CIPP/US Body of Knowledge (2024-2025)

CIPP/US | BoK | Exam Blueprint
Return to Resources Page

The topics tested on the Certified Information Privacy Professional / United States (CIPP/US) exam are laid out in a document known, prophetically, as the Body of Knowledge (BoK). The CIPP/US Body of Knowledge is a high-level document published directly by the International Association of Privacy Professionals (IAPP), the non-profit organization that administers the CIPP/US certification.

To ensure that the CIPP/US certification exam remains current and that it does not become “overexposed,” the IAPP updates the CIPP/US Body of Knowledge once annually. Most years this occurs in the late Spring or early Summer.

You can read about the updates from prior years here:

But we know you’re here because you want the latest updates. Let’s take a closer look and walk through what changes the IAPP made this year to the BoK that will be effective from Fall 2024 through Fall 2025.

When Do These Changes Go into Effect?

Before we get too in the weeds, let’s start with the basics. Because the IAPP does not want to surprise test-takers, it publishes updated BoKs several months in advance of when they become effective. In other words, the IAPP provides plenty of time—a minimum of 90 days—to learn new topics that it identifies before they appear on any exam.

The changes to the 2024-2025 Body of Knowledge for the CIPP/US exam go into effect on September 2, 2024.

What is the Format for the New CIPP/US Body of Knowledge?

If you’ve previously taken other certification exams administered by the IAPP, you probably know that the IAPP has slowly started to change the structure of the BoKs that it publishes. Moving away from a nested outline format to a list of high-level “competencies,” which are matched with a set of “performance indicators.”

These competencies are intended to be “clusters of connected tasks and abilities that constitute a body of knowledge domain.” Performance indicators, in contrast, “are the discreet tasks and abilities that constitutes the broader competence group.”

In addition, this new format combines the BoK with a document called the “Exam Blueprint,” which sets forth the number of questions (given as a range) that students should expect to see on each topic set forth in the BoK.

This new approach was first implemented with the 2023-2024 Certified Information Privacy Manager (CIPM) Body of Knowledge. The IAPP has followed a similar pattern with updated BoKs for the Certified Information Privacy Professional / Canada (CIPP/C) and the new Artificial Intelligence Governance Professional certifications. Last year, however, the IAPP maintained its traditional BoK format for both the CIPP/US and Certified Information Privacy Professional / Europe (CIPP/E) exams.

So, does this year’s CIPP/US Body of Knowledge move to the new format, or did the IAPP stick with its well-organized, nested outline?

Somewhat surprisingly, considering recent history, the IAPP has continued to maintain the nested outline structure for the CIPP/US Body of Knowledge.

Changes to the New CIPP/US Body of Knowledge

Now let’s dive into the details. IAPP has stated that its annual updates to its various certification exams include new content that will amount, at most, to just 10-15% of the exam. In other words, don’t go thinking that the entire test has been overhauled—it hasn’t. In fact, the changes this year are relatively minimal.

Did the Domains Change?

Let’s start with the good news, each of the five high-level “domains” included in this year’s CIPP/US BoK are the same as in the past few years. That is, the five domains are:

Did the Number of Questions Asked on Each Topic Change?

By maintaining its traditional nested outline format for the CIPP/US BoK, that means that another document, called the Exam Blueprint, is also kept as a separate document. The CIPP/US Exam Blueprint sets forth the number of questions that test takers can expect to see on each topic, given as a range.

This year, for the first time in several years, there is no change to the exam blueprint. That is, the number of questions asked on each topic remain the same as last year.

Are There Any New Topics or Concepts That Have Been Added?

The list of new topics and concepts added to the CIPP/US Body Knowledge this year are, much like last year, relatively modest. They include the following:

In addition to the above, the entire section on State Data Privacy and Security Laws has been modified to include new topics and concepts. These include:

The above list may seem long, but in reality it represents only a small handful of new topics. The major new topic added is a detailed knowledge of state comprehensive privacy laws. These will account from anywhere from six (6) to eight (8) questions on the exam, according the exam blueprint.

It is also worth noting that the IAPP attempts to summarize these changes in discussing new content that can appear on its CIPP/US beta exam. The IAPP has summarized the new content as the following:

As you will note, several of these topics are not expressly laid out in the BoK but are likely subsumed under pre-existing topics. These unlisted topics that students must know include privacy torts, data portability, cookie deprecation, and sale of PI.

Were Any Topics or Concepts Removed?

Just as it adds new topics, the IAPP also will occasionally remove topics from is BoKs. This year, the IAPP removed the following topics from the CIPP/US Body of Knowledge:

A word of caution is in order. While some topics may be removed, they could fall into broader topics that the IAPP has maintained. For example, both Illinois HB 1260 and Massachusetts HB 4806, still fall within the broader category of “Other significant state amendments” to data breach notification laws. Thus, while they are unlikely to be the focus of your CIPP/US exam, you may still see a question about these state laws.

At the same time, the IAPP removed the broad catch-all for “Other significant state acts and laws” under the state data privacy and security laws section.

Is Privacy Bootcamp’s CIPP/US Course Up to Date?

Yes, all Privacy Bootcamp courses are up to date.

When the IAPP releases an updated Body of Knowledge and Exam Blueprint, we set to work implementing changes to our courses. At Privacy Bootcamp, we comprehensively update our courses once a year to correspond to these changes. That is in addition to smaller updates that we release throughout the year.

We begin working on our comprehensive annual updates months ahead of time based upon changes that we know have occurred in the privacy and data protection industry, important events, and student feedback. In the coming days, weeks, and months, we will be releasing our comprehensive annual update for our CIPP/US course. This update will happen seamlessly for all enrolled students; there is no action needed on the part of our students. Any updated content will be available months ahead of the September 2, 2024 effective date for the changes discussed above.

Privacy Bootcamp Student

Study the Smart Way With Privacy Bootcamp

Privacy Bootcamp Student
  • Comprehensive, all-in-one training source
  • Pass on your first attempt — or your money back*
  • Gain real exam experience with a live testing environment