Each year, the IAPP updates the topics tested on the Certified Information Privacy Professional / United States (CIPP/US) exam, which are laid out in a document called the Body of Knowledge (BoK). The CIPP/US Body of Knowledge is a high-level document published directly by the IAPP, formerly known as the International Association of Privacy Professionals, the non-profit organization that administers the CIPP/US certification.
To ensure that the CIPP/US certification exam remains current and to reflect changes in the industry, the IAPP updates the CIPP/US Body of Knowledge once annually. It does the same with its other “core” certifications, the CIPP/E, CIPP/C, CIPM, and CIPT certifications. Most years this occurs in the late Spring or early Summer.
But enough chit chat, let’s get to the nitty-gritty and walk through what changes the IAPP made this year to the BoK that will be effective starting September 1, 2026.
What is the Format for the New CIPP/US Body of Knowledge?
For the other certification exams that the IAPP administers, the IAPP has slowly started to transition the BoKs to a structure that provides a list of high-level “competencies,” which are matched with a set of “performance indicators.” Not so with the CIPP/US Body of Knowledge. The IAPP has continued to utilize the nested outline structure for the CIPP/US Body of Knowledge.
This means that another form, called the Exam Blueprint, continues to exist as a separate document. The CIPP/US Exam Blueprint sets forth the number of questions (given as a range) that students should expect to see on each topic set forth in the BoK.
Changes to the New CIPP/US Body of Knowledge
The IAPP has historically stated that its annual updates to its various certification exams include new content that will amount, at most, to just 10-15% of the exam. In other words, don’t go thinking that the entire test has been overhauled—it hasn’t.
Last year, the IAPP overhauled the CIPP/US somewhat substantially, especially the domain covering state privacy laws. This year, however, the changes are relatively small in comparison.
Did the Domains Change?
Let’s start our review of what changed by looking from a 10,000-foot view. There are five high-level “domains” included in this year’s CIPP/US BoK. These are unchanged from last year’s BoK. Those five domains are:
- Domain I – Introduction to the U.S. Privacy Environment
- Domain II – Limits on Private-Sector Collection and Use of Data
- Domain III – Government and Court Access to Private-Sector Information
- Domain IV – Workplace Privacy
- Domain V – State Privacy Laws
Are There Any New Topics or Concepts That Have Been Added?
The list of new topics and concepts added to the CIPP/US Body Knowledge this year is relatively modest. They include the following:
- Section I.A.d.vii – Departments of Insurance
- Section I.B.c – Fiduciary Duty
- Section I.C.l.3 – Intersection between U.S. and non-U.S. privacy laws (e.g., GDPR, FADP)
- Section II.C.h – Mergers, Acquisitions, & Divestitures
- Section V.B.b – Consent and verifiable parental consent (as part of state data subject rights)
- Section V.B.n.1 – NAIC AIS Governance Guidelines
In addition to the above, the IAPP has also identified another topic that is incorporated into the updated Body of Knowledge:
- Data leaks (in terms of “Workforce Training”)
This topic is not separately listed anywhere in the BoK itself. It can therefore perhaps be thought of as a subtopic under Section I.C.e - “Workforce Training.”
Were Any Topics or Concepts Removed?
Just as it adds new topics, the IAPP also will occasionally remove topics from is BoKs. This year, the IAPP removed only a single topic from the CIPP/US Body of Knowledge:
- Big Data (formerly included in Section II.A.e, “Future of Federal Enforcement”)
Did the Number of Questions Asked on Each Topic Change?
As we noted above, the specific number of questions asked on each topic is included in a separate document called the Exam Blueprint. For the past two years, the IAPP has not implemented any changes to the CIPP/US Exam Blueprint. That streak, however, has come to an end.
Those areas that will be de-emphasized (sometimes only slightly), include:
- Section I.A. - Structure of U.S. Law (from 4-6 questions, to 3-5 questions)
- Section II.A. – Cross-sector FTC Privacy Protection (from 5-7 questions, to 3-5 questions)
- Section II.B – Healthcare/Medical Privacy (from 4-6 questions, to 3-5 questions)
- Section II.C – Financial Privacy (from 4-6 questions, to 3-5 questions)
- Section III.A – Law Enforcement and Privacy (from 1-3 questions, to 1-2 questions)
- Section IV.A – Introduction to Workplace Privacy (from 2-4 questions, to 1-3 questions)
- Section IV.B – Privacy Before, During and After Employment (from 3-5 questions, to 2-4 questions)
- Section V.A – Federal vs. State Authority (from 1-3 questions, to 1-2 questions)
In contrast, those areas that will receive greater emphasis include the following:
- Section II.E – Telecommunications and Marketing (from 1-3 questions, to 2-4 questions)
- Section III.B – National Security and Privacy (from 1-2 questions, to 1-3 questions)
- Section V.B – State Data Privacy and Security Laws (from 6-8 questions, to 13-17 questions)
As you can see from the above, the IAPP is re-focusing the CIPP/US certification exam heavily on state comprehensive privacy laws. This reflects the explosion of comprehensive state legislation that has occurred in the past few years.
Bringing Beta Exams Back
Last year, the IAPP did not administer beta exams for any of its certifications. This year, however, the IAPP has brought back beta exams for the CIPP/US and CIPT certification exams.
You can learn more about beta exams in this article: IAPP Beta Exams Explained
In order to sit for a beta exam, you must register between June 1, 2025 and July 26, 2025. The exam itself must be taken in the test window, which is from July 21st through 27th. Beta exams test all of the new material that will be incorporated into the updated BoK, which become effective for everyone just one month after the beta exam window closes.
Is Privacy Bootcamp’s CIPP/US Course Up to Date?
Yes, all Privacy Bootcamp courses are up to date.
When the IAPP releases an updated Body of Knowledge and Exam Blueprint, we set to work implementing changes to our courses. At Privacy Bootcamp, we comprehensively update our courses once a year to correspond to these changes. That is in addition to smaller updates that we release throughout the year.
We begin working on our comprehensive annual updates months ahead of time based upon changes that we know have occurred in the privacy and data protection industry, important events, and student feedback. In the coming weeks and months, we will be releasing our comprehensive annual update for our CIPP/US course. This update will happen seamlessly for all enrolled students; there is no action needed on the part of our students. Any updated content will be available months ahead of the September 1, 2025 effective date for the changes discussed above.
