CIPP/US Exam Strategy, Study Materials, Thoughts, and Tips

The IAPP’s Certified Information Privacy Professional is the current industry go-to for privacy practitioner certifications. There are several flavors based on jurisdictions – CIPP/E (for Europe), CIPP/US (for US), etc.

CIPP/US was the first certification that I obtained from the IAPP. The exam was harder than I thought it would be but I still managed to pass on the first attempt. Below are my thoughts and tips on studying for the exam and how to approach the exam.

The primary textbook from IAPP is essential: U.S. Private-Sector Privacy, second edition.

The granularity of info you need to know from the various US sectoral privacy laws was shocking to me.

I was 30-ish questions into the exam when I thought “there goes $550 down the drain.” I made it with plenty of room to spare but it was worrisome there for a bit.

So, understand the laws from a high-level perspective and know where things like the Red Flags Rule come from, which federal laws preempt state laws, the time periods for breach notice under the various laws, exceptions to consent, safe harbors for particular laws, and a variety of specific state laws.

Additionally, the amount of info surrounding more principled privacy actions was surprising. Understand the textbook versions of privacy program development and which things fit into which steps of the process. I was really uncomfortable with the amount of detail asked about FIPs, the APEC Privacy Framework and the 2012 privacy reports from the Obama White House and the FTC. I knew high-level stuff but I was really guessing at the particularity of the info they were seeking. There were even a couple of CCPA questions, which I was surprised to see already.

My worst area of performance was workplace privacy, which I certainly felt during the exam. If you have done employment law, practical experience in this area should give you an upper hand.

The one good thing about the exam for fellow attorneys is that there are a bunch of softball questions about the branches of government and basic civil procedure topics that any lawyer will consider gimmes.

There’s a great textbook outline from a law student (available here), which is more helpful for a high-level understanding of the various laws but it’s far from a comprehensive outline of the book. I scribbled additional notes on mine to help me out for concepts where I was struggling to recall particulars.

I read the textbook twice in the month before the exam and used it for reference as I took practice tests. Again, it’s essential.

I also used some Quizlet flashcards that people had made available to flip through on my phone when I had a few minutes. I found this set pretty useful but not 100% the way I would’ve made them. (Of course, they were already made, so I can’t complain too much.)

I also dug up summaries of various state laws that were listed in the body of knowledge for the exam. And, that’s another thing. The textbook is not comprehensive. There were some specific COPPA notice requirements questions on the exam that I don’t recall seeing in the book.

I also bought the IAPP sample questions. There are only 30 of them. They give you a decent overview of the “form” of the questions, but I felt the questions on the actual exam were significantly tougher.

I also bought a full 90-question practice exam from an unofficial source as an Amazon ebook. It’s pretty good and gives you a flavor for what the exam feels like, but I felt it was quite a bit easier than the real exam. I’d suggest not attempting the practice questions until you feel you have a solid handle on the material, because there really are not many sources to get a feel for the exam.

In the end, a pass is a pass. And obviously, there’s enough info in these materials to pass the exam. I’d just spend more time in the details if I were doing it again. If you have hands-on experience in privacy and tech law, it will be beneficial in your studies.

Feel free to ask questions or offer additional advice in the comments below.

Join the Conversation

  1. Are there specific types of questions that you recall that you can elaborate on? It was really helpful when you said there are questions related to preemption, for example. What other themes did you notice? Are there a lot of hypos? Or more detail-oriented regurgitation-type questions?

  2. Do you have to memorize all the fine amounts for the different violations (for example: HIPAA)? Thanks for sharing your tips.