You Can Pass This Exam For Free
Choose Your Study Path
You have limited experience with privacy law or regulatory compliance. You may come from IT, business, or a non-legal background and need to build foundational knowledge of the U.S. legal system, sectoral privacy statutes, and enforcement mechanisms before tackling exam scenarios.
Exam Overview
Format
90 multiple-choice questions (75 scored + 15 unscored field test items) in 150 minutes (2 hours 30 minutes). Includes scenario-based questions testing application of privacy laws to real-world situations. No penalty for wrong answers -- always answer every question.
Scoring
Scaled score 100-500. Passing threshold: 300 out of 500. The scaled scoring accounts for question difficulty across exam forms. Typically requires 65-80% of scored questions answered correctly. No penalty for incorrect answers.
Domains & Weights
- Introduction to the U.S. Privacy Environment: 37%
- Limits on Private-Sector Collection and Use of Data: 24%
- Government and Court Access to Private-Sector Information: 5%
- Workplace Privacy: 8%
- State Privacy Laws: 26%
Registration
Exam fee is $550 USD; retake fee is $375 USD. Register through the IAPP website (iapp.org) and schedule at Pearson VUE testing centers worldwide or remotely via OnVUE online proctoring. Certification requires 20 CPE credits per 2-year cycle.
Topic Priority Table
Not all topics are tested equally. Focus your study time on Tier 1 first, then Tier 2. Tier 3 topics rarely appear -- just recognize what they do.
Introduction to the U.S. Privacy Environment
The largest domain by weight, covering the foundational structure of U.S. privacy law. This includes constitutional origins of privacy rights, the sectoral regulatory model, FTC enforcement authority and mechanisms, state attorney general enforcement, common law privacy torts, Fair Information Practice Principles (FIPPs), and the notice-and-choice framework that underpins most U.S. privacy regulation.
Key Topics
Must-Know Concepts
- Constitutional sources of privacy: First Amendment (freedom of association), Fourth Amendment (unreasonable search and seizure), Fifth Amendment (self-incrimination), Fourteenth Amendment (due process and substantive privacy rights from Griswold v. Connecticut)
- FTC Section 5 enforcement: the unfairness standard (substantial injury, not reasonably avoidable, not outweighed by benefits) and deception standard (material misrepresentation likely to mislead reasonable consumers) are the two legal theories the FTC uses
- FTC enforcement tools: consent decrees, civil penalties, administrative orders, and the ability to require 20-year compliance monitoring programs
- Fair Information Practice Principles (FIPPs): notice/awareness, choice/consent, access/participation, integrity/security, and enforcement/redress -- the foundational framework underlying most U.S. privacy regulation
- The U.S. sectoral approach: no single comprehensive federal privacy law -- instead, sector-specific statutes (HIPAA for health, GLBA for finance, COPPA for children) supplemented by state laws
- State attorney general enforcement powers: most state privacy laws give AGs authority to enforce violations, issue civil investigative demands, and seek injunctive relief and penalties
- Common law privacy torts: intrusion upon seclusion, public disclosure of private facts, false light, and appropriation of name or likeness
- The notice-and-choice model: organizations provide notice of data practices and give individuals choices about collection and use -- the dominant U.S. regulatory approach
- Self-regulatory frameworks: industry self-regulation through codes of conduct, BBB Online, DAA (Digital Advertising Alliance) principles, and safe harbor programs
Common Exam Traps
Limits on Private-Sector Collection and Use of Data
This domain covers the major federal privacy statutes that regulate how private-sector organizations collect, use, and share personal information. You need deep knowledge of sector-specific laws including healthcare (HIPAA), financial (GLBA), consumer reporting (FCRA), children's online privacy (COPPA), education (FERPA), and telecommunications/marketing (TCPA, CAN-SPAM). The exam tests both broad understanding and specific statutory details.
Key Topics
Must-Know Concepts
- HIPAA: covered entities (health plans, clearinghouses, providers conducting electronic transactions), business associates, PHI definition, minimum necessary rule, individual rights (access, amendment, accounting of disclosures), breach notification (60 days to individuals, immediate to HHS for 500+ records), de-identification methods (Safe Harbor with 18 identifiers, Expert Determination)
- GLBA: broad definition of financial institution (includes tax preparers, check cashers, debt collectors), Financial Privacy Rule (annual notices, opt-out for third-party sharing), Safeguards Rule (written information security program), and exceptions for joint marketing and affiliate sharing
- FCRA: consumer reporting agencies, permissible purposes for accessing reports (credit, employment with consent, insurance, legitimate business need), adverse action notice requirements (pre-adverse and adverse), accuracy obligations, and consumer dispute rights. FACTA amendments added red flags rule and free annual credit reports
- COPPA: applies to operators of websites/online services directed to children under 13 or with actual knowledge of child users, verifiable parental consent (VPC) required before collection, FTC-approved safe harbor programs, and the broad definition of personal information (includes persistent identifiers, geolocation, photos/videos)
- FERPA: applies to educational institutions receiving federal funding, protects education records, parents' rights transfer to students at age 18 or college enrollment, directory information exception (schools can share unless parent opts out), and exceptions for health/safety emergencies
- TCPA: restrictions on autodialed calls and texts, prior express written consent required for marketing, National Do Not Call Registry, exemptions for emergency calls and debt collection, and the evolving definition of autodialer after Facebook v. Duguid (2021)
- CAN-SPAM: applies to commercial electronic messages, requires functioning opt-out mechanism (10 business days to process), accurate header and subject lines, physical postal address, and pre-empts state email laws
- FTC cross-sector enforcement: Section 5 actions against unfair or deceptive data practices, COPPA consent decrees, and data security enforcement under the unfairness theory
Common Exam Traps
Government and Court Access to Private-Sector Information
This is the smallest domain by weight but covers complex constitutional and statutory material on how the government accesses private-sector data. Topics include Fourth Amendment protections, the Electronic Communications Privacy Act (ECPA), FISA and national security surveillance, law enforcement access mechanisms (warrants, subpoenas, court orders), and civil litigation discovery. Despite the low weight, questions tend to be challenging.
Key Topics
Must-Know Concepts
- Fourth Amendment: protects against unreasonable government searches and seizures -- requires probable cause and a warrant for most searches. Does NOT apply to private-sector actors
- Third-party doctrine: information voluntarily shared with third parties traditionally loses Fourth Amendment protection. Carpenter v. United States (2018) created an exception for cell-site location information, requiring a warrant
- ECPA three titles: Wiretap Act (Title I -- real-time interception, requires super-warrant), Stored Communications Act (Title II -- stored data access, tiered system of legal process), Pen Register Act (Title III -- metadata collection, requires court order showing relevance)
- Law enforcement access hierarchy: subpoena (lowest standard, basic subscriber info), court order under Section 2703(d) (specific and articulable facts), search warrant (probable cause, required for content of stored communications)
- FISA: Foreign Intelligence Surveillance Act authorizes surveillance of foreign powers and agents. Section 702 allows collection of foreign intelligence from non-U.S. persons outside the U.S. through U.S. service providers. National Security Letters compel disclosure of certain records without judicial approval
Common Exam Traps
Workplace Privacy
This domain covers the privacy rights and limitations in the employment context. Topics include employer monitoring of electronic communications and internet usage, background checks and FCRA requirements, BYOD policies, video surveillance, drug testing, biometric data collection (BIPA), genetic information protections (GINA), and the generally limited expectation of privacy employees have when using employer-owned systems and facilities.
Key Topics
Must-Know Concepts
- Employee monitoring: employers generally have broad rights to monitor employee activity on company-owned devices and networks, but must balance against state wiretapping laws, ECPA consent provisions, and union collective bargaining agreements
- FCRA employment provisions: employers must provide standalone written disclosure and obtain written authorization BEFORE obtaining consumer reports, must provide pre-adverse action notice with copy of report and summary of rights, and then a formal adverse action notice
- BYOD (Bring Your Own Device): employers must address privacy expectations for personal devices used for work, establish clear policies on monitoring scope, data separation, and remote wipe capabilities
- Illinois BIPA: strictest biometric privacy law with informed written consent required before collection, private right of action, and the 2024 amendment limiting per-scan damages. Other states have biometric laws but without private right of action
- GINA: prohibits employers from requesting, requiring, or purchasing genetic information of employees or their family members, with narrow exceptions (inadvertent acquisition, voluntary wellness programs, FMLA certification)
- Video surveillance: generally permitted in common work areas but prohibited in areas with reasonable expectation of privacy (restrooms, changing rooms). Some states require notice. Audio recording adds wiretapping law considerations
- Drug testing: varies significantly by state. Some states require reasonable suspicion, others allow random testing. Federal positions and safety-sensitive industries (DOT-regulated) have mandatory testing requirements
Common Exam Traps
State Privacy Laws
The second-heaviest domain and the fastest-growing area on the exam. Covers the rapidly expanding landscape of state comprehensive consumer privacy laws led by California's CCPA/CPRA, followed by Virginia, Colorado, Connecticut, Texas, and 15+ additional states. Also covers state data breach notification laws, biometric privacy laws, and emerging state-level AI and children's privacy regulations. This domain has seen the largest increase in question allocation, with 13-17 questions as of the 2025-2026 exam blueprint.
Key Topics
Must-Know Concepts
- CCPA/CPRA in depth: applicability thresholds (annual gross revenue of $25M statutory base, CPI-adjusted to $26,625,000 effective January 1, 2025, OR 100K consumers/households OR 50% revenue from selling/sharing data), full consumer rights suite (know, delete, correct, opt-out of sale/sharing, limit sensitive data use), service provider vs contractor distinctions, CPPA enforcement, private right of action limited to data breaches ($100-$750 per consumer per incident)
- State law comparison framework: know how to compare applicability thresholds, consumer rights, consent models (opt-in for sensitive data vs opt-out for sale/targeted advertising), cure periods (30-60 days in most states, some sunsetting), enforcement mechanisms, and unique provisions across states
- Virginia VCDPA: controller/processor model, no private right of action, AG exclusive enforcement, permanent 30-day cure period (no sunset -- Virginia's cure period remains in force unlike Colorado and Connecticut which sunsetted theirs January 2025), consumer rights (access, delete, correct, portability, opt-out of targeted advertising/sale/profiling)
- Colorado CPA: universal opt-out mechanism required, no cure period after January 1, 2025 (sunsetted), consumer rights similar to Virginia, AG and district attorney enforcement, data protection assessments required for high-risk processing
- Data breach notification: all 50 states require notification, common triggers include name + SSN, driver's license, financial account number, or health/biometric data. Notification timelines vary (30-90 days in most states, some shorter). Many states require AG notification for large breaches
- California Delete Act (SB 362): requires data brokers to register with CPPA and delete consumer data upon request through a centralized mechanism, effective 2026
- Washington My Health My Data Act: protects consumer health data outside of HIPAA, includes private right of action, broad definition of health data, applies to regulated entities processing consumer health data
- Emerging state AI laws: Colorado AI Act (algorithmic discrimination), NYC Automated Employment Decision Tools (AEDT) Law, Illinois AI Video Interview Act -- know these exist and their basic requirements
- Universal opt-out mechanisms: Colorado and other states requiring businesses to honor browser-based opt-out signals (Global Privacy Control) for sale/targeted advertising
Common Exam Traps
Laws and Concepts You Must Not Confuse
These pairs appear on nearly every exam. Learn the difference and you'll avoid the most common traps.
Top Mistakes to Avoid
Exam-Ready Checklist
Recommended Resources
Free & Official Resources
Paid Courses & Practice Exams
These are recommended if you prefer a structured learning path. They can save time but are not required to pass.