CertPrepNow

CIPP/US Cheat Sheet

Quick reference for the Certified Information Privacy Professional/United States exam.

U.S. Privacy Foundations — Structure and Philosophy

Sectoral vs. Comprehensive Privacy Model
The U.S. uses sector-specific laws (HIPAA for health, GLBA for finance, COPPA for children) rather than a single comprehensive law like GDPR — the sectoral approach is the defining feature of U.S. privacy law and explains why the CIPP/US requires knowledge of many statutes.
Constitutional Privacy Sources
First Amendment (freedom of association), Third Amendment (no quartering of soldiers, cited in Griswold), Fourth Amendment (unreasonable search and seizure by government), Fifth Amendment (self-incrimination), Fourteenth Amendment (substantive due process). Griswold v. Connecticut (1965) located a right to privacy in the "penumbras" of several amendments; later cases ground it in Fourteenth Amendment due process. The Constitution restricts GOVERNMENT action only, not private companies.
Fair Information Practice Principles (FIPPs)
Five foundational principles underlying all U.S. privacy law: Notice/Awareness, Choice/Consent, Access/Participation, Integrity/Security, Enforcement/Redress — FIPPs are guiding principles, not independently enforceable law.
Notice-and-Choice Regulatory Model
The dominant U.S. regulatory approach: organizations disclose data practices in a privacy notice and give individuals a choice about collection and use — underpins both federal statutes and state comprehensive privacy laws.
Privacy Act of 1974
Governs collection, maintenance, use, and dissemination of personal information by FEDERAL GOVERNMENT agencies only — does NOT apply to private-sector organizations; establishes FIPPs-based individual access and amendment rights for government records.
Four Common Law Privacy Torts (Prosser 1960)
Intrusion upon seclusion (invading private space), public disclosure of private facts (publicizing private information), false light (distorting truth to portray someone inaccurately), and appropriation of name or likeness (commercial use without consent) — identify which tort applies to each scenario.
Self-Regulatory Frameworks
Industry self-regulation via codes of conduct, BBB Online, Digital Advertising Alliance (DAA) principles, and FTC-approved safe harbor programs — supplement statutory requirements and can be the basis for FTC deception enforcement if a company claims adherence but does not comply.

FTC Enforcement Authority — The Primary Federal Mechanism

FTC Section 5 — Unfairness Standard
A practice is unfair if it causes or is likely to cause substantial injury to consumers that is NOT reasonably avoidable and NOT outweighed by countervailing benefits — does NOT require any misrepresentation; a harmful data security practice qualifies without a false statement.
FTC Section 5 — Deception Standard
A practice is deceptive if it involves a material representation, omission, or practice likely to mislead a consumer acting reasonably under the circumstances — requires a misleading statement or omission; a privacy policy promising data security that the company does not implement is classic deception.
FTC Enforcement Tools
Consent decrees (binding orders, typically 20 years, with compliance reporting and independent assessments), administrative cease-and-desist orders, and civil penalties for violating an existing order or a trade regulation rule (for example the COPPA Rule or the GLBA Safeguards Rule). The FTC cannot obtain civil penalties for a first-time Section 5 violation itself; penalties require a prior order or a rule violation, and they are recovered through a court action rather than imposed directly.
State Attorney General Enforcement
Most state privacy laws give AGs authority to enforce violations, issue civil investigative demands, seek injunctive relief and civil penalties, and in some states bring parens patriae claims on behalf of residents; several federal statutes (COPPA, CAN-SPAM, and HIPAA via the HITECH Act) also expressly authorize state AG enforcement, so AGs can enforce both state and federal privacy law.
Unfairness vs. Deception — Exam Trap
Unfairness = harmful practice without any false statement (e.g., inadequate data security causing harm); Deception = misleading statement or omission (e.g., privacy policy says 'we never sell data' but company does sell it) — identify which theory applies based on whether there is a misrepresentation.

Healthcare and Financial Privacy — HIPAA and GLBA

HIPAA — Covered Entities
Health plans, healthcare clearinghouses, and healthcare providers that conduct covered electronic transactions — HIPAA does NOT apply to consumer health apps, fitness wearables, or employer wellness programs unless linked to a covered entity.
HIPAA — Business Associates
Vendors that create, receive, maintain, or transmit PHI on behalf of a covered entity — a Business Associate Agreement (BAA) must be executed BEFORE any PHI is shared; without a BAA the disclosure is a HIPAA violation.
HIPAA — PHI De-Identification Methods
Safe Harbor method: remove all 18 specified identifiers (names; geographic units smaller than a state; all date elements except year; ages over 89; phone; fax; email; SSN; medical record and health plan numbers; account, certificate, and license numbers; vehicle and device identifiers; URLs; IP addresses; biometrics; full-face photos; any other unique code) AND have no actual knowledge that the remaining data could identify the individual. ZIP codes may keep their first three digits only if that 3-digit area has more than 20,000 residents; otherwise they become 000. Expert Determination method: a qualified statistician documents that the re-identification risk is very small. De-identified data is no longer PHI and falls outside HIPAA.
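The Safe Harbor rules are mechanical enough to implement as a record filter, and doing so exposes the two cases ad-hoc scrubbers usually miss: a birth year that by itself reveals an age over 89, and a ZIP prefix that must collapse to 000. The following Python is an added example written for this cheat sheet, not code from the page, HHS, or the IAPP. The field names, the ISO date format, and the small-ZIP list are assumptions (the list mirrors the 2000-Census-based list in HHS guidance; real code would load the current Census-derived list).

```python
"""HIPAA Safe Harbor de-identification (45 CFR 164.514(b)(2)) as a record filter.

Added example for this cheat sheet; not code from the page, HHS, or the IAPP.
Assumptions: records are flat dicts with the field names below, dates are
datetime.date objects or ISO-8601 strings, and SMALL_ZIP3 stands in for the
current Census-derived list of 3-digit ZIP areas with 20,000 or fewer people.
"""
from datetime import date
import re

# Direct-identifier categories that are removed outright. Field names are
# assumptions for this example; map a real schema onto them.
DIRECT_IDENTIFIERS = {
    "name", "street", "city", "county",          # names and sub-state geography
    "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number",
    "vehicle_id", "device_id", "url", "ip_address",
    "biometric", "photo", "other_unique_id",
}

# Dates tied to the individual: only the year may survive.
DATE_FIELDS = {"dob", "admission_date", "discharge_date", "death_date"}

# 3-digit ZIP areas with population <= 20,000 must become "000". This mirrors the
# 2000-Census-based list in HHS guidance; load the current list in real use.
SMALL_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790", "821",
              "823", "830", "831", "878", "879", "884", "890", "893"}


def _to_date(value):
    """Accept a date or an ISO-8601 string (assumed input format)."""
    return value if isinstance(value, date) else date.fromisoformat(str(value))


def deidentify_zip(zip_code):
    """Keep the first three digits, or return '000' for sparsely populated areas."""
    digits = re.sub(r"\D", "", str(zip_code or ""))[:3]
    if len(digits) < 3 or digits in SMALL_ZIP3:
        return "000"
    return digits


def age_on(dob, today):
    """Whole years between dob and today (birthday not yet reached counts one less)."""
    d, t = _to_date(dob), _to_date(today)
    return t.year - d.year - ((t.month, t.day) < (d.month, d.day))


def safe_harbor(record, today):
    """Return a new dict with the 18 Safe Harbor identifier categories removed.

    `today` is passed explicitly so the over-89 test is reproducible; production
    code would use date.today(). Safe Harbor additionally requires that the
    covered entity has no ACTUAL KNOWLEDGE the remaining fields could identify
    the person; that is a human judgment this function cannot make.
    """
    dob = record.get("dob")
    over_89 = dob is not None and age_on(dob, today) > 89
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue                                  # dropped entirely
        if field == "zip":
            out[field] = deidentify_zip(value)
        elif field in DATE_FIELDS:
            if value is None or (field == "dob" and over_89):
                out[field] = None                     # birth year alone would reveal age > 89
            else:
                out[field] = _to_date(value).year     # year only
        elif field == "age":
            stated_over_89 = isinstance(value, int) and value > 89
            out[field] = "90+" if (over_89 or stated_over_89) else value
        else:
            out[field] = value                        # clinical data etc. passes through
    if over_89:
        out["age"] = "90+"                            # aggregate into the single top bucket
    return out


if __name__ == "__main__":
    # Constructed sample record (not real patient data).
    sample = {
        "name": "Jane Doe", "ssn": "123-45-6789", "email": "jane@example.com",
        "ip_address": "203.0.113.7", "dob": "1932-05-14", "zip": "02139-4307",
        "admission_date": date(2025, 3, 2), "diagnosis": "I10",
    }
    print(safe_harbor(sample, today=date(2026, 1, 1)))
```

The filter is necessary but not sufficient: the no-actual-knowledge condition, and the question of whether free-text clinical notes carry identifiers, still require review. Free-text fields pass through unchanged here, which is exactly where real de-identification projects spend most of their effort.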
HIPAA — Breach Notification Timeline
Notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery; if more than 500 residents of a state or jurisdiction are affected, also notify prominent media in that state within the same 60 days and notify HHS contemporaneously (HHS posts these on its public breach portal, the "wall of shame"); breaches affecting fewer than 500 individuals are logged and reported to HHS within 60 days after the end of the calendar year. The 60-day clock runs from discovery (when the breach is known or, with reasonable diligence, would have been known), not from the breach itself, and 60 days is an outer limit, not a safe harbor for delay.
HIPAA vs. GLBA — Consent Model (Exam Trap)
HIPAA uses an opt-IN authorization model (individual authorization required for most disclosures beyond treatment, payment, and healthcare operations); GLBA uses an opt-OUT model (sharing is permitted unless the consumer opts out) — this distinction appears in multiple exam questions.
GLBA — Broad Definition of Financial Institution
GLBA's definition of financial institution is much broader than just banks — includes tax preparers, check cashers, payday lenders, real estate settlement companies, mortgage brokers, and retailers offering credit — if it's financial in nature, GLBA likely applies.
GLBA — Safeguards Rule
Requires financial institutions to implement a written information security program with administrative, technical, and physical safeguards proportionate to the size and complexity of the organization and the sensitivity of the information. The 2021 amendments added prescriptive elements (a designated qualified individual, a written risk assessment, access controls, encryption in transit and at rest, multi-factor authentication, and service provider oversight), and a 2023 amendment requires notifying the FTC within 30 days of discovering a "notification event" involving unencrypted data of 500 or more consumers. The FTC enforces the Safeguards Rule for non-bank institutions; banking regulators enforce their own interagency guidelines for banks.
HIPAA — Minimum Necessary Rule and Individual Rights
Covered entities must limit PHI disclosures to the minimum necessary to accomplish the intended purpose (except for treatment uses); individuals have rights to access their PHI, request amendments, and receive an accounting of disclosures — minimum necessary does NOT apply to treatment communications between providers.

Consumer and Children's Privacy — FCRA, COPPA, FERPA

FCRA — Two-Step Adverse Action Process
Step 1 (BEFORE decision): provide pre-adverse action notice with copy of consumer report and summary of FCRA rights; Step 2 (AFTER decision): provide formal adverse action notice — many employers send only the post-decision notice and violate FCRA.
FCRA — Employment Background Check Requirements
Employer must provide a STANDALONE written disclosure and obtain WRITTEN AUTHORIZATION before obtaining a consumer report for employment — the disclosure cannot be buried in the employment application; this is a heavily tested specific requirement.
FCRA — Permissible Purposes
Consumer reports may only be accessed for permissible purposes: credit transactions, employment (with consent), insurance underwriting, tenant screening, licensing, and legitimate business need — accessing a report without a permissible purpose violates FCRA.
COPPA — Age Threshold and Scope
Applies to operators of websites and online services directed to children under 13 (not under 18) OR with actual knowledge of child users — verifiable parental consent (VPC) required BEFORE collecting personal information from children.
COPPA — Verifiable Parental Consent Methods
FTC-approved VPC methods include: a signed consent form returned by mail, fax, or scan; a credit/debit card or other online payment transaction that notifies the account holder; a toll-free number or video conference staffed by trained personnel; checking a government-issued ID against a database (then deleting it); knowledge-based authentication questions; and facial recognition matched against a photo ID. "Email plus" (email confirmation followed by a second contact) is allowed only when the child's data is used internally and not disclosed. An operator may also follow the procedures of an FTC-approved COPPA safe harbor program. Children's self-consent is never valid under COPPA.
FERPA — Education Records and Rights Transfer
Protects education records held by institutions receiving federal funds; parental rights transfer to the STUDENT (becomes eligible student) at age 18 or upon enrollment in a postsecondary institution — FERPA applies to the institution, not to commercial websites collecting from students.
COPPA vs. FERPA — Exam Trap
COPPA applies to commercial website operators collecting data from children under 13 (online activity); FERPA applies to educational institutions protecting student education records — a school's student portal could implicate both laws but they regulate different entities and data types.
FCRA — Accuracy Obligations and Consumer Disputes; FERPA — Directory Information
FCRA: consumer reporting agencies must follow reasonable procedures to ensure maximum possible accuracy; consumers may dispute inaccurate information and the CRA must investigate within 30 days (FACTA added free annual credit reports and the Red Flags Rule for identity theft). FERPA: schools may disclose directory information (name, address, phone, photo, enrollment status) unless the parent/student opts out.

Marketing and Telecommunications — TCPA and CAN-SPAM

TCPA — Consent Requirements for Marketing
Prior express WRITTEN consent required for autodialed or prerecorded marketing calls/texts; prior express consent (oral or written) required for informational autodialed calls — the written consent requirement is higher for marketing than for informational communications.
TCPA — National Do Not Call Registry
Telemarketers must scrub against the National DNC Registry and stop calling a number within 31 days of its registration; the established business relationship exception allows calls for 18 months after the consumer's last purchase or transaction and for 3 months after an inquiry or application, unless the consumer has asked that company directly not to call (a company-specific do-not-call request overrides the EBR).
CAN-SPAM — Key Requirements
Commercial email must: include a functioning opt-out mechanism honored within 10 business days (and requiring no more than a reply message or a single web page); use accurate header, "from," and subject lines; identify the message as an advertisement; and include the sender's valid physical postal address. CAN-SPAM does NOT require opt-in consent, only an opt-out mechanism.
CAN-SPAM — Pre-emption Rule
CAN-SPAM pre-empts state laws specifically regulating commercial email but does NOT pre-empt state laws against fraud, computer crimes, or laws not specifically targeting email — this narrow pre-emption question appears frequently.
VPPA — Video Privacy Protection Act
Prohibits disclosure of personally identifiable video rental or streaming information without consumer consent — originally passed after Robert Bork's video rental records were published; applies to streaming services disclosing viewing history to third parties.
TCPA — Facebook v. Duguid (2021) and GLBA Sharing Exceptions
Facebook v. Duguid narrowed the TCPA autodialer (ATDS) definition: a system must use a random or sequential number generator to store or produce numbers to qualify, so many systems that dial from stored lists fall outside it (the prerecorded and artificial-voice rules still apply regardless). GLBA key exceptions: sharing with affiliates requires no GLBA opt-out (FCRA separately provides an opt-out for sharing certain non-experience information with affiliates and for affiliate marketing); sharing with a non-affiliated third party for joint marketing, or to perform services for the institution, is also exempt from the opt-out, provided the privacy notice discloses it and a contract restricts the recipient's use of the data.

Government Access to Data — Fourth Amendment and ECPA

Fourth Amendment — Government Action Only
The Fourth Amendment prohibits UNREASONABLE searches and seizures by GOVERNMENT actors — private companies can collect data without implicating the Fourth Amendment unless they are acting as government agents.
Third-Party Doctrine
Information voluntarily shared with third parties traditionally loses Fourth Amendment protection (bank records, phone records) — Carpenter v. United States (2018) created a narrow exception requiring a warrant for historical cell-site location information.
ECPA — Three Titles
Title I: Wiretap Act (real-time interception of content; requires a "Title III" order, named for Title III of the 1968 Omnibus Crime Control Act and often called a super-warrant because it demands probable cause plus necessity, minimization, and a time limit); Title II: Stored Communications Act (stored content and records, tiered process); Title III: Pen Register and Trap-and-Trace statute (dialing and routing metadata, court order on a certification of relevance). Choose the title based on whether the data is content vs. metadata and in transit vs. at rest.
SCA — Tiered Legal Process
Basic subscriber information: subpoena; transactional records (non-content, such as logs and addressing data): court order under 18 U.S.C. 2703(d) on "specific and articulable facts"; content of stored communications: search warrant on probable cause. The statute itself lets content in storage more than 180 days be obtained with a subpoena or 2703(d) order plus notice, but since United States v. Warshak (6th Cir. 2010) major providers require a warrant for all content. Each tier requires a higher legal standard.
Wiretap Act vs. SCA — Exam Trap
Wiretap Act covers REAL-TIME interception of communications in transit (highest standard: super-warrant); SCA covers STORED data accessed from a service provider (lower standard depending on content vs. metadata) — apply the correct statute based on whether the data is moving or at rest.
FISA and National Security Letters
FISA authorizes surveillance of foreign powers and their agents; Section 702 allows collection of foreign intelligence from non-U.S. persons outside the U.S. through U.S. service providers; National Security Letters compel disclosure of certain subscriber records WITHOUT judicial approval but include a gag order.

Workplace Privacy — Employer Monitoring and Employee Data

Employer Electronic Monitoring — General Rule
Employers generally have broad rights to monitor activity on company-owned devices and networks — but must balance against state wiretapping statutes (some require all-party consent), ECPA consent provisions, and any applicable union collective bargaining agreements.
BYOD — Bring Your Own Device Privacy Issues
Employees using personal devices for work retain greater privacy expectations than on employer-owned devices — employers must establish clear policies on monitoring scope, data separation between personal/corporate data, and remote wipe capabilities.
Video Surveillance — Permissible vs. Prohibited Areas
Video surveillance generally permitted in common work areas, production floors, and parking lots — prohibited in areas with reasonable expectation of privacy such as restrooms and changing rooms; adding audio recording triggers state and federal wiretapping law requirements.
Illinois BIPA — Biometric Information Privacy Act
Requires informed written consent and a publicly available retention/destruction schedule BEFORE collecting biometric identifiers (fingerprints, voiceprints, retina or iris scans, hand or face geometry) and prohibits selling them; has a PRIVATE RIGHT OF ACTION with liquidated damages of $1,000 per negligent and $5,000 per intentional or reckless violation; the 2024 amendment (SB 2979) limits recovery to one violation per person per collection method, overriding the per-scan accrual of Cothron v. White Castle. Photographs themselves are excluded from the definition, but face geometry extracted from a photograph is covered.
GINA — Genetic Information Nondiscrimination Act
Title II prohibits employers from requesting, requiring, or purchasing genetic information, including family medical history, about employees or applicants, and from using it in employment decisions; asking about family medical history in a job interview violates GINA regardless of intent, with only narrow exceptions such as inadvertent acquisition ("water cooler" disclosures) or voluntary wellness programs meeting strict conditions. Title I covers health insurers.
Drug Testing — Federal vs. State Variation
Federal safety-sensitive positions and DOT-regulated industries require mandatory drug testing programs; state rules vary widely (some require reasonable suspicion, others allow random testing) — no single federal rule applies to all private employers.

California CCPA/CPRA — The Foundation of State Privacy Law

CCPA/CPRA — Applicability Thresholds (OR Logic)
Applies to for-profit businesses doing business in California meeting ANY ONE of: annual gross revenue exceeding ~$26.6M (CPI-adjusted 2025), OR data of 100,000+ consumers/households, OR 50%+ of annual revenue from selling/sharing personal information — satisfying ONE threshold triggers coverage.
CCPA/CPRA — Consumer Rights
Right to Know (what data is collected), Right to Delete, Right to Correct, Right to Opt-Out of Sale/Sharing, Right to Limit Use of Sensitive Personal Information, Right to Non-Discrimination, Right to Data Portability — broadest consumer rights of any U.S. state law.
CCPA/CPRA — Private Right of Action (Exam Critical)
CCPA/CPRA is the ONLY state comprehensive privacy law with a private right of action, and it is LIMITED to breaches of specified unencrypted (or encrypted with a compromised key) personal information caused by a business's failure to implement reasonable security; statutory damages are $100 to $750 per consumer per incident (CPI-adjusted; $107 to $799 as of 2025) or actual damages, after a 30-day notice-and-cure opportunity for statutory-damages claims. All other violations are enforced by the CPPA or the AG only.
CCPA/CPRA — Service Providers vs. Contractors
Service providers process data on behalf of a business under a contract limiting use to specified purposes; contractors are entities receiving personal information from a business under a contract but not as service providers — both must delete data upon consumer deletion request directed to the business.
California Delete Act (SB 362) — Effective 2026
The Delete Act (signed 2023) moves data broker registration to the CPPA and creates a single deletion mechanism, the CPPA's Delete Request and Opt-out Platform (DROP): consumers can submit requests from January 2026, and registered brokers must begin processing them by August 2026 and recheck the platform at least every 45 days thereafter. It significantly expands the reach of deletion rights to the data broker ecosystem.
CCPA/CPRA — Sale vs. Sharing
CCPA/CPRA separately defines 'sale' (exchange for monetary or other valuable consideration) and 'sharing' (disclosure for cross-context behavioral advertising) — consumers can opt out of both; other state laws may define 'sale' more narrowly or combine these concepts.

State Privacy Laws — Comparison and Key Distinctions

Virginia VCDPA — Key Features
Controller/processor model; no private right of action (AG enforcement only); PERMANENT 30-day cure period (no sunset unlike Colorado/Connecticut); consumer rights include access, delete, correct, portability, opt-out of sale/targeted advertising/profiling — applicability: 100K consumers OR 25K consumers + 50% revenue from sale.
Colorado CPA — Key Features
60-day cure period SUNSETTED January 1, 2025 (AG can now enforce directly without cure opportunity); universal opt-out mechanism required (must honor Global Privacy Control); data protection assessments required for high-risk processing; AG and district attorneys enforce.
Connecticut CTDPA — Key Features
60-day cure period SUNSETTED January 1, 2025 (same as Colorado); no private right of action; consumer rights include access, delete, correct, portability, opt-out of sale/targeted advertising/profiling; children 13-15 require opt-in consent for targeted advertising.
Texas TDPSA — Key Features
Texas Data Privacy and Security Act (effective July 1, 2024); no revenue or data volume threshold (applies to any entity conducting business in Texas or targeting Texas residents that processes or sells personal data, excluding "small businesses" as defined by the SBA, which still need consent before selling sensitive data); permanent 30-day cure period; AG enforcement; no private right of action.
State Laws — Cure Periods Matrix (Exam Trap)
Permanent cure periods (no sunset): Virginia 30 days, Texas 30 days, Utah 30 days, Iowa 90 days, Indiana 30 days, Kentucky 30 days, Tennessee 60 days; Sunsetted (no cure now): Colorado (60 days, expired Jan 1, 2025), Connecticut (60 days, expired Jan 1, 2025); Temporary, expiring in 2026: Minnesota (30 days, through Jan 31, 2026), New Jersey (30 days, for 18 months after its January 2025 effective date); No cure period at all: Rhode Island. Virginia's cure is permanent, Colorado's and Connecticut's are not.
Private Right of Action — Which Laws Include One
CCPA/CPRA: YES (data breaches only); Virginia VCDPA: NO; Colorado CPA: NO; Connecticut CTDPA: NO; Texas TDPSA: NO; Illinois BIPA: YES (broad, per violation); TCPA: YES; VPPA: YES — most U.S. privacy laws rely on government enforcement, not private lawsuits.
Universal Opt-Out Mechanism (GPC)
Colorado, California, Connecticut, Texas, and a growing list of other states require businesses to honor a universal opt-out preference signal, in practice the Global Privacy Control (GPC), which a browser or extension sends as the Sec-GPC: 1 request header and exposes to scripts as navigator.globalPrivacyControl, as a valid opt-out of sale/sharing and targeted advertising. Companies cannot require consumers to opt out through a separate form when the signal is present, and the signal must be honored for the session even if the user is not logged in.
Data Breach Notification — All 50 States
All 50 U.S. states (plus DC, Puerto Rico, Guam, and the U.S. Virgin Islands) have data breach notification laws; there is NO single federal breach notification law. Common triggers are a name combined with SSN, driver's license or state ID number, financial account number plus access code, or health, biometric, or online credential data. Where a fixed deadline exists it typically runs 30 to 60 days; many states instead require notice "without unreasonable delay," and most add AG or regulator notice above a threshold such as 500 or 1,000 residents. The law of the affected individual's state of residence applies, not the law of the company's home state.

Opt-In vs. Opt-Out — Consent Models by Statute

Opt-In (Affirmative Consent) Laws
HIPAA authorization (most disclosures beyond TPO), COPPA verifiable parental consent, sensitive personal information under state laws (biometric, health, precise geolocation, financial, children's data), and Illinois BIPA — individual must affirmatively agree before data is collected or disclosed.
Opt-Out Laws
GLBA third-party sharing, CAN-SPAM commercial email, CCPA/CPRA sale/sharing (opt-out right), and most state law provisions for non-sensitive data — data processing proceeds by default unless the individual takes action to stop it.
Opt-In vs. Opt-Out — Why It Matters
Opt-in gives individuals more control (nothing happens without affirmative consent); opt-out gives organizations more operational latitude (processing occurs unless objected to) — misidentifying the applicable consent model leads to wrong answers on multiple exam questions.
Controller vs. Processor — State Law Model
Controllers determine the purposes and means of processing (primary compliance obligations); processors act on behalf of and at the direction of controllers (limited obligations: security, confidentiality, controller instructions) — California uses 'businesses/service providers/contractors' rather than controller/processor terminology.
Sensitive Personal Information — State Law Consistency
Across state laws, sensitive data categories requiring opt-in consent or stricter protections include: precise geolocation, racial/ethnic origin, health/medical data, financial account data, biometric data, data of children, sexual orientation, citizenship/immigration status — these categories are mostly consistent across states but not identical.

Emerging State Privacy Laws and Special Topics

Washington My Health My Data Act
Protects consumer health data NOT covered by HIPAA — broad definition of 'consumer health data' includes inferred health data; includes a private right of action (unusual for state privacy laws); applies to regulated entities collecting health data of Washington residents.
Illinois AI Video Interview Act
Requires employers using AI to analyze video interviews to notify applicants beforehand, explain how the AI works and which characteristics it evaluates, obtain consent, restrict sharing of the video to those needed to evaluate the applicant, and destroy the video within 30 days of a request; employers relying solely on AI to decide who gets an in-person interview must report applicant race and ethnicity data to the state. An example of state-level AI-specific privacy regulation in the workplace context.
NYC Automated Employment Decision Tool (AEDT) Law
NYC Local Law 144 requires employers and employment agencies using automated employment decision tools to screen candidates for NYC-based positions to obtain an independent bias audit within the past year, publish a summary of its results, and give candidates at least 10 business days' notice that a tool will be used and which job qualifications it assesses. The first U.S. law specifically regulating AI hiring tools.
California Age-Appropriate Design Code Act (AADC)
Requires businesses offering online services likely to be accessed by children under 18 (a higher age threshold than COPPA's under 13) to apply high privacy settings by default, avoid dark patterns, and conduct data protection impact assessments; broader in scope than COPPA. Caveat: enforcement has been enjoined on First Amendment grounds in NetChoice v. Bonta, so know its requirements but do not treat it as currently operative.
State AI Laws — Colorado AI Act
Colorado's AI Act (SB 24-205, enacted 2024, effective date postponed to June 30, 2026) addresses high-risk AI systems that make or substantially influence consequential decisions (employment, lending, housing, education, health care, insurance, legal services); developers and deployers must use reasonable care to protect consumers from known or reasonably foreseeable risks of algorithmic discrimination, with impact assessments, consumer notices, and AG enforcement (no private right of action).
DPPA — Driver's Privacy Protection Act
Federal law restricting disclosure of personal information from state motor vehicle records; lists 14 permissible uses (government functions, motor vehicle safety and recalls, insurance, litigation, and others) and, since the 1999 amendment, requires express opt-in consent before DMV data is disclosed for marketing. Protects name, address, SSN, phone, photo, and medical or disability information obtained from DMV records, and includes a private right of action.

Key Exam Traps and Distinction Pairs

Fourth Amendment Applies to Government, NOT Private Companies
A private employer's employee monitoring does NOT implicate the Fourth Amendment regardless of how intrusive, because Fourth Amendment claims require state action; private-sector employees' privacy rights on company devices come from statute (ECPA, state wiretapping and monitoring laws) and common law, not the Constitution. The trap in reverse: government employers ARE state actors, so public employees do have Fourth Amendment protection at work, assessed under the reasonableness test of O'Connor v. Ortega and City of Ontario v. Quon.
HIPAA Does Not Cover All Health Data
HIPAA covers PHI held by covered entities and business associates only; consumer health apps (MyFitnessPal), direct-to-consumer genetic testing (23andMe), and employer wellness programs outside the HIPAA ecosystem are NOT HIPAA-regulated, but may be covered by FTC Section 5, the FTC's Health Breach Notification Rule (which reaches vendors of personal health records and related apps, as in the 2023 GoodRx action), and state laws such as Washington's My Health My Data Act.
No Single Federal Breach Notification Law
There is no comprehensive federal data breach notification statute (as of 2026); sector-specific requirements exist (HIPAA's 60-day rule, the GLBA Safeguards Rule's 30-day notice to the FTC for events affecting 500 or more consumers, and the FTC Health Breach Notification Rule), but breach notification for most companies is governed by the 50+ overlapping state and territorial laws.
FIPPs Are Principles, Not Enforceable Law
Fair Information Practice Principles inform legislation and can be used as a framework but are not independently enforceable — do not select FIPPs as the answer to 'what law requires X' questions; look for the specific statute.
Carpenter v. United States (2018) — Limited Holding
Carpenter did NOT eliminate the third-party doctrine — it created a narrow exception specifically for historical cell-site location information requiring a warrant; bank records, conventional phone records, and most other third-party data still have no Fourth Amendment protection.
CCPA Private Right of Action Is Narrow
California's private right of action covers ONLY data breaches resulting from a failure to implement reasonable security; it does NOT extend to other CCPA/CPRA violations. A company that ignores access requests can be pursued only by the CPPA (administrative enforcement) or the AG (civil action), not sued by individual consumers.
CAN-SPAM Does Not Require Opt-In Consent
CAN-SPAM only requires an opt-OUT mechanism for commercial email — unlike CASL (Canada), CAN-SPAM does not require prior express consent before sending commercial email; this is a common confusion with international email law standards.
