You Can Pass This Exam For Free
Choose Your Study Path
You work in IT, software development, or data roles but have limited formal privacy training. You need to build foundational knowledge of privacy law concepts, engineering principles, and the technical tools used to protect personal data before diving into CIPT-specific content.
Exam Overview
Format
90 multiple-choice questions (75 scored + 15 unscored pretest items), 150 minutes plus an optional 15-minute break. Delivered via Pearson VUE at a test center or via OnVUE online proctoring. Closed-book exam. ANAB-accredited under ISO/IEC 17024:2012.
Scoring
Scaled scoring from 100 to 500. Passing score is 300. The 15 pretest (unscored) questions are randomly distributed throughout the exam and are indistinguishable from scored questions — answer all 90 questions. Score report provided upon completion. No penalty for wrong answers.
Domains & Weights
- The Privacy Technologist's Role in the Context of the Organization: 23%
- Data Collection, Use, Dissemination, and Destruction: 28%
- Privacy Risk Management: 25%
- Privacy by Design: 11%
- Privacy Engineering and Privacy Governance: 13%
Registration
Exam fee is $550 USD. Register at pearsonvue.com/iapp or through iapp.org. Retake fee is $375 USD with a mandatory 30-day waiting period between attempts. Certification is valid for 2 years and requires 20 CPE credits per 2-year term and a $250 maintenance fee for renewal.
Topic Priority Table
Not all topics are tested equally. Focus your study time on Tier 1 first, then Tier 2. Tier 3 topics rarely appear — just recognize what they do.
The Privacy Technologist's Role in the Context of the Organization
This domain covers the organizational role of privacy technologists — how they collaborate with legal, compliance, IT, and business teams. It includes privacy risk models (LINDDUN and MITRE PANOPTIC), data ethics frameworks, bias in automated decision systems, and the technical privacy responsibilities distinct from legal privacy responsibilities.
Key Topics
Must-Know Concepts
- The privacy technologist bridges the gap between legal/compliance requirements and technical implementation — translating legal obligations into engineering controls
- Legal privacy responsibilities: policy development, regulatory compliance, data subject rights response. Technical privacy responsibilities: implementing controls, conducting threat modeling, designing privacy-preserving architectures
- LINDDUN is a systematic privacy threat modeling methodology applied to data flow diagrams. Each letter represents a threat category: Linkability, Identifiability, Non-repudiation, Detectability, Disclosure of information, Unawareness, Non-compliance
- MITRE PANOPTIC (Pattern and Action Nomenclature Of Privacy Threats In Context) provides a catalog of privacy attack tactics, techniques, and procedures (TTPs) analogous to MITRE ATT&CK for cybersecurity, covering how adversaries compromise privacy
- Data ethics principles for privacy technologists: fairness, transparency, accountability, purpose limitation, and non-maleficence in data use
- Bias in automated decision systems: algorithmic bias can arise from biased training data, biased feature selection, or biased objective functions. Privacy technologists must understand both the privacy implications and fairness implications of AI systems
- The IAPP AIGP (AI Governance Professional) certification covers AI governance in depth — the CIPT and AIGP share content around automated decision-making and AI ethics. Candidates with AIGP will have a head start on Domain 1 AI/ML topics
- The BoK explicitly names several privacy risk models and frameworks beyond LINDDUN and PANOPTIC: Nissenbaum's Contextual Integrity (privacy as appropriate information flow in context), Calo's Harms Dimensions (subjective and objective privacy harms), the FAIR model (Factor Analysis in Information Risk), NIST/NICE framework, FIPPs (Fair Information Practice Principles), and OECD privacy principles. Know each at a recognition level
- Privacy risk assessment at the organizational level involves mapping privacy risks to organizational risk registers, distinguishing privacy risks from cybersecurity risks, and communicating risk to non-technical stakeholders
- Differential privacy and other PETs play a role in de-biasing AI models by limiting the information that can be inferred about individuals in training data
Common Exam Traps
Data Collection, Use, Dissemination, and Destruction
The largest domain at 28%, covering the full data lifecycle from collection to destruction. Topics include notice and consent mechanisms, automatic data collection technologies (cookies, tracking, fingerprinting), data minimization strategies, Privacy-Enhancing Technologies (PETs), retention and destruction policies, and defense in depth for personal data protection.
Key Topics
Must-Know Concepts
- Layered privacy notices: a short-form notice for initial disclosure with a link to the full-length privacy policy. Just-in-time notices appear at the exact point of data collection
- Valid consent requirements under GDPR: freely given (no coercion or bundling with service access unless necessary), specific (separate consent for each distinct purpose), informed (clear description of what consent covers), unambiguous (affirmative act — no pre-ticked boxes, no silence)
- Cookie types: session cookies (expire when browser closes), persistent cookies (survive browser close, have expiry date), first-party cookies (set by visited domain), third-party cookies (set by external domain). Strictly necessary cookies are exempt from consent requirements under ePrivacy Directive
- Browser fingerprinting: collecting browser and device attributes to create a unique identifier without storing data on the device. Cannot be defeated by clearing cookies. Requires prior consent under many jurisdictions
- Data minimization strategies: collect only required fields at intake, use aggregate data instead of individual records, implement field-level access controls, use synthetic data for testing, apply pseudonymization to reduce identifiability in analytics
- K-anonymity: a dataset is k-anonymous if each record is indistinguishable from at least k-1 others on its quasi-identifiers (every equivalence class has at least k records). L-diversity adds the requirement that each equivalence class contain at least l distinct values of the sensitive attribute, so a uniform class cannot reveal that attribute. T-closeness requires the distribution of the sensitive attribute within each equivalence class to be within distance t of its distribution in the whole dataset
- Differential privacy: adds calibrated random noise to outputs. Privacy budget (epsilon) controls the privacy-utility tradeoff. Lower epsilon = more noise = stronger privacy = less useful output
- Retention schedules: defined periods for which personal data may be retained based on the original purpose. Data must be deleted or anonymized when the retention period expires
- NIST SP 800-88 guidelines for media sanitization: Clear (software-only overwrite), Purge (hardware or firmware techniques defeating forensic recovery), Destroy (physical destruction). The required level depends on data sensitivity and the target media type
- Defense in depth for privacy: data minimization + pseudonymization + access controls + encryption + audit logging + DLP + incident response. No single control is sufficient
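The k-anonymity, l-diversity and t-closeness bullet above gives the three definitions in words; the following added example (not IAPP material) computes all three for a table, before and after generalizing the quasi-identifiers, so the difference between the metrics is visible on data. The records, the choice of quasi-identifiers and the generalization rules are constructed for illustration; t-closeness uses the equal-distance earth mover's distance for a categorical attribute, which reduces to half the L1 distance between the two distributions.

```python
"""Check k-anonymity, l-diversity and t-closeness of a small tabular dataset."""
from collections import Counter, defaultdict

# Constructed sample: ZIP and age are quasi-identifiers, diagnosis is sensitive.
RECORDS = [
    {"zip": "02138", "age": 31, "diagnosis": "flu"},
    {"zip": "02139", "age": 34, "diagnosis": "flu"},
    {"zip": "02131", "age": 35, "diagnosis": "cancer"},
    {"zip": "02132", "age": 38, "diagnosis": "cancer"},
    {"zip": "02145", "age": 42, "diagnosis": "flu"},
    {"zip": "02146", "age": 47, "diagnosis": "hepatitis"},
]
QUASI = ("zip", "age")
SENSITIVE = "diagnosis"


def generalize(rec, zip_digits=3, age_bucket=10):
    """Copy of rec with coarsened QIs: ZIP prefix plus '*', age in 10-year bands."""
    out = dict(rec)
    out["zip"] = rec["zip"][:zip_digits] + "*" * (len(rec["zip"]) - zip_digits)
    lo = (rec["age"] // age_bucket) * age_bucket
    out["age"] = f"{lo}-{lo + age_bucket - 1}"
    return out


def equivalence_classes(records):
    """Group records that share the same quasi-identifier values."""
    classes = defaultdict(list)
    for r in records:
        classes[tuple(r[q] for q in QUASI)].append(r)
    return classes


def k_anonymity(records):
    """Largest k such that every equivalence class holds at least k records."""
    return min(len(c) for c in equivalence_classes(records).values())


def l_diversity(records):
    """Largest l such that every class holds at least l distinct sensitive values."""
    return min(len({r[SENSITIVE] for r in c})
               for c in equivalence_classes(records).values())


def t_closeness(records):
    """Largest distance between any class's sensitive-value distribution and the
    overall distribution (equal-distance EMD = half the L1 distance)."""
    overall = Counter(r[SENSITIVE] for r in records)
    n = len(records)
    worst = 0.0
    for c in equivalence_classes(records).values():
        local = Counter(r[SENSITIVE] for r in c)
        dist = 0.5 * sum(abs(local[v] / len(c) - overall[v] / n) for v in overall)
        worst = max(worst, dist)
    return worst


def report(records):
    return {"k": k_anonymity(records), "l": l_diversity(records), "t": t_closeness(records)}


if __name__ == "__main__":
    print("raw:        ", report(RECORDS))
    print("generalized:", report([generalize(r) for r in RECORDS]))
```

On the constructed table the raw records are k=1 (every ZIP is unique); after generalization they reach k=2 and l=2, but the 40-49 band still carries a diagnosis distribution one third away from the overall one, which is what t-closeness catches and k-anonymity alone does not.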
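The differential privacy bullet above states the epsilon trade-off (lower epsilon, more noise, stronger privacy) and the idea of a privacy budget; the Domain 1 list also mentions DP limiting what can be inferred about individuals in training data. The following added example (not IAPP material or any DP library's code) implements the Laplace mechanism for a counting query, whose sensitivity is 1 because adding or removing one person changes the count by at most 1, together with a budget accountant that refuses queries once the cumulative epsilon is spent. The dataset, the seeds and the budget values are constructed for illustration; the accountant uses basic sequential composition, which simply sums epsilon across queries.

```python
"""Laplace mechanism for a counting query plus a simple privacy-budget accountant."""
import math
import random

# Constructed sample: ages of eight individuals.
AGES = [23, 35, 41, 52, 29, 67, 38, 45]


def laplace_noise(scale, rng):
    """Sample Laplace(0, scale) by inverse CDF; rng is a random.Random."""
    u = max(rng.random() - 0.5, -0.5 + 1e-12)   # guard log(0) at u == -0.5
    return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))


def noise_scale(epsilon, sensitivity=1.0):
    """Laplace scale b = sensitivity / epsilon: smaller epsilon means more noise."""
    return sensitivity / epsilon


class BudgetExhausted(Exception):
    pass


class PrivacyBudget:
    """Tracks cumulative epsilon spent under basic sequential composition."""

    def __init__(self, total_epsilon):
        self.total = total_epsilon
        self.spent = 0.0

    def charge(self, epsilon):
        if self.spent + epsilon > self.total + 1e-12:
            raise BudgetExhausted(f"{self.spent:.2f} of {self.total} already spent")
        self.spent += epsilon

    @property
    def remaining(self):
        return self.total - self.spent


def true_count(data, predicate):
    return sum(1 for x in data if predicate(x))


def dp_count(data, predicate, epsilon, budget, rng):
    """Noisy count of records satisfying predicate; charges epsilon first so a
    refused query releases nothing."""
    budget.charge(epsilon)
    return true_count(data, predicate) + laplace_noise(noise_scale(epsilon), rng)


def demo(seed=7, total_epsilon=1.0):
    """Spend a budget of 1.0 on two queries of epsilon 0.5; a third must be refused."""
    rng = random.Random(seed)
    budget = PrivacyBudget(total_epsilon)
    over_40 = lambda a: a >= 40
    first = dp_count(AGES, over_40, 0.5, budget, rng)
    second = dp_count(AGES, over_40, 0.5, budget, rng)
    try:
        dp_count(AGES, over_40, 0.1, budget, rng)
        refused = False
    except BudgetExhausted:
        refused = True
    return {"first": first, "second": second,
            "remaining": budget.remaining, "third_refused": refused}


def low_noise_check(seed=3):
    """With a very large epsilon the noisy count is practically the true count."""
    rng = random.Random(seed)
    return dp_count(AGES, lambda a: a >= 40, 1e6, PrivacyBudget(1e6), rng)


if __name__ == "__main__":
    print("true count of ages >= 40:", true_count(AGES, lambda a: a >= 40))
    print(demo())
```

Two details matter for a reviewer: the budget is charged before the answer is computed, so an over-budget query leaks nothing, and repeating the same query does not improve privacy; it spends budget each time and lets an analyst average the noise away, which is exactly what the accountant is there to bound.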
Common Exam Traps
Privacy Risk Management
The second-largest domain at 25%. Covers identifying and managing privacy risks in systems and processes. Topics include dark patterns that undermine consent, surveillance and tracking technologies, biometric data controls, workplace monitoring, software privacy risks, intrusion and decisional interference, and Privacy Impact Assessments (PIAs/DPIAs).
Key Topics
Must-Know Concepts
- Dark pattern categories: nagging (repeated consent requests), obstruction (making privacy-protective choices difficult), sneaking (undisclosed data collection), interface interference (visual design that manipulates choice), forced action (requiring unnecessary consent to access service), disguising (hiding the commercial or tracking nature of an action), trick questions (ambiguous wording producing unexpected consent)
- Intrusion: unreasonable interference with a person's solitude, seclusion, or private affairs. Decisional interference: influencing a person's personal decisions through surveillance or information use. The BoK also covers behavioral advertising, behavioral profiling, cyberbullying, and social engineering as forms of interference
- Software privacy risks: client-side logging of sensitive fields, debug logs containing personal data, insecure error messages exposing data, overly broad API responses returning more data than necessary, lack of input validation leading to injection attacks that expose data
- Surveillance technologies: CCTV and video analytics, location tracking (GPS, cell tower, Wi-Fi positioning), network traffic monitoring, metadata collection, cross-device tracking
- Biometric data uniqueness: immutable (cannot be changed after breach), inherently identifying, enables persistent identification across contexts. Special category data under GDPR
- Biometric technical safeguards: store only processed templates (not raw biometric data), use one-way hashing with salting for templates, implement template aging (periodic re-enrollment), provide non-biometric alternatives, purpose limitation (biometrics enrolled for one purpose cannot be used for another)
- Workplace monitoring technologies: keystroke logging, screen capture, email monitoring, network traffic inspection, productivity scoring software, location tracking on company devices. Privacy risk depends on scope, employee notice, and proportionality to legitimate business purpose
- Workplace technologies also include AI/ML/deep learning systems, communications platforms (video conferencing, messaging, mobile devices, social media, gaming platforms), and each carries distinct privacy risks. The BoK explicitly tests the ability to identify and minimize privacy risks in these technologies
- IoT privacy risks: continuous ambient data collection, lack of user-facing consent interfaces, insecure data transmission, long device lifespans with short software support windows, data aggregation revealing sensitive behavioral patterns
- PIA process: identify data flows and processing activities, assess privacy risks to data subjects, identify legal basis for processing, evaluate data minimization and proportionality, recommend mitigations, document residual risk
- DPIA triggers under GDPR Article 35: systematic and extensive profiling, large-scale processing of special categories, systematic monitoring of publicly accessible areas
Common Exam Traps
Privacy by Design
This domain covers the Privacy by Design framework developed by Ann Cavoukian — its seven foundational principles, privacy goals and specifications derived from those principles, the impact of design choices on UX and user privacy, and value-sensitive design methodology for embedding privacy into systems from inception.
Key Topics
Must-Know Concepts
- Seven Privacy by Design Principles: (1) Proactive not Reactive; Preventative not Remedial — anticipate and prevent privacy-invasive events before they occur; (2) Privacy as the Default Setting — personal data is automatically protected; no action required by the individual; (3) Privacy Embedded into Design — integrated into system design, not added as an add-on; (4) Full Functionality — Positive-Sum not Zero-Sum — privacy AND functionality, not privacy OR functionality; (5) End-to-End Security — Full Lifecycle Protection — strong security from data collection to secure deletion; (6) Visibility and Transparency — Keep it Open — practices are visible and transparent to users and providers; (7) Respect for User Privacy — Keep it User-Centric — individual interests are respected with strong defaults, appropriate notice, and empowering options
- Privacy goals framework: Unlinkability (prevent linking data to an individual beyond intended use), Transparency (all stakeholders can verify and understand how data is used), Intervenability (individuals can intervene in processing), Confidentiality (data is protected from unauthorized access), Availability (data is accessible to authorized parties when needed)
- Value-sensitive design: three types of investigations — conceptual (identify values and stakeholders), empirical (study how users and affected parties experience the system), technical (analyze how design decisions embody or undermine values)
- Privacy specifications: formal or semi-formal documentation of privacy requirements derived from PbD principles and privacy goals. Used as input to security and privacy engineering processes
- UX privacy design: clear, comprehensible consent interfaces; accessible privacy settings; meaningful control over personal data; transparent data use indicators. Good privacy UX enhances trust without sacrificing usability
- PbD is proactive — privacy risks must be identified and mitigated BEFORE deployment, not in response to incidents or regulatory action
- PbD Principle 4 (Full Functionality / Positive-Sum) directly challenges the assumption that privacy and functionality are zero-sum. Organizations claiming that privacy requirements reduce product quality are failing to apply Principle 4
- GDPR Article 25 legally codifies data protection by design and by default, making PbD Principles 1 and 2 legal requirements for GDPR-scope processing
Common Exam Traps
Privacy Engineering and Privacy Governance
This domain covers the engineering implementation of privacy controls across the software development lifecycle and the governance structures that sustain privacy programs. Topics include the three NIST privacy engineering objectives (Predictability, Manageability, Disassociability), data flow and lineage analysis, SDLC privacy controls, data inventories, Records of Processing Activities (ROPA), code review for privacy, and ongoing privacy monitoring.
Key Topics
Must-Know Concepts
- Three NIST Privacy Engineering Objectives (NIST IR 8062): Predictability — enabling reliable assumptions by individuals, owners, and operators about how personal data and systems behave; Manageability — providing individuals and organizations with the ability to manage personal data processing including granting, modifying, and revoking data processing; Disassociability — enabling processing with decreasing levels of association between individuals and their data (the engineering objective underlying de-identification, aggregation, pseudonymization)
- ROPA contents under GDPR Article 30: name and contact details of controller, purposes of processing, description of categories of data subjects and personal data, categories of recipients, international transfers and safeguards, retention periods, description of security measures. Both controllers AND processors must maintain a ROPA
- Data inventory: a comprehensive catalog of all personal data held by an organization, including data categories, storage locations, access controls, retention periods, and legal bases. Foundation for ROPA and PIA work
- Data lineage: tracking how personal data flows from source to destination through all transformations, copies, and uses. Essential for understanding data provenance and identifying where privacy controls must be applied
- Data flow diagrams (DFDs) for privacy: annotate flows with data categories, legal bases, retention periods, and sharing relationships. Used as input to LINDDUN threat modeling, PIA/DPIA, and ROPA population
- SDLC privacy integration: privacy requirements in functional spec → privacy threat modeling in design → privacy code review in development → privacy testing in QA → DPIA update in maintenance. Privacy must be embedded at EVERY phase, not just reviewed at the end
- Code review for privacy: check for over-collection (collecting more fields than required), insecure logging (personal data in log files), missing field-level encryption for sensitive attributes, hardcoded keys or secrets, insecure deletion (missing secure erase of sensitive data), and overly broad API responses
- Privacy monitoring: ongoing processes for detecting privacy incidents, measuring privacy control effectiveness, reviewing data processing activities for compliance, and tracking data subject rights requests. The BoK specifically includes runtime behavior monitoring — analyzing system behavior during execution to detect privacy violations
- Enterprise architecture and cross-border data transfer considerations: understand how data flow diagrams and data lineage tools map to cross-border transfer requirements (e.g., SCCs, BCRs, adequacy decisions) and where technical controls must be applied to support lawful international transfers
- NIST Privacy Framework Core: Identify-P (data governance), Govern-P, Control-P, Communicate-P, Protect-P (data processing ecosystem risk management). Complements but is distinct from the NIST Cybersecurity Framework
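The code-review bullet above (over-collection, personal data in log files, overly broad API responses) and the Domain 3 software privacy risks list describe defects to look for; the privacy monitoring bullet adds runtime detection. The following added example (not IAPP material or any framework's code) shows an over-broad profile serializer beside its allow-list replacement, a redaction step applied before a line is logged, and a log scanner that flags lines still carrying personal data. The user record, the log lines, the endpoint's field allow-list and the two PII patterns are constructed for illustration; real deployments need patterns tuned to their own data categories.

```python
"""Privacy code-review checks: minimal API responses, redacted logging, and a
runtime log scanner for personal data."""
import re

# Constructed user record as it might be stored in the database.
USER_RECORD = {
    "id": 1042, "display_name": "A. Example", "email": "a.example@example.com",
    "ssn": "123-45-6789", "date_of_birth": "1990-04-02", "plan": "pro",
    "password_hash": "$argon2id$constructed",
}


def profile_response_before(user):
    """Over-broad response: serializes the whole record (the defect a privacy
    code review should flag)."""
    return dict(user)


# Assumption: the profile endpoint only needs these three fields.
PROFILE_FIELDS = ("id", "display_name", "plan")


def profile_response_after(user):
    """Allow-list serialization: only the fields this endpoint's client needs."""
    return {k: user[k] for k in PROFILE_FIELDS}


# Constructed patterns for personal data that must never reach log files.
PII_PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}


def redact(text):
    """Replace matches with a typed placeholder before the line is written to a log."""
    for label, pat in PII_PATTERNS.items():
        text = pat.sub(f"<{label}-redacted>", text)
    return text


def scan_log(lines):
    """Runtime monitor: (line_number, pii_types) for every line containing PII."""
    findings = []
    for i, line in enumerate(lines, 1):
        hits = [label for label, pat in PII_PATTERNS.items() if pat.search(line)]
        if hits:
            findings.append((i, hits))
    return findings


# Constructed log lines, as an insecure debug statement might emit them.
SAMPLE_LOG = [
    "INFO login ok user=1042",
    "DEBUG request body {'email': 'a.example@example.com', 'ssn': '123-45-6789'}",
    "WARN rate limit user=1042",
]

if __name__ == "__main__":
    print("before:", profile_response_before(USER_RECORD))
    print("after: ", profile_response_after(USER_RECORD))
    print("findings:", scan_log(SAMPLE_LOG))
    print("redacted:", [redact(line) for line in SAMPLE_LOG])
```

The allow-list form is the one to prefer in review: a new sensitive column added to the table later is excluded by default, whereas a deny-list serializer silently starts returning it. The scanner is a detection control, not a substitute for redaction; it tells you the logging defect exists so it can be fixed at the source.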
Common Exam Traps
Concepts You Must Not Confuse
These pairs appear on nearly every exam. Learn the difference and you'll avoid the most common traps.
Top Mistakes to Avoid
Exam-Ready Checklist
Recommended Resources
Free & Official Resources
Paid Courses & Practice Exams
These are recommended if you prefer a structured learning path. They can save time but are not required to pass.