CIPP/US study lessons

Certified Information Privacy Professional, US

25 free, citation-backed lessons covering every exam domain. Read on any device, no login.

  1. Welcome: How to Pass the CIPP/US with AMLReady
     Meet your independent, public-source study aid for the IAPP CIPP/US. We map the five exam domains, explain why state privacy laws now carry the most weight, and set up the learn-test-review loop that actually moves your score. (5 min read)
  2. The Structure of U.S. Privacy Law: Sectoral, Not Omnibus
     The single idea behind the whole exam: the U.S. regulates privacy sector by sector and state by state, not under one law. Learn the five sources of law, the four privacy torts, and the Fair Information Practices that run through every statute. (5 min read)
  3. Who Enforces U.S. Privacy Law: FTC, AGs, Regulators & Private Suits
     The FTC is the closest thing to a national privacy regulator. Master Section 5's deceptive-versus-unfair tests, the role of state attorneys general and sector regulators, and which laws let consumers sue you directly. (5 min read)
  4. Information Management & Privacy Program Governance
     Turn law into a working program. We cover the data inventory, privacy notices, consumer-rights intake, vendor management, security, and incident response, plus the privacy-by-design reasoning the exam's best-answer questions reward. (5 min read)
  5. FTC Section 5: Unfair & Deceptive Practices and Consent Decrees
     How a broken privacy promise becomes a federal case. Learn the deceptive and unfair prongs, the FTC's reasonable-security benchmark, and why the twenty-year consent decree, not a first-offense fine, is the agency's real lever. (5 min read)
  6. Healthcare Privacy I: The HIPAA Privacy Rule
     HIPAA is narrower than people think. Nail the coverage question, what counts as PHI, and the treatment-payment-operations framework, plus minimum-necessary and patient rights, so the fitness-app and employer traps never catch you. (5 min read)
  7. Healthcare Privacy II: HIPAA Security, Breach & HITECH
     The Security Rule's three safeguard families, the risk analysis keystone, HITECH's business-associate liability, and the breach four-factor test and sixty-day clock, with the encryption safe harbor the exam loves to test. (5 min read)
  8. Financial Privacy: GLBA Privacy & Safeguards Rules and the FCRA/FACTA
     GLBA's notice-and-opt-out plus the written security program, then the FCRA's permissible-purpose, adverse-action, and dispute rules, and FACTA's Red Flags and Disposal Rules. Keep the lanes apart and the questions get easy. (5 min read)
  9. Education Privacy: FERPA and Student Data
     FERPA's funded-school scope, education records versus carve-outs, the consent default and its exceptions, and the directory-information and ed-tech traps where COPPA and PPRA also enter the picture. (5 min read)
  10. Children's Privacy: COPPA
     The under-13 trigger, verifiable parental consent, parental review-and-delete rights, and the FTC Safe Harbor, plus the new wave of state laws extending protections to teens, the layering the updated blueprint wants you to spot. (5 min read)
  11. Telemarketing & Do-Not-Call: TCPA and the Telemarketing Sales Rule
     Two regimes, two agencies. Master the TCPA's consent gradations and statutory-damages exposure, the Do-Not-Call Registry and its exceptions, and why a single careless text blast becomes a class action. (5 min read)
  12. Email & Digital Marketing: CAN-SPAM and Online Advertising
     CAN-SPAM is opt-out, not opt-in; learn its content checklist cold. Then cover online behavioral advertising, tightening state opt-out rights, and the VPPA's surprising punch against tracking-pixel video-data leaks. (5 min read)
  13. Telecommunications & Data Privacy: CPNI and the FCC
     The FCC's telecom-privacy regime: customer proprietary network information, the Cable Act's subscriber protections, and where telecom overlaps the TCPA, with a full Domain II wrap-up of the federal sectoral map. (5 min read)
  14. Law Enforcement Access: ECPA, the SCA, Wiretaps & the CLOUD Act
     When the government can reach private data. Separate ECPA's three parts (the Wiretap Act, Stored Communications Act, and Pen Register Act) using the content-versus-metadata and transit-versus-rest axes, plus CALEA and the CLOUD Act. (5 min read)
  15. National Security & the Privacy Act of 1974
     The Privacy Act governs federal agencies, not companies. Cover systems of records and routine uses, FOIA's counterweight, FISA and Section 702 surveillance, the PATRIOT and FREEDOM Acts, and national security letters. (5 min read)
  16. Civil Litigation, e-Discovery & Regulatory Demands
     Lawsuits and regulators reach private data too. Learn litigation holds and spoliation, protective orders and the SCA's civil-subpoena limit, civil investigative demands, and the cross-border discovery-versus-GDPR conflict. (5 min read)
  17. Hiring & Background Screening: FCRA, ADA & GINA
     The pre-employment phase. Master the FCRA disclose-authorize-pre-adverse-adverse sequence, the ADA's pre-versus-post-offer medical-inquiry timing, GINA's genetic-information bar, and the state ban-the-box overlays. (5 min read)
  18. Monitoring Employees: ECPA, Email, BYOD & Social Media
     What makes workplace monitoring lawful: ECPA's business-use and consent exceptions, the SCA line at personal accounts, video and biometric limits, and the NLRA and social-media-password protections employers can't trample. (5 min read)
  19. Investigations, Whistleblowers & Off-Duty Conduct
     Run a lawful workplace investigation, scoped and documented. Cover the FCRA misconduct carve-out, the Defend Trade Secrets Act immunity notice, drug-testing and off-duty-conduct limits, and privacy duties at termination. (5 min read)
  20. The State-Law Landscape & Breach Notification
     Why state law now dominates the exam. Learn preemption (floor versus ceiling), the universal-but-varied breach-notification duty, and Illinois BIPA's biometric notice, consent, and class-action-driving private right of action. (5 min read)
  21. The California Model: CCPA & CPRA
     The most-tested single state. Cover business thresholds and the service-provider-versus-third-party roles, the full consumer-rights list including sale and sharing, the CPPA regulator, the breach-only private suit, and honoring Global Privacy Control. (5 min read)
  22. The VCDPA Template: Virginia, Colorado, Connecticut & the Wave
     Learn one shared blueprint and answer most state questions: controller/processor roles, opt-out of ads-sale-profiling, opt-in for sensitive data, broad GLBA/HIPAA exemptions, and AG-only enforcement, with the key state-by-state twists. (5 min read)
  23. State Data Subject Rights, Consent & Sensitive Data
     The mechanics the updated blueprint rewards: response deadlines and appeals, verifying the requester before you disclose, the consent tiers for sensitive data, children and teens, and controller duties like minimization and data protection assessments. (5 min read)
  24. Sector & Emerging State Rules: Health, AI & Insurance
     The frontier the new blueprint adds: consumer-health-data laws beyond HIPAA like Washington's MHMDA, profiling and automated-decision opt-outs, state AI governance, and the NAIC AI and Insurance Data Security model guidance. (5 min read)
  25. Exam-Day Strategy & Full Course Review
     Assemble the five-domain map, run the triage habit, and spot the recurring distractors: GDPR-in-a-US-question, HIPAA over-reach, CAN-SPAM-as-opt-in. Then execute a final-week and exam-day plan built on best-answer technique. (5 min read)
