The topics tested on the Certified Information Privacy Professional / United States (CIPP/US) exam are laid out in a document known, prophetically, as the Body of Knowledge (BoK). The CIPP/US Body of Knowledge is a high-level document published directly by the International Association of Privacy Professionals (IAPP), the non-profit organization that administers the CIPP/US certification.
To ensure that the CIPP/US certification exam remains current and that it does not become “overexposed,” the IAPP updates the CIPP/US Body of Knowledge once annually. Most years this occurs in the late Spring or early Summer.
You can read about the updates from prior years here:
But we know you’re here because you want the latest updates. Let’s take a closer look and walk through what changes the IAPP made this year to the BoK that will be effective from Fall 2024 through Fall 2025.
When Do These Changes Go into Effect?
Before we get too in the weeds, let’s start with the basics. Because the IAPP does not want to surprise test-takers, it publishes updated BoKs several months in advance of when they become effective. In other words, the IAPP provides plenty of time—a minimum of 90 days—to learn new topics that it identifies before they appear on any exam.
The changes to the 2024-2025 Body of Knowledge for the CIPP/US exam go into effect on September 2, 2024.
What is the Format for the New CIPP/US Body of Knowledge?
If you’ve previously taken other certification exams administered by the IAPP, you probably know that the IAPP has slowly started to change the structure of the BoKs that it publishes. Moving away from a nested outline format to a list of high-level “competencies,” which are matched with a set of “performance indicators.”
These competencies are intended to be “clusters of connected tasks and abilities that constitute a body of knowledge domain.” Performance indicators, in contrast, “are the discreet tasks and abilities that constitutes the broader competence group.”
In addition, this new format combines the BoK with a document called the “Exam Blueprint,” which sets forth the number of questions (given as a range) that students should expect to see on each topic set forth in the BoK.
This new approach was first implemented with the 2023-2024 Certified Information Privacy Manager (CIPM) Body of Knowledge. The IAPP has followed a similar pattern with updated BoKs for the Certified Information Privacy Professional / Canada (CIPP/C) and the new Artificial Intelligence Governance Professional certifications. Last year, however, the IAPP maintained its traditional BoK format for both the CIPP/US and Certified Information Privacy Professional / Europe (CIPP/E) exams.
So, does this year’s CIPP/US Body of Knowledge move to the new format, or did the IAPP stick with its well-organized, nested outline?
Somewhat surprisingly, considering recent history, the IAPP has continued to maintain the nested outline structure for the CIPP/US Body of Knowledge.
Changes to the New CIPP/US Body of Knowledge
Now let’s dive into the details. IAPP has stated that its annual updates to its various certification exams include new content that will amount, at most, to just 10-15% of the exam. In other words, don’t go thinking that the entire test has been overhauled—it hasn’t. In fact, the changes this year are relatively minimal.
Did the Domains Change?
Let’s start with the good news, each of the five high-level “domains” included in this year’s CIPP/US BoK are the same as in the past few years. That is, the five domains are:
- Domain I – Introduction to the U.S. Privacy Environment
- Domain II – Limits on Private-Sector Collection and Use of Data
- Domain III – Government and Court Access to Private-Sector Information
- Domain IV – Workplace Privacy
- Domain V – State Privacy Laws
Did the Number of Questions Asked on Each Topic Change?
By maintaining its traditional nested outline format for the CIPP/US BoK, that means that another document, called the Exam Blueprint, is also kept as a separate document. The CIPP/US Exam Blueprint sets forth the number of questions that test takers can expect to see on each topic, given as a range.
This year, for the first time in several years, there is no change to the exam blueprint. That is, the number of questions asked on each topic remain the same as last year.
Are There Any New Topics or Concepts That Have Been Added?
The list of new topics and concepts added to the CIPP/US Body Knowledge this year are, much like last year, relatively modest. They include the following:
- Section I.C.j.i – Data Processing Agreements
- Section II.E.j – Web Scraping
- Section V.A.a – State Attorneys General under the concept of Federal vs. State Law
- Section V.C.c.i – Utah S.B. 127 Cybersecurity Amendments
- Section V.C.c.ii – Pennsylvania SB 696
In addition to the above, the entire section on State Data Privacy and Security Laws has been modified to include new topics and concepts. These include:
- Section V.B.a – Applicability, including Thresholds (e.g., number of state residents, annual revenue, etc.) and Available Exemptions
- Section V.B.b – Data Subject Rights
- Section V.B.c – Privacy Notice Requirements (e.g., California Online Privacy Protection Act and similar laws)
- Section V.B.d – Data Security Requirements
- Section V.B.e – Data Protection Agreements
- Section V.B.f – Data Protection Assessments / Risk Assessments
- Section V.B.g – Health Data Rules, including (i) Geofencing bands and restrictions; (ii) Washington My Health, My Data (MHMD) Act (2023); (iii) Nevada Consumer Health Data Privacy Law (SB 370) (2023); (iv) Privacy class actions based on the Illinois Genetic Information Privacy Act (GIPA) (2023)
- Section V.B.h – Data Retention and Destruction
- Section V.B.i – Selling and Sharing of Personal Information (PI)
- Section V.B.j – Enforcement, including Cure Periods and Penalties
- Section V.B.m.ii – Other biometric privacy laws (e.g., Washington, Texas), in addition to Illinois’ BIPA legislation
- Section V.B.n – AI Bias laws, including (i) Automated decision-making rules and regulations (e.g., California, Colorado); (ii) NYC Automated Employment Decision Tool law; (iii) Colorado’s Protecting Consumers from Unfair Discrimination in Insurance Practices law
- Section V.B.o – This section includes many laws already included in the BoK, but some were added, including California’s Delete Act (SB 362) and comprehensive laws in Florida, Oregon, Texas, and Montana
The above list may seem long, but in reality it represents only a small handful of new topics. The major new topic added is a detailed knowledge of state comprehensive privacy laws. These will account from anywhere from six (6) to eight (8) questions on the exam, according the exam blueprint.
It is also worth noting that the IAPP attempts to summarize these changes in discussing new content that can appear on its CIPP/US beta exam. The IAPP has summarized the new content as the following:
- Privacy torts
- Data processing agreements
- Data portability
- Web scraping
- Cookie deprecation
- Sale of Personal Information
- New topics on state privacy laws (with a cross-reference to the BoK)
As you will note, several of these topics are not expressly laid out in the BoK but are likely subsumed under pre-existing topics. These unlisted topics that students must know include privacy torts, data portability, cookie deprecation, and sale of PI.
Were Any Topics or Concepts Removed?
Just as it adds new topics, the IAPP also will occasionally remove topics from is BoKs. This year, the IAPP removed the following topics from the CIPP/US Body of Knowledge:
- Social Security Numbers under State data protection and security laws (formerly Section V.B.a)
- Illinois HB 1260 (formerly Section V.C.c.i)
- Massachusetts HB 4806 (formerly Section V.C.c.ii)
A word of caution is in order. While some topics may be removed, they could fall into broader topics that the IAPP has maintained. For example, both Illinois HB 1260 and Massachusetts HB 4806, still fall within the broader category of “Other significant state amendments” to data breach notification laws. Thus, while they are unlikely to be the focus of your CIPP/US exam, you may still see a question about these state laws.
At the same time, the IAPP removed the broad catch-all for “Other significant state acts and laws” under the state data privacy and security laws section.
Is Privacy Bootcamp’s CIPP/US Course Up to Date?
Yes, all Privacy Bootcamp courses are up to date.
When the IAPP releases an updated Body of Knowledge and Exam Blueprint, we set to work implementing changes to our courses. At Privacy Bootcamp, we comprehensively update our courses once a year to correspond to these changes. That is in addition to smaller updates that we release throughout the year.
We begin working on our comprehensive annual updates months ahead of time based upon changes that we know have occurred in the privacy and data protection industry, important events, and student feedback. In the coming days, weeks, and months, we will be releasing our comprehensive annual update for our CIPP/US course. This update will happen seamlessly for all enrolled students; there is no action needed on the part of our students. Any updated content will be available months ahead of the September 2, 2024 effective date for the changes discussed above.
