6-18-20 UPDATE: We have turned over the Google Drive resource project to the Privacy Law Student Organization at SCU Law. If you would like access to exam notes, outlines, and practice Q’s we’ve created, please send a quick request to join the drive to firstname.lastname@example.org. You can also join their CIPP mailing list here.
Fair warning, the following post is almost two years old.
For an exam so heavily focused on information sharing, there’s a surprising lack of it between privacy professionals regarding this certification. I aim to change that by starting a collaborative, open source resource for those attempting to tackle this privacy achievement. I am writing these reflections roughly two hours after passing the exam in an effort to bring a fresh perspective on studying and acing the cert.
Online study resources are slim to none if you don’t count the resources you can (must) purchase from IAPP. Googling “how difficult is the CIPP/US exam” or “CIPP/US exam tips” will lead you to:
(Full bias disclosure: I am an SCU law student but the “helpful tactics” are actually helpful, especially the point about mastering the minutiae)
- A slew of forums about how awful the test is and lawyers that claim to have 20+ years of privacy experience but still managed to fail the exam. I won’t link those here because I thoroughly advise you steer clear of those conversations. They’ll psych you out before you sit for the test. If you decide to venture down the forum path anyways, I can assure you I’ve read them and they are incredibly exaggerated and melodramatic. Tl;dr, take them with a grain of salt.
And that’s about it. Hence, my inspiration to start this conversation.
Studying for the CIPP/US
Time to Prepare:
IAPP recommends at least 30 hours of dedicated studying and prep time to pass. I studied for roughly 80 hours or 2 full weeks. Granted, I am what most consider a 0L having not started law school yet, so I was already at a disadvantage having to learn a lot of the legal basics (civ pro) that come naturally to most 1-3Ls and seasoned legal professionals. However, I still disagree with IAPP’s 30 hour recommendation. 80 hours is extreme, but in order to truly master the test, you have to master the 350+ page book. To most law students, 350 pages is a breeze, but the material is dense and some of the trickier chapters require extra attention. I would allot at least a full week (40 hours minimum) to full time, dedicated studying.
How to Prepare:
Read and master the book: Your sole priority for the next 40+ hours of time you’re willing to dedicate to this cert is to master the IAPP CIPP/US textbook. It’s not cheap but you most likely will not pass without it. The entire exam is regurgitated text from the book. My approach was to read the book in its entirety once while highlighting the crucial points. Then I went back to the denser chapters and re-read. Medical, Financial, and Workplace privacy make up the majority of the exam so I focused on those chapters specifically. After reading and re-reading, I watched the accompanying online training video from IAPP and took notes. The online training is not great and, looking back, I probably should have skipped it. It’s a watered down version of the text and, full warning, some of the material is flat out incorrect. It’s another available resource if you have time to kill and are looking for a primer to the textbook, but it’s definitely not a substitute for mastering the book.
Going back to the point about “mastering the minutiae,” it is important to study what may seem like arbitrary details about each of the laws. Questions like “CALEA is also known as _____” are silly, but fair game (the answer is the Digital Telephony Act). Yes, you also need to know the little nuances of most of the major state breach notification laws too. Specifically, California, Texas, Illinois, Tennessee, New Mexico, Delaware, Massachusetts, and Maryland, as each of these states added their own interesting privacy flair to their breach laws. Pay attention to the minor details.
Make Flashcards: The IAPP website has a glossary for all the CIPP/US terms. Go through it and make note cards for each one. I ran through my entire note card stack once because that’s all I needed after spending half a day just writing out the definitions by hand. The goal here isn’t necessarily to memorize the key terms, but instead, to recognize and understand them. The exam won’t ask “what’s the definition of preemption?” rather, it will use preemption or consent decree or habeas data casually in the question or scenario and you’ll need to understand the context to properly answer. In addition to the glossary terms, I would add some cards for the steps you need to take for a proper data loss prevention plan or the key points in building a privacy framework. There were a couple questions that asked what happens in the discover or build phases of a privacy plan where having the steps committed to memory made it ten times easier to answer.
Outline the textbook: The last major part of my studying plan was to take every law mentioned in the book and formally outline them. A frustrating aspect of the book is that they scatter the laws throughout the chapters. For instance, you’ll read about FCRA in the Financial Privacy chapter, but then the chapter about Workplace privacy will add more provisions. I hunted down all of the scattered provisions and combined them to get a full and complete picture of the law. While I recommend writing your own outline because it will help commit these laws to memory, I have attached a copy of my complete outline as an extra resource to review.
Take the Sample Exam: Just buy it. $25 is steep for 30 questions but just do it. You’ll thank yourself later when you see five or six of those questions on the actual exam. I wish I could post the sample exam here but getting sued by IAPP is not exactly on my law school bucket list.
Develop an interest in Privacy Law: This one should be obvious because why else are you studying for this cert? This is an optional study step but one I highly recommend. Before even deciding to take this exam, my natural interest and curiosity about privacy and internet law drove me to consume tons of news articles and blog posts about these subjects. When you become an IAPP member, you’ll gain access to their dashboard. Read the daily resources that are available to you. Follow other privacy professionals on Twitter. Read law blogs. Stay informed on current privacy laws in your state. I read the entire 10,000 word California Consumer Privacy Act before taking the test (don’t do this if you value your sanity). The more interested you are in the subject matter, the less memorization you’ll need and the easier it will become to retain the textbook material. Though out of scope, there were a couple GDPR questions on my exam today that were never brought up in the textbook. I was able to answer those questions only because of the outside reading I had done on GDPR prior to the exam. I imagine these were the “experimental” questions but you never know. Be interested and get informed! I added a list of blogs at the end that I follow that help me stay informed with current privacy and technology issues and discussions.
Taking the CIPP/US Exam
This test was by far one of the strangest exams I’ve taken since my operating systems final in undergrad. The exam is difficult even after you’ve dedicated the time and energy to the aforementioned study tips. The difficulty, however, stems less from your understanding of the material and more from the structure of the test itself. To throw IAPP the proverbial bone, it is a relatively new exam and I imagine the test makers do not have an easy job. Be prepared for grammatical issues, typos, and bizarre attempts at asking the same question two or three different times. My best advice is to go slow and read the questions carefully. You have about 1.6 minutes per question given the 150 minute time limit so that’s plenty of time to take the exam at a relatively slow pace. Be on the watch for double negatives and the notorious EXCEPT questions (think LSAT). On that same note, I tackled the exam similarly to how I tackled the LSAT. Read the question, take an educated guess as to what the answer should be, pick the choice that best matches your guess. Some of the multiple choice options are identical down to one or two words (“and” switched out for an “or” for example) so you have to read the choices carefully too. The test structure is 90 standard multiple choice questions with five or so scenario type questions thrown in the mix. For the scenario based questions, I recommend the familiar issue spotting technique. The scenarios are riddled with obvious privacy issues that IAPP wants you to pick out. Spot them, mentally mark them, and fly through the questions.
The CIPP/US exam isn’t as difficult as people online make it out to be. It’s relatively tame compared to, you know, your state bar exam for example. It’s the test structure and the lack of online resources that make it seemingly daunting and unnecessarily mysterious. Put in the time and effort to master the book, get informed about privacy in the news, and ignore the negativity online and you’ll be golden. I attached my outline and some other study resources below:
Other Study Resources:
My outline: http://bit.ly/2zFCSC2
This awesome Quizlet set (not mine): https://quizlet.com/14976513/cippus-flash-cards/?x=1jqU&i=2cuyl
Privacy, Technology, and Internet law blogs I follow:
54 thoughts on “My Thoughts on Studying, Taking, and Passing the IAPP CIPP/U.S Exam”
Thank you for this. I am preparing to sit for the exam in early November and am noting all your good advice.
No problem at all! Let me know if you have any other questions! Happy to help. email@example.com
So happy I came across this blog! I’m in a similar boat that you were in approaching this. Do you have a form of contact or welcome questions? I just started studying.
Hey John! Happy to help in any way. Feel free to shoot me an email at firstname.lastname@example.org or tweet/DM me @jess_miers. I’m also on LinkedIn as Jess Miers.
Thanks for the quick response! I sent you over an email.
Just read this blog. It was very helpful. Thank you for posting your outline. Do you have the flash cards you made too? My friend and I (both attorneys) are thinking of signing up for a course offered through IAPP and it’s not cheap. Is it worth taking the course or is this something that can be done through self-study?
Thank you for all your help in advance.
Hey Anna! Glad the blog post is helpful! Thank you for the note. I don’t have the flashcards I made anymore because I wrote them manually. I just re-copied the IAPP glossary (highly recommend you do that too!). I did not sign up for the course. I did the online modules that came with the registration (are they still offering those?). Those were helpful but I think the best way to study was reading the entire textbook all the way through and focusing on trickier chapters. Building your own outline from scratch is also a great way to study (like you prob did in law school!). Since I’m not sure about the IAPP course, I can’t give great advice on it but if it’s anything like the practice questions they offer, I imagine it’s not very worth it. I did self-study for 2 weeks, 80 hours and passed with flying colors :). Feel free to shoot me an email if you want to discuss further: email@example.com
Thank you for your post. This is definitely very helpful. My friend and I both attorneys are thinking about getting certified and had a few questions. We both work for the feds. Is this certification also good for fed employees? Also, is it worth taking the training program which costs $$$$? or can we just do it on our own and take the test?
Thank you for your help in advance.
Hey Anna! See my reply to your last comment.
I used to work for DHS and I will say my privacy background was helpful but definitely not crucial. It depends on the work you’re doing. You may want to run it by your employer and see what they think first. Otherwise, the cert is fantastic in general, especially if you want to ever leave the federal sector.
Flexibility to be solid on both private and public sector is what I desire
I am very glad to have stumbled on this blog. Thank you so much. BTW, I am prepping into the privacy career sector in and I plan to take the CIPP/US/E in two months. Please I need every support from you and anyone in this forum.
Thanks in advance
Congrats on taking the first step in your privacy career! Please let me know how else I can help! reach out at firstname.lastname@example.org
Thanks for writing this post! It has answered a lot of questions I had when I was beginning my planning on how to prep for the test.
One question, did you outline from the first or second edition of the book?
Hey! Glad the post is helpful! I outlined from the second edition 🙂
feel free to reach out with any questions: email@example.com
I’m glad you’re doing this for prospective/aspiring privacy professionals! I’m a newly incoming 1L student to SCU from this fall and excited to get to know more about the privacy law and opportunities coming along with it! And I like your philosophy of sharing information with comrades! 🙂
Hey Veronica! Thanks for the awesome note and for reaching out. So excited to hear you’ll be attending SCU Law! If you haven’t had the chance yet, I did an FAQ about SCU and the Tech Edge program a week ago: https://ctrlaltdissent.com/2019/04/13/faqs-about-santa-clara-law-the-tech-edge-j-d/
Also, please feel free to reach out to me on Twitter, Facebook, LinkedIn or email (firstname.lastname@example.org) if you want to chat about law school or grab coffee/get a tour of Charney!
Thank you so much Jen. I appreciate all the tips and info regarding this exam.
Thank you for sharing your experience and tips! I’ve been (very slowly) studying but haven’t been getting very far. Reading this has motivated me to kick myself in the rear and get to studying, so I can pass the exam and move on with my life. 🙂
Hi Melissa, I’m in the same boat as you, studying very slowly and having a hard time motivating myself to bear down and study. I too would like to study, pass the CIPP/US exam and get on with my life. Do you want to keep in contact and use each other as motivators and to keep each other accountable? I took the training class last October and now it’s June and I’m still nowhere near ready to take the exam.
Thank you so much for doing this. I plan on taking the test in Dec or Jan, though I am working full time & a full time mom after my 9-5 career. How much time would you allot to prepare for this test, if you’re working full time & the only thing you have to study is max 60 to 90 mins a day?
Can you please post your outline? I am not able to get onto it from my computer. I got an error message- that the website was not properly configured and my computer is blocking access. Thank you again!!
I want to thank you for putting in the work and understanding the value of giving back once you’ve passed a milestone. The information you’ve provided is very accurate and helpful. I’m an attorney a year out of school and took the test last month, only to miss the mark by 3 questions. I prepared in the fashion of which I did for the bar and for any law school exam I’ve ever taken (very similar to what you seemed to have done in your preparation).
I was taken aback at how seemingly easy the practice questions were in comparison to the actual test itself. The practice questions (of which I accumulated maybe 50-60) had some difficult questions, but here and there some obvious answers. I believe the difficulty on the actual exam stemmed from the difference between what the questions were truly getting at compared to your average law school exams.
The questions seemed to focus on small and frivolous details, rather than get at the substance of a statute, which would actually recognize your ability to work as a professional in the field (I believe this is an unfair/needless testing method in comparison). I didn’t hit a streak in the text where I felt my preparation had truly paid off. Additionally, there wasn’t a single question on my version regarding any technical aspects (HTML, cookies, spyware etc) whatsoever which I found bizarre. The wording itself of the questions seemed very confusing at times – for example “which decision should a business owner make regarding privacy”, and all of the answers are relevant for different reasons.
Regardless, I’m curious if you have advice how to prepare for a test that seems to focus on the small details that attorneys seemed to be taught to ignore. I’d think flash cards and committing to memory are some of the only tools in our arsenal to combat this concept. If you have any thoughts on the matter, I’d love to hear them. Thanks again for creating some really useful material. I hope you continue to do so.
Thanks very much for this post Jess. I have avoided reading exam reviews since I wrote the CIPP/E because I found them overly dramatic and misleading. However, CIPP/US is my last exam and I was finding studying frustrating and slow compared to CIPP/C, CIPP/E and CIPM. Your outline has helped a lot as has your advice on what to focus on. I think my biggest problem is the lack of an overriding federal privacy law as compared to other jurisdictions and therefore the need to study various industry specific laws instead. As a Canadian trained lawyer this isn’t what I’m used to.
I just wanted to add a few things with regard to my experience with studying for and writing three CIPP exams to date. With regard to the exams I’ve done so far I’ve found every one of them frustrating, unclear and in general not anything like the practice questions. I was surprised at the typos, the lack of specificity in the questions relating to the case studies and the lack of technical questions. That said, I also acknowledge the fact that there are non-lawyers taking these exams so they need to make them accessible to a wider audience. If you are a lawyer by trade try and ignore the way you were taught to approach exam questions in law school. You’ll end up frustrated if you try and approach it like a law school exam question. I don’t think the IAPP is trying for “gotcha” questions but as others have noted I also don’t understand their exam philosophy because I didn’t feel that any of the exams truly tested my knowledge of the subject and my ability to apply it which presumably I would be doing working as a privacy professional.
For those asking about the online training I did it for the CIPP/E and found it a waste of time and extremely expensive for what you get which is essentially a recorded version of someone lecturing on a chapter of the text and some test questions which follow related to that chapter. The test questions gave me a false sense of security that I knew the material and weren’t reflective of the actual exam questions. In my opinion it didn’t help with the studying so I’ve avoided them for the remaining certifications and I managed to pass the CIPM and CIPP/C on the first try without it.
As Jess mentioned the best way I’ve found to prepare for any of these exams is slog through the books, make notes and memorize. Also keep an eye out for small details that you don’t think matter but which they will pull out and test you on. I set out a schedule to do all the exams within a year and I booked each exam on that schedule so that it forced me to concentrate on getting the studying done and the exam written.
Thank you, Jess! I just passed the bar exam out in Colorado and wanted to get CIPP certified as well, and – like you said – couldn’t find any great resources on the exam. Your message board was, by far, the best resource I found on this test in regards to what to expect and what resources are helpful to study and not to study. Thank you so much! If there is anything I can do to add to the resources, let me know (I’m just starting my studying routine, but would be happy to add to your sources when I have some more to add later). I’m a huge fan of open-sourcing information – love what you’re doing!
Dang, this is amazing! Thank you! I just started studying for this thing and it all seemed like a mystery of an exam! Thanks and I will reach out for material soon!
Jess, thank you so much for posting this information! It is the most well organized detailed advice I have seen for passing the exam. I have been studying off and on for the past year, while working full-time in regulatory compliance at a financial institution. I know I need to buckle down and get on with a formal study plan for passing the exam early next year. Your blog post has been a great encouragement and provided me with some great resources!
Wishing you the best in your studies!
Thank you so much for this post! It was very helpful, and like you mentioned, good info is hard to come by on this topic online! I will email you for access to the drive :). Thanks again!
Hi Jess, I came across your site a few weeks ago whilst in the midst of preparing for the CIPP/US exam. I was really struggling with how the information is laid out in the text book. Nothing was sinking in and I rescheduled the exam twice. It really isn’t the best IAPP book. I absolutely agree that a frustrating aspect is that they scatter the laws throughout the chapters but your outline saved me A LOT of time.
I sat it last week, the exam is difficult, no other way to describe it and I passed the CIPP/E CIPM & CIPT with ease but for anyone preparing for CIPP/US; familiarise yourself with the book inside out. INSIDE OUT. Every chapter is called out but there are a lot of questions on workplace privacy, HIPAA and Financial so know those chapters off by heart. Don’t overlook those long lists on items when studying either because there are lots of questions where you have to pick the odd one out. Information Management comes up a few times as does breach notification laws; be aware of the laws in the knowledge of text.
There are a fair few long scenario questions, I left those until the end and went through the short questions. By the time I had finished those, I was able to read and reread the scenarios thoroughly before tackling the questions some of which were very tricky.
Unlike the other IAPP exams that I have sat, I honestly did not think I had passed and resigned myself to having to resit it, so you can imagine my absolute shock when I ended it and saw CONGRATULATIONS on the screen in front of me. I was given my scores where in all five domains I scored 70% and above. Again, I had no idea that I had done so well because those questions were very difficult. I floated out of the exam room and took me myself and I to dinner & cocktails to celebrate.
However, I wanted to come back and personally thank you for your advice and also your outline of the laws. Reading through that list all day before I sat the exam in the late afternoon, ensured that all the laws under each sector were at the front of my mind. Thank you ! Thank you ! Thank you ! You were a lifesaver.
Hi Gabriella, thank you so much for the very insightful information! I really can use all the help I can get haha. Would you please be kind enough to answer the following questions I have:
1. Do you recall if specific case studies were called upon (for example, “What happened with Gateway?”)
2. Do you recall if specific time frames were tested (“How long does a company have to notify of a breach?”)
3. Do you recall if specific violation amounts were tested?
4. I have read that the most important attributes are to know the pre emption status of laws, know the opt-in / opt-out requirements, private right of action or not, and who enforces laws. Would you say this is the most important information?
5. Were there any questions on the California Consumer Privacy Act
6. Roughly how many hours would you say you studied?
Gabriella, I’m a non-atty working in privacy technology for a large internet firm here in Silicon Valley. If you had to take just 1 CIPP exam to improve your marketability, would you recommend CIPT or the CIPP/E (for GDPR) or the revised CIPP/US (when it comes out)? This blog seems to create the impression that the /US exam is the hardest too. Thanks in advance. Ben
Ben, everyone who comes to me for advice on where to start, I always tell them that anything you learn about data privacy will have had its grounding in European data privacy first and therefore although the CIPT seems like a good exam for your role, I would suggest the CIPP/E first. It means that if you do decide to study the CIPT later a lot of it will be easier to understand if you have the gist of the data privacy principles first.
Great Blog and Content. Could you please grant me access to Google Drive? I have already sent you the mail.
Whoa, this is amazingly helpful. Thank you for providing the additional resources at the bottom of the blog! You rock.
Happy to report that I took the CIPP-US exam last week and passed. Jess’ outline proved to be incredibly helpful.
Thank you so much. I just read your blog and it was very helpful. Thank you for posting your outline also and all the material. Is access to the Google Drive available for extra learning material?
Thank you, Jess. I took the CIPP/US yesterday and passed with good grades. It felt daunting when I started thinking about writing it in January, but your article helped bring sanity. I read the notes on the Drive before I read the textbook. Mostly because I find IAPP textbooks boring (CIPP/E & CIPM especially). The notes really helped me understand the textbook better. I read some chapters (for eg workplace privacy) twice. I purchased the US Privacy Professional Practice Exam by Jasper Jacobs. It mirrored the IAPP exam format. I was going to purchase the IAPP CIPP/US practice test but decided against it at the last minute because I was out of time. I studied for 1 week (roughly 40 hours).
Just wanted to add that my scores for the domains I – V were 82%, 50%, 100%, 90% & 57%. The questions are scattered but a lot were on HIPAA/HITECH, FACTA, FCRA & workplace privacy.
Could you please tell me the textbook he is referring to
Likewise, want to say thanks to Jess for having put this guide together. First spurred my decision to take the exam. I sat it this afternoon and passed, and found the following invaluable:
1. Jess’s overview regarding approx. amount of study time needed
2. The exam blueprint published by IAPP where they indicate how many questions to expect from each of the five parts of the exam
3. Reading the IAPP text book cover to cover
4. Outlining chapters 6 – 11 of the book
5. Taking the CIPP and Jasper Jacobs exams
5. Understanding what each of the major privacy laws does and whether it involves preemption.
Total study time – approx. 30 hours
I got 93% (intro to US privacy), 83% (Limits on Private Sector Data Collection),100% (Government and Court Access to Private Sector Data),100% (Workplace Privacy), 86% (State Specific)
Probably found it easier than some as I’m a practicing attorney.
Thank you for sharing your outline for the CIPP/US exam. I have passed the exam and obtained the certificate. Your sharing of preparation suggestion and outline helps me a lot! Thank you again and good luck!
Thank you so much for sharing your experience. I am starting my prep for the US one. I appreciate your advice.
I have two quick CCPA questions and was hoping someone can clarify:
1. If the last 4 digits of a credit card are breached, does that count as personal information and require reporting?
2. If a company is unable to determine how many California resident consumers were impacted, does it still need to report a breach (since the cut off point is 500 consumers)?
Thanks for the valuable information.
I’m looking forward for studying for this exam.
In addition to the resources above. There is a fairly cheap practice exam and study aids on the App Store called privacy test.
The link is below:
Thank you so much for this helpful tip.
I am so thankful I found this post as it is still (years later from the original post) hard to find much information sharing on these exams. Starting the process of studying here, and I cannot seem to locate the actual CIPP/US textbook on the IAPP website. It feels like they are trying to trick me into purchasing a training course which comes with it “automatically” – can someone link the textbook to me here?
I am glad I came across this blog, thank you so much for sharing the reality. I have a question here:
Request you to please tell me the CIPP/US textbook you are referring to.
The book is titled: US Private-Sector Privacy: Law and Practice for Information Privacy Professionals
Authors: Peter Swire and DeBrae Kennedy-Mayo
This book is available on the iapp.org site. Here is the link where you may purchase it: https://iapp.org/store/books/#!?localProducts=swire
My edition of it is 3rd, which I downloaded in Jan 2021, there may be a more recent version, please check before you buy.
This is an excellent book, very well-written, informative and after having passed the CIPP/US exam, I use this frequently for reference in my practice.
I found the post very informative. Could you please share with me the textbook you used to prepare for the CIPP/US exam?
Thank you so much Jess for this well prepared and informative blog post with great advice and extremely helpful materials needed for taking the CIPP/US exam. I was contemplating on whether this exam would be best suited for me to add to my qualifications and widen my horizon to get jobs in Privacy aspect. Reading this gave me a sense of relief, confidence and surety towards taking this exam. I also wanted to ask, do you know what textbook would be needed to prepare for the CIPP/US exam to be taken towards the end of the year or next? When I do start studying fully, I’ll shoot you an email to ask more questions. Cheers!
Can you please be kind enough to let me know the exact title of the book you are referring to? On the site there are many; I’m not sure which one you used for exam prep. Thanks.
perhaps this https://iapp.org/store/books/a191P000003ngS9QAI/ ?