top of page

CIPP/US Body of Knowledge (2024-2025)

If you’re preparing for the Certified Information Privacy Professional/United States (CIPP/US) exam, one of the most important resources you’ll encounter is the Body of Knowledge (BoK). This high-level guide, published by the International Association of Privacy Professionals (IAPP), outlines the topics you’ll be tested on.

To keep the certification current and prevent overexposure of exam content, the IAPP updates the BoK annually, typically in late spring or early summer.


Now, what’s new for the 2024–2025 exam cycle? Let’s break it down.


When Do the Changes Take Effect?


The updated CIPP/US BoK becomes effective on September 2, 2024.


As always, the IAPP releases updates at least 90 days in advance, giving candidates enough time to adjust their prep before changes impact the exam.


Format: Did It Change?


Not this year. Despite IAPP’s recent trend toward a new “competency and performance indicator” structure in other certifications (like the CIPM, CIPP/C, and AIGP), the CIPP/US BoK sticks with its classic nested outline.


This also means that the Exam Blueprint, which provides a range of question counts per topic, remains a separate document.


Have the Domains Changed?


These five core domains below remain unchanged:


  • Domain I – Introduction to the U.S. Privacy Environment

A. Structure of U.S. Law

B. Enforcement of U.S. Privacy and Security Laws

C. Information Management from a U.S. Perspective


  • Domain II – Limits on Private-Sector Collection and Use of Data

A. Cross-sector FTC Privacy Protection

B. Healthcare/Medical

C. Financial

D. Education

E. Telecommunications and Marketing


  • Domain III – Government and Court Access to Private-Sector Information

A. Law Enforcement and Privacy

B. National Security and Privacy

C. Civil Litigation and Privacy


  • Domain IV – Workplace Privacy

A. Introduction to Workplace Privacy

B. Privacy before, during, and after employment


  • Domain V – State Privacy Laws

A. Federal vs. state authority

B. Data Privacy and Security Laws

C. Data Breach Notification Laws


Has the Number of Questions Changed?


The 2024–2025 Exam Blueprint remains identical to last year, with the same number of questions per domain.


What New Topics Were Added?


The updates for this cycle are relatively modest, but they reflect the evolving U.S. privacy law landscape.


Key additions include these new concepts:

  • Section I.C.j.i – Data Processing Agreements

  • Section II.E.j – Web Scraping

  • Section V.A.a – State Attorneys General (under federal vs. state authority)

  • Section V.C.c.i – Utah S.B. 127 Cybersecurity Amendments

  • Section V.C.c.ii – Pennsylvania SB 696


There are also notable expanded sections on State Data Privacy and Security Laws added, such as:

  • Section V.B.a – Applicability and thresholds (e.g., resident counts, revenue)

  • Section V.B.b – Data Subject Rights

  • Section V.B.c – Privacy Notice Requirements (e.g., CalOPPA)

  • Section V.B.d – Data Security Requirements

  • Section V.B.e – Data Protection Agreements

  • Section V.B.f – Risk/Data Protection Assessments

  • Section V.B.g – Health Data Rules (e.g., MHMD Act, SB 370, GIPA)

  • Section V.B.h – Data Retention and Destruction

  • Section V.B.i – Sale and Sharing of PI

  • Section V.B.j – Enforcement (including cure periods, penalties)

  • Section V.B.m.ii – Additional Biometric Privacy Laws (WA, TX, etc.)

  • Section V.B.n – AI Bias and Automated Decision-Making (CA, CO, NYC, etc.)

  • Section V.B.o – Additions like CA’s Delete Act and new laws in FL, OR, TX, MT


These updates reflect a broader shift: state-level privacy laws are gaining more weight on the exam, now accounting for 6–8 questions, per the Exam Blueprint.


Additional Topics Mentioned by IAPP


The IAPP has summarized the new content below: 

  • Privacy torts

  • Data processing agreements

  • Data portability

  • Web scraping

  • Cookie deprecation

  • Sale of Personal Information

  • New topics on state privacy laws (with a cross-reference to the BoK)


While other new topics are not explicitly listed in the BoK, IAPP highlights a few new areas to expect on the exam, which include privacy torts, data portability, cookie deprecation, and sale of personal information.


These topics are likely covered under broader categories in the BoK, but candidates should still be familiar with them.


What Was Removed?


A few specific references have been retired from the BoK:

  • Social Security Numbers under state privacy/security laws

  • Illinois HB 1260

  • Massachusetts HB 4806


The IAPP also removed the broad "Other significant state acts and laws" catch-all category under Section V.B. However, some removed laws may still be fair game, as they fall under broader legal categories (e.g., breach notification amendments).


While these topics have been removed and may be unlikely to be the focus of the CIPP/US exam, you’ll probably see a question about these state laws.


Our Take on Some Changes


This year’s CIPP/US BoK updates are relatively minimal. The structure remains the same, and while some state-level laws and concepts have been added, removed, or updated, IAPP has stated that its annual updates to its various certification exams include new content that will amount, at most, to just 10-15% of the exam. 


If you're preparing for the exam after September 2, 2024, we suggest you review the newly added topics, especially state law updates and AI bias regulations.




Comments

bottom of page