CIPP/US (Certified Information Privacy Professional/United States) Ultimate Cheat Sheet
Your Quick Reference Study Guide
This cheat sheet covers the core concepts, terms, and definitions you need to know for the CIPP/US (Certified Information Privacy Professional/United States). We've distilled the most important domains, topics, and critical details to help your exam preparation.
💡 Note: While this study guide highlights essential concepts, it's designed to complement—not replace—comprehensive learning materials. Use it for quick reviews, last-minute prep, or to identify areas that need deeper study before your exam.
About This Cheat Sheet: This study guide covers core concepts for CIPP/US (Certified Information Privacy Professional/United States). It highlights key terms, definitions, common mistakes, and frequently confused topics to support your exam preparation.
Use this as a quick reference alongside comprehensive study materials.
Domain I — The U.S. Privacy Environment (30%)
ECPA (incl. SCA): Law‑Enforcement Access Rules
Federal rules for compelled access to electronic communications — distinguishes content, metadata, storage, and provider
Key Insight
Content vs non‑content and storage status drive process: warrants commonly for content; subpoenas/orders depend on SCA categories.
Common Mistakes
- Treat the 180‑day 'older email' rule as absolute — it's limited and context‑specific.
- Assume metadata always requires a warrant — many provider records use lower processes.
- Think providers may never voluntarily disclose content — consents and limited disclosures occur.
UDAP/UDTP — State Consumer‑Protection for Privacy
State unfair/deceptive laws policing privacy/security practices; enforced by state AGs, private suits, and sometimes pre
Key Insight
UDAP claims can target privacy harms without out‑of‑pocket loss; federal preemption is narrow and fact‑specific.
Common Mistakes
- Assume federal law automatically preempts state UDAP claims.
- Think only the FTC enforces unfair practices — state AGs and private plaintiffs often can.
- Believe UDAP always needs monetary loss or proof of intent to deceive.
Criminal vs Civil Liability — Who Sues & What They Win
Who enforces (government vs private), the burden of proof, and the remedies each route can secure.
Key Insight
Govt prosecutes crimes (higher burden, fines/prison); private civil suits seek damages/injunctions; statutes decide who may sue.
Common Mistakes
- Thinking private parties can directly file criminal charges
- Assuming civil suits only recover money damages
- Believing every statutory violation creates a private right to sue
Privacy Torts: Intrusion, Disclosure, Appropriation, False Light
Four distinct torts: seclusion invasion, publicizing private facts, commercial use of identity, and misleading portrayal
Key Insight
Match tort to harm: intrusion = invasion of seclusion (no publication needed); disclosure = publicity of private facts; appropriation = commercial use
Common Mistakes
- Equating false light with defamation
- Assuming appropriation only protects celebrities
- Believing intrusion requires publication
Data Inventory & Scoping — Living Map
Living catalog of personal data: locations, purposes, flows, owners and retention to enable notices, SARs and cross‑bord
Key Insight
Classify records by purpose + flow + owner — that triple answers SARs, legal holds and cross‑border controls.
Common Mistakes
- Thinking an inventory must list every individual or every field to be useful.
- Only inventorying customer-facing records and ignoring HR, security logs or backups.
- Treating the inventory as the retention schedule—different uses and governance.
Controller vs Processor — Roles & Liability
Controller decides purpose/means; processor performs per instructions — DPAs, oversight and liability differ in practice
Key Insight
Controller = decision-maker (purpose/means); processors still have compliance duties and can incur liability.
Common Mistakes
- Assuming the data subject 'owns' the data and can unilaterally direct controllers/processors.
- Believing a processor is just a technical vendor with no compliance obligations or liability.
- Thinking a DPA fully transfers GDPR liability from controller to processor.
Domain II — Federal Privacy Laws (17%)
COPPA — Children's Online Privacy (Under-13 Rule)
Protects children under 13: notice, verifiable parental consent, limits collection/retention; PII is broad.
Key Insight
Persistent IDs, photos, geolocation or data combinations can be PII — verifiable parental consent is the trigger.
Common Mistakes
- Assuming COPPA covers minors to 18 — it's only for children under 13.
- Thinking only direct identifiers count — device IDs, IPs, photos & combos can be PII.
- Believing removing one identifier ends obligations — re-identification risk still triggers COPPA.
FTC Section 5 — Unfair & Deceptive Acts (Privacy/Security)
FTC authority to challenge unfair or deceptive privacy/security practices; unfairness needs substantial, avoidable harm.
Key Insight
Deception is judged objectively (no intent required); unfairness hinges on meaningful consumer injury, not mere annoyance.
Common Mistakes
- Thinking deception needs proof of intent — intent is not required.
- Believing any minor inconvenience is 'substantial' harm — FTC looks for real, non-trivial injury.
- Assuming a data breach automatically proves a Section 5 violation — you must show unfair/deceptive practices.
HIPAA Privacy & Security (ePHI, HITECH)
HHS rules that set safeguards for PHI/ePHI, breach notification, and business-associate obligations.
Key Insight
Rules implement the HIPAA statute — focus on who is covered, required safeguards (addressable vs required), and HITECH breach/BA duties.
Common Mistakes
- Treat HIPAA statute and HHS Rules as the same text
- Assume HIPAA creates a private federal right of action
- Think encryption is always mandatory under the Security Rule
HIPAA Privacy Rule (PHI uses & disclosures)
HHS standard for permitted uses/disclosures of PHI by covered entities and their business associates; many TPO uses need
Key Insight
PHI = identifiable health info; de-identified data is not PHI. Treatment, Payment, Operations (TPO) often allowed without authorization.
Common Mistakes
- Treat all health-related data as PHI — de‑identified data is not PHI
- Assume every employer or org handling health data is a covered entity
- Believe patient authorization is required for TPO disclosures
Enforcement Map — FTC, CFPB, OCC, FDIC, NCUA, AGs
Who can enforce financial-privacy rules: jurisdiction depends on charter, activity, and statutory authority — not one en
Key Insight
Depository institutions fall primarily under banking regulators (OCC/FDIC/NCUA); FTC generally lacks jurisdiction over them; state AGs and CFPB can·or
Common Mistakes
- Assuming the FTC enforces all financial-privacy claims — it often lacks jurisdiction over depository institutions.
- Believing only the bank’s federal regulator can bring enforcement — state AGs and other agencies may also act.
- Treating all federal banking regulators as identical — charter type and statutory powers differ (OCC vs FDIC vs NCUA).
GLBA & Safeguards Rule — BHCA §4(k) Coverage
Requires covered financial institutions to protect nonpublic personal information; 'financial institution' uses BHCA §4(
Key Insight
Coverage hinges on the BHCA §4(k) 'significantly engaged' facts‑and‑circumstances test; Safeguards Rule mandates a risk‑based security program, not a
Common Mistakes
- Thinking only banks are covered by GLBA — nonbank firms can be covered if 'significantly engaged' in financial activities.
- Assuming any minor financial activity automatically excludes GLBA — 'significantly engaged' is a facts‑and‑circumstances test.
- Treating the Safeguards Rule as a prescriptive checklist or thinking a privacy notice alone meets GLBA obligations.
FERPA — Education Records & Exclusions
Defines what counts as an 'education record', who may access it, and key exclusions (sole‑possession, vendor‑maintained,
Key Insight
School‑maintained records (including vendor‑maintained on the school's behalf) are education records; sole‑possession notes and many school health/cam
Common Mistakes
- Treating every piece of student info as an education record (e.g., teacher's private notes).
- Assuming vendor‑held data are never FERPA records.
- Believing school health/counseling records are automatically governed by HIPAA.
FERPA Exceptions & Parental Access
Permits specific disclosures without consent: transfers, school officials, safety/law requests, de‑identified research,
Key Insight
Parental access ends at postsecondary unless the student is an IRS‑dependent or consents; researchers generally need de‑identified data or a written D
Common Mistakes
- Assuming parents always retain full access to college records.
- Fulfilling grad‑school or employer requests without a FERPA exception or student consent.
- Thinking the research exception allows sharing PII without de‑identification or a DUA.
TSR & DNC — Exemptions, Disclosures, Liability
FTC Telemarketing Sales Rule + National Do‑Not‑Call: required disclosures, banned practices, narrow DNC exemptions, and
Key Insight
DNC blocks telemarketing to registered numbers unless consent/EBR or narrow exemptions; TSR adds disclosure, no‑abandonment and recordkeeping duties —
Common Mistakes
- Assuming sellers or lead generators are immune — they can be liable if they control or benefit from calls.
- Believing DNC stops every incoming call — consent, established business relationships and narrow exemptions (political, charity, survey, debt) apply.
- Thinking abandonment only means completely unanswered calls — it can include answered calls routed without an available agent or improper prerecorded routing.
Private Right of Action — Statutory Suits & Damage Math
When statutes (CCPA, TCPA, VPPA) create a private cause of action: check triggering language, remedies, and per‑violation/
Key Insight
Private suits require explicit (or strongly implied) statutory language; damages are often per‑violation/per‑plaintiff, so class suits can multiply li
Common Mistakes
- Assuming any privacy protection creates a private right — courts require explicit or clearly implied language.
- Treating statutory damages as one lump sum — many statutes authorize per‑violation amounts that multiply across plaintiffs.
- Relying on consent as an absolute defense — consents can be invalid, limited, revoked, or ineffective under some statutes.
Domain III — Government and Court Access to Private-sector Information (6%)
Fourth Amendment — Warrant & Probable Cause
Constitutional guard against unreasonable searches/seizures; triggers warrant + probable‑cause rules and narrow, defined
Key Insight
Probable cause + a particularized warrant is the default; consent, exigency, plain‑view and arrest exceptions are narrowly applied.
Common Mistakes
- Treating reasonable suspicion as equivalent to probable cause.
- Assuming every government search requires a warrant.
- Thinking provider consent always waives Fourth Amendment limits.
FISA/FISC — National‑Security Surveillance Rules
Statutory regime and specialized (often secret) court that authorizes foreign‑intel surveillance, with unique targeting,
Key Insight
FISC largely reviews ex parte/classified orders under intelligence standards — not a mirror of criminal warrants; many orders include nondisclosure.
Common Mistakes
- Believing FISC operates like an open, adversarial federal court.
- Assuming FISA requires the same criminal probable‑cause showing.
- Thinking recipients can freely disclose FISA orders or immediately notify targets.
Compelled Government Data Access (Warrants, Subpoenas, NSLs)
When and how authorities compel data (warrants, subpoenas, NSLs, FISA) and required provider/recipient preservation, doc
Key Insight
Different legal tools set different standards, timelines and notice limits—warrants need probable cause; subpoenas/NSLs do not and may include gag or‑
Common Mistakes
- Assuming all compelled requests require a probable‑cause warrant.
- Treating a preservation request as an order to produce immediately.
- Believing providers can always notify customers despite gag orders.
FISA Section 702 — Foreign‑Targeted Collection
Authority to collect foreign intelligence by targeting non‑U.S. persons abroad; covers upstream/downstream collection, +
Key Insight
702 targets non‑U.S. persons abroad; incidental U.S. person collection is limited by minimization, querying and oversight rules.
Common Mistakes
- Assuming Section 702 authorizes bulk, warrantless surveillance of U.S. persons.
- Believing agencies have unrestricted access to all stored customer content under 702.
- Treating Section 702 as the same as traditional warrant‑based FISA (Title I).
eDiscovery — ESI Lifecycle & Defensible Handling
Manage ESI: preserve, collect, process, review, produce — defensibly under FRCP while protecting privilege/privacy.
Key Insight
Treat preservation, collection, processing, review and production as separate, auditable steps; use proportionality (FRCP 26), logs, and human checks.
Common Mistakes
- Assuming eDiscovery is only preservation (ignores processing/review/production rules).
- Believing all ESI must be produced — forgetting relevance, proportionality, privilege, and privacy limits.
- Trusting de-duplication/redactors as foolproof — automated tools need human validation.
Attorney–Client Privilege — Client-Controlled Shield
Protects confidential communications made for legal advice; the client holds and can waive the privilege; narrow, with 3
Key Insight
Privilege covers communications for legal advice (not routine business chat); third parties, crime–fraud, and certain waivers defeat it; client owns w
Common Mistakes
- Assuming every communication with an attorney is privileged regardless of purpose or presence of third parties.
- Thinking in-house counsel communications are automatically privileged in all contexts.
- Believing a 'Privileged' label or the attorney alone guarantees protection or controls waiver.
Domain IV — Workplace Privacy (8%)
FCRA — Employment Consumer Reports
Federal rules for employer use of consumer reports — standalone disclosure, signed authorization, and strict adverse‑act
Key Insight
Must give a clear written disclosure + separate authorization; follow exact pre‑adverse and final adverse notices or incur liability.
Common Mistakes
- Assuming oral consent suffices — FCRA requires a written disclosure + separate authorization.
- Believing FCRA only covers credit reports — it covers any consumer report used for hiring.
- Skipping pre/post‑adverse notices — FCRA prescribes specific timing and content for each notice.
ADA — Workplace Disability Rights
Title I forbids disability discrimination at work, restricts medical inquiries, and requires reasonable accommodations.
Key Insight
Medical exams/info must be job‑related and business‑necessary; accommodation is an interactive, fact‑specific duty, not an automatic right.
Common Mistakes
- Assuming unlimited medical exams/info — only job‑related, business‑necessary inquiries allowed.
- Believing accommodations are automatic — employer need only provide reasonable ones unless undue hardship.
- Confusing ADA with HIPAA — ADA governs discrimination, not medical‑privacy rules.
Monitoring Tech & ECPA (Electronic Communications Privacy Act)
Surveillance tools (email, IM, keystrokes, GPS, CCTV) and ECPA limits—what triggers wiretap vs. stored‑access rules.
Key Insight
Real‑time interception triggers ECPA/wiretap rules; access to stored communications is treated differently — ownership ≠ automatic waiver.
Common Mistakes
- Assuming blanket employer monitoring is always lawful
- Thinking a generic consent clause authorizes any monitoring
- Treating video and audio rules as identical; audio often needs stricter notice/consent
Workplace Privacy Sources — Statute, Tort, Contract & CBAs (NLRA)
Employee privacy comes from statutes, torts, contracts and collective‑bargaining obligations under the NLRA.
Key Insight
Collective Bargaining Agreements and NLRA duties can make monitoring/discipline a mandatory bargaining subject—individual consent doesn't negate that.
Common Mistakes
- Assuming notice to the union alone satisfies bargaining obligations
- Believing an individual employee's consent removes the employer’s duty to bargain
- Thinking a CBA clause automatically bans all employer monitoring
Domain V — State Privacy Laws (39%)
State AGs: Civil Power & UDAP Enforcement
State attorneys general can investigate and bring civil UDAP/other suits to get injunctions, restitution, and penalties.
Key Insight
AG power is broad but state-specific: civil-focused, can act proactively; remedies, procedures and scope vary by state and preemption isn't automatic.
Common Mistakes
- Thinking AGs can only bring criminal charges—many actions are civil UDAP suits.
- Assuming AG authority and remedies are uniform across all states.
- Believing federal enforcement automatically preempts state AG actions.
California Privacy Protection Agency (CPPA)
State agency created by the CPRA to issue binding regs, guidance, and enforce California privacy rules and penalties.
Key Insight
CPPA has independent rulemaking and enforcement under the CPRA, can reach out‑of‑state firms processing Californians' data; its regs aren't absolute‑f
Common Mistakes
- Equating CPPA with the California Attorney General's office.
- Assuming CPPA only issues nonbinding guidance and can't enforce.
- Thinking CPPA jurisdiction is limited to businesses physically in California.
CCPA — California Consumer Privacy Act
California law granting access, deletion and opt‑out of sale; requires notices, opt‑out tools and thresholds for scope.
Key Insight
Not universal — applies only when a business meets statutory thresholds (revenue/PI volume/percentage from sales); rights have exceptions.
Common Mistakes
- Assuming CCPA applies to every company regardless of size or thresholds.
- Treating the deletion right as absolute with no statutory exceptions.
- Believing federal laws automatically preempt CCPA compliance.
Privacy Notice Rules — Content, Timing, Conspicuousness
Consumer-facing disclosures must list data categories, purposes, sharing, and rights; be clear, conspicuous, timely, and
Key Insight
Timing and placement decide compliance — notice must appear at or before the point of collection and match actual practices.
Common Mistakes
- Relying on one generic privacy policy to satisfy all state timing and delivery rules.
- Assuming a footer link or buried menu item always meets ‘clear and conspicuous.’
- Using dense legalese or boilerplate and calling it a compliant notice.
State Breach Rules — Triggers, Notices & Exceptions
Which events, data elements, recipients, deadlines, and exemptions trigger state breach-notice duties.
Key Insight
States vary on the trigger (unauthorized access vs acquisition vs demonstrable harm), covered data types, deadlines, and required regulator/media/CBI/
Common Mistakes
- Assuming harm must be shown — many states trigger on unauthorized access or acquisition alone.
- Thinking encryption always avoids notice — exemptions depend on key management and state definitions.
- Believing one consumer notice covers all obligations — separate regulator, credit-bureau, or media notices may be required.
Incident Response Playbook — Contain, Preserve, Notify
A focused IR workflow: detect, contain, image/preserve evidence, determine legal notice duties, notify, remediate, and document
Key Insight
Engage legal/privacy early, preserve chain-of-custody (image before live analysis), and time notices to statutory triggers and law‑enforcement needs.
Common Mistakes
- Treating IR as IT-only — exclude legal, privacy, comms, and leadership at your peril.
- Waiting for confirmed exfiltration/attribution before notifying — many laws require notice on unauthorized access.
- Starting live-system forensics without imaging — you risk altering evidence and losing legal defensibility.