IAPP Certified Information Privacy Professional/United States (CIPP-US) Exam Syllabus

- Branches of government
- Sources of law

• Constitutions
• Legislation
• Regulations and rules
• Case law
• Common law
• Contract law

- Legal definitions

• Jurisdiction
• Person
• Preemption
• Private right of action

- Regulatory authorities

• Federal Trade Commission (FTC)
• Federal Communications Commission (FCC)
• Department of Commerce (DoC)
• Department of Health and Human Services (HHS)
• Banking regulators
  1. Federal Reserve Board
  2. Comptroller of the Currency
• State attorneys general
• Self-regulatory programs and trust marks

- Understanding laws

• Scope and application
• Analyzing a law
• Determining jurisdiction
• Preemption

- Criminal versus civil liability
- General theories of legal liability

• Contract
• Tort
• Civil enforcement

- Negligence
- Unfair and deceptive trade practices (UDTP)
- Federal enforcement actions
- State enforcement (Attorneys General (AGs), California Privacy Protection Agency (CPPA))
- Cross-border enforcement issues (Global Privacy Enforcement Network (GPEN))
- Self-regulatory enforcement (PCI, Trust Marks)

- Data sharing and transfers

• Data inventory
• Data classification
• Data flow mapping

- Privacy program development
- Managing User Preferences
- Incident response programs

• Cyber threats (e.g., ransomware)

- Workforce Training
- Accountability
- Data and records retention and disposal (FACTA)
- Online Privacy
- Privacy notices
- Vendor management

• Data processing agreements
• Vendor incidents
• Cloud issues
• Third-party data sharing

- International data transfers

• U.S. Safe Harbor, Privacy Shield, and the EU-U.S. Data Privacy Framework
• Binding Corporate Rules (BCRs)
• Standard Contractual Clauses (SCCs)
• Other approved transfer mechanisms
• Schrems decisions, implications of

- Other key considerations for U.S.-based global multinational companies

• GDPR requirements
• APEC privacy framework

- Resolving multinational compliance conflicts

• EU data protection versus e-discovery

- The Federal Trade Commission Act
- FTC Privacy Enforcement Actions
- FTC Security Enforcement Actions
- The Children’s Online Privacy Protection Act of 1998 (COPPA)
- Future of federal enforcement (Data brokers, Big Data, IoT, AI, unregulated data)

- The Health Insurance Portability and Accountability Act of 1996 (HIPAA)

• HIPAA privacy rule
• HIPAA security rule
• Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates

- Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009
- The 21st Century Cures Act of 2016
- Confidentiality of Substance Use Disorder Patient Records Rule

• 42 CFR Part 2

- The Fair Credit Reporting Act of 1970 (FCRA)
- The Fair and Accurate Credit Transactions Act of 2003 (FACTA)
- The Financial Services Modernization Act of 1999 (“Gramm-Leach-Bliley” or GLBA)

• GLBA privacy rule
• GLBA safeguards rule
• Exemptions under state laws

- Red Flags Rule
- Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010
- Consumer Financial Protection Bureau
- Online Banking

- Family Educational Rights and Privacy Act of 1974 (FERPA)
- Education technology

- Telemarketing sales rule (TSR) and the Telephone Consumer Protection Act of 1991 (TCPA)

• The Do-Not-Call registry (DNC)

- Combating the Assault of Non-solicited Pornography and Marketing Act of 2003 (CAN-SPAM)
- The Junk Fax Prevention Act of 2005 (JFPA)
- The Wireless Domain Registry
- Telecommunications Act of 1996 and Customer Proprietary Network Information
- Cable Communications Policy Act of 1984
- Video Privacy Protection Act of 1988 (VPPA)

• Video Privacy Protection Act Amendments Act of 2012 (H.R. 6671)

- Driver’s Privacy Protection Act (DPPA)
- Digital advertising
- Web scraping
- Data Ethics

- Access to financial data

• Right to Financial Privacy Act of 1978
• Bank Secrecy Act of 1970 (BSA)

- Access to communications

• Wiretaps
• Electronic Communications Privacy Act (ECPA)
  1. E-mails
  2. Stored records
  3. Pen registers

- The Communications Assistance to Law Enforcement Act (CALEA)

- Foreign Intelligence Surveillance Act of 1978 (FISA)

• Wiretaps
• E-mails and stored records
• National security letters
• Amendments Act: Section 702 (2008)

- Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (USA-Patriot Act)
- The USA Freedom Act of 2015
- The Cybersecurity Information Sharing Act of 2015 (CISA)

• Privacy Protection Act of 1980

- Workplace privacy concepts

• Human resources management

- U.S. agencies regulating workplace privacy issues

• Federal Trade Commission (FTC)
• Department of Labor
• Equal Employment Opportunity Commission (EEOC)
• National Labor Relations Board (NLRB)
• Occupational Safety and Health Act (OSHA)
• Securities and Exchange Commission (SEC)

- U.S. Anti-discrimination laws

• Civil Rights Act of 1964
• Americans with Disabilities Act (ADA)
• Genetic Information Nondiscrimination Act (GINA)

- Automated employment decision tools and potential for bias
- Employee background screening

• Requirements under FCRA
• Methods
  1. Personality and psychological evaluations
  2. Polygraph testing
  3. Drug and alcohol testing
  4. Social media

- Employee monitoring

• Technologies
  1. Computer usage (including social media)
  2. Biometrics
  3. Location-based services (LBS)
  4. Wellness Programs
  5. Mobile computing
  6. E-mail and postal mail
  7. Photography
  8. Telephony
  9. Video
• Requirements under the Electronic Communications Privacy Act of 1986 (ECPA)
• Unionized worker issues concerning monitoring in the U.S. workplace

- Investigation of employee misconduct

• Data handling in misconduct investigations
• Use of third parties in investigations
• Documenting performance problems
• Balancing rights of multiple individuals in a single situation

- Termination of the employment relationship

• Transition management
• Records retention
• References

- Applicability

• Thresholds (e.g., number of state residents, annual revenue, etc.)
• Available exemptions

- Data subject rights (e.g., access; deletion/correction; portability; opt-out)
- Privacy notice requirements (e.g. California Online Privacy Protection Act and similar laws)
- Data security requirements
- Data protection agreements
- Data protection assessments / risk assessments
- Health data rules

• Geofencing bans and restrictions
• Washington My Health, My Data (MHMD) Act (2023)
• Nevada Consumer Health Data Privacy Law (SB 370) (2023)
• Privacy class actions based on the Illinois Genetic Information Privacy Act (GIPA) (2023)

- Data retention and destruction
- Selling and Sharing of Personal Information (PI)
- Enforcement

• Cure periods
• Penalties

- Cookie and online tracking regulations
- Facial recognition use restrictions
- Biometric information privacy regulations

• Illinois Biometric Information Privacy Act (BIPA) (2008)
• Other biometric privacy laws (e.g. Washington, Texas)

- AI bias laws

• Automated decision-making rules and regulations (e.g. California, Colorado)
• NYC Automated Employment Decision Tool law
• Colorado’s Protecting Consumers from Unfair Discrimination in Insurance Practices law

- Important comprehensive data privacy laws

• California data privacy laws: California Consumer Privacy Act (CCPA) (2018) as amended by the California Privacy Rights Act (CPRA)(2020), California Age-Appropriate Design Code Act (A.B. 2273) (2022), Delete Act (SB 362) (2023)
• Key provisions of other significant state acts and laws (Virginia, Colorado, Connecticut, Utah, Nevada, Florida, Oregon, Texas, Montana)

- Elements of state data breach notification laws

• Definitions of relevant terms (personal information, security breach)
• Conditions for notification (who, when, how)
• Subject rights (credit monitoring, private right of action)

- Key differences among states today
- Significant developments

• Utah S.B. 127 Cybersecurity Amendments
• Pennsylvania SB 696
• Other significant state amendments