Each year, generally in the late spring or early summer, the International Association of Privacy Professionals (IAPP) releases an update to the topics tested on each of the certification exams that it administers. According to the IAPP, these updates are implemented to ensure that content is current and that their exams are not “overexposed.”
In this article, we explain the 2022 updates to the Certified Information Privacy Professional / United States (CIPP/US) exam.
When Do These Changes Go into Effect?
The changes discussed below go into effect on October 3, 2022.
Where Can I Find the Topics Tested on the CIPP/US Exam?
The first question you might be asking yourself is, where do I find the list of topics covered on the CIPP/US exam? Well, these topics are found in what the IAPP refers to as its Body of Knowledge and Exam Blueprint.
The Body of Knowledge is the outline of all concepts and topics that candidates will need to know to obtain their certification. The IAPP considers the Body of Knowledge to be the core document setting forth its CIPP/US curriculum, stating: “it is each candidate’s responsibility to be prepared for exams by being familiar with all elements of the Bodies of Knowledge.”
The Exam Blueprint, on the other hand, tells students how heavily certain areas in the Body of Knowledge are tested. In other words, the Exam Blueprint gives the approximate number of questions on each topic area covered on the CIPP/US exam.
With each annual update, the IAPP releases a list of new topics added to the exam. However, this listing is merely a high-level overview. The only way to know the finer details of what has changed year over year is to compare the prior year’s documents with the updated version.
What Changes Were Made to the CIPP/US Body of Knowledge?
The CIPP/US Body of Knowledge has five primary topic areas: (1) Introduction to the U.S. Privacy Environment; (2) Limits on Private-Sector Collection and Use of Data; (3) Government and Court Access to Private-Sector Information; (4) Workplace Privacy; and (5) State Privacy Laws. We cover the changes made to each of these topics separately below. Keep in mind that, according to the IAPP, updates that include new content will at most account for only 15% of each exam.
Introduction to the U.S. Privacy Environment
One additional topic is now covered under this section: “Schrems decisions, implications of.” Elsewhere, the IAPP has stated that this topic is intended to refer to the implications of the Schrems II decision on data transfers.
The Schrems II decision was a landmark case decided by the Court of Justice of the European Union (CJEU) that significantly impacts the transfer of personal data of European data subjects from Europe to third countries, including the United States.
Interestingly, the IAPP continues to identify “U.S. Safe Harbor and Privacy Shield” as a topic tested on the CIPP/US exam, despite the fact that the U.S. Safe Harbor Agreement and the Privacy Shield Framework were each ruled invalid in the Schrems I and Schrems II decisions, respectively. For this reason, those preparing for the CIPP/US exam should still be aware of the history surrounding these two invalidated agreements, and should have a strong general understanding of adequacy decisions under the E.U.’s General Data Protection Regulation.
Limits on Private-Sector Collection and Use of Data
There are five subcategories under the primary topic area of “Limits on Private-Sector Collection and Use of Data.” Three of these subcategories—i.e., cross-sector FTC privacy protection, healthcare/medical, and education—saw no specific amendments this year. Two additional topics were added under the financial and telecommunications/marketing subcategories.
First, under the Financial Services Modernization Act of 1999, commonly called the Gramm-Leach-Bliley Act or GLBA, the Body of Knowledge now identifies “exemptions under state law.” With this amendment, the IAPP wants students to be aware that most comprehensive state privacy laws—such as the recently passed laws in California, Virginia, Colorado, and elsewhere—do not apply where personal data is subject to regulation under the GLBA. Students should also be aware that these same state laws contain exemptions for personal data regulated under other federal laws, such as the Health Insurance Portability and Accountability Act (HIPAA). The scope of these carve-outs varies between jurisdictions.
Second, the Driver’s Privacy Protection Act (DPPA) is now listed among the federal laws tested on the CIPP/US exam. This law, enacted in 1994, is not new, but its inclusion in the Body of Knowledge is.
Government and Court Access to Private-Sector Information
There were no amendments made to this primary subject area this year.
Workplace Privacy
Workplace privacy is always a hot topic and a fast-evolving area in the data protection and privacy fields. This year, the IAPP wants students to know about “Automated employment decision tools.” This topic covers an increasing trend by employers to use artificial intelligence and other techniques to screen applicants for employment. Legislatures and local governments across the country are starting to enact a patchwork of laws impacting the use of these technologies in the employment context. Some of the most high-profile new laws are those in Illinois and New York City.
State Privacy Laws
The past year saw new comprehensive privacy legislation enacted in a number of states, including Colorado, Utah and Connecticut. Other states are likely to follow this year. The updated Body of Knowledge identifies only the Colorado Privacy Act (CPA) and the Nevada Privacy Law and Amendments (SB260) as new topics subject to testing. The absence of Utah and Connecticut law from this list is likely due to the timing of when the IAPP develops the updated Body of Knowledge and when those changes go into effect. In short, students must be aware of any new comprehensive privacy legislation that is enacted across the United States. As noted further below, comprehensive legislation is likely going to be the primary focus of this section of the exam.
Beyond those laws that were added to this year’s Body of Knowledge, the IAPP also removed several specific laws. These include:
- California Electronic Communications Privacy Act (2015)
- Delaware Online Privacy and Protection Act (2016)
- Nevada SB 538 (2017)
- Illinois Right to Know Act (2017)
- New Jersey Personal Information and Privacy Protection Act (2017)
- Washington Biometric Privacy Law (H.B. 1491) (2017)
- NYDFS Cybersecurity Regulation (2017)
- Tennessee SB 2005
- Illinois HB 1260
- New Mexico HB 15
Despite the removal of these laws from the Body of Knowledge, the “Data Privacy and Security Laws” and “Data Breach Notification Laws” subsections both contain a catch-all provision for “other significant state acts and laws” or amendments. In other words, students must be aware of other significant laws, even if not specifically listed. For this reason, we believe that those studying for the CIPP/US exam should still have a general knowledge of each of the above-listed laws or regulations.
The removal of these provisions is intended, we believe, to reflect the fact that privacy law at the state level is moving towards more comprehensive regulation of personal data. The Body of Knowledge is therefore intended to reflect an increased emphasis on knowing and understanding those comprehensive laws. This implies a decreased emphasis on knowing and understanding more industry- or data-specific regulation. But as the continued inclusion of a catch-all provision indicates, a decreased emphasis does not mean that students can ignore these more specific laws entirely when preparing for their exam.
What Changes Were Made to the CIPP/US Exam Blueprint?
This year, the IAPP did not make any noticeable changes to its CIPP/US Exam Blueprint. Of course, the Exam Blueprint incorporates any changes to the Body of Knowledge, but the number of questions for each topic has remained the same compared to the year prior.
This follows significant changes that were implemented last year, in which the IAPP increased the number of questions that would cover State Privacy Laws. This re-weighting made sense in light of the fact that the California Consumer Privacy Act became effective on January 1, 2020, ushering in a new era in U.S.-based privacy regulation.
Is Privacy Bootcamp’s CIPP/US Course Up to Date?
Yes, all of our courses are up to date. At Privacy Bootcamp, we comprehensively update our courses once a year to correspond to the updated Body of Knowledge and Exam Blueprint. In addition, we provide smaller updates throughout the year in response to important events and student feedback. Our updates involve editing our text-based study modules, creating new flashcards, adding to our bank of exam questions, and other changes designed to make sure our students are always prepared on test day.