC Act Section 5 (unfair or deceptive acts) as the cross-sector backstop, because it threads through later domains. Give the information-management section real time, not a skim, since it carries the most marks here: be able to walk a data inventory through to a retention decision. Treat transfers and fiduciary duty as the harder, lower-frequency items.

    Easy to confuse

    • Statutory law versus common law. Statutory law is enacted by a legislature (HIPAA, GLBA); common law is judge-made through court decisions, such as the privacy torts. A scenario about a published statute points to the former; one about a tort claim such as intrusion upon seclusion points to the latter.
    • FTC enforcement versus state attorney general enforcement. The FTC enforces Section 5 and federal privacy rules at the national level; a state attorney general enforces that state's own privacy and consumer laws, and often shares enforcement of statutes like CCPA. The named actor and the cited law tell you which enforcer the question wants.
    • Data classification versus data inventory. An inventory records what data you hold and where it lives; classification labels each category by sensitivity so handling rules attach to it. Inventory answers what and where; classification answers how protected, and the two are sequential steps, not synonyms.

    Worked example from the CIPP-US bank

    Free sample · Introduction to the U.S. Privacy Environment · medium

    A technology company has not violated any specific privacy statute, yet the Federal Trade Commission opens an enforcement action alleging the company misrepresented its data-sharing practices to consumers. On what legal source does the FTC most directly rely to bring this action?

    • A. The common law tort of intrusion upon seclusion, which the FTC enforces on behalf of consumers in federal court.
    • B. Its statutory authority under Section 5 of the FTC Act to challenge unfair or deceptive acts or practices. (Correct)
    • C. A constitutional right to fair dealing implied by the Due Process Clause of the Fourteenth Amendment.
    • D. A self-regulatory code of conduct that the company adopted and the FTC enforces as binding federal regulation.
    Identify Section 5 of the FTC Act as the statutory basis for FTC enforcement against deceptive privacy representations. The FTC's general enforcement power comes from Section 5 of the FTC Act, which bars unfair or deceptive acts or practices, allowing action against misrepresentations even absent a sector-specific privacy statute.

    Why A is wrong: Tempting because intrusion is a privacy wrong, but it is a private tort claim brought by individuals, not a statutory power the FTC invokes for enforcement.

    Why B is correct: Section 5 of the FTC Act prohibits unfair or deceptive acts or practices, letting the FTC act on a misrepresentation even where no specific privacy statute applies.

    Why C is wrong: Tempting because due process sounds protective, but it limits government conduct toward individuals and is not the source of FTC authority over deceptive business practices.

    Why D is wrong: Tempting because broken promises in a code can support a case, but the code is not itself the legal source, and the FTC's authority flows from the FTC Act.

  2. Limits on Private-Sector Collection and Use of Data

    31% of exam

    What you must be able to do. From the actor and the data type, pick the single sector statute that governs, and state the right or obligation it creates.

    In one sentence: The single heaviest domain: the federal sector laws (FTC, COPPA, HIPAA, GLBA, FCRA, FERPA, and the marketing statutes) that constrain how private companies handle personal data.

    Recall check: answer these from memory first
    • Give the one-line trigger for GLBA, FCRA, HIPAA, COPPA, and FERPA: who each regulates and what data.
    • What does HIPAA's Privacy Rule govern, and what does its Security Rule govern?
    • State COPPA's age threshold and the core consent it requires before collecting a child's data.

    What it tests. The sector-specific federal laws that constrain how private companies collect and use personal data, and this is the single heaviest domain. It covers the FTC's authority plus COPPA for children, HIPAA and HITECH for health data, GLBA and FCRA/FACTA for financial and credit data, FERPA for education records, the TCPA, Telemarketing Sales Rule, and CAN-SPAM for marketing, and privacy due diligence in mergers and acquisitions.

    How to study it. This domain wins or loses the exam, so spend the most time here. Build a one-line trigger for each law: who it regulates, what data, what right or obligation it creates. The classic trap is confusing adjacent regimes, so drill the pairs directly: GLBA (financial institutions, privacy notice and Safeguards) against FCRA (consumer reporting agencies, adverse-action notice and accuracy), and HIPAA's Privacy Rule (uses and disclosures of PHI) against its Security Rule (safeguards). Learn COPPA's age line and the CAN-SPAM opt-out mechanics as reliable marks.

    Easy to confuse

    • GLBA versus FCRA. GLBA governs financial institutions and their handling of customer financial information, requiring a privacy notice and the Safeguards Rule; FCRA governs consumer reporting agencies and the use of consumer reports, requiring accuracy and adverse-action notices. A bank sharing customer data points to GLBA; a credit report used to deny an application points to FCRA.
    • HIPAA Privacy Rule versus Security Rule. The Privacy Rule sets who may use or disclose protected health information and when; the Security Rule sets the administrative, physical, and technical safeguards for electronic PHI specifically. A question about a permitted disclosure is Privacy Rule; one about encryption or access controls is Security Rule.
    • TCPA versus CAN-SPAM. The TCPA governs telephone and text marketing, including the Do Not Call rules and consent for autodialled calls; CAN-SPAM governs commercial email, requiring a working opt-out and accurate headers. The channel named in the scenario, a call or text versus an email, decides which statute applies.

    Worked example from the CIPP-US bank

    Free sample · Limits on Private-Sector Collection and Use of Data · hard

    Counsel is drafting the privacy representations and warranties for a stock purchase agreement covering a target that markets to California consumers. The buyer wants the representations to do real diligence work rather than merely paper over risk. Which drafting choice best serves the buyer's goal of allocating privacy risk to the seller?

    • A. A narrow representation that the target has a privacy policy posted on its website, with no statement about the accuracy of that policy or compliance with it.
    • B. A representation that the buyer has independently satisfied itself as to the target's privacy practices and waives reliance on any seller statement about data handling.
    • C. A representation limited to the statement that no data breach has been publicly disclosed in the past twelve months.
    • D. A broad representation that the target has at all times complied with all applicable privacy and data protection laws and its own published commitments, qualified only by a disclosure schedule of known exceptions. (Correct)
    Understand that a broad law-and-commitments compliance representation with a disclosure schedule best shifts privacy risk from buyer to seller. Representations and warranties allocate risk by giving the buyer a contractual remedy if facts differ from what is represented; a broad compliance representation backed by a disclosure schedule both forces the seller to surface known issues and leaves the seller liable for undisclosed non-compliance.

    Why A is wrong: This is tempting because it looks like a privacy representation, but mere existence of a posted policy says nothing about compliance, so it gives the buyer almost no protection and fails to allocate risk to the seller.

    Why B is wrong: This sounds rigorous but actually waives the buyer's recourse, so a candidate confusing buyer diligence with risk allocation would choose it, while in fact it shifts risk onto the buyer rather than the seller.

    Why C is wrong: Public-disclosure-only and a twelve-month window leave undisclosed breaches and broader compliance gaps untouched, so although it addresses one risk it is far too narrow to allocate privacy risk to the seller.

    Why D is correct: A compliance representation tied to applicable law and the target's own commitments, backed by a disclosure schedule and indemnity, shifts unknown privacy exposure to the seller and surfaces known issues for pricing.

  3. Government and Court Access to Private-Sector Information

    12% of exam

    What you must be able to do. Rank the legal instrument a request requires by its standard of proof, and tie it to the statute and the side (criminal, national-security, or civil) it comes from.

    In one sentence: How the state and the courts compel private-sector data: law-enforcement instruments and ECPA, the national-security regime, and civil eDiscovery duties.

    Recall check: answer these from memory first
    • Rank a subpoena, a court order, and a search warrant by the legal standard each requires, lowest to highest.
    • What did the USA PATRIOT Act expand, and what did the USA Freedom Act rein back?
    • When does the duty to preserve evidence (the litigation hold) attach in civil litigation?

    What it tests. How the state and courts compel private-sector data: the law-enforcement authorities (subpoenas, court orders, search warrants, National Security Letters) and the statutes behind them such as ECPA and the Stored Communications Act, the national-security regime (FISA, USA PATRIOT Act, USA Freedom Act), and civil eDiscovery under the Federal Rules of Civil Procedure, including litigation holds and proportionality.

    How to study it. Rank the legal instruments by the standard each requires, from a subpoena up to a warrant, and tie each to its governing statute. Keep the national-security acronyms straight by what each one changed: PATRIOT expanded authorities, USA Freedom reined some back. For the civil side, anchor on the duty to preserve once litigation is reasonably anticipated (the litigation hold) and on proportionality as the limit on discovery. Lower weight, but the Fourth Amendment and ECPA distinctions are worth nailing.

    Easy to confuse

    • Subpoena versus search warrant. A subpoena compels production on a relevance standard and can be issued without prior judicial probable-cause review; a search warrant requires a judge to find probable cause first. The standard the scenario describes, mere relevance versus probable cause, tells you which instrument is in play.
    • National Security Letter versus FISA order. An NSL is issued administratively by the FBI without a court and reaches limited records such as subscriber and transaction data; a FISA order is issued by the FISA Court and can reach foreign-intelligence surveillance and, under Section 215, business records. The dividing line is the authoriser: an NSL needs no court, a FISA order requires the FISA Court.
    • PATRIOT Act versus USA Freedom Act. The PATRIOT Act broadened surveillance authorities after 2001; the USA Freedom Act of 2015 narrowed several of them, notably ending bulk telephony-metadata collection. If the scenario describes expansion of access, think PATRIOT; if it describes a curb or sunset on bulk collection, think USA Freedom.

    Worked example from the CIPP-US bank

    Free sample · Government and Court Access to Private-Sector Information · hard

    An FBI agent serves a provider with a National Security Letter and includes a nondisclosure requirement barring the provider from telling anyone, including the affected customer, that it received the NSL. The provider's counsel wants to know how the USA FREEDOM Act altered the legal posture of that nondisclosure requirement. Which statement is correct?

    • A. The provider may seek judicial review of the nondisclosure requirement, and the government must periodically reassess whether continued secrecy remains justified. (Correct)
    • B. The nondisclosure requirement is now permanent once imposed, and the provider has no statutory mechanism to seek its removal at any later time.
    • C. The nondisclosure requirement was abolished entirely, so providers receiving NSLs may now freely publish the specific contents of any NSL they receive.
    • D. The provider may disclose the NSL only after first obtaining written authorisation from the Foreign Intelligence Surveillance Court for each individual customer affected.
    USA FREEDOM added judicial review and periodic reassessment for National Security Letter nondisclosure requirements rather than abolishing them. The USA FREEDOM Act left NSL authority intact but reformed the gag provisions, giving recipients access to judicial review and obliging the government to reassess and terminate nondisclosure when secrecy is no longer needed.

    Why A is correct: USA FREEDOM established judicial-review procedures for NSL gag orders and reciprocal notice requiring the government to revisit whether nondisclosure is still warranted.

    Why B is wrong: Tempting because NSL gag orders were historically open-ended, but USA FREEDOM created review and termination mechanisms, so the gag is not permanent and unchallengeable.

    Why C is wrong: Tempting because reforms increased transparency, but USA FREEDOM did not abolish NSL gags; it added procedures and reciprocal-notice rules rather than removing them.

    Why D is wrong: Tempting because the FISC oversees national security matters, but NSL nondisclosure review runs through ordinary judicial-review procedures, not per-customer FISC authorisation.

  4. Workplace Privacy

    10% of exam

    What you must be able to do. Weigh the employee's reasonable expectation of privacy against the employer's interest, and apply the screening, monitoring, or post-employment rule that controls.

    In one sentence: Privacy across the employment life cycle: FCRA-governed screening, ECPA-bounded monitoring, and the obligations that persist after an employee leaves.

    Recall check: answer these from memory first
    • What FCRA steps must an employer follow before and after taking adverse action on a background check?
    • How does ECPA's consent exception let an employer monitor employee communications?
    • Name two privacy obligations that survive after an employee's departure.

    What it tests. Privacy in the employment relationship across its whole life: pre-employment screening under FCRA and state law (background checks, consumer reports, automated hiring tools), monitoring of employee communications, location, and activity within ECPA consent exceptions and state wiretapping laws, and the obligations that persist after employment ends, such as retention limits and reference-disclosure liability.

    How to study it. Frame each item around the employee's reasonable expectation of privacy and the employer's countervailing interest, because that balance decides most scenarios. For screening, reuse the FCRA adverse-action steps you learned in the private-sector domain. For monitoring, learn ECPA's consent exception and remember that some states require all-party consent, which changes the answer. This is a smaller domain and largely conceptual, so a focused pass plus practice secures the marks.

    Easy to confuse

    • One-party consent versus all-party consent states. Under ECPA and many states, one party to a communication consenting is enough to record it; some states require every party to consent. The same monitoring is lawful in a one-party state and unlawful in an all-party state, so the state named in the scenario can flip the answer.
    • Background check via a third party versus an internal check. When an employer uses a third-party consumer reporting agency, FCRA's disclosure, authorisation, and adverse-action duties apply; a purely internal check the employer conducts itself generally falls outside FCRA. Whether a consumer reporting agency is involved decides if FCRA controls.

    Worked example from the CIPP-US bank

    Free sample · Workplace Privacy · medium

    A staffing firm orders a report from a third-party agency that interviews a candidate's former neighbours and colleagues about the candidate's character, general reputation, and mode of living for a managerial role. Under the FCRA, how should this report be classified, and what extra duty does that classification trigger?

    • A. It is an ordinary consumer report, so the standard stand-alone disclosure and authorisation fully satisfy every FCRA obligation for this type of inquiry.
    • B. It is a credit report, which means the employer must certify a permissible purpose tied to the candidate's outstanding debts.
    • C. It is an investigative consumer report, which obliges the employer to notify the candidate that such a report may be obtained and to disclose the nature and scope on request. (Correct)
    • D. It is a public-record-only report, so the agency need not maintain procedures to ensure the interviewed information is accurate or current.
    Reports gathering character or reputation data through personal interviews are investigative consumer reports, adding nature-and-scope disclosure duties under FCRA. The investigative consumer report category exists because interview-based opinions about a person are more subjective and intrusive than record data, so FCRA layers on a duty to disclose the inquiry's nature and scope when asked.

    Why A is wrong: This is tempting because every investigative consumer report is also a consumer report, but the interview-based character information triggers the additional investigative disclosure duties that the ordinary process alone does not meet.

    Why B is wrong: Candidates may assume any agency report is credit-based, but interviews about reputation are not credit data, so framing this as a credit report and a debt-related permissible purpose misreads the report type.

    Why C is correct: When information about character, reputation, or mode of living is gathered through personal interviews, FCRA treats it as an investigative consumer report and adds a duty to give a clear and accurate disclosure of its nature and scope on request.

    Why D is wrong: This sounds plausible because reputation feels like public knowledge, but interview-derived character information is not a public record and the agency still owes reasonable-procedure accuracy duties.

  5. State Privacy Laws

    23% of exam

    What you must be able to do. Default to California, then judge whether a higher state floor, a comprehensive state law, BIPA, or a breach-notification rule changes the obligation.

    In one sentence: The fastest-changing material: preemption and the state floor, California's CCPA/CPRA as anchor, the comprehensive state laws beyond it, BIPA, and breach notification.

    Recall check: answer these from memory first
    • List the core consumer rights the CCPA as amended by the CPRA grants, including the opt-out of sale.
    • What makes BIPA distinctive among biometric laws, and why does its private right of action matter?
    • Name the four axes for comparing state breach-notification laws.

    What it tests. The fastest-changing material: how federal preemption and state authority interact and when state law sets a higher floor, the CCPA as amended by the CPRA (consumer rights, business obligations, opt-out of sale), the wave of comprehensive state laws beyond California such as Virginia, Colorado, and Connecticut, biometric and AI laws including BIPA's written-policy and consent rules, and the patchwork of state data-breach notification requirements.

    How to study it. Treat California as the anchor and learn the CCPA/CPRA rights and the opt-out of sale in detail, then learn the other comprehensive laws by how they differ from it (universal opt-out signals, data minimisation, consent for sensitive data) rather than from scratch. Hold BIPA's written-policy-and-consent requirement separately because it has a private right of action. For breach notification, compare laws along fixed axes: timing, covered data, who is notified, and the encryption safe harbour. Study from current sources, as this domain shifts year to year.

    Easy to confuse

    • CCPA opt-out of sale versus an opt-in consent regime. The CCPA/CPRA lets a business sell or share personal data unless the consumer opts out, whereas an opt-in regime forbids the use until the consumer affirmatively agrees. A right to stop a sale already under way points to California's opt-out model; a requirement to get permission first points to opt-in.
    • BIPA versus a comprehensive state privacy law. BIPA is a narrow Illinois statute governing biometric identifiers, with a written-policy-and-consent requirement and a private right of action; a comprehensive state law such as Virginia's CDPA covers personal data broadly and is enforced by the attorney general. Biometric data plus individual lawsuits points to BIPA; broad consumer rights enforced by a regulator points to the comprehensive laws.
    • Federal preemption versus the state floor. Preemption is when a federal law displaces conflicting state law; the state floor is when state law sets a higher standard that survives because the federal law sets only a minimum. If the scenario describes federal law overriding the state, that is preemption; if state law adds stricter protection on top, that is the floor.

    Worked example from the CIPP-US bank

    Free sample · State Privacy Laws · hard

    A bank that does business in several states uses a fully automated model to approve or deny consumer credit-line increases with no human involvement. Counsel is mapping which state comprehensive privacy laws give the consumer a right to opt out of this kind of profiling. Under the leading state comprehensive privacy model, what is the threshold that determines whether the consumer has an opt-out right over this automated decision?

    • A. Whether the automated model processes any personal data at all, since all automated processing triggers the profiling opt-out.
    • B. Whether the consumer has previously exercised a separate right to delete their personal data held by the bank.
    • C. Whether the profiling is carried out in furtherance of decisions that produce legal or similarly significant effects concerning the consumer. (Correct)
    • D. Whether the bank has annual revenue above a fixed dollar figure set by each state's profiling provision.
    Recognise that state comprehensive privacy laws tie the profiling opt-out to automated decisions producing legal or similarly significant effects on the consumer. Under the Virginia, Colorado, and Connecticut comprehensive privacy models, the consumer's right to opt out of profiling is limited to profiling in furtherance of decisions that produce legal or similarly significant effects, such as credit, housing, or employment outcomes, rather than to all automated processing.

    Why A is wrong: It is tempting to assume any automated processing triggers the right, but the opt-out is tied to significant-effect profiling, not to processing generally, so this overstates the scope.

    Why B is wrong: Deletion and profiling opt-out are independent rights, so making one a precondition of the other confuses two distinct consumer entitlements under these statutes.

    Why C is correct: State comprehensive laws such as the Colorado, Connecticut, and Virginia models grant an opt-out of profiling specifically when it is in furtherance of decisions producing legal or similarly significant effects, which a credit-line decision is.

    Why D is wrong: Revenue thresholds appear in the applicability sections of some privacy laws, but the profiling opt-out is defined by the nature of the decision and its effect, not by a revenue figure inside the profiling provision.

A study plan that works

  1. Map the blueprint and book a date

    Day 1

    Read the official IAPP exam blueprint and the five sections with their weights. Book a provisional exam date now: a fixed date converts open-ended reading into a plan and is the strongest predictor of actually sitting. Note that two sections, the private-sector limits and the introduction's information-management chapter, carry most of the marks.

  2. Lay the foundation (Introduction)

    Week 1

    Get the sources of US law, the enforcement roles, and the information-management discipline solid first, because every later domain assumes them. Be able to explain why there is no single federal privacy law and how FTC Act Section 5 fills the gap. Walk a data inventory through classification, flow mapping, and retention out loud without notes.

  3. Go deep on the sector laws (Private-Sector Limits)

    Weeks 2-3

    This is the heaviest domain, so spend the bulk of your time here. Build a one-line trigger for each statute (FTC, COPPA, HIPAA, HITECH, GLBA, FCRA/FACTA, FERPA, TCPA, TSR, CAN-SPAM) and drill the easily confused pairs side by side until you can pick the governing law from the actor and data type alone.

  4. Cover access, workplace, and the state patchwork

    Weeks 3-4

    Work through government and court access (rank the instruments by legal standard), workplace privacy (the expectation-of-privacy balance), and the state-law domain. Give California's CCPA/CPRA real time and learn the other comprehensive laws by how they diverge from it. Use current sources for state material because it changes year to year.

  5. Practise on scenarios with worked explanations

    Week 5

    Move to full practice sets and read the explanation on every question, including the ones you got right. The exam tests which statute actually governs a fact pattern, so understanding why a plausible distractor is wrong is where the marks are. Track which laws you keep confusing.

  6. Find and close your weak sections

    Week 5

    Use your per-domain accuracy to drill the two sections dragging your score down rather than re-reading what you already know. For most candidates the weak spots are the financial and health statutes or the newer state laws. Repeat until every domain clears the pass line with margin.

  7. Sit a timed mock and review it

    Week 6

    Take at least one full timed mock to rehearse pacing and flag-and-return across 90 questions in 150 minutes. Treat the score as a readiness signal, not a guarantee, then review every missed item before booking or sitting.

Know when you're ready

Readiness for the CIPP/US is a score on questions you have not seen before, not a feeling that the statutes are familiar. Those are different things, and the gap between them is where candidates fail. Re-reading the body of knowledge builds fluency, and fluency feels like mastery, so confidence climbs while real recall lags. The test is whether you can take a fresh fact pattern, name the actor and the data, and pick the governing law while explaining why each near-miss option is wrong. If you can do that on unseen scenarios, you know it; if you can only nod along to an explanation after the fact, you do not yet.

Be especially wary of early confidence on the sector laws, where the wrong answers are built from adjacent regimes that are real law in a neighbouring situation. Trust your measured per-domain accuracy over your gut, and set the bar at clearing the heavy private-sector and state-law domains comfortably across more than one practice session, not scraping the pass line once. The financial and health statutes and the newer state laws are the usual weak spots, so prove you have closed them on questions you have not met before.

This guide gives you the map of the patchwork. The practice bank is where you find out whether you can navigate it, with a worked explanation and a reason every distractor is wrong on every question. Readiness scoring tells you when you are there. Not before.


Exam-day tips

  • Read the last line of the question first. It tells you whether you are being asked about the governing law, a required action, or an exception, so you can read the scenario looking for that.
  • Identify the actor and the data type before you choose. The same facts can fall under GLBA, FCRA, or HIPAA depending on who is processing what, and that single read usually decides the answer.
  • Watch for absolutes such as always, never, all, and no exceptions. US privacy law is full of carve-outs and consent exceptions, so a sweeping option is usually the wrong one.
  • When two answers both look correct, pick the one whose statute actually governs the actor in the scenario. The exam rewards the most specific applicable law, not a generally true statement.
  • Flag and move on. Do not burn time on one hard statute question when easier marks are waiting; cover every question first, then return to the flagged ones.
  • For state-law questions, default to California unless the scenario names another state, but check whether a higher state floor or a universal opt-out signal changes the obligation.

Frequently asked questions

How do I pass CIPP/US?

Master the breadth rather than the depth: build a one-line trigger for every statute, drill the easily confused pairs (GLBA versus FCRA, HIPAA Privacy versus Security Rule), and put most of your time into the private-sector limits domain and the information-management chapter, which carry the most marks. Then practise on scenario questions with worked explanations until every section clears the pass line with margin.

Is CIPP/US hard?

It is hard because of breadth, not technical depth. There is no coding and no single law to learn; instead you must hold many statutes in your head and tell apart instruments that sound alike. Candidates who study the laws in isolation struggle; those who learn each law by who it regulates and what data it covers do better.

What is the pass mark for CIPP/US?

The passing score is 300 on IAPP's scaled range of 100 to 500, as shown in the facts panel above. Because the score is scaled, your raw percentage and the scaled score are not the same, so aim to clear every domain comfortably in practice rather than scraping a target percentage.

How long should I study for CIPP/US?

Most candidates need roughly four to eight weeks of focused study, more if US privacy law is new to you. The variable is how many statutes you already know; the breadth of material, not its difficulty, is what takes the time.

Do I need to be a lawyer to take CIPP/US?

No. The exam is aimed at privacy and compliance professionals, not only lawyers. You need to understand how the laws work and which one applies to a given situation, but you are not asked to argue case law or draft legal documents.

Which sections should I focus on?

The domain on limits to private-sector collection and use of data is the single heaviest, and the information-management chapter inside the introduction is flagged by the official study guide as the highest-weighted chapter. State privacy laws are also a large share. Put your time there, and keep government access and workplace privacy as lighter, mostly conceptual passes.

How current does my study material need to be for the state-law section?

Very current. The comprehensive state privacy laws and breach-notification rules change year to year, so study from up-to-date sources. Learn the California CCPA/CPRA in detail as the anchor, then learn the newer state laws by how they differ from it.

How many practice questions should I do before booking?

Enough that every section clears the pass line with margin on questions you have not seen before, and that a full timed mock feels comfortable on pacing across 90 questions in 150 minutes. Quality of review matters more than raw volume: read the explanation on every question, especially the statutes you keep confusing.

Is the CIPP/US worth it?

It is well suited to privacy and compliance professionals working in or with US organisations, where the patchwork of sector and state privacy law demands exactly the kind of jurisdictional fluency the credential tests. Many US privacy officer and compliance roles list it as preferred or required, and it pairs naturally with the CIPP/E for those advising across US and European jurisdictions.

Examworthy is not affiliated with or endorsed by IAPP. This guide is original study material based on the public exam blueprint. We never reproduce live exam items. CIPP-US and related marks belong to their respective owners.