NOTE: The below article discusses the Bodies of Knowledge released by the IAPP in 2023. More recent versions are available for the CIPP/US, CIPP/E, CIPM, and CIPT certifications. You can find our breakdown of these more recent changes at the following links:
- 2024-2025 CIPP/US Body of Knowledge
- 2024-2025 CIPP/E Body of Knowledge
- 2024-2025 CIPM Body of Knowledge
- 2024-2025 CIPT Body of Knowledge
As it does annually around this time of year, the International Association of Privacy Professionals (IAPP) has now officially released updated Bodies of Knowledge (BoKs) for the Certified Information Privacy Professional / United States (CIPP/US), Certified Information Privacy Professional / Europe (CIPP/E), and Certified Information Privacy Manager (CIPM) exams.
You can find these updated documents at the following links:
- Updated CIPP/US Body of Knowledge – Version 2.5.1
- Updated CIPP/E Body of Knowledge – Version 1.3.1
- Updated CIPM Body of Knowledge – Version 4.0.0
Interestingly, the IAPP has not released updated BoKs for its Certified Information Privacy Technologist (CIPT) exams, nor its CIPP exams focused on Canadian (CIPP/C) and Asian (CIPP/A) privacy law. It remains to be seen whether these documents will be updated for 2023.
In this article, we explain what these updates mean for anyone seeking IAPP certification in the next year. We also briefly compare these documents to the updates from last year and summarize what has changed in each.
What is a Body of Knowledge (BoK)?
In short, a Body of Knowledge is the document IAPP releases that sets forth all topics and areas of knowledge candidates are expected to know in order to become certified. In the words of the IAPP itself, “it is each candidate’s responsibility to be prepared for exams by being familiar with all elements of the Bodies of Knowledge” for whichever exam the candidate is sitting for. Each certification and exam administered by the IAPP has its own BoK.
The IAPP updates BoKs annually, in part to maintain its accreditations by the ANSI National Accreditation Board (ANAB) under the International Organization for Standardization (ISO) standard 17024:2012. These updates ensure that content is current and that IAPP exams are not “overexposed.”
In addition to the Body of Knowledge, another document that the IAPP calls the Exam Blueprint sets forth how heavily certain areas in the Body of Knowledge are tested—i.e., the Exam Blueprint provides the approximate number of questions on each topic area covered on the exam to which it relates. Unlike in years past, however, the IAPP did not release updated Exam Blueprints for its CIPP/US and CIPP/E exams—at least, not yet. This is likely a reflection of the relatively modest changes made to each BoK, which we discuss below.
With respect to the CIPM BoK, the IAPP this year has combined the Exam Blueprint and BoK into one document. This is just one of a host of changes the IAPP made to the CIPM exam for this coming Fall.
When Do These Changes Go into Effect?
The changes discussed below go into effect on Monday, October 2, 2023. Therefore, if you are taking the CIPP/US, CIPP/E, or CIPM exam prior to that date, these changes should not affect you or your studying.
You can find links to the currently active BoK—i.e., the BoK applicable for candidates sitting for the exam prior to October 2, 2023—at the following links:
- 2022 CIPP/US Body of Knowledge – Version 2.5
- 2022 CIPP/E Body of Knowledge – Version 1.3
- 2022 CIPM Body of Knowledge – Version 3.0.0
What Changes Were Made to the CIPP/US Body of Knowledge?
This year, the changes made to the CIPP/US BoK are modest. The IAPP did not remove any topics from last year’s CIPP/US BoK. The following briefly summarizes the new topics introduced in this year’s update. The sections of the BoK that have been updated are bolded and underlined below for ease of reference.
The California Privacy Protection Agency (CPPA)
In two separate places, the IAPP has updated its CIPP/US BoK to reflect the rising importance of the California Privacy Protection Agency (CPPA), which was created with the enactment of the California Privacy Rights Act (CPRA).
First, Section I.B.f was updated to indicate that candidates must be knowledgeable of the CPPA’s enforcement authority, in addition to the enforcement powers possessed by state attorneys general.
Second, under the topic of “Federal vs. State Authority” in the fifth knowledge domain that covers state privacy law, the CPPA was added as a separate topic covered by the CIPP/US exam in Section V.A.a.
The E.U.-U.S. Data Privacy Framework
Following the Schrems II decision, the U.S. and E.U. engaged in negotiations to replace the Privacy Shield Framework that was judged to be invalid. In 2022, the U.S. and E.U. finalized the text of an agreement to permit the cross-border transfer of personal data from the E.U. to the U.S. In December 2022, the European Commission released a draft of its adequacy decision with respect to this agreement. While this adequacy decision has not been adopted, the IAPP now expects students to know of this new E.U.-U.S. Transatlantic Data Privacy Framework, as set forth in Section I.C.k.i.
Online Tracking Under HIPAA
A new topic was added under the healthcare portion of the BoK in Section II.B..a.iii. The new topic is listed as “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.” This topic is a natural outgrowth of IAPP’s changes last year that covered privacy protections in COVID contact-tracing applications. Primarily, however, this new topic is intended to cover guidance issued in December of 2022 by the Department of Health and Human Services, which can be found here.
Automated Employment Decision Tools
Last year, the IAPP added a topic for automated employment decision tools, under the Workplace Privacy domain. This year, the IAPP updated that topic (Section IV.B.a) to reflect that these tools have the “potential for bias.” This appears to refine this topic more closely, as the topic was first introduced only last year.
Changes to State Law
The biggest changes to the CIPP/US exam this year relate to legislation at the state level. This is unsurprising considering the shift in legal protections provided under state law in recent years.
Candidates must now possess knowledge of comprehensive privacy laws in Connecticut (Section V.B.g.vi) and Utah (Section V.B.g.vii), as well as the California Age-Appropriate Design Code Act (Section V.B.g.viii).
In addition, the IAPP also added topics for state laws that cover “facial recognition use restrictions” (Section V.B.e) and “Biometric Information privacy regulations” (Section V.B.f), which includes one specifically identified law, the Illinois Biometric Information Privacy Act (BIPA) (Section V.B.f.i).
What Changes Were Made to the CIPP/E Body of Knowledge?
As with the changes made to the CIPP/US exam for this coming Fall, the updates released for the CIPP/E BoK are relatively limited. As with the CIPP/US changes noted above, we have underlined and bolded the sections that have been updated for ease of reference. Below is a brief summary of the relevant changes.
Updated Introduction and History
The first major section of the CIPP/E BoK covers the origin and historical context of data protection law in Europe. Previously, the BoK contained a topic labeled “a modernized framework.” This has been removed and replaced with two new topics “Convention 108+” (Section I.A.6) and “Brexit” (Section I.A.7). Both topics were already implicitly covered by the CIPP/E exam. These changes therefore reflect mere stylistic changes to the BoK, not substantive additions.
European Legislative Framework
While many think of data protection in Europe as synonymous with the General Data Protection Regulation (GDPR), there is a litany of directives and regulations that impact privacy across Europe. The updated section covering this legislative framework contains a number of additional topics this year.
These new topics include:
- Section I.C.6.a – The relationship between the GDPR and other laws, specifically including the Payment Services Directive 2, the Data Governance Act, and Regulation 2018/1725
- Section I.C.7 – The NIS Directive (2016) and the NIS 2 Directive (2022)
- Section I.C.8 – The EU Artificial Intelligence Act (2021)
Special Categories of Personal Data
The CIPP/E exam has always covered special categories of personal data under Article 6 of the GDPR. This year, the IAPP updated Section II.A.2, which covers “Sensitive Personal Data” to include a subsection, Section II.A.2.a, that specifically references “Special categories of personal data.” We believe that this change is merely stylistic as this topic was already implicitly covered by the BoK.
The E.U.-U.S. Data Privacy Framework
The CIPP/E BoK, like the CIPP/US BoK, has been updated to include specific reference to the E.U.-U.S. Transatlantic Data Privacy Framework (Section II.I.3) and the Schrems I and Schrems II decisions (Section II.I.3.a).
Additional EDPB Guidelines
The biggest change made last year by the IAPP to its CIPP/E BoK was that it started to specifically identify published guidelines from the European Data Protection Board (EDPB) that it requires candidates to know. This year, the IAPP has added four new guidelines that candidates must be aware of, which include:
- Guidelines 01/2022 on data subject rights – Right of Access (Section II.F.1.a)
- Guidelines 01/2021 on Examples regarding Personal Data Breach Notification (Section II.G.2.b)
- Guidelines 09/2022 on personal data breach notification under GDPR (Section II.G.2.c)
- Guidelines 08/2022 on identifying a controller or processor’s lead supervisory authority (Section II.J.1.a)
Social Media Platforms and Dark Patterns
The IAPP previously referred to social media platforms as “social networking services.” This year, the IAPP has finally changed how it references these entities, adopting the more commonly used name—i.e., “social media platforms” (Section II.D.4). This does not represent a substantive change. However, the IAPP did add one subsection to this topic in order to cover “dark patterns” (Section II.D.4.a).
What Changes Were Made to the CIPM Body of Knowledge?
This year, the IAPP took an entirely new approach to its CIPM BoK. It combines both the BoK and the Exam Blueprint into one document, and instead of providing a nested outline of topics, it highlights core “competencies” and “performance indicators” for each competency.
This is what the IAPP had to say about its new format:
“Instead of the former outline format we used for our bodies of knowledge, we now represent the content as a series of Competencies and Performance Indicators.
Competencies are clusters of connected tasks and abilities that constitute a broad knowledge domain.
Performance Indicators are the discrete tasks and abilities that constitute the broader competence group. Exam questions assess a privacy professional’s proficiency on the performance indicators.”
To demonstrate knowledge of the material tested on the exam, the IAPP has now set forth a taxonomy of the types of skills one needs. The IAPP represents this as a pyramid, with one skill building on top of another. These skills, from lowest to highest level, are: (1) Remember; (2) Understand; (3) Apply; (4) Analyze; (5) Evaluate; and (6) Create. The IAPP also provides helpful examples of the types of questions that would be asked that correspond to each of these skills.
There are now six primary domains of knowledge on the CIPM exam, which have been slightly modified from prior versions. The number of questions asked for each domain has also been changed. These new domains and the number of questions that will be asked for each include:
- Domain 1 – Privacy Program: Developing a Framework (14-18 Questions; previously was 13-17 Questions)
- Domain 2 – Privacy Program: Establishing Program Governance (12-16 Questions; previously was 9-11 Questions)
- Domain 3 – Privacy Program Operational Life Cycle: Assessing Data (12-16 Questions; previously was 13-17 Questions)
- Domain 4 – Privacy Program Operational Life Cycle: Protecting Personal Data (9-13 Questions; previously was 12-16 Questions)
- Domain 5 – Privacy Program Operational Life Cycle: Sustaining Program (7-9 Questions; previously was 5-7 Questions)
- Domain 6 – Privacy Program Operational Life Cycle: Responding to Requests and Incidents (10-14 Questions; previously was 9-11 Questions)
This new structure makes it impossible to have an apples-to-apples comparison between last year’s BoK and the newer updated version. Suffice it to say, there are A LOT of changes to the CIPM BoK this year. The good news is that the competencies and performance indicators appear to cover the same material, more or less, as was covered on prior BoKs. There do not appear to be any significantly new topics set forth within this new framework. Moreover, a new edition of the IAPP’s primary text was released just last year, which indicates that candidates should not expect significant new topics to be tested as a result of these changes.
Information About Changes Made Last Year to the Bodies of Knowledge
If you are interested in learning what changes were made to the IAPP’s Bodies of Knowledge last year, you can read our helpful summaries contained in the following articles:
- Update: New 2022 IAPP CIPP/US Body of Knowledge
- October 2022: CIPP/E Body of Knowledge
- Updated CIPM Body of Knowledge (Oct. 2022)
We will likely have more to say about the updated documents released today as we have more time to review these modifications and what they mean for students studying for these exams. It is important to reemphasize, however, that these changes do not take effect until October 2, 2023. So, if you are planning to sit for any IAPP exams before that date, the above changes should not impact your studying.
Are Privacy Bootcamp’s Courses Up to Date?
Yes, all of our courses are up to date. At Privacy Bootcamp, we comprehensively update our courses once a year to correspond to any updates in the IAPP’s Bodies of Knowledge and Exam Blueprints. In addition, we provide smaller updates throughout the year in response to important events and student feedback. Our updates involve editing our text-based study modules, creating new flashcards, adding to our bank of exam questions, and other changes designed to make sure our students are always prepared on test day.
The above-described changes were released by the IAPP today, the same day we are writing this article. We started working on our comprehensive annual update weeks ago in preparation for today, and we plan to release this material in the coming weeks and months—significantly ahead of the date on which the new Bodies of Knowledge become effective.
You can learn more about IAPP certification by visiting our Resources Page. If you are interested in learning more about how we’ve organized our courses, you can visit the Preview Page and click on the “Table of Contents” buttons under each course heading.