If you’re located in Canada and your job entails operationalizing privacy, or you are looking to gain a foothold in the burgeoning privacy and data protection industry, you’ve probably thought about becoming a Certified Information Privacy Professional / Canada (CIPP/C). Or, at least you’re interested in obtaining this certification, which is administered by the IAPP, formerly known as the International Association of Privacy Professionals. The best place to start is by reviewing a document that the IAPP refers to as the Body of Knowledge (BoK). The CIPP/C Body of Knowledge and Exam Blueprint is a high-level document that sets forth the topics and concepts that will be included on the CIPP/C exam.
For most of its certifications, the IAPP revisits the applicable BoK each year, publishing a new version that may be organized differently from the year prior or contain new topics and concepts. It’s been nearly two years, however, since the IAPP has revisited the CIPP/C Body of Knowledge. But the biggest and latest news is that this is going to change on September 1, 2025, when an updated CIPP/C BoK will become effective. Below, we break down everything you need to know about the relevant changes so that you are ready on exam day.
What is the Format for the New CIPP/C Body of Knowledge?
Beginning with the 2023-2024 Certified Information Privacy Manager (CIPM) Body of Knowledge, the IAPP started using a format that included a list of high-level “competencies,” which are matched with a set of “performance indicators.” It moved the CIPP/C Body of Knowledge over to this format in January of 2024.
Competencies represent “clusters of connected tasks and abilities that constitute a body of knowledge domain,” while performance indicators “are the discrete tasks and abilities that constitute the broader competence group.”
Changes to the New CIPP/C Body of Knowledge
Yearly updates to the BoK contain no more than 10-15% new content, at least according to the IAPP. If you have already put a lot of effort into studying, don’t fret. There might be some new content that you will need to learn if you take the exam after the effective date, but in the bigger picture (and as we explain below), the new content is relatively minimal.
Did the Domains Change?
Last year’s CIPP/C Body of Knowledge contained four high-level “domains.” The good news is that those domains have not changed. They are:
- Domain I – Introduction to Privacy in Canada
- Domain II – Canadian Privacy Laws and Practices – Private Sector
- Domain III – Canadian Privacy Laws and Practices – Public Sector
- Domain IV – Canadian Privacy Laws and Practices – Health Sector
Are There Any New Topics or Concepts, and Was Anything Removed?
Just as the domains stayed the same compared to the last iteration of the CIPP/C Body of Knowledge, so too have all of the competencies. Moreover, the number of questions asked for each competency has also remained unchanged.
So, what did change, you ask? There have been several additions to the performance indicators in the most recent BoK. These include the following:
- Performance Indicator I.B – “Understand the common governance principles for responsible AI (e.g., the OECD AI Principles, NIST’s “AI RMF,” Voluntary Code of Conduct on the Responsible Development and Management of Advanced Generative AI Systems).”
- Performance Indicator I.B – “Understand the significance of court and commissioner rulings and how they impact the relevant privacy laws and interpretation of those laws.”
- Performance Indicator I.B – “Identify the roles and responsibilities of the relevant stakeholders in supporting the organization’s compliance efforts, including the privacy officer when applicable.”
- Performance Indicator II.A – “Adhere to requirements respecting collection, use, disclosure, retention and deletion of personal information, including identifying situations that may benefit from a consent exception” (the “consent exception” aspect is new).
- Performance Indicator II.A – “Understand how to respond to individuals seeking access to personal information, including what information can be provided or withheld, the timelines for response and identity verification requirements” (the “identity verification requirements” aspect is new).
- Performance Indicator II.C – “Understand the scope of and follow rules for consent, identification and unsubscribe mechanism (e.g., installation of computer programs, automatic downloads)” (new details were added to this).
- Performance Indicator II.C – “Understand the penalties for non-compliance with CASL.”
- Performance Indicator III.B – “Understand what should be included in a PIA report.”
- Performance Indicator IV.A – “Understand and implement practices that facilitate transparency and openness” (this change is more stylistic than substantive).
In addition, the previous performance indicator under Section I.D was divided into two separate performance indicators as set forth below:
- Performance Indicator I.D – “Understand the implications of international data transfers under relevant privacy laws, including mechanisms and protections for cross-border data flows.”
- Performance Indicator I.D – “Understand when and how international privacy laws and their adequacy standards may or may not impact Canadian organizations in specific sectors such as healthcare, education, or finance.”
The following performance indicators were removed:
- Performance Indicator II.B – “Understand the scope of application of PIPEDA & Substantially similar laws.”
- Performance Indicator II.B – “Know what private sector industries fall under federal and provincial laws respectively.”
While the above changes may seem significant, in reality, they are relatively modest. Many of these changes provide greater context or specificity to areas already subject to testing on the CIPP/C exam.
Is Privacy Bootcamp’s CIPP/C Course Up to Date?
Yes, all Privacy Bootcamp courses are up to date.
At Privacy Bootcamp, we comprehensively update our courses once a year to correspond to any changes made to the CIPP/C Body of Knowledge and Exam Blueprint. Our work begins, however, months ahead of when those updates are first released publicly. We have a general understanding of what changes can be expected based upon important events and changes in the data protection industry, as well as student feedback. We will release updated CIPP/C course content in the coming weeks and months – significantly ahead of the September 1, 2025 effective date for the changes discussed above. With Privacy Bootcamp, you can always rest assured that you will be prepared come test day, no matter what changes IAPP throws your way.