6-18-20 UPDATE: We have turned over the Google Drive resource project to the Privacy Law Student Organization at SCU Law. If you would like access to exam notes, outlines, and practice Q’s we’ve created, please send a quick request to join the drive to firstname.lastname@example.org. You can also join their CIPP mailing list here.
Fair warning, the following post is almost two years old.
For an exam so heavily focused on information sharing, there’s a surprising lack of it between privacy professionals regarding this certification. I aim to change that by starting a collaborative, open source resource for those attempting to tackle this privacy achievement. I am writing these reflections roughly two hours after passing the exam in an effort to bring a fresh perspective on studying and acing the cert.
Online study resources are slim to none if you don’t count the resources you can (must) purchase from IAPP. Googling “how difficult is the CIPP/US exam” or “CIPP/US exam tips” will lead you to:
(Full bias disclosure: I am an SCU law student but the “helpful tactics” are actually helpful, especially the point about mastering the minutiae)
- A slew of forums about how awful the test is and lawyers that claim to have 20+ years of privacy experience but still managed to fail the exam. I won’t link those here because I thoroughly advise you steer clear of those conversations. They’ll psych you out before you sit for the test. If you decide to venture down the forum path anyways, I can assure you I’ve read them and they are incredibly exaggerated and melodramatic. Tl;dr, take them with a grain of salt.
And that’s about it. Hence, my inspiration to start this conversation.
Studying for the CIPP/US
Time to Prepare:
IAPP recommends at least 30 hours of dedicated studying and prep time to pass. I studied for roughly 80 hours or 2 full weeks. Granted, I am what most consider a 0L having not started law school yet, so I was already at a disadvantage having to learn a lot of the legal basics (civ pro) that come naturally to most 1-3Ls and seasoned legal professionals. However, I still disagree with IAPP’s 30 hour recommendation. 80 hours is extreme, but in order to truly master the test, you have to master the 350+ page book. To most law students, 350 pages is a breeze, but the material is dense and some of the trickier chapters require extra attention. I would allot at least a full week (40 hours minimum) to full time, dedicated studying.
How to Prepare:
Read and master the book: Your sole priority for the next 40+ hours of time you’re willing to dedicate to this cert is to master the IAPP CIPP/US textbook. It’s not cheap but you most likely will not pass without it. The entire exam is regurgitated text from the book. My approach was to read the book in its entirety once while highlighting the crucial points. Then I went back to the denser chapters and re-read. Medical, Financial, and Workplace privacy make up the majority of the exam so I focused on those chapters specifically. After reading and re-reading, I watched the accompanying online training video from IAPP and took notes. The online training is not great and, looking back, I probably should have skipped it. It’s a watered down version of the text and, full warning, some of the material is flat out incorrect. It’s another available resource if you have time to kill and are looking for a primer to the textbook, but it’s definitely not a substitute for mastering the book.
Going back to the point about “mastering the minutia,” it is important to study what may seem like arbitrary details about each of the laws. Questions like, CALEA is also known as _____ are silly, but fair game (the answer is the Digital Telephony Act). Yes, you also need to know the little nuances of most of the major state breach notification laws too. Specifically, California, Texas, Illinois, Tennessee, New Mexico, Delaware, Massachusetts, and Maryland, as each of these states added their own interesting privacy flair to their breach laws. Pay attention to the minor details.
Make Flashcards: The IAPP website has a glossary for all the CIPP/US terms. Go through it and make note cards for each one. I ran through my entire note card stack once because that’s all I needed after spending half a day just writing out the definitions by hand. The goal here isn’t necessarily to memorize the key terms, but instead, to recognize and understand them. The exam won’t ask “what’s the definition of preemption?” rather, it will use preemption or consent decree or habeas data casually in the question or scenario and you’ll need to understand the context to properly answer. In addition to the glossary terms, I would add some cards for the steps you need to take for a proper data loss prevention plan or the key points in building a privacy framework. There were a couple questions that asked what happens in the discover or build phases of a privacy plan where having the steps committed to memory made it ten times easier to answer.
Outline the textbook: The last major part of my studying plan was to take every law mentioned in the book and formally outline them. A frustrating aspect of the book is that they scatter the laws throughout the chapters. For instance, you’ll read about FCRA in the Financial Privacy chapter, but then the chapter about Workplace privacy will add more provisions. I hunted down all of the scattered provisions and combined them to get a full and complete picture of the law. While I recommend writing your own outline because it will help commit these laws to memory, I have attached a copy of my complete outline as an extra resource to review.
Take the Sample Exam: Just buy it. $25 is steep for 30 questions but just do it. You’ll thank yourself later when you see five or six of those questions on the actual exam. I wish I could post the sample exam here but getting sued by IAPP is not exactly on my law school bucket list.
Develop an interest in Privacy Law: This one should be obvious because why else are you studying for this cert? This is an optional study step but one I highly recommend. Before even deciding to take this exam, my natural interest and curiosity about privacy and internet law drove me to consume tons of news articles and blog posts about these subjects. When you become an IAPP member, you’ll gain access to their dashboard. Read the daily resources that are available to you. Follow other privacy professionals on Twitter. Read law blogs. Stay informed on current privacy laws in your state. I read the entire 10,000 word California Consumer Privacy Act before taking the test (don’t do this if you value your sanity). The more interested you are in the subject matter, the less memorization you’ll need and the easier it will become to retain the textbook material. Though out of scope, there were a couple GDPR questions on my exam today that were never brought up in the textbook. I was able to answer those questions only because of the outside reading I had done on GDPR prior to the exam. I imagine these were the “experimental” questions but you never know. Be interested and get informed! I added a list of blogs at the end that I follow that help me stay informed with current privacy and technology issues and discussions.
Taking the CIPP/US Exam
This test was by far one of the strangest exams I’ve taken since my operating systems final in undergrad. The exam is difficult even after you’ve dedicated the time and energy to the aforementioned study tips. The difficulty, however, stems less from your understanding of the material and more from the structure of the test itself. To throw IAPP the proverbial bone, it is a relatively new exam and I imagine the test makers do not have an easy job. Be prepared for grammatical issues, typos, and bizarre attempts at asking the same question two or three different times. My best advice is to go slow and read the questions carefully. You have about 1.6 minutes per question given the 150 minute time limit so that’s plenty of time to take the exam at a relatively slow pace. Be on the watch for double negatives and the notorious EXCEPT questions (think LSAT). On that same note, I tackled the exam similarly to how I tackled the LSAT. Read the question, take an educated guess as to what the answer should be, pick the choice that best matches your guess. Some of the multiple choice options are identical down to one or two words (“and” switched out for an “or” for example) so you have to read the choices carefully too. The test structure is 90 standard multiple choice questions with five or so scenario type questions thrown in the mix. For the scenario based questions, I recommend the familiar issue spotting technique. The scenarios are riddled with obvious privacy issues that IAPP wants you to pick out. Spot them, mentally mark them, and fly through the questions.
The CIPP/US exam isn’t as difficult as people online make it out to be. It’s relatively tame compared to, you know, your state bar exam for example. It’s the test structure and the lack of online resources that make it seemingly daunting and unnecessarily mysterious. Put in the time and effort to master the book, get informed about privacy in the news, and ignore the negativity online and you’ll be golden. I attached my outline and some other study resources below:
Other Study Resources:
My outline: http://bit.ly/2zFCSC2
This awesome Quizlet set (not mine): https://quizlet.com/14976513/cippus-flash-cards/?x=1jqU&i=2cuyl
Privacy, Technology, and Internet law blogs I follow: