CertPrepNow: IAPP CIPP/US (5 domains)

CIPP/US Exam Notes

Last-minute traps, must-know facts, and scenario tips for the Certified Information Privacy Professional/United States exam.

General Exam Tips

  1. Read every question for qualifiers: 'always,' 'may,' 'before,' 'after,' and 'EXCEPT' completely change the correct answer — the exam is written to exploit fast reading.
  2. Never leave a question blank. There is no penalty for wrong answers. Educated guessing on hard questions is always the correct strategy.
  3. Time math: 90 questions in 150 minutes = 100 seconds per question. Mark hard questions and return — do not stall on one question.
  4. For scenario questions, identify the regulated entity first (Who is subject to this law?), then the data type, then the action. The answer usually follows from those three facts.
  5. When two answers both seem correct, pick the more specific and precise one over the broad general principle.
  6. On multi-select questions (select all that apply), verify each option independently — partial credit does not exist.
  7. The 15 unscored field-test questions are indistinguishable from scored questions. Treat all 90 equally.
  8. Pace check: if you have answered 45 questions and 75 minutes have passed, you are on pace. If you are behind, skip long scenario questions and return.
  9. Identify the consent model first in any question involving data sharing: opt-in (HIPAA, COPPA, state sensitive data) or opt-out (GLBA, CAN-SPAM, most state sale/sharing) — this eliminates wrong choices immediately.

Domain 1 (37% of exam)

Introduction to the U.S. Privacy Environment

Must-Know Facts

  • The Fourth Amendment restricts GOVERNMENT action only — it has zero direct application to private-sector data collection. This is tested repeatedly.
  • FTC Section 5 has two completely separate theories: (1) Deception = material misrepresentation or omission likely to mislead reasonable consumers. (2) Unfairness = practice causing substantial injury not reasonably avoidable and not outweighed by benefits. Deception requires a false statement or omission; unfairness does not.
  • FIPPs are the five foundational principles: Notice/Awareness, Choice/Consent, Access/Participation, Integrity/Security, Enforcement/Redress. They are guiding principles — NOT independently enforceable law.
  • The U.S. sectoral model means no single comprehensive federal privacy law exists. Congress addressed privacy reactively, sector by sector (health = HIPAA, finance = GLBA, children online = COPPA). This is the core reason so many different statutes must be memorized.
  • FTC enforcement tools: consent decrees (binding agreements), civil penalties, administrative orders, and 20-year compliance monitoring. The FTC cannot impose criminal penalties on its own — DOJ handles criminal enforcement.
  • Privacy Act of 1974: applies ONLY to federal government agencies maintaining systems of records. It does not regulate private companies at all.
  • Four common law privacy torts: (1) Intrusion upon seclusion, (2) Public disclosure of private facts, (3) False light, (4) Appropriation of name or likeness.
  • State AGs have dual enforcement authority — they can bring actions under both state privacy laws AND some federal statutes (e.g., COPPA, CAN-SPAM). Federal enforcement is not always exclusively federal.
  • The notice-and-choice model is the dominant U.S. regulatory philosophy: tell consumers what you collect and give them options. Self-regulatory frameworks (DAA, BBB Online) operate under this same model.
  • Fiduciary duty is a newly emphasized BoK 2.6.1 topic — some proposals treat privacy professionals and data holders as having fiduciary obligations to data subjects.

Common Traps

Trap: The Fourth Amendment protects individuals against corporate surveillance and private data collection.
Reality: The Fourth Amendment is a constraint on government action only. A private company scanning your emails, building behavioral profiles, or sharing your data does not violate the Fourth Amendment. Only state action triggers constitutional analysis.

Trap: When a company fails to secure data and a breach occurs, the FTC pursues deception theory.
Reality: Failure to secure data (without a specific promise about security) is an UNFAIRNESS theory — the harm is real and not reasonably avoidable, but no misrepresentation was made. If the company promised 'bank-level security' and then failed, THEN deception applies because of the misrepresentation.

Trap: FIPPs are federal law that companies must comply with.
Reality: FIPPs are a framework — principles that inform legislation. They have no direct enforcement mechanism. The Privacy Act of 1974 codified FIPPs for federal agencies; specific statutes codify them for private sectors. FIPPs themselves are not a standalone cause of action.

Trap: The Privacy Act of 1974 gives individuals rights against companies that hold their personal data.
Reality: The Privacy Act of 1974 applies exclusively to federal government agencies and their systems of records. It gives individuals rights to access and amend their records held by government agencies — not by private companies.

Trap: FTC enforcement requires that the FTC first identify specific statutory violations.
Reality: The FTC's Section 5 authority is a standalone basis for enforcement — it does not require a separate privacy statute to be violated. The FTC can (and frequently does) bring actions solely under Section 5 against companies engaged in unfair or deceptive data practices, even in sectors with no sector-specific privacy law.

Trap: A company that claims to follow a self-regulatory code (like DAA or BBB Online) cannot be pursued by the FTC for deception.
Reality: If a company publicly claims to adhere to a self-regulatory framework and then violates that framework's standards, the FTC can bring a DECEPTION action — the public claim is the material representation that consumers reasonably rely on. Self-regulatory participation does not create immunity from FTC enforcement; it creates a higher bar to clear.

Trap: A consent decree from the FTC is just a warning — it has no binding force.
Reality: FTC consent decrees are binding legal orders. Violations of an existing consent decree expose companies to civil penalties of up to $50,120 per day per violation (2024 adjusted). The FTC monitors compliance for up to 20 years. A company that entered a consent decree and then re-offends faces far more severe consequences than a first-time violator.

Confusing Pairs

FTC Deception vs. FTC Unfairness

Deception = company said something false or misleading (a promise, a policy statement, a representation). Unfairness = company's practice itself caused harm, regardless of what they said. Example: posting a privacy policy promising not to share data, then sharing it = Deception. Collecting data insecurely without making any security promises and a breach occurs = Unfairness.

Privacy Act of 1974 vs. FTC Section 5

Privacy Act = government agencies only, codifies FIPPs for federal records systems. FTC Section 5 = private-sector enforcement, broad authority over unfair/deceptive practices. Questions about government databases point to the Privacy Act; questions about corporate practices point to Section 5.

Public disclosure of private facts (tort) vs. False light (tort)

Public disclosure = true private information revealed without consent (medical records published). False light = false or misleading impression created about someone (true facts twisted to imply something untrue). The key word is whether the disclosed information is TRUE (public disclosure) or creates a FALSE impression (false light).

Intrusion upon seclusion (tort) vs. Public disclosure of private facts (tort)

Intrusion = the act of prying into private affairs (hacking, eavesdropping, peering through windows) — the harm is the intrusion itself, not publication. Public disclosure = the act of publishing true private information — the harm is the publication. Intrusion can occur without any disclosure.

Opt-in (affirmative consent) model vs. Opt-out (notice-and-choice) model

Opt-in = data collection or sharing does NOT happen unless the individual affirmatively agrees first (HIPAA authorization, COPPA VPC, sensitive data under state laws). Opt-out = data collection or sharing HAPPENS by default unless the individual takes action to stop it (GLBA, CAN-SPAM, CCPA sale). The U.S. regulatory default is opt-out; opt-in is the exception. Getting this wrong eliminates the right answer immediately.

Scenario Tips

If the question asks about:

A company's privacy policy says 'We do not share your data with third parties.' The company then sells user data to advertisers.

Answer:

FTC Deception theory applies. The privacy policy is a material representation that misleads consumers reasonably relying on it.

Distractor to avoid:

Unfairness (wrong) — unfairness does not require a representation. The explicit promise in the privacy policy makes this a deception case, not a pure unfairness case.

If the question asks about:

A company collects sensitive medical information via a health app and stores it with no encryption. A breach exposes millions of records. The company never made specific security promises.

Answer:

FTC Unfairness theory applies. The failure to implement basic security measures causes substantial injury not reasonably avoidable by consumers.

Distractor to avoid:

Deception (wrong) — the company made no misrepresentation. Without a specific false security promise, this is unfairness, not deception.

If the question asks about:

Law enforcement subpoenas a bank for 6 months of account records on a suspect. The bank asks if a Fourth Amendment warrant is needed.

Answer:

Under the third-party doctrine, bank records voluntarily shared with the bank generally do not require a warrant. A subpoena may suffice for financial records.

Distractor to avoid:

Fourth Amendment warrant required (usually wrong for third-party records) — Carpenter created a narrow exception for CSLI, not bank records.

If the question asks about:

A tabloid publishes accurate information about a private citizen's addiction treatment obtained from a clinic source.

Answer:

Public disclosure of private facts — the information is true (no false light), the harm is the publication of true private medical facts.

Distractor to avoid:

Defamation (wrong) — defamation requires false statements. The information here is accurate.

If the question asks about:

A company has an existing FTC consent decree requiring it to implement specific security controls. It later suffers a breach because it stopped following those controls. How does this differ from a first-time FTC enforcement action?

Answer:

Violating a consent decree is a separate violation that triggers civil penalties (up to ~$50,000 per day per violation). Unlike a first-time Section 5 action where the FTC's primary remedy is a prospective order, a consent decree violation allows the FTC to immediately seek civil penalties in federal court. The prior decree is the predicate.

Distractor to avoid:

Same consequences as a first violation (wrong) — the existence of the consent decree dramatically increases the penalty exposure and changes the procedural path. This is a test of whether you know FTC enforcement escalates.

If the question asks about:

A technology company publicly advertises that it participates in the DAA self-regulatory program for online behavioral advertising. An investigation finds it does not follow the DAA's opt-out standards. What is the most direct FTC theory?

Answer:

FTC Deception. The public claim of DAA participation is a material representation that consumers and competitors reasonably rely on. Failing to follow the advertised standards makes that representation deceptive under Section 5.

Distractor to avoid:

Unfairness (wrong) — this is a textbook deception case because of the affirmative false representation about self-regulatory compliance. Unfairness would apply if there were no representation and only the harmful practice.

Last-Minute Facts

1. FTC unfairness test: 3 elements — (1) substantial injury, (2) not reasonably avoidable, (3) not outweighed by countervailing benefits.
2. FIPPs: 5 principles — Notice/Awareness, Choice/Consent, Access/Participation, Integrity/Security, Enforcement/Redress. Each has a paired name; exams may use either half.
3. 4 privacy torts: intrusion upon seclusion, public disclosure of private facts, false light, appropriation of name or likeness.
4. Privacy Act of 1974 = federal agencies only. FTC Act Section 5 = private sector.
5. FTC cannot impose criminal penalties directly — refers criminal matters to DOJ.
6. FTC consent decree: binding for up to 20 years. Violations = civil penalties up to ~$50,000/day/violation. Very different from a first-time order.
7. Sectoral model = reactive, sector-by-sector legislation (HIPAA, GLBA, COPPA). Comprehensive model = one law for all sectors (GDPR). The U.S. is sectoral; the EU is comprehensive.
8. Self-regulatory frameworks (DAA, BBB Online): voluntary. False claims of adherence = FTC deception theory. Actual compliance does not equal full legal compliance.
9. New in BoK 2.6.1: fiduciary duty, Departments of Insurance, M&A/divestiture scenarios, intersection with GDPR/FADP.

Domain 2 (24% of exam)

Limits on Private-Sector Collection and Use of Data

Must-Know Facts

  • HIPAA consent model: OPT-IN. Individual authorization required before most disclosures of PHI beyond Treatment, Payment, and Healthcare Operations (the three TPO exceptions).
  • GLBA consent model: OPT-OUT. Financial institutions can share NPI with nonaffiliated third parties UNLESS the consumer opts out. Sharing with affiliates and joint marketing partners has different (more permissive) rules.
  • FCRA two-step adverse action process: (1) PRE-adverse action — send the consumer a copy of the report plus a Summary of Rights BEFORE making the final decision. (2) Adverse action notice — send AFTER the final adverse decision with name of CRA, right to dispute.
  • COPPA age threshold: UNDER 13 (not under 18). Applies to operators of websites or online services directed to children OR with actual knowledge of child users. Requires verifiable parental consent (VPC) before ANY personal information collection.
  • HIPAA covered entities: Health plans, healthcare clearinghouses, healthcare providers who transmit PHI electronically. Business associates must have a BAA before receiving PHI.
  • HIPAA PHI de-identification: Two methods — Safe Harbor (remove all 18 identifiers) or Expert Determination (expert certifies re-identification risk is very small).
  • HIPAA breach notification: Notify affected individuals within 60 days. Notify HHS simultaneously for breaches of 500+ records in a single state; annual report for smaller breaches. Notify media for 500+ records in same state.
  • GLBA financial institution definition is VERY broad: includes payday lenders, tax preparers, check cashers, real estate settlement companies, mortgage brokers, auto dealers offering financing. Not limited to banks.
  • FCRA: Employers must obtain a STANDALONE written disclosure AND written authorization before pulling a consumer report for employment. Cannot be buried in a job application.
  • CAN-SPAM opt-out processing: Businesses have 10 BUSINESS DAYS to honor an opt-out request. CAN-SPAM PREEMPTS state email laws (but not state fraud/computer crime laws).
  • TCPA: Prior EXPRESS WRITTEN consent required for marketing autodialed calls and texts. Prior express consent (non-written) may suffice for informational messages. National Do Not Call Registry applies to residential numbers.
  • FERPA: Rights transfer from parents to the student (eligible student) at age 18 OR when they enroll in a postsecondary institution, whichever comes first.
  • COPPA personal information includes persistent identifiers (cookies, device IDs) — not just name and email. Geolocation data and photos/video of children also covered.
  • VPPA: Prohibits disclosing personally identifiable video rental/streaming records without written consent. Original 2 U.S.C. § 2710 context: Robert Bork's video rentals were published.

Common Traps

Trap: HIPAA protects all health data.
Reality: HIPAA only protects PHI held by covered entities and their business associates. Health data from a fitness app (Fitbit, Apple Health), consumer genetic testing (23andMe), or an employer wellness program run in-house is typically NOT HIPAA-covered. The FTC Act and state laws may apply instead.

Trap: GLBA only applies to banks and credit card companies.
Reality: GLBA defines 'financial institution' broadly to include any company significantly engaged in financial activities: tax preparers, check cashers, debt collectors, car dealerships offering financing, mortgage brokers, real estate settlement companies, and payday lenders. If a question mentions any of these, GLBA likely applies.

Trap: The FCRA adverse action notice is the only notice required in employment background checks.
Reality: There are TWO separate notices: (1) Pre-adverse action notice (with report copy + Summary of Rights) BEFORE any decision. (2) Final adverse action notice AFTER the decision. Getting the order wrong is the most common FCRA mistake on the exam.

Trap: COPPA requires consent before collecting data from anyone under 18.
Reality: COPPA applies to children UNDER 13. The threshold is not 16 or 18 — it is specifically under 13. Some state laws (California AADC) use under 18 or under 16, but the federal COPPA threshold is under 13.

Trap: CAN-SPAM gives consumers the right to opt out permanently by registering somewhere.
Reality: There is no CAN-SPAM registry. CAN-SPAM requires senders to include an opt-out mechanism in every commercial email and honor opt-out requests within 10 business days. The Do Not Call Registry is a TCPA concept for phone calls, not email.

Trap: HIPAA's minimum necessary rule applies to all uses and disclosures of PHI.
Reality: The minimum necessary rule has exceptions: it does NOT apply to disclosures to the individual themselves, to healthcare providers for treatment purposes, or to disclosures made pursuant to an individual's authorization. These exceptions are tested.

Confusing Pairs

HIPAA (opt-in/authorization) vs. GLBA (opt-out)

HIPAA = affirmative consent (authorization) required before most PHI disclosures outside TPO. GLBA = sharing allowed by default with opt-out right for nonaffiliated third parties. Sector determines which model applies. Health = opt-in; financial services = opt-out.

COPPA (children under 13) vs. FERPA (student education records)

COPPA = commercial websites, children under 13, verifiable parental consent, FTC enforcement. FERPA = educational institutions receiving federal funds, student education records at any age, restricts disclosure. A school app for 10-year-olds could implicate BOTH, but they regulate different entities and information types.

FCRA Pre-Adverse Action Notice vs. FCRA Adverse Action Notice

Pre-adverse = comes FIRST, BEFORE the decision is made, includes copy of report and Summary of FCRA Rights, gives applicant time to dispute. Adverse = comes AFTER the final decision, includes CRA name and contact, right to free copy within 60 days. Wrong order on the exam = wrong answer.

HIPAA Safe Harbor de-identification vs. HIPAA Expert Determination de-identification

Safe Harbor = remove all 18 specific identifiers (name, address, dates except year, phone, SSN, etc.) — no statistical expertise required. Expert Determination = qualified expert applies statistical methods and certifies re-identification risk is very small — can retain more detail. Safe Harbor is mechanical; Expert Determination is analytical.

TCPA (phone/text marketing) vs. CAN-SPAM (commercial email)

TCPA = prior express written consent for marketing autodialed calls/texts, covers National Do Not Call Registry. CAN-SPAM = opt-out mechanism in every commercial email, 10 business days to process, preempts state email laws. TCPA = phones/texts; CAN-SPAM = email only.

COPPA 'directed to children' test vs. COPPA 'actual knowledge' standard

Directed to children = site or service meets the multi-factor test (subject matter, visual/audio content, age of models, advertising content). Actual knowledge = the operator actually knows a specific user is under 13 even if the site is not directed to children. Both trigger COPPA obligations but arise from different facts.

Scenario Tips

If the question asks about:

A hospital hires a cloud vendor to store medical records. When must the hospital act before sharing PHI?

Answer:

A Business Associate Agreement (BAA) must be executed BEFORE any PHI is transferred. The vendor becomes a Business Associate the moment they receive PHI.

Distractor to avoid:

Patient authorization (wrong) — individual patient authorization is not required for business associate relationships serving treatment, payment, or operations purposes.

If the question asks about:

An employer wants to use a background check report to reject a job applicant. What is the correct sequence?

Answer:

(1) Provide standalone written disclosure and obtain written authorization BEFORE pulling the report. (2) After receiving the report, send pre-adverse action notice with the report copy and Summary of Rights. (3) Wait a reasonable time. (4) Send formal adverse action notice with CRA details.

Distractor to avoid:

Sending only one notice after the decision (wrong) — two notices are required, and the pre-adverse notice must come BEFORE the final decision.

If the question asks about:

A children's gaming app notices that a user who signed up as 18 years old is actually 10. What must the operator do under COPPA?

Answer:

Once the operator has actual knowledge the user is under 13, COPPA obligations immediately apply regardless of the stated age. The operator must obtain verifiable parental consent or delete the child's information.

Distractor to avoid:

Relying on the stated age as a valid defense (wrong) — actual knowledge triggers COPPA regardless of the self-reported age.

If the question asks about:

A company sends commercial marketing emails. A recipient opts out. When must the opt-out be honored?

Answer:

Within 10 BUSINESS DAYS of receiving the opt-out request under CAN-SPAM.

Distractor to avoid:

30 days (wrong) — 30 days is a CCPA/state law response timeline. CAN-SPAM uses 10 business days.

If the question asks about:

A health data startup collects step counts and sleep data through a smartphone app. Is HIPAA the primary law the startup must comply with?

Answer:

Likely NOT HIPAA. Consumer health apps are typically not HIPAA covered entities unless they operate under a business associate relationship with a covered entity. The FTC Health Breach Notification Rule or state health data laws (Washington My Health My Data Act) likely apply.

Distractor to avoid:

HIPAA always covers health data (wrong) — HIPAA only applies to covered entities and business associates. Consumer apps collecting health data outside that ecosystem are regulated by other frameworks.

Last-Minute Facts

1. HIPAA breach notification: 60 days to individuals; simultaneously to HHS if 500+ records in a state.
2. COPPA: under 13. FERPA: under 18 OR college enrollment for parent-to-student rights transfer.
3. FCRA: 2 separate notices — pre-adverse BEFORE decision, adverse action AFTER decision.
4. CAN-SPAM opt-out: must be honored within 10 BUSINESS DAYS.
5. HIPAA minimum necessary exceptions: (1) disclosure to the individual, (2) treatment by providers, (3) pursuant to authorization.
6. GLBA broad financial institution: tax preparers, mortgage brokers, payday lenders, check cashers — not just banks.
7. HIPAA Safe Harbor: remove all 18 identifiers. Expert Determination: expert certifies re-identification risk is very small.
8. VPPA: requires written consent to disclose video rental/streaming records — still actively litigated for streaming services.

Domain 3 (5% of exam)

Government and Court Access to Private-Sector Information

Must-Know Facts

  • Fourth Amendment restricts government searches and seizures — requires probable cause and a warrant for most searches. Does NOT apply to private-sector actions.
  • Third-party doctrine: information voluntarily shared with third parties (banks, phone companies) traditionally loses Fourth Amendment protection. BUT Carpenter v. United States (2018) created a narrow exception for cell-site location information (CSLI), requiring a warrant.
  • Carpenter did NOT eliminate the third-party doctrine — it created a limited exception for CSLI because of its pervasive, detailed nature. Bank records, phone records, and most third-party data still fall under the traditional doctrine.
  • ECPA Title I (Wiretap Act): governs REAL-TIME interception of electronic communications. Requires a Title III super-warrant — probable cause, necessity (other methods exhausted), minimization procedures.
  • ECPA Title II (Stored Communications Act): governs STORED data at service providers. Tiered legal process: subpoena for basic subscriber info, Section 2703(d) court order for non-content records, warrant for content of stored communications.
  • ECPA Title III (Pen Register Act): governs metadata collection (numbers dialed, addresses). Requires a court order showing relevance — lower standard than a warrant.
  • Law enforcement access hierarchy (lowest to highest): subpoena < Section 2703(d) court order < search warrant (probable cause).
  • FISA: Foreign Intelligence Surveillance Act. Authorizes surveillance of foreign powers and their agents. Section 702 allows collection from non-U.S. persons outside the U.S. through U.S. providers without individual warrants. Overseen by the FISA Court.
  • National Security Letters (NSLs): compel disclosure of certain records (subscriber info, financial records) WITHOUT judicial approval. Come with a gag order — recipient generally cannot disclose receipt of an NSL.
  • Civil discovery (e-discovery): parties to litigation can subpoena electronic records from companies. Different rules from law enforcement access — governed by Federal Rules of Civil Procedure.

Common Traps

Trap: Carpenter v. United States eliminated the third-party doctrine.
Reality: Carpenter created a NARROW exception for cell-site location information only, due to its comprehensive, detailed nature. The Court explicitly declined to extend the ruling broadly. Bank records, utility records, and most other third-party data still fall under the traditional third-party doctrine and may be obtained with a subpoena.

Trap: The Wiretap Act and Stored Communications Act cover the same situations.
Reality: The Wiretap Act covers REAL-TIME interception (data in transit). The Stored Communications Act covers STORED data (data at rest held by a provider). Intercepting an email as it is sent = Wiretap Act (super-warrant needed). Accessing saved emails on a server = SCA (tiered process with warrant for content).

Trap: National Security Letters require a FISA Court order.
Reality: NSLs are issued by FBI field office supervisors without any court approval. This is one of their most controversial features. FISA surveillance (wiretapping foreign agents) requires a FISA Court order; NSLs (specific record demands with gag orders) do not.

Trap: A private employer violates the Fourth Amendment by monitoring employee emails on company devices.
Reality: A private employer is not a government actor. The Fourth Amendment does not apply to private employer monitoring. Other laws may apply (state wiretapping statutes, ECPA consent exceptions), but the Fourth Amendment claim fails because there is no state action.

Confusing Pairs

Wiretap Act (Title I of ECPA) vs. Stored Communications Act (Title II of ECPA)

Wiretap Act = real-time interception while data is in transit. Requires a Title III super-warrant. SCA = access to stored data held by a provider. Uses a tiered system: subpoena for subscriber info, court order for non-content, warrant for content. The dividing line is: is the data moving (Wiretap) or sitting in storage (SCA)?

FISA surveillance vs. National Security Letter (NSL)

FISA = electronic surveillance and physical searches for foreign intelligence, requires FISA Court order, targets foreign powers/agents. NSL = compels specific categories of records (subscriber info, financial), issued by FBI without court order, includes mandatory gag order. FISA is court-supervised; NSLs bypass courts entirely.

Third-party doctrine (general) vs. Carpenter exception (CSLI)

Third-party doctrine = sharing information with a third party removes Fourth Amendment protection; subpoena typically sufficient. Carpenter exception = cell-site location information requires a warrant despite being held by a carrier, because CSLI is pervasive, detailed, and reveals the privacies of life. Exception is narrow and limited to CSLI.

Scenario Tips

If the question asks about:

FBI wants to access 14 months of a suspect's cell tower location data from a carrier. What process is required after Carpenter?

Answer:

A search warrant based on probable cause is required. Carpenter held that accessing historical CSLI constitutes a Fourth Amendment search, taking it outside the third-party doctrine.

Distractor to avoid:

A Section 2703(d) court order (wrong) — that was the standard before Carpenter. Carpenter elevated the requirement to a full warrant for CSLI.

If the question asks about:

Law enforcement wants to intercept emails in real-time as they are transmitted over the internet.

Answer:

The Wiretap Act (Title I of ECPA) applies. A Title III super-warrant is required: probable cause, showing that normal investigative procedures have failed or are unlikely to succeed, and minimization procedures.

Distractor to avoid:

Stored Communications Act (wrong) — the SCA covers stored data, not real-time interception. The operative fact is 'in real-time as they are transmitted.'

If the question asks about:

The FBI issues a National Security Letter to a telecom company demanding subscriber information and billing records. Does this require court approval?

Answer:

No. NSLs do not require judicial approval. They are issued by FBI supervisors and compel disclosure of specific categories of records. The recipient is also subject to a gag order prohibiting disclosure.

Distractor to avoid:

FISA Court order required (wrong) — FISA Court orders authorize ongoing surveillance. NSLs are a different instrument requiring no court involvement.

Last-Minute Facts

1. ECPA three titles: Wiretap Act (real-time, super-warrant), SCA (stored data, tiered process), Pen Register Act (metadata, court order).
2. SCA tiered process: subpoena (subscriber info) < 2703(d) order (non-content records) < warrant (content).
3. Carpenter (2018): CSLI requires a warrant. Bank records and phone records still subject to third-party doctrine.
4. NSL: no court approval, gag order on recipient, issued by FBI field supervisors.
5. FISA Section 702: collection from non-U.S. persons outside U.S. through U.S. providers, no individual warrant required.

Domain 4 (8% of exam)

Workplace Privacy

Must-Know Facts

  • Employer monitoring: Employers generally have broad authority to monitor activity on employer-owned devices, networks, and communications systems. The key defense is business purpose + advance notice to employees.
  • FCRA in employment: Employers MUST (1) provide a standalone written disclosure AND (2) obtain written authorization BEFORE pulling a consumer report. These are separate requirements — one form, no buried disclosures in employment applications.
  • FCRA adverse action in employment: Two-step process — (1) pre-adverse action notice with copy of report and Summary of FCRA Rights BEFORE the decision, (2) formal adverse action notice AFTER the final decision.
  • Illinois BIPA requirements: Written informed consent before collection, publicly available written policy on retention schedule and destruction guidelines, and private right of action for violations. The 2024 amendment (SB 2979) limits each plaintiff to a single recovery per person per method of collection — replacing the prior per-scan accrual that created runaway liability.
  • BIPA biometric identifiers: fingerprints, voiceprints, hand/finger geometry scans, iris/retina scans, facial geometry. Photographs alone are EXPRESSLY EXCLUDED from BIPA.
  • GINA prohibits: employers requesting, requiring, or purchasing genetic information, including family medical history. Narrow exceptions for inadvertent acquisition (overhearing), voluntary wellness programs with safeguards, and FMLA certification.
  • Video surveillance in the workplace: Generally allowed in common work areas (lobbies, production floors, parking lots). Prohibited in areas with reasonable expectation of privacy (restrooms, changing rooms, private offices if reasonable expectation exists). Adding audio recording adds wiretapping law analysis.
  • BYOD policies must address: scope of monitoring (work vs. personal data), data separation (containers), and remote wipe capabilities, including the privacy implications of wiping personal data.
  • Drug testing: varies by state. Federal government and DOT-regulated industries (aviation, trucking, rail) have mandatory testing. Many states require reasonable suspicion; others allow random testing. Positive tests may be reported under certain frameworks.

Common Traps

Trap: FCRA requires only one notice for employment background checks
Reality: FCRA requires TWO separate notices for employment: (1) Pre-adverse action notice with the report copy and Summary of Rights BEFORE the employer makes any final decision, giving the applicant time to review and dispute. (2) Formal adverse action notice AFTER the decision is finalized. Both are mandatory — missing either violates FCRA.
Trap: BIPA applies to any photograph taken of employees
Reality: Photographs are EXPRESSLY EXCLUDED from BIPA's definition of biometric identifiers. BIPA specifically covers fingerprints, voiceprints, hand scans, iris/retina scans, and facial geometry scans. A photograph of a face is not a 'facial geometry scan' for BIPA purposes.
Trap: GINA only prohibits using genetic information to discriminate — collection is fine
Reality: GINA prohibits both discrimination AND the collection/request of genetic information. Even asking about family medical history is a GINA violation, not just discriminating based on the answer received. Collection itself is the trigger.
Trap: Employers can freely monitor personal emails on company devices without restriction
Reality: While the Fourth Amendment does not protect employees from private employer monitoring, state wiretapping laws may require consent (one-party or all-party depending on state). ECPA may also apply. Employers should establish clear written policies and obtain employee acknowledgment to reduce legal risk.

Confusing Pairs

Illinois BIPA vs. other state biometric laws

Illinois BIPA = private right of action (individuals can sue), statutory damages per violation ($1,000-$5,000), informed written consent before collection, publicly available retention policy. Other states (Texas, Washington) have biometric laws but NO private right of action — enforcement is by AG only. Illinois BIPA litigation risk is uniquely severe.

FCRA pre-adverse action notice vs. FCRA adverse action notice

Pre-adverse = sent BEFORE the final employment decision with a copy of the consumer report and Summary of FCRA Rights — gives the applicant opportunity to dispute errors. Adverse action = sent AFTER the final decision with the CRA's name and contact information and the consumer's right to a free report copy. Order matters: pre-adverse FIRST, adverse action SECOND.

GINA (genetic information) vs. ADA (disability discrimination)

GINA = prohibits collecting/using genetic information or family medical history in employment and health insurance. ADA = prohibits discrimination based on a current, past, or perceived disability. A genetic predisposition to a disease is not a disability under ADA but IS genetic information under GINA. Both may apply to medical inquiries but are separate statutes.

Scenario Tips

If the question asks about:

An employer plans to reject a job applicant based on a credit report and wants to know what notice is required.

Answer:

Two-step process: (1) Before the final decision, send a pre-adverse action notice that includes the credit report and Summary of FCRA Rights, giving the applicant time to dispute. (2) After the final decision, send the formal adverse action notice with the CRA's identity and contact information.

Distractor to avoid:

Only sending the final rejection letter (wrong) — the pre-adverse action notice is mandatory before the decision and is the more heavily tested requirement.

If the question asks about:

An Illinois employer requires employees to use fingerprint scanners to clock in and out. What must the employer do before collecting fingerprints?

Answer:

Under BIPA: (1) Obtain written informed consent from each employee before collecting fingerprints. (2) Publish a written policy on retention schedule and destruction guidelines for biometric data.

Distractor to avoid:

Simply encrypting the fingerprint data and storing it securely (wrong) — BIPA requires informed written consent and a public destruction policy, not just security measures.

If the question asks about:

During a job interview, an HR manager asks: 'Does anyone in your family have a history of heart disease?' What law may be violated?

Answer:

GINA (Genetic Information Nondiscrimination Act). Family medical history is genetic information under GINA. Requesting it, even casually in an interview, violates GINA's prohibition on collecting genetic information.

Distractor to avoid:

ADA (wrong) — ADA prohibits disability discrimination and generally limits pre-offer medical inquiries, but family medical history is specifically a GINA issue because it constitutes genetic information.

Last-Minute Facts

1. BIPA private right of action: $1,000 per negligent violation, $5,000 per intentional/reckless violation. The 2024 amendment limits recovery to one violation per person per method of collection (not per scan). The 7th Circuit held the amendment applies retroactively (2026).
2. BIPA biometric identifiers: fingerprints, voiceprints, iris/retina, facial geometry, hand/finger scans. Photographs = NOT covered.
3. GINA covers: requesting genetic info, including family medical history. Exceptions: inadvertent acquisition, voluntary wellness programs with safeguards, FMLA certification.
4. FCRA employment: standalone disclosure + written authorization BEFORE the report. Pre-adverse notice (with report) BEFORE the decision. Adverse notice AFTER the decision.
5. Video surveillance: allowed in common areas, prohibited in restrooms/changing rooms. Audio = adds ECPA/state wiretap analysis.
Domain 5 (26% of exam)

State Privacy Laws

Must-Know Facts

  • CCPA/CPRA applicability: For-profit businesses meeting ANY ONE of: (1) Annual gross revenue over $25M (adjusted to ~$26.6M for 2025 per CPI). (2) Buy/sell/receive/share personal data of 100,000+ consumers or households. (3) Derive 50%+ of annual revenue from selling/sharing consumers' personal data.
  • CCPA/CPRA consumer rights: right to know, right to delete, right to correct, right to opt-out of sale/sharing, right to limit use of sensitive personal information, right to non-discrimination for exercising rights.
  • CCPA/CPRA private right of action: LIMITED to data breaches caused by failure to maintain reasonable security. Statutory damages $100-$750 per consumer per incident (or actual damages if higher). This is the ONLY comprehensive state privacy law with a private right of action.
  • Virginia VCDPA applicability: Control/process personal data of 100,000+ Virginia consumers per year, OR 25,000+ consumers while deriving 50%+ revenue from sale of personal data. NO revenue threshold (unlike California).
  • Virginia VCDPA cure period: PERMANENT 30-day cure period (no sunset date). AG sends a written notice; business has 30 days to cure. Virginia's cure period did NOT sunset — unlike Colorado and Connecticut.
  • Colorado CPA and Connecticut CTDPA cure periods: SUNSETTED on January 1, 2025. Colorado and Connecticut AGs can now bring enforcement actions directly without giving businesses an opportunity to cure.
  • Texas TDPSA: No revenue or data volume thresholds — applies to any entity conducting business in Texas or targeting Texas residents that processes personal data AND does not meet the small business exemption. The broadest applicability of major state laws.
  • Florida Digital Bill of Rights (FDBR): Applies to controllers with annual global revenues over $1 billion. Very high threshold limits applicability to major tech companies and platforms. Modeled on Virginia VCDPA with some variations.
  • Washington My Health My Data Act: Protects consumer health data NOT covered by HIPAA. Includes location data that could reveal health conditions. Has a private right of action (unlike most state comprehensive laws). AG enforcement also available.
  • California Delete Act (SB 362): Effective 2026 — requires data brokers to register with CPPA and allows consumers to delete their data from all registered data brokers through a single centralized deletion request.
  • Universal opt-out mechanisms: Colorado CPA requires businesses to honor browser-based opt-out signals (Global Privacy Control). Several other states have adopted similar requirements.
  • Data breach notification: ALL 50 states have laws. No single federal breach notification law exists. Common trigger: name + SSN, driver's license, financial account, or health/biometric data. Timelines vary (typically 30-90 days). Many states require AG notification for large-scale breaches.
  • State law comparison framework: For each state law, know (1) applicability threshold, (2) consumer rights granted, (3) consent model for sensitive data (opt-in) vs. sale/sharing (opt-out), (4) cure period (if any), (5) enforcement body, (6) private right of action (yes/no).
  • NYC Automated Employment Decision Tools (AEDT) Law: Requires bias audits and notice before using AI tools to screen job applicants or employees. Local NYC law — narrow scope but tested as new AI privacy regulation.
  • Colorado AI Act: Prohibits algorithmic discrimination in high-risk AI systems. Requires impact assessments. First comprehensive state AI law of its kind — effective June 30, 2026 (original February 2026 date was postponed by SB 25B-004).

Common Traps

Trap: All major state comprehensive privacy laws have a private right of action
Reality: California CCPA/CPRA is the ONLY state comprehensive privacy law with a private right of action, and it is LIMITED to data breach scenarios. Virginia, Colorado, Connecticut, Texas, Florida, and all other state comprehensive privacy laws rely exclusively on AG (or CPPA in California) enforcement. No private citizen can sue under VCDPA, CPA, or CTDPA.
Trap: Virginia's cure period expired like Colorado and Connecticut
Reality: Virginia VCDPA has a PERMANENT 30-day cure period with no sunset date. Colorado CPA (60-day) and Connecticut CTDPA (60-day) cure periods both sunsetted on January 1, 2025. After that date, Colorado and Connecticut AGs can bring direct enforcement actions without a cure opportunity. Virginia's cure period remains in effect indefinitely — this distinction is heavily tested.
Trap: California's $25M revenue threshold is the baseline across state privacy laws
Reality: Only California uses a revenue threshold as part of its applicability criteria. Virginia VCDPA has NO revenue threshold — it uses data volume thresholds (100K consumers or 25K with 50%+ revenue from sale). Texas TDPSA has NO revenue or data volume thresholds. Florida FDBR uses a very HIGH $1 billion threshold. Each state has its own distinct applicability criteria.
Trap: The CPRA/CCPA 'sale' of data covers only transactions for money
Reality: Under CCPA/CPRA, 'sale' means any exchange for 'monetary OR OTHER valuable consideration.' This broad definition covers data exchanges for non-cash benefits. CPRA separately defines 'sharing' for cross-context behavioral advertising (even without consideration). Some other state laws define 'sale' more narrowly, limited to monetary exchanges.
Trap: There is a federal data breach notification law that sets the standard
Reality: As of 2026, there is NO comprehensive federal data breach notification law. HIPAA has its breach notification rule (sector-specific) and GLBA has its safeguards requirements, but no omnibus federal law. Each of the 50 states, D.C., Puerto Rico, and U.S. territories has its own breach notification statute with different triggers, timelines, and requirements.
Trap: The Washington My Health My Data Act is just a health data law with only AG enforcement
Reality: Washington My Health My Data Act has BOTH AG enforcement AND a private right of action — unusual among state laws. It protects consumer health data that falls outside HIPAA (consumer wellness apps, period tracking apps, location data that could reveal health information). Its scope is broader than HIPAA and its enforcement is stronger than most state privacy laws.

Confusing Pairs

CCPA/CPRA (California) vs. VCDPA (Virginia)

California: applies if ANY threshold met ($25M revenue OR 100K consumers OR 50% data sale revenue). Has CPPA enforcement AND AG enforcement. Private right of action for data breaches. 'Sharing' and 'sale' are defined separately. Virginia: 100K consumers OR 25K consumers + 50% revenue from sale. AG-only enforcement. No private right of action. Permanent 30-day cure period. No revenue threshold.

Colorado CPA cure period (expired) vs. Virginia VCDPA cure period (permanent)

Colorado CPA had a 60-day cure period that SUNSETTED January 1, 2025 — Colorado AG can now proceed directly to enforcement. Virginia VCDPA has a PERMANENT 30-day cure period with no sunset — Virginia AG must give 30 days to cure before enforcement. Connecticut CTDPA also sunsetted on January 1, 2025. The exam tests whether you know which cure periods are still active.

CCPA/CPRA (California) private right of action vs. Washington My Health My Data Act private right of action

CCPA/CPRA private right of action: limited to data breaches from failure to maintain reasonable security; $100-$750 per consumer per incident. Washington MHMD private right of action: broader — covers violations of the Act's consumer health data protections, not just breaches. Two different states, two different scopes. Both are exceptions to the general rule that state privacy laws lack private rights of action.

Texas TDPSA applicability vs. Florida FDBR applicability

Texas TDPSA: Applies to any entity doing business in Texas or targeting Texas residents AND processing personal data — no minimum revenue or data volume threshold (except small business exemption). Very broad reach. Florida FDBR: Applies only to controllers with annual global revenues exceeding $1 BILLION — very narrow reach, targeting large tech companies. Opposite ends of the applicability spectrum.

State comprehensive privacy laws (general) vs. state biometric privacy laws (BIPA etc.)

State comprehensive laws (CCPA, VCDPA, CPA, etc.) = broad consumer privacy rights covering all personal data categories, typically AG-only enforcement. State biometric laws (Illinois BIPA, Texas CUBI, Washington HBBA) = narrow focus on biometric identifiers. Illinois BIPA uniquely has a private right of action and has generated billions in class action liability. The two frameworks can overlap but are distinct statutes with different requirements.

Scenario Tips

If the question asks about:

A Virginia resident submits a data access request to a company covered by VCDPA. The company refuses. The resident wants to sue. Can they?

Answer:

No. Virginia VCDPA has NO private right of action. The resident's only recourse is to file a complaint with the Virginia AG. The AG can bring enforcement actions but individuals cannot sue directly.

Distractor to avoid:

Yes, because privacy violations allow lawsuits (wrong) — private rights of action in state privacy law are rare. California CCPA for data breaches and Illinois BIPA are the main exceptions.

If the question asks about:

The Colorado AG discovers that a company violated the CPA in January 2025. The AG wants to bring an enforcement action. Must the AG give the company a cure period?

Answer:

No. Colorado's 60-day cure period sunsetted on January 1, 2025. The Colorado AG can now pursue direct enforcement without providing a cure opportunity.

Distractor to avoid:

Yes, the AG must give 60 days to cure (wrong) — the Colorado cure period expired. Only Virginia's permanent 30-day cure period is still in effect.

If the question asks about:

A company with $30M in annual revenue and 50,000 California customer records asks whether CCPA/CPRA applies.

Answer:

Yes. The company exceeds the $25M annual revenue threshold (the first applicability criterion). Only ONE of the three thresholds needs to be met. The 100K consumer volume threshold (criterion 2) and 50% data sale revenue threshold (criterion 3) are not relevant because threshold 1 is already satisfied.

Distractor to avoid:

No, because the company has fewer than 100,000 consumers (wrong) — the three CCPA/CPRA criteria are connected with OR logic. Meeting ANY ONE triggers applicability.

If the question asks about:

A small startup runs a consumer health app tracking menstrual cycles for Washington state users. What law most specifically covers their data practices beyond HIPAA?

Answer:

Washington My Health My Data Act. It covers consumer health data NOT covered by HIPAA, including reproductive and menstrual health data. It includes both AG enforcement and a private right of action.

Distractor to avoid:

HIPAA (wrong) — the app developer is not a covered entity or business associate. HIPAA does not apply to consumer health apps that operate outside the healthcare provider ecosystem.

If the question asks about:

A national retailer with $500M in revenue wants to know if Florida's Digital Bill of Rights applies to its data practices.

Answer:

No. Florida FDBR applies only to controllers with annual global revenues exceeding $1 billion. The retailer at $500M does not meet the threshold.

Distractor to avoid:

Yes, because the company is processing Florida consumer data (wrong) — FDBR has an extremely high revenue threshold that excludes most businesses.

Last-Minute Facts

1. CCPA/CPRA thresholds (OR logic): $25M revenue OR 100K consumers/households OR 50% revenue from selling/sharing data.
2. Virginia VCDPA: 100K consumers OR 25K consumers + 50% revenue from data sale. NO revenue threshold.
3. Texas TDPSA: No revenue or data volume threshold (broadest state law). Florida FDBR: $1 billion revenue threshold (narrowest).
4. Cure periods still active as of 2026: Virginia (30 days, permanent). Expired: Colorado (January 1, 2025), Connecticut (January 1, 2025).
5. States with private right of action for privacy: California CCPA (data breaches only), Illinois BIPA (any violation), Washington MHMD (consumer health data violations).
6. No federal data breach notification law — all 50 states have their own laws with varying triggers and timelines.
7. Washington My Health My Data Act: protects consumer health data outside HIPAA, has private right of action, covers location data revealing health conditions.
8. California Delete Act (SB 362): Data brokers must register with CPPA; centralized consumer deletion request mechanism, effective 2026.
9. Universal opt-out: Colorado requires businesses to honor the Global Privacy Control (GPC) browser signal.
10. NYC AEDT Law: Bias audits + notice required before using AI tools to screen NYC job applicants or employees.
