My Thoughts on Studying, Taking, and Passing the IAPP CIPP/U.S Exam

3-30-19 UPDATE: I started an Internet Law Student Org at SCU law and in partnership with the Privacy Law Student Org, we created a collaborative Google Drive where we’re storing the same study resources listed below + more. If you have recently taken the exam and want to contribute your thoughts, please let me know and I’ll store your notes on the drive. We are also working on a project to create a multiple choice practice bank for the CIPP/US. Please email if you would like access to the drive and want to help with any of these efforts. Feel free to email me at if you want to discuss exam advice!

For an exam so heavily focused on information sharing, there’s a surprising lack of it between privacy professionals regarding this certification. I aim to change that by starting a collaborative, open source resource for those attempting to tackle this privacy achievement. I am writing these reflections roughly two hours after passing the exam in an effort to bring a fresh perspective on studying and acing the cert.

Online study resources are slim to none if you don’t count the resources you can (must) purchase from IAPP. Googling “how difficult is the CIPP/US exam” or “CIPP/US exam tips” will lead you to:

(Full bias disclosure: I am an SCU law student but the “helpful tactics” are actually helpful, especially the point about mastering the minutiae)

  • A slew of forums about how awful the test is and lawyers that claim to have 20+ years of privacy experience but still managed to fail the exam. I won’t link those here because I thoroughly advise you steer clear of those conversations. They’ll psych you out before you sit for the test. If you decide to venture down the forum path anyways, I can assure you I’ve read them and they are incredibly exaggerated and melodramatic. Tl;dr, take them with a grain of salt.

And that’s about it. Hence, my inspiration to start this conversation.

Studying for the CIPP/US

Time to Prepare:

IAPP recommends at least 30 hours of dedicated studying and prep time to pass. I studied for roughly 80 hours or 2 full weeks. Granted, I am what most consider a 0L having not started law school yet, so I was already at a disadvantage having to learn a lot of the legal basics (civ pro) that come naturally to most 1-3Ls and seasoned legal professionals. However, I still disagree with IAPP’s 30 hour recommendation. 80 hours is extreme, but in order to truly master the test, you have to master the 350+ page book. To most law students, 350 pages is a breeze, but the material is dense and some of the trickier chapters require extra attention. I would allot at least a full week (40 hours minimum) to full time, dedicated studying.

How to Prepare:

Read and master the book: Your sole priority for the next 40+ hours of time you’re willing to dedicate to this cert is to master the IAPP CIPP/US textbook. It’s not cheap but you most likely will not pass without it. The entire exam is regurgitated text from the book. My approach was to read the book in its entirety once while highlighting the crucial points. Then I went back to the denser chapters and re-read. Medical, Financial, and Workplace privacy make up the majority of the exam so I focused on those chapters specifically. After reading and re-reading, I watched the accompanying online training video from IAPP and took notes. The online training is not great and, looking back, I probably should have skipped it. It’s a watered down version of the text and, full warning, some of the material is flat out incorrect. It’s another available resource if you have time to kill and are looking for a primer to the textbook, but it’s definitely not a substitute for mastering the book.

Going back to the point about “mastering the minutiae,” it is important to study what may seem like arbitrary details about each of the laws. Questions like “CALEA is also known as _____” are silly, but fair game (the answer is the Digital Telephony Act). Yes, you also need to know the little nuances of most of the major state breach notification laws too. Specifically, California, Texas, Illinois, Tennessee, New Mexico, Delaware, Massachusetts, and Maryland, as each of these states added their own interesting privacy flair to their breach laws. Pay attention to the minor details.

Make Flashcards: The IAPP website has a glossary for all the CIPP/US terms. Go through it and make note cards for each one. I ran through my entire note card stack once because that’s all I needed after spending half a day just writing out the definitions by hand. The goal here isn’t necessarily to memorize the key terms, but instead, to recognize and understand them. The exam won’t ask “what’s the definition of preemption?” rather, it will use preemption or consent decree or habeas data casually in the question or scenario and you’ll need to understand the context to properly answer. In addition to the glossary terms, I would add some cards for the steps you need to take for a proper data loss prevention plan or the key points in building a privacy framework. There were a couple questions that asked what happens in the discover or build phases of a privacy plan where having the steps committed to memory made it ten times easier to answer.

Outline the textbook: The last major part of my studying plan was to take every law mentioned in the book and formally outline them. A frustrating aspect of the book is that they scatter the laws throughout the chapters. For instance, you’ll read about FCRA in the Financial Privacy chapter, but then the chapter about Workplace privacy will add more provisions. I hunted down all of the scattered provisions and combined them to get a full and complete picture of the law. While I recommend writing your own outline because it will help commit these laws to memory, I have attached a copy of my complete outline as an extra resource to review.

Take the Sample Exam: Just buy it. $25 is steep for 30 questions but just do it. You’ll thank yourself later when you see five or six of those questions on the actual exam. I wish I could post the sample exam here but getting sued by IAPP is not exactly on my law school bucket list.

Develop an interest in Privacy Law: This one should be obvious because why else are you studying for this cert? This is an optional study step but one I highly recommend. Before even deciding to take this exam, my natural interest and curiosity about privacy and internet law drove me to consume tons of news articles and blog posts about these subjects. When you become an IAPP member, you’ll gain access to their dashboard. Read the daily resources that are available to you. Follow other privacy professionals on Twitter. Read law blogs. Stay informed on current privacy laws in your state. I read the entire 10,000 word California Consumer Privacy Act before taking the test (don’t do this if you value your sanity). The more interested you are in the subject matter, the less memorization you’ll need and the easier it will become to retain the textbook material. Though out of scope, there were a couple GDPR questions on my exam today that were never brought up in the textbook. I was able to answer those questions only because of the outside reading I had done on GDPR prior to the exam. I imagine these were the “experimental” questions but you never know. Be interested and get informed! I added a list of blogs at the end that I follow that help me stay informed with current privacy and technology issues and discussions.

Taking the CIPP/US Exam

This test was by far one of the strangest exams I’ve taken since my operating systems final in undergrad. The exam is difficult even after you’ve dedicated the time and energy to the aforementioned study tips. The difficulty, however, stems less from your understanding of the material and more from the structure of the test itself. To throw IAPP the proverbial bone, it is a relatively new exam and I imagine the test makers do not have an easy job. Be prepared for grammatical issues, typos, and bizarre attempts at asking the same question two or three different times. My best advice is to go slow and read the questions carefully. You have about 1.6 minutes per question given the 150 minute time limit so that’s plenty of time to take the exam at a relatively slow pace. Be on the watch for double negatives and the notorious EXCEPT questions (think LSAT). On that same note, I tackled the exam similarly to how I tackled the LSAT. Read the question, take an educated guess as to what the answer should be, pick the choice that best matches your guess. Some of the multiple choice options are identical down to one or two words (“and” switched out for an “or” for example) so you have to read the choices carefully too. The test structure is 90 standard multiple choice questions with five or so scenario type questions thrown in the mix. For the scenario based questions, I recommend the familiar issue spotting technique. The scenarios are riddled with obvious privacy issues that IAPP wants you to pick out. Spot them, mentally mark them, and fly through the questions.


The CIPP/US exam isn’t as difficult as people online make it out to be. It’s relatively tame compared to, you know, your state bar exam for example. It’s the test structure and the lack of online resources that make it seemingly daunting and unnecessarily mysterious. Put in the time and effort to master the book, get informed about privacy in the news, and ignore the negativity online and you’ll be golden. I attached my outline and some other study resources below:

Other Study Resources:

My outline:

This awesome Quizlet set (not mine):

Privacy, Technology, and Internet law blogs I follow:

26 thoughts on “My Thoughts on Studying, Taking, and Passing the IAPP CIPP/U.S Exam”

  1. So happy I came across this blog! I’m in a similar boat that you were in approaching this. Do you have a form of contact or welcome questions? I just started studying.


  2. Just read this blog. It was very helpful. Thank you for posting your outline. Do you have the flash cards you made too? My friend and I (both attorneys) are thinking of signing up for a course offered through IAPP and it’s not cheap. Is it worth taking the course or is this something that can be done through self-study?

    Thank you for all your help in advance.



    1. Hey Anna! Glad the blog post is helpful! Thank you for the note. I don’t have the flashcards I made anymore because I wrote them manually. I just re-copied the IAPP glossary (highly recommend you do that too!). I did not sign up for the course. I did the online modules that came with the registration (are they still offering those?). Those were helpful but I think the best way to study was reading the entire textbook all the way through and focusing on trickier chapters. Building your own outline from scratch is also a great way to study (like you prob did in law school!). Since I’m not sure about the IAPP course, I can’t give great advice on it but if it’s anything like the practice questions they offer, I imagine it’s not very worth it. I did self-study for 2 weeks, 80 hours and passed with flying colors :). Feel free to shoot me an email if you want to discuss further:


  3. Hello Jess,

    Thank you for your post. This is definitely very helpful. My friend and I, both attorneys, are thinking about getting certified and had a few questions. We both work for the feds. Is this certification also good for fed employees? Also, is it worth taking the training program which costs $$$$? Or can we just do it on our own and take the test?

    Thank you for your help in advance.



    1. Hey Anna! See my reply to your last comment.

      I used to work for DHS and I will say my privacy background was helpful but definitely not crucial. It depends on the work you’re doing. You may want to run it by your employer and see what they think first. Otherwise, the cert is fantastic in general, especially if you want to ever leave the federal sector.


  4. Hello All,
    I am very glad to have stumbled on this blog. Thank you so much. BTW, I am prepping into the privacy career sector in and I plan to take the CIPP/US/E in two months. Please I need every support from you and anyone in this forum.

    Thanks in advance

  5. Thanks for writing this post! It has answered a lot of questions I had when I was beginning my planning on how to prep for the test.

    One question, did you outline from the first or second edition of the book?

  6. I’m glad you’re doing this for prospective/aspiring privacy professionals! I’m a newly incoming 1L student to SCU from this fall and excited to get to know more about the privacy law and opportunities coming along with it! And I like your philosophy of sharing information with comrades! 🙂


    1. Hey Veronica! Thanks for the awesome note and for reaching out. So excited to hear you’ll be attending SCU Law! If you haven’t had the chance yet, I did an FAQ about SCU and the Tech Edge program a week ago:

      Also, please feel free to reach out to me on Twitter, Facebook, LinkedIn or email ( if you want to chat about law school or grab coffee/get a tour of Charney!


  7. Thank you for sharing your experience and tips! I’ve been (very slowly) studying but haven’t been getting very far. Reading this has motivated me to kick myself in the rear and get to studying, so I can pass the exam and move on with my life. 🙂


    1. Hi Melissa, I’m in the same boat as you, studying very slowly and having a hard time motivating myself to bear down and study. I too would like to study, pass the CIPP/US exam and get on with my life. Do you want to keep in contact and use each other as motivators and to keep each other accountable? I took the training class last October and now it’s June and I’m still nowhere near ready to take the exam.


  8. Thank you so much for doing this. I plan on taking the test in Dec or Jan, though I am working full time & a full time mom after my 9-5 career. How much time would you allot to prepare for this test, if you’re working full time & the only thing you have to study is max 60 to 90 mins a day?

    Can you please post your outline? I am not able to get onto it from my computer. I got an error message- that the website was not properly configured and my computer is blocking access. Thank you again!!


  9. Jess,

    I want to thank you for putting in the work and understanding the value of giving back once you’ve passed a milestone. The information you’ve provided is very accurate and helpful. I’m an attorney a year out of school and took the test last month, only to miss the mark by 3 questions. I prepared in the fashion of which I did for the bar and for any law school exam I’ve ever taken (very similar to what you seemed to have done in your preparation).

    I was taken aback at how seemingly easy the practice questions were in comparison to the actual test itself. The practice questions (of which I accumulated maybe 50-60) had some difficult questions, but here and there some obvious answers. I believe the difficulty on the actual exam stemmed from the difference between what the questions were truly getting at compared to your average law school exams.

    The questions seemed to focus on small and frivolous details, rather than get at the substance of a statute, which would actually recognize your ability to work as a professional in the field (I believe this is an unfair/needless testing method in comparison). I didn’t hit a streak in the text where I felt my preparation had truly paid off. Additionally, there wasn’t a single question on my version regarding any technical aspects (HTML, cookies, spyware etc) whatsoever which I found bizarre. The wording itself of the questions seemed very confusing at times – for example “which decision should a business owner make regarding privacy”, and all of the answers are relevant for different reasons.

    Regardless, I’m curious if you have advice how to prepare for a test that seems to focus on the small details that attorneys seemed to be taught to ignore. I’d think flash cards and committing to memory are some of the only tools in our arsenal to combat this concept. If you have any thoughts on the matter, I’d love to hear them. Thanks again for creating some really useful material. I hope you continue to do so.


  10. Thanks very much for this post Jess. I have avoided reading exam reviews since I wrote the CIPP/E because I found them overly dramatic and misleading. However, CIPP/US is my last exam and I was finding studying frustrating and slow compared to CIPP/C, CIPP/E and CIPM. Your outline has helped a lot as has your advice on what to focus on. I think my biggest problem is the lack of an overriding federal privacy law as compared to other jurisdictions and therefore the need to study various industry specific laws instead. As a Canadian trained lawyer this isn’t what I’m used to.

    I just wanted to add a few things with regard to my experience with studying for and writing three CIPP exams to date. With regard to the exams I’ve done so far I’ve found every one of them frustrating, unclear and in general not anything like the practice questions. I was surprised at the typos, the lack of specificity in the questions relating to the case studies and the lack of technical questions. That said, I also acknowledge the fact that there are non-lawyers taking these exams so they need to make them accessible to a wider audience. If you are a lawyer by trade try and ignore the way you were taught to approach exam questions in law school. You’ll end up frustrated if you try and approach it like a law school exam question. I don’t think the IAPP is trying for “gotcha” questions but as others have noted I also don’t understand their exam philosophy because I didn’t feel that any of the exams truly tested my knowledge of the subject and my ability to apply it which presumably I would be doing working as a privacy professional.

    For those asking about the online training I did it for the CIPP/E and found it a waste of time and extremely expensive for what you get which is essentially a recorded version of someone lecturing on a chapter of the text and some test questions which follow related to that chapter. The test questions gave me a false sense of security that I knew the material and weren’t reflective of the actual exam questions. In my opinion it didn’t help with the studying so I’ve avoided them for the remaining certifications and I managed to pass the CIPM and CIPP/C on the first try without it.

    As Jess mentioned the best way I’ve found to prepare for any of these exams is slog through the books, make notes and memorize. Also keep an eye out for small details that you don’t think matter but which they will pull out and test you on. I set out a schedule to do all the exams within a year and I booked each exam on that schedule so that it forced me to concentrate on getting the studying done and the exam written.


  11. Thank you, Jess! I just passed the bar exam out in Colorado and wanted to get CIPP certified as well, and – like you said – couldn’t find any great resources on the exam. Your message board was, by far, the best resource I found on this test in regards to what to expect and what resources are helpful to study and not to study. Thank you so much! If there is anything I can do to add to the resources, let me know (I’m just starting my studying routine, but would be happy to add to your sources when I have some more to add later). I’m a huge fan of open-sourcing information – love what you’re doing!


  12. Dang, this is amazing! Thank you! I just started studying for this thing and it all seemed like a mystery of an exam! Thanks and I will reach out for material soon!

    Thanks again,



  13. Jess, thank you so much for posting this information! It is the most well organized detailed advice I have seen for passing the exam. I have been studying off and on for the past year, while working full-time in regulatory compliance at a financial institution. I know I need to buckle down and get on with a formal study plan for passing the exam early next year. Your blog post has been a great encouragement and provided me with some great resources!

    Wishing you the best in your studies!

