CertPrepNow
Updated 2026-06-15

CIPP/US Study Guide

Everything you need to pass the Certified Information Privacy Professional/United States exam. Structured study plans, key services, common traps, and practice questions.

You Can Pass This Exam For Free

The CIPP/US exam is passable with free resources alone if you study consistently for 6-10 weeks depending on your background in law, compliance, or privacy:

  • IAPP CIPP/US Body of Knowledge and Exam Blueprint (free download from iapp.org/certify/cipp)
  • IAPP Free CIPP/US Study Guide with exam format overview and sample questions (iapp.org/l/cippus-study-guide-request)
  • FTC enforcement actions and consent decrees (ftc.gov/legal-library/browse/cases-proceedings)
  • Full text of major federal statutes: HIPAA, GLBA, COPPA, FCRA, FERPA, ECPA (govinfo.gov)
  • State comprehensive privacy law comparison charts (iapp.org/resources/article/us-state-privacy-legislation-tracker)
  • CCPA/CPRA full text and CPPA regulations (oag.ca.gov/privacy/ccpa)
  • OECD Privacy Guidelines and Fair Information Practice Principles (FIPPs) documentation
  • Free CIPP/US practice questions on this site

The CIPP/US is a law-heavy exam that tests your knowledge of U.S. privacy statutes, enforcement mechanisms, and the rapidly expanding landscape of state comprehensive privacy laws. The Body of Knowledge and Exam Blueprint are your most critical free resources. Pair them with primary source legal texts and FTC enforcement case summaries to master the exam content.

Choose Your Study Path

You have limited experience with privacy law or regulatory compliance. You may come from IT, business, or a non-legal background and need to build foundational knowledge of the U.S. legal system, sectoral privacy statutes, and enforcement mechanisms before tackling exam scenarios.

Week 1: Read the CIPP/US Body of Knowledge and Exam Blueprint end-to-end. Understand the five domains and their question weights. Learn the structure of U.S. law: constitutional sources of privacy (First, Fourth, Fifth, Fourteenth Amendments), the difference between federal and state regulation, and why the U.S. uses a sectoral approach rather than a comprehensive privacy law.
Week 2: Study Domain I fundamentals: Fair Information Practice Principles (FIPPs) -- notice, choice, access, security, enforcement. Learn FTC Section 5 authority over unfair or deceptive practices, FTC enforcement tools (consent decrees, civil penalties), and state attorney general enforcement powers. Understand the notice-and-choice regulatory model.
Week 3: Begin Domain II -- federal privacy statutes Part 1: Study HIPAA (PHI, covered entities, business associates, minimum necessary rule, breach notification). Study GLBA (financial institutions, privacy notices, safeguards rule, opt-out rights). Create comparison tables for each law covering scope, regulated entities, key provisions, and enforcement.
Week 4: Domain II federal statutes Part 2: Study COPPA (children under 13, verifiable parental consent, operator obligations), FCRA (consumer reports, permissible purposes, adverse action notices, accuracy obligations), and FERPA (education records, directory information, parental rights). Study CAN-SPAM, TCPA, and VPPA. Build your comparison table.
Week 5: Study Domain III -- Government and Court Access: Fourth Amendment warrant requirements vs third-party doctrine, ECPA and Stored Communications Act provisions, FISA and national security surveillance, law enforcement access to data, and e-discovery principles. This domain is small but has tricky constitutional law questions.
Week 6: Study Domain IV -- Workplace Privacy: employer monitoring rights and limitations, background checks (FCRA intersection), BYOD policies, video surveillance, drug testing, biometric data (Illinois BIPA), genetic information (GINA), email and internet monitoring, and the limited expectation of privacy in the workplace.
Week 7: Begin Domain V -- State Privacy Laws Part 1: Deep dive into CCPA/CPRA as the foundational state law. Study applicability thresholds, consumer rights (know, delete, correct, opt-out of sale/sharing, limit sensitive data use), CPPA enforcement, private right of action for data breaches, and service provider/contractor distinctions.
Week 8: Domain V Part 2: Study other state comprehensive privacy laws (Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Texas TDPSA, plus emerging state laws). Learn common elements across state laws, key differences (cure periods, private right of action, universal opt-out mechanisms), and data breach notification requirements across all 50 states.
Week 9: Take full-length practice exams. Review all incorrect answers with emphasis on Domain V (state laws now represent the largest question block). Create flashcards for commonly confused statutes. Study biometric privacy laws (BIPA) and newer topics like AI-related privacy regulations at the state level.
Week 10: Final review: focus on confusable concepts (opt-in vs opt-out across laws, covered entities across statutes, enforcement mechanisms). Review FTC consent decrees and recent enforcement actions. Take another mock exam aiming for 80%+. Schedule your real exam when consistently scoring above 70%.

Exam Overview

Format

90 multiple-choice questions (75 scored + 15 unscored field test items) in 150 minutes (2 hours 30 minutes). Includes scenario-based questions testing application of privacy laws to real-world situations. No penalty for wrong answers -- always answer every question.

Scoring

Scaled score 100-500. Passing threshold: 300 out of 500. The scaled scoring accounts for question difficulty across exam forms. Typically requires 65-80% of scored questions answered correctly. No penalty for incorrect answers.

Domains & Weights

  • Introduction to the U.S. Privacy Environment -- 37%
  • Limits on Private-Sector Collection and Use of Data -- 24%
  • Government and Court Access to Private-Sector Information -- 5%
  • Workplace Privacy -- 8%
  • State Privacy Laws -- 26%

Registration

Register through the IAPP website (iapp.org) and schedule at Pearson VUE testing centers worldwide or remotely via OnVUE online proctoring. Exam fee is $550 USD. Retake fee is $375 USD. Certification requires 20 CPE credits per 2-year cycle.

Topic Priority Table

Not all topics are tested equally. Focus your study time on Tier 1 first, then Tier 2. Tier 3 topics rarely appear — just recognize what they do.

Tier 1: Must Know -- You must understand these laws deeply, know their scope, regulated entities, key provisions, and enforcement mechanisms. These appear across multiple questions and form the foundation of Domain I and Domain II.
Tier 2: Should Know -- Understand these laws and concepts well. Each may appear in 2-5 questions. Know their scope, key provisions, and how they differ from similar laws.
Tier 3: Recognize Only -- Know what these are at a high level. Each is unlikely to appear in more than 1-2 questions, but they can be the difference between passing and failing.

Domain 1 -- 37% of exam

Introduction to the U.S. Privacy Environment

The largest domain by weight, covering the foundational structure of U.S. privacy law. This includes constitutional origins of privacy rights, the sectoral regulatory model, FTC enforcement authority and mechanisms, state attorney general enforcement, common law privacy torts, Fair Information Practice Principles (FIPPs), and the notice-and-choice framework that underpins most U.S. privacy regulation.

Key Topics

  • U.S. Constitution (1st, 4th, 5th, 14th Amendments)
  • FTC Section 5 Authority
  • Fair Information Practice Principles (FIPPs)
  • State Attorney General Enforcement
  • Common Law Privacy Torts
  • Notice-and-Choice Framework
  • Sectoral Privacy Model
  • Privacy Act of 1974

Must-Know Concepts

  • Constitutional sources of privacy: First Amendment (freedom of association), Fourth Amendment (unreasonable search and seizure), Fifth Amendment (self-incrimination), Fourteenth Amendment (due process and substantive privacy rights from Griswold v. Connecticut)
  • FTC Section 5 enforcement: the unfairness standard (substantial injury, not reasonably avoidable, not outweighed by benefits) and deception standard (material misrepresentation likely to mislead reasonable consumers) are the two legal theories the FTC uses
  • FTC enforcement tools: consent decrees, civil penalties, administrative orders, and the ability to require 20-year compliance monitoring programs
  • Fair Information Practice Principles (FIPPs): notice/awareness, choice/consent, access/participation, integrity/security, and enforcement/redress -- the foundational framework underlying most U.S. privacy regulation
  • The U.S. sectoral approach: no single comprehensive federal privacy law -- instead, sector-specific statutes (HIPAA for health, GLBA for finance, COPPA for children) supplemented by state laws
  • State attorney general enforcement powers: most state privacy laws give AGs authority to enforce violations, issue civil investigative demands, and seek injunctive relief and penalties
  • Common law privacy torts: intrusion upon seclusion, public disclosure of private facts, false light, and appropriation of name or likeness
  • The notice-and-choice model: organizations provide notice of data practices and give individuals choices about collection and use -- the dominant U.S. regulatory approach
  • Self-regulatory frameworks: industry self-regulation through codes of conduct, BBB Online, DAA (Digital Advertising Alliance) principles, and safe harbor programs

Common Exam Traps

  • The Fourth Amendment protects against GOVERNMENT searches, not private-sector data collection. The exam tests whether you correctly limit constitutional protections to state action.
  • FTC unfairness does NOT require the company to have said anything false. Deception requires a misleading statement or omission. Many candidates confuse these two standards.
  • The Privacy Act of 1974 applies ONLY to federal government agencies, not the private sector. Do not select it as the answer for private-sector privacy questions.
  • FIPPs are principles, not enforceable law. They inform legislation but are not independently enforceable. The exam tests whether you understand FIPPs as a framework vs. a statute.
  • State AGs can enforce BOTH state and federal privacy laws in many cases. Do not assume enforcement is exclusively federal for federal statutes.

Quick Check: Introduction to the U.S. Privacy Environment

A mobile app company publishes a privacy policy promising it will never share user data with third parties. An investigation reveals the company has been sharing user location data with advertising networks. Under FTC Section 5, which enforcement theory would MOST likely apply?

Domain 2 -- 24% of exam

Limits on Private-Sector Collection and Use of Data

This domain covers the major federal privacy statutes that regulate how private-sector organizations collect, use, and share personal information. You need deep knowledge of sector-specific laws including healthcare (HIPAA), financial (GLBA), consumer reporting (FCRA), children's online privacy (COPPA), education (FERPA), and telecommunications/marketing (TCPA, CAN-SPAM). The exam tests both broad understanding and specific statutory details.

Key Topics

  • HIPAA Privacy and Security Rules
  • GLBA Financial Privacy and Safeguards Rules
  • FCRA and FACTA
  • COPPA
  • FERPA
  • TCPA
  • CAN-SPAM Act
  • VPPA

Must-Know Concepts

  • HIPAA: covered entities (health plans, clearinghouses, providers conducting electronic transactions), business associates, PHI definition, minimum necessary rule, individual rights (access, amendment, accounting of disclosures), breach notification (60 days to individuals, immediate to HHS for 500+ records), de-identification methods (Safe Harbor with 18 identifiers, Expert Determination)
  • GLBA: broad definition of financial institution (includes tax preparers, check cashers, debt collectors), Financial Privacy Rule (annual notices, opt-out for third-party sharing), Safeguards Rule (written information security program), and exceptions for joint marketing and affiliate sharing
  • FCRA: consumer reporting agencies, permissible purposes for accessing reports (credit, employment with consent, insurance, legitimate business need), adverse action notice requirements (pre-adverse and adverse), accuracy obligations, and consumer dispute rights. FACTA amendments added red flags rule and free annual credit reports
  • COPPA: applies to operators of websites/online services directed to children under 13 or with actual knowledge of child users, verifiable parental consent (VPC) required before collection, FTC-approved safe harbor programs, and the broad definition of personal information (includes persistent identifiers, geolocation, photos/videos)
  • FERPA: applies to educational institutions receiving federal funding, protects education records, parents' rights transfer to students at age 18 or college enrollment, directory information exception (schools can share unless parent opts out), and exceptions for health/safety emergencies
  • TCPA: restrictions on autodialed calls and texts, prior express written consent required for marketing, National Do Not Call Registry, exemptions for emergency calls and debt collection, and the evolving definition of autodialer after Facebook v. Duguid (2021)
  • CAN-SPAM: applies to commercial electronic messages, requires functioning opt-out mechanism (10 business days to process), accurate header and subject lines, physical postal address, and pre-empts state email laws
  • FTC cross-sector enforcement: Section 5 actions against unfair or deceptive data practices, Children's Online Privacy consent decrees, data security enforcement through unfairness theory

Common Exam Traps

  • HIPAA does NOT apply to all health data. It only covers PHI held by covered entities and business associates. Health data from fitness apps, consumer genetic testing, or employer wellness programs may NOT be HIPAA-regulated.
  • GLBA's definition of 'financial institution' is much broader than banks -- it includes payday lenders, tax preparers, real estate settlement companies, and even some retailers offering credit.
  • FCRA requires employer-specific consent BEFORE pulling a background check for employment purposes. General credit checks for other purposes have different requirements. The exam tests this employment-specific consent rule.
  • COPPA's age threshold is under 13, not under 18. Some state laws use different age thresholds (California AADC uses under 16). Do not confuse federal and state children's privacy ages.
  • CAN-SPAM pre-empts state laws regulating commercial email but does NOT pre-empt state laws against fraud or computer crimes. This pre-emption question appears frequently.

Quick Check: Limits on Private-Sector Collection and Use of Data

A hospital hires a cloud storage vendor to store patient medical records. Which HIPAA requirement must be in place BEFORE the hospital transfers any Protected Health Information to the vendor?

Domain 3 -- 5% of exam

Government and Court Access to Private-Sector Information

This is the smallest domain by weight but covers complex constitutional and statutory material on how the government accesses private-sector data. Topics include Fourth Amendment protections, the Electronic Communications Privacy Act (ECPA), FISA and national security surveillance, law enforcement access mechanisms (warrants, subpoenas, court orders), and civil litigation discovery. Despite the low weight, questions tend to be challenging.

Key Topics

  • Fourth Amendment
  • ECPA (Wiretap Act, SCA, Pen Register Act)
  • FISA and Section 702
  • National Security Letters
  • Third-Party Doctrine
  • Carpenter v. United States

Must-Know Concepts

  • Fourth Amendment: protects against unreasonable government searches and seizures -- requires probable cause and a warrant for most searches. Does NOT apply to private-sector actors
  • Third-party doctrine: information voluntarily shared with third parties traditionally loses Fourth Amendment protection. Carpenter v. United States (2018) created an exception for cell-site location information, requiring a warrant
  • ECPA three titles: Wiretap Act (Title I -- real-time interception, requires super-warrant), Stored Communications Act (Title II -- stored data access, tiered system of legal process), Pen Register Act (Title III -- metadata collection, requires court order showing relevance)
  • Law enforcement access hierarchy: subpoena (lowest standard, basic subscriber info), court order under Section 2703(d) (specific and articulable facts), search warrant (probable cause, required for content of stored communications)
  • FISA: Foreign Intelligence Surveillance Act authorizes surveillance of foreign powers and agents. Section 702 allows collection of foreign intelligence from non-U.S. persons outside the U.S. through U.S. service providers. National Security Letters compel disclosure of certain records without judicial approval

Common Exam Traps

  • The Fourth Amendment restricts GOVERNMENT action only. Private companies can collect data without implicating the Fourth Amendment unless acting as government agents.
  • Carpenter did NOT eliminate the third-party doctrine -- it created a narrow exception for cell-site location information. The doctrine still applies to bank records, phone records, and most other third-party data.
  • ECPA's Wiretap Act covers REAL-TIME interception. The Stored Communications Act covers STORED data. The exam tests whether you apply the correct statute based on whether data is in transit or at rest.
  • National Security Letters do NOT require judicial approval, but they do include a gag order provision. The recipient generally cannot disclose that an NSL was received.

Quick Check: Government and Court Access to Private-Sector Information

Law enforcement wants to obtain 180 days of a suspect's cell-site location information from a wireless carrier. Based on Carpenter v. United States, what legal process is required?

Domain 4 -- 8% of exam

Workplace Privacy

This domain covers the privacy rights and limitations in the employment context. Topics include employer monitoring of electronic communications and internet usage, background checks and FCRA requirements, BYOD policies, video surveillance, drug testing, biometric data collection (BIPA), genetic information protections (GINA), and the generally limited expectation of privacy employees have when using employer-owned systems and facilities.

Key Topics

  • Employee Monitoring
  • FCRA (Employment Background Checks)
  • BYOD Policies
  • Biometric Privacy (BIPA)
  • GINA
  • Video Surveillance
  • Drug Testing

Must-Know Concepts

  • Employee monitoring: employers generally have broad rights to monitor employee activity on company-owned devices and networks, but must balance against state wiretapping laws, ECPA consent provisions, and union collective bargaining agreements
  • FCRA employment provisions: employers must provide standalone written disclosure and obtain written authorization BEFORE obtaining consumer reports, must provide pre-adverse action notice with copy of report and summary of rights, and then a formal adverse action notice
  • BYOD (Bring Your Own Device): employers must address privacy expectations for personal devices used for work, establish clear policies on monitoring scope, data separation, and remote wipe capabilities
  • Illinois BIPA: strictest biometric privacy law with informed written consent required before collection, private right of action, and the 2024 amendment limiting per-scan damages. Other states have biometric laws but without private right of action
  • GINA: prohibits employers from requesting, requiring, or purchasing genetic information of employees or their family members, with narrow exceptions (inadvertent acquisition, voluntary wellness programs, FMLA certification)
  • Video surveillance: generally permitted in common work areas but prohibited in areas with reasonable expectation of privacy (restrooms, changing rooms). Some states require notice. Audio recording adds wiretapping law considerations
  • Drug testing: varies significantly by state. Some states require reasonable suspicion, others allow random testing. Federal positions and safety-sensitive industries (DOT-regulated) have mandatory testing requirements

Common Exam Traps

  • FCRA requires a STANDALONE disclosure document for employment background checks -- it cannot be buried within an employment application. This specific requirement is heavily tested.
  • Employer monitoring rights on company devices are NOT unlimited. State wiretapping laws may require one-party or all-party consent even on employer networks. The exam tests jurisdiction-specific rules.
  • BIPA applies to biometric IDENTIFIERS (fingerprints, facial geometry, iris scans) and biometric INFORMATION (data derived from identifiers). Photographs alone are explicitly excluded from BIPA's definition.
  • GINA prohibits collecting genetic information, not just discriminating based on it. Even inadvertent collection can be problematic unless it falls under a recognized exception.

Quick Check: Workplace Privacy

An employer decides not to hire an applicant based on information found in a consumer credit report. Under the FCRA, what notice must the employer provide BEFORE making this final decision?

Domain 5 -- 26% of exam

State Privacy Laws

The second-heaviest domain and the fastest-growing area on the exam. Covers the rapidly expanding landscape of state comprehensive consumer privacy laws led by California's CCPA/CPRA, followed by Virginia, Colorado, Connecticut, Texas, and 15+ additional states. Also covers state data breach notification laws, biometric privacy laws, and emerging state-level AI and children's privacy regulations. This domain has seen the largest increase in question allocation, with 13-17 questions as of the 2025-2026 exam blueprint.

Key Topics

  • CCPA/CPRA (California)
  • Virginia VCDPA
  • Colorado CPA
  • Connecticut CTDPA
  • Texas TDPSA
  • State Data Breach Notification Laws
  • Illinois BIPA
  • California Age-Appropriate Design Code Act

Must-Know Concepts

  • CCPA/CPRA in depth: applicability thresholds (annual gross revenue of $25M statutory base, CPI-adjusted to $26,625,000 effective January 1, 2025, OR 100K consumers/households OR 50% revenue from selling/sharing data), full consumer rights suite (know, delete, correct, opt-out of sale/sharing, limit sensitive data use), service provider vs contractor distinctions, CPPA enforcement, private right of action limited to data breaches ($100-$750 per consumer per incident)
  • State law comparison framework: know how to compare applicability thresholds, consumer rights, consent models (opt-in for sensitive data vs opt-out for sale/targeted advertising), cure periods (30-60 days in most states, some sunsetting), enforcement mechanisms, and unique provisions across states
  • Virginia VCDPA: controller/processor model, no private right of action, AG exclusive enforcement, permanent 30-day cure period (no sunset -- Virginia's cure period remains in force unlike Colorado and Connecticut which sunsetted theirs January 2025), consumer rights (access, delete, correct, portability, opt-out of targeted advertising/sale/profiling)
  • Colorado CPA: universal opt-out mechanism required, no cure period after January 1, 2025 (sunsetted), consumer rights similar to Virginia, AG and district attorney enforcement, data protection assessments required for high-risk processing
  • Data breach notification: all 50 states require notification, common triggers include name + SSN, driver's license, financial account number, or health/biometric data. Notification timelines vary (30-90 days in most states, some shorter). Many states require AG notification for large breaches
  • California Delete Act (SB 362): requires data brokers to register with CPPA and delete consumer data upon request through a centralized mechanism, effective 2026
  • Washington My Health My Data Act: protects consumer health data outside of HIPAA, includes private right of action, broad definition of health data, applies to regulated entities processing consumer health data
  • Emerging state AI laws: Colorado AI Act (algorithmic discrimination), NYC Automated Employment Decision Tools (AEDT) Law, Illinois AI Video Interview Act -- know these exist and their basic requirements
  • Universal opt-out mechanisms: Colorado and other states requiring businesses to honor browser-based opt-out signals (Global Privacy Control) for sale/targeted advertising

Common Exam Traps

  • California CCPA/CPRA is the ONLY state comprehensive privacy law with a private right of action, and it is LIMITED to data breaches. Do not assume other states allow consumers to sue companies directly.
  • State cure periods vary significantly. Colorado (60-day) and Connecticut (60-day) cure periods sunsetted on January 1, 2025, meaning those AGs can now pursue enforcement directly. Virginia's 30-day cure period is permanent (no sunset date). Do not conflate Virginia with Colorado/Connecticut on this point -- it is a frequent exam trap.
  • Applicability thresholds vary significantly. California uses revenue ($25M), data volume (100K consumers), or data sale revenue (50%) with OR logic. Virginia uses data volume (100K consumers OR 25K consumers + 50% revenue from sale) with different numbers. Do not mix up state-specific thresholds.
  • The term 'sale' of data varies by state. California defines 'sale' broadly (any exchange for monetary or valuable consideration) and separately defines 'sharing' (for cross-context behavioral advertising). Other states may define sale more narrowly.
  • Data breach notification laws are state-specific. There is NO single federal data breach notification law (as of 2026). Each state has its own trigger definition, timeline, and notification requirements.

Quick Check: State Privacy Laws

A California resident submits a request to a business to delete their personal information. The business also shares data with three service providers. Under the CCPA/CPRA, what must the business do?

Laws and Concepts You Must Not Confuse

These pairs appear on nearly every exam. Learn the difference and you'll avoid the most common traps.

HIPAA vs GLBA

Use HIPAA when…

Protects Protected Health Information (PHI) held by covered entities (health plans, clearinghouses, healthcare providers) and their business associates. Requires individual authorization for most uses beyond treatment, payment, and healthcare operations.

Use GLBA when…

Protects nonpublic personal information (NPI) held by financial institutions. Requires privacy notices and provides opt-out rights for third-party sharing. Uses an opt-out model rather than opt-in.

Exam trap

HIPAA uses an opt-IN model (authorization required for most disclosures). GLBA uses an opt-OUT model (sharing is allowed unless consumers opt out). The exam frequently tests whether you know which consent model applies to which sector.

COPPA vs FERPA

Use COPPA when…

Protects children under 13 online. Requires verifiable parental consent before collecting personal information. Applies to operators of websites and online services directed to children or with actual knowledge of child users.

Use FERPA when…

Protects student education records. Gives parents (or eligible students) rights to access and amend records. Restricts disclosure by educational institutions receiving federal funding.

Exam trap

COPPA applies to commercial websites collecting data from children under 13. FERPA applies to educational institutions receiving federal funds, protecting student records. A school website could implicate both laws, but they regulate different entities and different types of information.

CCPA/CPRA (California) vs Virginia VCDPA

Use CCPA/CPRA (California) when…

Applies to for-profit businesses meeting revenue ($25M), data volume (100K consumers), or revenue-from-sale (50%+) thresholds. Consumers have rights to know, delete, correct, opt-out of sale/sharing, and limit sensitive data use. Enforced by CPPA and AG with private right of action for data breaches.

Use Virginia VCDPA when…

Applies to entities conducting business in Virginia controlling/processing data of 100K+ consumers or 25K+ consumers while deriving 50%+ revenue from sale. Consumer rights include access, delete, correct, portability, and opt-out of targeted advertising. Enforced exclusively by AG.

Exam trap

California CCPA/CPRA is the ONLY state comprehensive privacy law with a private right of action (limited to data breaches). Virginia VCDPA has NO private right of action. The exam tests this distinction frequently because it is the single biggest enforcement difference among state laws.

Wiretap Act (Title I of ECPA) vs Stored Communications Act (Title II of ECPA)

Use Wiretap Act (Title I of ECPA) when…

Governs real-time interception of wire, oral, and electronic communications. Requires a super-warrant (Title III order) with probable cause and showing that other investigative methods have failed.

Use Stored Communications Act (Title II of ECPA) when…

Governs access to stored electronic communications and records held by service providers. Uses a tiered system: subpoena for basic subscriber info, court order for transactional records, warrant for content.

Exam trap

The Wiretap Act covers REAL-TIME interception (communications in transit). The Stored Communications Act covers STORED data (communications at rest). The exam tests whether you know which title applies based on whether the communication is being intercepted live or accessed from storage.

Opt-In Consent vs Opt-Out Consent

Use Opt-In Consent when…

Individual must affirmatively agree before their data can be collected, used, or shared. Used by HIPAA (authorization), COPPA (verifiable parental consent), and for sensitive personal information under many state laws.

Use Opt-Out Consent when…

Data collection or sharing proceeds by default unless the individual takes action to prevent it. Used by GLBA (third-party sharing), CAN-SPAM (commercial email), and most state laws for sale/sharing of non-sensitive data.

Exam trap

Opt-in gives the individual MORE control (nothing happens without consent). Opt-out gives the organization MORE latitude (processing occurs unless the individual objects). The exam tests which consent model applies under each specific statute -- getting this wrong leads to choosing the wrong answer on multiple questions.

FTC Unfairness Standard vs FTC Deception Standard

Use FTC Unfairness Standard when…

A practice is unfair if it causes or is likely to cause substantial injury to consumers that is not reasonably avoidable and is not outweighed by countervailing benefits. Does NOT require a misrepresentation.

Use FTC Deception Standard when…

A practice is deceptive if it involves a material representation, omission, or practice that is likely to mislead a consumer acting reasonably under the circumstances. Requires a misleading statement or omission.

Exam trap

Unfairness does NOT require that the company said anything false -- it is about harmful practices. Deception requires a misleading representation or omission. The exam presents scenarios where you must identify whether the FTC would pursue an unfairness or deception theory.

Data Controller (State Laws) vs Data Processor (State Laws)

Use Data Controller (State Laws) when…

The entity that determines the purposes and means of processing personal data. Under state comprehensive privacy laws, controllers bear primary compliance obligations including honoring consumer rights requests.

Use Data Processor (State Laws) when…

The entity that processes personal data on behalf of and at the direction of a controller. Processors have limited obligations primarily focused on data security, confidentiality, and following controller instructions.

Exam trap

Controllers determine WHY and HOW data is processed. Processors act on behalf of controllers. Most state laws (following the GDPR model) impose primary obligations on controllers, not processors. California uses different terminology: 'businesses' (controllers) and 'service providers/contractors' (processors).

Private Right of Action vs Attorney General Enforcement

Use Private Right of Action when…

Allows individual consumers to sue companies directly for violations. Rare among state comprehensive privacy laws, but present in several federal sectoral statutes (FCRA, TCPA, VPPA, ECPA/SCA, DPPA). California CCPA/CPRA has a limited private right of action for data breaches only (nonencrypted and nonredacted personal information exposed through a failure to maintain reasonable security, with statutory damages of $100 to $750 per consumer per incident). Illinois BIPA has a broad private right of action.

Use Attorney General Enforcement when…

The state AG (or, for federal statutes, an agency such as the FTC, CFPB, or HHS OCR) brings enforcement actions on behalf of consumers. This is the enforcement model for HIPAA, GLBA, COPPA, and FERPA, and for nearly all state comprehensive privacy laws.

Exam trap

HIPAA, GLBA, COPPA, FERPA, and every state comprehensive privacy law except California do NOT give individuals the right to sue; enforcement runs through government agencies. The exam tests whether you know which specific laws include a private right of action (CCPA for data breaches, BIPA, TCPA, VPPA, FCRA, ECPA) versus which rely on AG or FTC enforcement. Do not assume that a statute with heavy regulatory enforcement also allows private suits, or vice versa.

Top Mistakes to Avoid

Confusing HIPAA's opt-in authorization model with GLBA's opt-out model -- HIPAA requires written authorization for uses and disclosures of PHI outside treatment, payment, health care operations, and the other permitted exceptions, while GLBA allows sharing with nonaffiliated third parties unless the consumer opts out
Assuming HIPAA applies to ALL health data -- it only covers PHI held by covered entities and business associates, not consumer health apps, wearables, or employer wellness programs outside the HIPAA ecosystem
Mixing up CCPA/CPRA applicability thresholds with Virginia VCDPA thresholds -- California uses $25M annual revenue (inflation-adjusted) OR personal information of 100K consumers or households OR 50%+ of revenue from selling or sharing personal information, while Virginia has no revenue threshold and instead uses data volume: 100K consumers, or 25K consumers plus over 25% of revenue from data sales
Thinking all state comprehensive privacy laws include a private right of action -- only California CCPA/CPRA has one, and it is limited to data breach scenarios
Confusing FTC unfairness (harmful practices causing substantial injury) with FTC deception (material misrepresentations likely to mislead) -- these are separate legal theories with different elements
Applying Fourth Amendment protections to private-sector data collection -- the Fourth Amendment only restricts government searches, not private company activities
Forgetting the FCRA two-step adverse action process for employment -- employers must provide a PRE-adverse action notice (with a copy of the report and the CFPB summary of rights) BEFORE making the final decision, then a formal adverse action notice AFTER
Confusing the Wiretap Act (real-time interception) with the Stored Communications Act (stored data access) -- both are part of ECPA but cover different scenarios with different legal standards
Treating FIPPs as enforceable law rather than guiding principles -- FIPPs inform legislation but are not independently enforceable
Assuming there is a single federal data breach notification law -- there is no comprehensive federal breach notification statute, only sector-specific requirements (HIPAA, GLBA) plus all 50 state laws

Exam-Ready Checklist

Can explain all 5 exam domains and their relative weights (37%, 24%, 5%, 8%, 26%)
Know every major federal privacy statute (HIPAA, GLBA, FCRA, COPPA, FERPA, ECPA) including scope, regulated entities, key provisions, consent models, and enforcement
Can distinguish FTC unfairness from FTC deception and identify which theory applies in scenarios
Understand FIPPs (notice, choice, access, integrity, enforcement) and how they map to specific statutory requirements
Can compare California CCPA/CPRA with Virginia VCDPA, Colorado CPA, Connecticut CTDPA, and Texas TDPSA on applicability thresholds, consumer rights, enforcement, and cure periods
Know which laws use opt-in vs opt-out consent models (HIPAA = opt-in authorization, GLBA = opt-out, COPPA = opt-in verifiable parental consent, state sensitive data = opt-in consent in most states but a right to limit in California, state sale/sharing and targeted advertising = opt-out)
Understand Fourth Amendment limitations (government action only), the third-party doctrine (Smith v. Maryland, United States v. Miller), and the Carpenter v. United States exception (a warrant is required for historical cell-site location information despite its being held by a third party)
Can explain ECPA's three titles (Wiretap Act, SCA, Pen Register Act) and when each applies
Know FCRA employment provisions: standalone disclosure, written authorization, pre-adverse action notice, adverse action notice
Understand BIPA requirements (informed written consent, retention policy, private right of action) and how it differs from other state biometric laws
Know data breach notification basics: all 50 states have laws, common triggers (name + SSN/financial data), varying timelines, AG notification requirements
Can identify which privacy laws include a private right of action (CCPA for breaches, BIPA, TCPA, VPPA) versus AG-only enforcement
Scored 70%+ on at least two full mock exams (a scaled score of 300/500 is needed to pass; IAPP does not publish the raw cutoff, which is commonly estimated at roughly 65-80% of scored questions correct)
Reviewed recent BoK additions: California Delete Act, Washington My Health My Data Act, state AI privacy laws, and universal opt-out mechanisms

Recommended Resources

Free & Official Resources

Paid Courses & Practice Exams

These are recommended if you prefer a structured learning path. They can save time but are not required to pass.

Frequently Asked Questions