Your Path to Certification Starts Here

Privacy Bootcamp Course Preview

IAPP certification is quickly becoming a "must have" for any professional working in privacy and data protection.

Advancing your career is just a few clicks away.

The Courses

Certified Information Privacy Professional / United States (CIPP/US)

CIPP/US Course Preview

Become a certified expert in U.S. privacy law.

The CIPP/US certification indicates that you know what laws exist and how they are applied in practice. This course will teach you about the United States' sectoral approach to privacy protection. It covers dozens of specific laws and how they are implemented.

CIPP/US Table of Contents


I. Introduction to the Privacy Landscape

Section A: General Introduction to Privacy Concepts

1. Introduction to Privacy Itself as a Concept

2. The Concept of Personal Information

a. Identified vs. Identifiable Individuals

b. Sensitive Personal Information

c. The Role of Encryption, Anonymization, and Pseudonymization

d. The Source of Information

e. Data Subjects, Controllers, and Processors

3. Fair Information Practices

a. FIPs in the United States

b. Examples of FIPs in International Frameworks

c. Common Themes

4. Sources of Privacy Protection and Privacy Protection Regimes

Section I.A Review

Section B: Structure of U.S. Law

1. Branches of U.S. Government

a. Three Branches: Legislative, Executive, and Judicial

b. Checks and Balances

2. Sources of Law

a. Constitutional Law

b. Statutory Law

c. Regulations and Administrative Rulemaking

d. Common Law (a/k/a Case Law)

e. Contractual Law

f. International Law

3. Legal Terms and Definitions

4. Regulatory Authorities

a. Federal Regulatory Authorities

b. State Regulatory Authorities

c. Self-Regulatory Authorities

5. Understanding and Interpreting Laws

Section I.B Review

Section C: Enforcement of Privacy and Data Security Laws

1. Criminal vs. Civil Enforcement

2. Theories of Legal Liability

a. Contract Liability

b. Tort Liability

c. Civil Enforcement of Statutory Law

d. The Concept of Negligence

3. Administrative Enforcement

a. Federal Enforcement Actions

b. State Enforcement Actions

4. Cross-Border Enforcement

5. Self-Regulatory Enforcement

Section I.C Review

Section D: The U.S. Perspective on Information Management

1. Introduction

2. Data Assessments

a. Data Inventory

b. Data Flow Maps

c. Data Classification

3. Developing a Privacy Program

a. Balancing Risks

b. Understanding Organizational Goals

c. Developing Policies

d. The Privacy Operational Life Cycle

4. Managing User Preferences

a. Types of User Consent

b. Managing User Consent

c. Consumer Access

5. Incident Response Programs

a. Information Privacy vs. Information Security

b. The CIA Triad

c. Security Controls

d. Causes of Data Breaches

e. Data Breach Incident Response

6. Workforce Training

a. The Importance of Workforce Training

b. Legal Requirements

7. The Accountability Principle

8. Data Retention and Disposal

9. Online Privacy

a. Introduction to Web-Based Concepts

b. Introduction to Web-Based Programming Languages

c. Online Data Collection

d. Third Party Website Interactions

e. Online Security and Cyber Threats

f. The Role of Human Error

g. Consumer Tracking and Online Advertising

h. Children’s Online Privacy

10. Privacy Notices

a. The Legal Implications of a Privacy Notice

b. Updating a Privacy Notice

c. Designing an Effective Privacy Notice

11. Vendor Management

a. Vendor Contracts

b. Vendor Selection

c. Vendor Incident Response

d. Cloud Computing Issues

e. Third-Party Data Sharing

12. International Data Transfers

a. The Risks of International Data Transfers

b. The Surprise Minimization Rule

c. Data Transfers from the E.U. to the U.S. Under the GDPR

13. Considerations for U.S.-Based Multinational Companies

a. Additional GDPR Requirements

b. The Asia-Pacific Economic Cooperation (APEC) Privacy Framework (2004)

c. Multinational Compliance Conflicts

Section I.D Review

Knowledge Review #1

II. Limits on the Private Sector Use of Personal Information


Section A: Cross-Sector FTC Privacy Regulation

1. Federal Trade Commission Act

a. FTC Authority

b. Enforcement Actions

c. Consent Decrees

2. FTC Privacy Enforcement Actions

a. Deceptive Trade Practices

b. Unfair Trade Practices

3. FTC Security Enforcement Actions

4. Children’s Online Privacy Protection Act of 1998 (COPPA)

a. Scope of COPPA

b. Notice Requirements

c. “Verifiable Parental Consent”

d. Parental Access

e. Internal Procedures

f. Safe Harbor

g. Enforcement

5. The Future of Federal Enforcement

Section II.A Review

Section B: Healthcare Privacy

1. Introduction

2. Health Insurance Portability and Accountability Act of 1996 (HIPAA)

a. Scope of HIPAA’s Privacy and Security Rules

b. HIPAA Privacy Rule

c. HIPAA Security Rule

d. Enforcement of the Privacy and Security Rules

e. 2021 HIPAA Safe Harbor Bill

f. Contact Tracing

3. Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH)

a. What Constitutes a Data Breach?

b. Data Breach Notice Requirements

c. Additional Amendments to HIPAA

4. Genetic Information Nondiscrimination Act of 2008 (GINA)

5. The 21st Century Cures Act of 2016

a. Compassionate Sharing of Mental Health and Substance Abuse Information

b. Exemptions for Disclosure from Biomedical Research and “Certificates of Confidentiality”

c. Remote Viewing of PHI by Researchers

d. Prohibition on “Information Blocking”

6. Confidentiality of Substance Use Disorder Patient Records Rule

a. The Scope of Part 2

b. Disclosure Restrictions

c. Use Restrictions

d. Administrative Requirements

Section II.B Review

Section C: Financial Privacy

1. Introduction

2. Fair Credit Reporting Act of 1970 (FCRA)

a. Who and What the FCRA Applies To

b. Regulation of Consumer Reporting Agencies (CRAs)

c. Regulation of “Users” of Consumer Reports

d. Regulation of “Furnishers” of Information Used in Consumer Reports

e. Regulation of Companies Extending Credit

f. Investigative Consumer Reports

g. Enforcement and Rulemaking

3. Fair and Accurate Credit Transactions Act of 2003 (FACTA)

a. Disposal Rule

b. “Red Flags” Rule

4. Financial Services Modernization Act of 1999 (Gramm-Leach-Bliley Act / GLBA)

a. Scope of the GLBA

b. GLBA Privacy Rule

c. GLBA Safeguards Rule

d. Enforcement and Rulemaking under the GLBA

e. Exemptions Under State Laws for Data Regulated Under the GLBA

5. Dodd-Frank and the Consumer Financial Protection Bureau (CFPB)

a. Specific CFPB “Authorities”

b. Enforcement Against Covered Persons and Service Providers

6. Online Banking

Section II.C Review

Section D: Education Privacy

1. Introduction

2. Family Educational Rights and Privacy Act of 1974 (FERPA)

a. Education Records and Exceptions

b. Substantive Policies Under FERPA

c. FERPA Enforcement; Student and Parent Complaints

d. Interplay Between FERPA and HIPAA’s Privacy Rule

3. Protection of Pupil Rights Amendment of 1978 (PPRA)

4. Education Technology

a. Application of FERPA

b. Application of COPPA

c. Self-Regulation of EdTech

Section II.D Review

Section E: Marketing and Telecommunications Privacy

1. Introduction

2. Telemarketing Sales Rule (TSR), Telephone Consumer Protection Act of 1991, and the Do-Not-Call Registry

a. To Whom and To What the TCPA and the TSR Apply

b. Who May Be Called?

c. How Calls Can Be Made

d. Record-Keeping Requirements

e. Enforcement of Telemarketing Rules

3. Junk Fax Protection Act of 2005 (JFPA)

4. Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM) and the Wireless Domain Registry

a. Scope of CAN-SPAM

b. Prohibitions Under CAN-SPAM

c. Enforcement

d. Wireless Message Rules

e. Wireless Domain Registry

5. Telecommunications Act of 1996 and Customer Proprietary Network Information (CPNI)

a. Limitations on the Use of CPNI

b. Administrative and Technical Safeguards

c. Data Breach Notification Rules

d. Enforcement

6. Cable Communications Policy Act of 1984

a. Privacy Notices

b. Prohibition on Collection

c. Prohibition on Disclosure

d. Subscriber Access

e. Data Destruction

f. Enforcement

7. Video Privacy Protection Act of 1988 (VPPA) and Video Privacy Protection Act Amendments of 2012 (H.R. 6671)

a. Prohibition on Disclosure

b. Data Destruction

c. Enforcement

8. Driver's Privacy Protection Act (DPPA)

a. Prohibition on Disclosure

b. Exceptions to Disclosure

c. Enforcement

9. Digital Advertising

a. Lack of Federal Regulation

b. Self-Regulation of Digital Advertising

10. Data Ethics

Section II.E Review

Knowledge Review #2

III. Government Access to Personal Information


Section A: Law Enforcement and Privacy

1. Introduction

2. Right to Financial Privacy Act of 1978

a. When Disclosure is Permitted

b. Obligations Imposed on Financial Institutions

c. Enforcement

3. Bank Secrecy Act of 1970 (BSA)

a. Record-Keeping Requirements

b. Reporting Requirements

c. The USA PATRIOT Act Amendments and the Anti-Money Laundering Provisions

4. The Fourth Amendment

5. The Wiretap Act

a. Wire, Oral, and Electronic Communications

b. Court Order Requirement

c. One-Party vs. Two-Party Consent

d. Enforcement

6. Electronic Communications Privacy Act (ECPA)

a. The Stored Communications Act (SCA)

b. The Pen Register and Trap and Trace Statute

7. Communications Assistance for Law Enforcement Act of 1994 (CALEA)

a. Who It Applies To

b. Design Mandate

c. Enforcement

Section III.A Review

Section B: National Security and Privacy

1. Introduction

2. Foreign Intelligence Surveillance Act of 1978 (FISA)

a. The History of FISA and Its Amendments

b. FISA Orders and the Foreign Intelligence Surveillance Court (FISC)

c. Section 215 Orders: Production of “Any Tangible Thing”

d. Section 217: Computer Trespassers

e. Section 702: Persons Outside the United States Other Than United States Persons

f. Secrecy and Transparency Under FISA

3. National Security Letters (NSL)

4. Cybersecurity Information Sharing Act of 2015 (CISA)

Section III.B Review

Section C: Civil Litigation and Privacy

1. Introduction

2. Discovery and E-Discovery

a. Discovery Devices

b. Privileges

c. E-Discovery Rules

d. Discovery Conflicts and Foreign Discovery

e. Public Access to Court Records

3. Privacy Protection Act of 1980 (PPA)

Section III.C Review

Knowledge Review #3

IV. Privacy in the Workplace

Section A: Introduction to Workplace Privacy

1. Workplace Privacy Concepts

2. U.S. Agencies Regulating Workplace Privacy

a. Federal Trade Commission

b. Department of Labor

c. Occupational Safety and Health Administration

d. Equal Employment Opportunity Commission

e. National Labor Relations Board

3. Anti-Discrimination Laws

a. Title VII of the Civil Rights Act of 1964

b. Americans With Disabilities Act (ADA)

c. Genetic Information Nondiscrimination Act of 2008 (GINA)

Section IV.A Review

Section B: Privacy Before, During, and After Employment

1. Automated Employment Decision Tools

a. Regulation of Automated Employment Decision Tools

b. EEOC Guidance

2. Employee Background Screening

a. Restrictions Under the Fair Credit Reporting Act (FCRA)

b. Methods of Pre-Employment Screening

3. Employee Monitoring

a. Requirements Under the Wiretap Act and the Electronic Communications Privacy Act of 1986 (“ECPA”)

b. Technology and Specific Types of Monitoring Activity

c. Unionized Workforce Issues Concerning Monitoring in the U.S. Workplace

4. Investigating Employee Misconduct

a. The Importance of Written Policies

b. The Vail Letter and FACTA Amendments

5. Confidentiality of Employee Health Records


b. Family and Medical Leave Act (“FMLA”)

6. Termination of Employment

Section IV.B Review

Knowledge Review #4

V. State Privacy Laws

Section A: State Laws

1. Federal vs. State Authority

a. State “Nexus”

b. State Law as a Complement to Federal Law

c. Interaction Between State and Federal Law

2. State Marketing Laws

a. Telemarketing

b. Email Marketing

c. Do-Not-Track Mechanisms

3. Financial Data

a. Credit History

b. California Financial Information Privacy Act (California SB-1)

c. New York Department of Financial Services (“NYDFS”) Cybersecurity Regulations

4. Data Privacy and Security Laws

a. Overview of State Data Privacy and Security Laws

b. Minimum Security Standards

c. The Use of Social Security Numbers

d. Data Destruction Laws

e. Data Broker Laws

f. Cookie and Online Tracking Regulations

5. Data Breach Notification Laws

a. Introduction to State Data Breach Notification Laws

b. Key Definitions

c. Notification Requirements

d. Exceptions to Notification

e. Penalties, Enforcement, and Data Subject Rights

6. California Data Privacy and Security Laws

a. California’s Data Breach Notification Law (SB-1386)

b. California’s Data Security Law (AB-1950)

c. The California Consumer Privacy Act (“CCPA”)

d. The California Privacy Rights Act (“CPRA”)

7. Additional State Comprehensive Privacy Laws

a. Virginia Consumer Data Protection Act (“VCDPA”) (2021)

b. Colorado Privacy Act (2021)

c. Utah Consumer Privacy Act (2022)

d. Connecticut Personal Data Privacy and Online Monitoring Act (2022)

8. Recent Developments: State Privacy and Data Security Laws

a. California Electronic Communications Privacy Act (2015)

b. Delaware Online Personal Privacy Protection Act (2016)

c. Nevada Privacy of Information Collected on the Internet From Consumers Act – SB 538 (2017), SB 220 (2019), and SB 260 (2021)

d. Illinois Geolocation Privacy Protection Act and the Right to Know Act (2017)

e. New Jersey Personal Information and Privacy Protection Act (2017)

f. Washington Biometric Privacy Law (2017)

g. New York’s SHIELD Act

9. Recent Developments: State Data Breach Notification Laws

a. Tennessee SB 2005

b. Illinois HB 1260

c. New Mexico HB 15

d. South Dakota Data Breach Law

e. Massachusetts HB 4806

Section V.A Review

Knowledge Review #5


Full Exam #1

Full Exam #2

Certified Information Privacy Professional / Europe (CIPP/E)

CIPP/E Course Preview

Become a certified expert in European data protection law.

The CIPP/E certification indicates that you have deep knowledge of the GDPR, the ePrivacy Directive, and other laws. This course will teach you about those laws, including their impact on employment, surveillance, online activity, and other areas.

CIPP/E Table of Contents


I. Introduction to European Data Protection

Section A: Historical Background to E.U. Data Regulation

1. Introduction

2. Human Rights Laws

a. The Universal Declaration of Human Rights

b. The European Convention on Human Rights

3. Early Data Protection Laws and Regulations

a. Early Attempts at a Cohesive Approach

b. OECD Guidelines

c. Convention 108

d. “Additional Protocol” to Convention 108

e. Convention 108+

4. The Need for a Harmonized European Approach

a. Directives vs. Regulations

b. The Data Protection Directive

c. Charter of Fundamental Rights

5. The Treaty of Lisbon

6. A Modern Framework

a. The General Data Protection Regulation (“GDPR”)

b. Convention 108+

c. The Law Enforcement Data Protection Directive

d. The ePrivacy Directive

e. Brexit

f. A Timeline of Data Protection in Europe

Section I.A Review

Section B: E.U. Institutions

1. Introduction

2. European Parliament

a. The Role of the Parliament

b. The Functioning of the Parliament

3. Council of the European Union

a. The Role of the Council

b. The Functioning of the Council

c. Distinction from the Council of Europe

4. European Council

5. European Commission

a. Role in Data Protection

b. Representation and Independence

6. Court of Justice of the European Union

a. The General Court

b. The European Court of Justice

c. Role in Data Protection

7. European Court of Human Rights

a. Jurisdiction of the Court

b. Data Protection Decisions by the Court

Section I.B Review

Section C: E.U. Legislative Framework

1. Introduction and Revisiting Convention 108

2. The Data Protection Directive

a. Overview

b. Scope

c. Key Principles

d. Article 29 Working Party

3. The ePrivacy Directive

a. Background of the ePrivacy Directive

b. Scope

c. Key Provisions

d. 2009 Amendments – “The Cookie Directive”

e. The “ePrivacy Regulation”

4. The E-Commerce Directive

a. “Information Society Services”

b. Key Principles

c. Relationship to Data Protection

d. The Digital Services Act

5. European Data Retention Regimes

6. The General Data Protection Regulation (“GDPR”)

a. Background of the GDPR and the LEDP Directive

b. Structure of the GDPR

c. “Opening Clauses”

d. The European Data Protection Board

e. Relationship to Other Legislation

7. The Law Enforcement Data Protection Directive (“LEDP Directive”)

8. The Network and Information Security Directive (“NIS Directive”)

Section I.C Review

Knowledge Review #1

II. E.U. Data Protection Law and Regulation

Section A: Data Protection Concepts

1. Introduction

2. Personal Data

a. “Any Information”

b. “Relating To”

c. “An Identified or Identifiable”

d. “Natural Person”

3. Sensitive Personal Data

a. Special Categories of Personal Data

b. Prohibition on Processing and Exceptions

c. Criminal Convictions and Offenses

4. The Role of Encryption, Anonymization, and Pseudonymization

a. Pseudonymization of Data

b. Anonymous Data

5. Processing

6. Roles in Data Processing

a. Data Subject

b. Data Controller

c. Data Processor

d. Distinguishing a Controller from a Processor

Section II.A Review

Section B: Territorial and Material Scope of the GDPR

1. Introduction

2. Territorial Scope (Establishment in the E.U.)

a. How to Determine “Establishment”

b. How to Determine if “the Context of the Activities” is in the Establishment

c. Application to Data Processors

3. Territorial Scope (Non-Establishment in the E.U.)

a. Data Subjects in the Union

b. Targeting Criteria

c. Application to Data Processors

d. Application Due to Public International Law

4. Material Scope of the GDPR

a. National Security Exceptions

b. Household Activities

c. Prevention, Investigation, Detection, and Prosecution of Criminal Offenses

d. Processing by E.U. Institutions

Section II.B Review

Section C: Data Processing Principles

1. Introduction

2. Lawfulness, Fairness, and Transparency

a. Lawfulness

b. Fairness

c. Transparency

3. Purpose Limitation

4. Data Minimization (Proportionality)

5. Accuracy

6. Storage Limitation

7. Integrity and Confidentiality

Section II.C Review

Section D: Lawful Processing Criteria

1. Introduction

2. Consent

a. The Elements of Consent

b. Demonstrating Consent

c. Consent and Alternative Legal Bases

d. Obtaining Consent from Children

3. Contractual Necessity

4. Legal Obligations, Vital Interests, and Public Interest

a. Legal Obligations

b. Protecting Vital Interests

c. Public Interest

5. Legitimate Interests

a. What is a “Legitimate Interest”?

b. What are the Interests and Fundamental Rights of Data Subjects?

c. The Balancing Test

6. Special Categories of Processing

a. Sensitive Data Types

b. Prohibition and Derogations

7. Processing That Does Not Require Identification

Section II.D Review

Knowledge Review #2

Section E: Information Provision Obligations

1. Transparency Principle

2. When Information is Collected from the Data Subject

3. Information Collected from Third Parties

a. Timing of Information Provision

b. When Disclosures are Not Necessary

4. Disclosure Requirements Under the ePrivacy Directive

5. Privacy Notices

a. Designing an Effective Privacy Notice

b. Updating a Privacy Notice

Section II.E Review

Section F: Data Subject Rights

1. Introduction

2. Right to Access Information

3. Right to Rectification

4. Right to Erasure (“Right to be Forgotten”)

a. Search Engines and the Right to be Forgotten

5. Right to Restrict Processing

6. Right to Data Portability

7. Right to Object to Processing

8. Right to Not Be Subject to Automated Decision-Making and Profiling

9. Restrictions on Data Subject Rights

a. When Are Restrictions Permitted?

b. Additional Requirements

Section II.F Review

Section G: Security of Personal Data

1. Technical and Organizational Security Measures

a. The CIA Triad

b. Security Controls and Protection Mechanisms

c. Security Controls Under Article 32

d. Managing Employees

2. Privacy Incidents: Planning, Detection, and Response

a. Response Planning

b. Incident Detection

c. Incident Response

d. Incident Follow-Up

3. Breach Notification

a. What is a “Personal Data Breach”?

b. Notifying Regulators (Article 33)

c. Notifying Data Subjects

d. Breach Notification Requirements Under Other E.U. Law

4. Vendor Management and Data Sharing

a. Choosing a Third-Party Data Vendor

b. Data Sharing Agreements

5. Cyber Security and the NIS Directive

a. CSIRTs and NIS Cooperation Group

b. Operators of Essential Services and Digital Service Providers

Section II.G Review

Knowledge Review #3

Section H: Accountability Requirements

1. Introduction to the Accountability Principle

a. Accountability Generally

b. Accountability Under the GDPR

2. Responsibilities of Controllers and Processors

a. Organizational Privacy Policies

b. The Privacy Policy Life Cycle

c. Key Components of a Privacy Policy

d. Implementing a Privacy Policy

e. Responsibilities of Joint Controllers and Article 26

3. Data Protection by Design and by Default

a. The Seven Principles of PbD

b. Data Protection by Design and Default Under the GDPR

4. Documentation and Cooperation with Regulators

a. Records of Processing Activities

b. Article 31 – Cooperation with DPAs

5. Data Protection Impact Assessment

a. Privacy Impact Assessments

b. Data Protection Impact Assessments

6. Data Protection Officers

a. When is Appointment of a DPO Required?

b. The Role of a DPO

7. Auditing a Privacy Program

a. Types of Audits

b. The Audit Life Cycle

c. Attestations and Self-Assessments

Section II.H Review

Section I: International Data Transfers

1. Introduction

a. The Risks of International Data Transfers

b. The Surprise Minimization Rule

c. The Framework for Data Transfers to Third Countries Under the GDPR

d. What Constitutes a “Transfer”?

2. Adequacy Decisions

a. The Making of an Adequacy Decision

b. Adequacy Decisions and the United States

3. Binding Corporate Rules (BCRs)

4. Standard Contract Clauses

a. Schrems II and the Use of SCCs

b. New Standard Contract Clauses (2021)

c. Ad Hoc Contract Clauses

5. Codes of Conduct and Certifications

a. Codes of Conduct

b. Certification Mechanisms

6. Derogations

7. Transfer Impact Assessments

Section II.I Review

Section J: Supervision and Enforcement

1. Introduction

2. National Supervisory Authorities and Their Powers

a. DPA Tasks

b. DPA Powers

c. Activity Reports

d. Prior Consultation Under Article 34(4)

e. Competence of Supervisory Authorities

3. Cooperation Between Supervisory Authorities

a. Cooperation Procedure Under Article 60

b. Mutual Assistance

c. Joint Operations

4. The European Data Protection Board

a. Structure of the EDPB

b. Tasks of the EDPB

c. Consistency Mechanism

5. European Data Protection Supervisor

a. Independence and Secrecy

b. Tasks and Powers

6. Self-Regulation Under the GDPR

7. Regulation by Data Subjects

8. Infringements and Fines

a. Article 83(4)

b. Article 83(5)

c. Factors to Consider in Establishing a Fine

d. Additional Member State Penalties

e. What Constitutes an Undertaking for Article 83?

9. Liability to Data Subjects

a. Representative Actions

b. Collective Redress Directive

c. Data Subject Compensation

Section II.J Review

Knowledge Review #4

III. Compliance with the GDPR


Section A: Employment Relationships

1. Introduction

2. Legal Basis for Processing of Employee Data

a. Legal Basis for Processing

b. Special Categories of Employee Data

3. Storage of Personnel Records

4. Workplace Monitoring

a. Background Checks

b. Monitoring the Workplace

5. E.U. Works Councils

6. Whistleblowing Systems

a. Whistleblowing Policies

b. Sarbanes-Oxley Act

7. Bring Your Own Device (“BYOD”) Programs

Section III.A Review

Section B: Surveillance Activities

1. The Conflict Between Surveillance and Privacy

2. Interception of Communications

3. Video Surveillance

a. The Household Use Exception

b. Lawfulness of Processing

c. Conducting a DPIA

d. Video Surveillance as Biometric Data

e. Data Subject Rights

4. Geolocation Data

5. Biometric Data

Section III.B Review

Section C: Direct Marketing

1. Overview of Direct Marketing

a. WP29 Guidance on What Constitutes Direct Marketing

b. Digital vs. Non-Digital Direct Marketing

c. Direct Marketing Under the GDPR

d. Direct Marketing Under the ePrivacy Directive

e. Robinson Lists

2. Telemarketing

a. Person-to-Person vs. Automated Calls

b. Business-to-Business vs. Business-to-Consumer Calls

3. Email Marketing

a. “Electronic Mail” Defined

b. Consent Requirements

c. Restrictions and Information Provision Obligations

d. B2B vs. B2C Email Messages

4. Other Types of Direct Marketing

a. Postal Mail Marketing

b. Fax Marketing

c. Location-Based Marketing

5. Behavioral Advertising

a. Tracking Consumers Across the Internet

b. Parties Involved in Behavioral Advertising

c. Legal Framework

d. Compliance Challenges

Section III.C Review

Section D: Internet Technologies and Communications

1. Cloud Computing

a. Controllers and Processors in Cloud Computing

b. Cloud Computing Contracts

2. Web Cookies and Similar Technologies

a. Web Cookies

b. IP Addresses and the Internet “Phonebook”

3. Social Media Targeting

a. Who is the Data Controller?

b. Types of Data Used to Target

c. Compliance Challenges

4. Search Engine Targeting

a. Data Controllers

b. Compliance Challenges

5. Internet of Things (IoT), Artificial Intelligence (A.I.), Blockchains, and Data Ethics

a. Internet of Things (IoT)

b. Machine Learning and Big Data

c. Blockchains and Cryptocurrencies

d. Data Ethics

Section III.D Review

Knowledge Review #5


Full Exam #1

Full Exam #2

Certified Information Privacy Manager (CIPM)

CIPM Course Preview

Become a certified expert in privacy program management.

The CIPM certification indicates that you are a skilled and knowledgeable leader when it comes to the practical implementation of privacy principles. This course will teach you how to establish and maintain a privacy program throughout its entire life cycle.

CIPM Table of Contents


I. Developing a Privacy Program


Section A: The Overview of a Privacy Program

1. What is Privacy Program Management?

a. What is a Privacy Program?

b. What is a Privacy Program Manager?

2. Key Privacy Management Concepts and Definitions

a. Identified and Identifiable Personal Information

b. Data Subjects, Controllers, and Processors

3. The Role of Accountability and Fair Information Practices

a. The Accountability Principle

b. Additional Principles Governing Privacy Management

Section I.A Review

Section B: Implementing a Privacy Program at the Organizational Level

1. Leveraging the Entire Organization

2. Creating a Company Vision

3. Data Governance Models

a. Centralized Model

b. Distributed Model (a/k/a Local Model or Decentralized Model)

c. Hybrid Model

d. Advantages and Disadvantages

e. Choosing a Model and the Location for the Privacy Function

4. Defining the Scope of a Privacy Program

a. Identifying the Personal Information Processed by an Organization

b. Identifying Applicable Privacy Laws and Regulations

c. Additional Considerations and Organizational Objectives

5. Developing a Privacy Strategy

a. Making the Business Case for Privacy and Data Protection

b. Identifying the Stakeholders

c. Interfacing With the Organization

d. Accountability Over the Process

e. Taking Privacy Out of the Abstract

6. Structuring a Privacy Team

7. Communication and Awareness

a. Common Privacy Roles and Titles

b. Designated Privacy Leaders

c. Data Protection Officers (“DPO”) and the GDPR

d. Establishing the Professional Competency of Team Members

Section I.B Review

Knowledge Review #1

II. Privacy Program Framework


Section A: Developing a Privacy Program Framework

1. What is a Privacy Program Framework?

a. Principles and Standards

b. Laws, Regulations, and Self-Regulatory Programs

c. Privacy Program Management Solutions

2. Using Privacy Tech to Manage a Privacy Framework

3. Developing Organizational Privacy Policies, Standards, and Guidelines

a. The Privacy Policy Life Cycle

b. Key Components of a Privacy Policy

c. Rationalizing Privacy Requirements

4. Defining Privacy Program Activities

a. Education and Awareness

b. Internal Policy Compliance

c. Data Inventories, Data Flows, and Data Classification Schema

d. Risk Assessments

e. Incident Response Process

f. Monitoring Regulatory Environment

g. Internal Audit and Risk Management

Section II.A Review

Section B: Implementing a Privacy Program Framework

1. Introduction

2. Communicating the Privacy Framework to Internal and External Stakeholders

a. Internal Communication

b. External Communication

3. Ensure Continuous Alignment With Applicable Laws and Regulations

4. The General Data Protection Regulation

a. Scope of the GDPR

b. Data Processing Principles and Lawfulness

c. Individual Rights

d. Organizational Obligations

e. Regulatory Powers

5. Other Global Privacy Laws

6. United States Privacy Laws

a. Federal Laws

b. State Data Security Laws

c. State Data Breach Notification Laws

d. Comprehensive Privacy Legislation

7. Self-Regulatory Authorities

8. Cross-Border Data Sharing

a. The Risks of International Data Transfers

b. The Surprise Minimization Rule

c. International Data Transfers Under the GDPR

Section II.B Review

Section C: Using Privacy Metrics

1. Introduction

2. Identifying Your Intended Audience

3. Defining Privacy Metrics

a. Privacy Metric Development Template

b. Metric Owners

c. Identifying Collection Points

4. Analyzing Privacy Metrics

a. Compliance Metrics

b. Trend Analysis

c. Privacy Program ROI

d. Business Resiliency Metrics

e. Privacy Program Maturity

f. Resource Utilization

g. IAPP’s DPO Report Template

Section II.C Review

Knowledge Review #2

III. Privacy Operational Lifecycle


Section A: Assess Your Organization

1. Documenting a Baseline of Privacy Program Activities

2. Data Assessments

a. Data Inventory

b. Data Flow Maps

c. Data Classification

d. Developing Data Inventories, Maps, and Classification Schema

e. GDPR Records Processing Requirements

3. Risk Assessments

a. Privacy Assessments

b. Privacy Threshold Analysis and Privacy Impact Assessments

c. Data Protection Impact Assessments

4. Assessing Data Processors and Third-Party Vendors

a. Choosing a Third-Party Vendor

b. Vendor Contracts

c. Cloud Computing Issues and Data Residency

d. Restrictions on Third-Party Data Sharing

5. Physical Assessments

a. Physical and Environmental Aspects of Information Security

b. Bring Your Own Device and Data Loss Prevention

6. Mergers, Acquisitions, and Divestitures

Section III.A Review

Section B: Protect Your Organization

1. Data Governance

a. The Eleven Elements of DLM Policies

b. Data Retention and Data Destruction Policies

2. Information Privacy vs. Information Security

a. Where Privacy and Security Diverge

b. Where Privacy and Security Overlap

c. Privacy as a Complement to Information Security

3. Information Security Practices

a. The CIA Triad

b. Security Controls

4. Privacy By Design and By Default

a. The Seven Principles of PbD

b. Data Protection by Design and Default Under the GDPR

c. Solove’s Privacy Risks

d. Privacy Design Strategies

e. Systems Development Life Cycle and Privacy Engineering

5. Aligning Privacy Policies Across the Organization

a. The Importance of Alignment

b. Communicating Across the Organization

c. Understanding the Costs and Tradeoffs

6. Organizational Measures: Effective Policies

a. Designing Effective Policies

b. Specific Policies That Impact Privacy

Section III.B Review

Knowledge Review #3

Section C: Sustain the Privacy Program

1. Monitoring the Privacy Program

2. Auditing the Privacy Program

a. Types of Audits

b. The Audit Life Cycle

c. Attestations and Self-Assessments

3. Training and Awareness

a. Training vs. Awareness

b. Training and Awareness as a Communication Tool

c. Training and Awareness as a Cost-Saving Mechanism

Section III.C Review

Section D: Respond: Data Subject Requests

1. Introduction

2. Privacy Notices

a. Legal Consequences of a Privacy Notice

b. Updating a Privacy Notice

c. Designing an Effective Privacy Notice

3. Data Subject Consent

a. Methods of Obtaining Consent

b. Consent Under the GDPR

c. Obtaining Consent From Children

d. Responding to a Withdrawal of Consent

4. Handling Data Subject Requests and Complaints

5. Data Subject Rights: The GDPR

a. Right to be Informed

b. Right to Access and Information

c. Right to Rectification

d. Right to Erasure (“Right to be Forgotten”)

e. Right to Restrict Processing

f. Right to Data Portability

g. Right to Object to Processing

h. Right Not to Be Subject to Automated Decision-Making and Profiling

6. Data Subject Rights: U.S. Law

a. Federal Law

b. State Law

7. Additional Data Subject Rights Globally

a. Canada

b. Latin America

c. Asia

d. Australia and New Zealand

Section III.D Review

Section E: Respond: Privacy Incidents

1. The Costs of a Privacy Incident

2. Legal Compliance and Defining a “Data Breach”

3. Incident Response Planning

a. Developing a Plan

b. Training

c. Key Roles and Responsibilities

d. Insurance Coverage

e. Managing Vendors

4. Incident Detection

5. Incident Handling

a. Steps in an Incident Response

b. Leadership Response Team

c. Investigation of an Incident

d. Working With Insurers and Other Contracted Parties

6. Notification and Reporting a Data Breach

a. Internal Notifications and Progress Reporting

b. Notifying Affected Individuals

c. Notification to Regulatory Authorities

7. Incident Follow-Up

Section III.E Review

Knowledge Review #4


Full Exam #1

Full Exam #2

Flashcards and Study Tools

Each Privacy Bootcamp course comes with hundreds of digital flashcards.

But flashcards are just one of many of the practice tools you can access by enrolling today.

Other tools include quick reference "cheat sheets," charts summarizing important laws and regulations, and interactive digital exercises.

Preview some example flashcards below.



True or False: The U.S. Federal Trade Commission has stated that consumers should always be provided a choice before a company collects that consumer's personal data.

False. While the FTC has encouraged increased and meaningful consumer choice, it has also recognized that consumer choice may not always be appropriate.


What is the term that is used to describe a "data processor" under the Health Insurance Portability and Accountability Act?

A "business associate."


What is generally the primary objective of organizations participating in a Trust Mark program?

To increase consumer confidence in a company's products and services.


What is a "layered" privacy notice?

A type of privacy notice that includes a short notice at the top of the document that sets forth the key points, followed by an option for users to review a more detailed privacy notice.


According to the Article 29 Working Party (WP29), when monitoring the workplace, which is more important: prevention of harm or detection of harm?

Prevention is more important than detection.


Appointing a Data Protection Officer and conducting a Data Protection Impact Assessment can be thought of as supporting what data processing principle?

The Accountability Principle.


What is commonly considered the most flexible lawful basis to process personal data under the General Data Protection Regulation?

The legitimate interest basis.


What is a centralized model of data governance?

A model in which one person or one dedicated team is responsible for the privacy functions within an organization.


Does the PCI-DSS mandate specific compliance programs and policies that payment card industry members must implement?

No. Even though the PCI Security Standards Council sets the standards, “each payment card brand has its own program for compliance, validation levels and enforcement."


What are the five steps in the privacy policy life cycle?

(1) Drafting the policies; (2) Getting necessary approvals; (3) Communicating those policies throughout the organization; (4) Training the necessary stakeholders; and (5) Reviewing the policies to better refine them.


Practice Questions

All of Privacy Bootcamp's courses come with over 450 practice questions — that's more than five full-length practice exams!

Check out some of our example questions below.


Each of the following is a building block to the definition of "personal data" under the General Data Protection Regulation, except:

What separates the United States' approach to data protection regulation from the approach taken by most other countries?

If Company X acquires personal information about Person A and an employee of Company X improperly uses that data for his own purposes, which accurately describes each person's role?

In passing FACTA, the U.S. Congress overturned what guidance originally provided by the Federal Trade Commission in the "Vail Letter"?

Company X intends to contact its customers via email, but first provides an opportunity to opt out. Under U.S. law, if Company X wants to start making phone calls to consumers, should it call consumers that have opted out?

Enroll today to access hundreds of additional questions, along with detailed explanations and citations to primary source materials.