CIPP/US Certification Privacy Law Compilation

by John Bandler

If you are reading this, it is probably because you are taking my online course for the InfoSec Institute to learn privacy law (and cybersecurity law) and prepare for the CIPP/US certification exam. That online course has what you need; this is merely a supplemental resource listing some of the laws, regulations, and regulators outlined in the IAPP CIPP/US Body of Knowledge (BOK).

This article is not a fun read. It is not even a tolerable read. But it is a listing of laws and regulations.

For background information and additional reading, first read these:

And consider this:

  • CIPP/US stands for Certified Information Privacy Professional, United States, and focuses on US privacy law and practice. The certification is administered by the IAPP.
  • IAPP stands for International Association of Privacy Professionals.
  • What the CIPP/US calls "Privacy Law" includes other types of law relating to data, cybersecurity, data breach reporting, and more. In fact, it also covers broad swathes of traditional law.
  • This summarizes information from the CIPP/US Body of Knowledge (BOK), so it can be a jumping-off point to learn more about specific laws.

Privacy regulators in the US

Here is a list of regulatory authorities emphasized in the BOK for having responsibilities relating to privacy.

  • Federal Trade Commission (FTC) ***
  • Federal Communications Commission (FCC)
  • Department of Commerce (DoC)
  • Department of Health and Human Services (HHS)
  • Federal Reserve Board
  • Comptroller of the Currency
  • Consumer Financial Protection Bureau
  • State attorneys general
  • Self-regulatory programs and trust marks
  • More!

U.S. agencies regulating workplace privacy issues

  • Federal Trade Commission (FTC)
  • Department of Labor
  • Equal Employment Opportunity Commission (EEOC)
  • National Labor Relations Board (NLRB)
  • Occupational Safety and Health Act (OSHA)
  • Securities and Exchange Commission (SEC)

Privacy frameworks to know

  • APEC privacy framework, Asia-Pacific Economic Cooperation   https://www.apec.org/
  • OECD privacy framework, Organisation for Economic Co-operation and Development

Privacy laws listed in the CIPP US body of knowledge

Here is a list of specific privacy laws mentioned in the CIPP/US body of knowledge, with light annotations and some links.

Europe (important for the U.S.!)

  • GDPR General Data Protection Regulation   https://gdpr.eu/
    • U.S. Safe Harbor and Privacy Shield
    • Binding Corporate Rules (BCRs)
    • Standard Contractual Clauses

US general

Health

  • The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
    • HIPAA privacy rule
    • HIPAA security rule
  • Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009
  • The 21st Century Cures Act of 2016
  • Confidentiality of Substance Use Disorder Patient Records Rule, 42 CFR Part 2

Financial

  • The Fair Credit Reporting Act of 1970 (FCRA)
  • The Fair and Accurate Credit Transactions Act of 2003 (FACTA)
  • The Financial Services Modernization Act of 1999 (“Gramm-Leach-Bliley” or GLBA)
    • GLBA privacy rule
    • GLBA safeguards rule
  • Red Flags Rule
  • Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010
    • Created Consumer Financial Protection Bureau
  • Right to Financial Privacy Act of 1978
  • Bank Secrecy Act of 1970 (BSA)

Education

  • Family Educational Rights and Privacy Act of 1974 (FERPA)

Telecommunications - marketing - entertainment

  • Telephone Consumer Protection Act of 1991 (TCPA)
  • Telemarketing sales rule (TSR)
  • The Do-Not-Call registry (DNC)
  • Combating the Assault of Non-solicited Pornography and Marketing Act of 2003 (CAN-SPAM)
  • The Junk Fax Prevention Act of 2005 (JFPA)
  • The Wireless Domain Registry
  • Telecommunications Act of 1996 and Customer Proprietary Network Information
  • Cable Communications Privacy Act of 1984 (CCPA)
  • Video Privacy Protection Act of 1988 (VPPA)
  • Video Privacy Protection Act Amendments Act of 2012 (H.R. 6671) (VPPAAA)

Law enforcement

  • Electronic Communications Privacy Act (ECPA)
    • Wiretap Act
    • Stored Communications Act (SCA)
    • Pen Register Trap and Trace Devices
  • The Communications Assistance to Law Enforcement Act (CALEA)
  • Privacy Protection Act of 1980

National security

  • Foreign Intelligence Surveillance Act of 1978 (FISA)
  • FISA Amendments Act of 2008: Section 702
  • USA-PATRIOT Act: Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001
  • The USA Freedom Act of 2015
  • The Cybersecurity Information Sharing Act of 2015 (CISA)

U.S. Anti-discrimination laws

  • Civil Rights Act of 1964
  • Americans with Disabilities Act (ADA)
  • Genetic Information Nondiscrimination Act (GINA)

State laws

Remember again that privacy, cybersecurity, and breach notification laws often overlap. And federal and state enforcement can overlap too.

IAPP has great summaries of state laws, which are changing rapidly. Here is the list of laws specifically mentioned in recent BOKs. You cannot be expected to master every state's law.

State "privacy" and "security" laws

  • Illinois Biometric Information Privacy Act (BIPA) (2008)
  • California Electronic Communications Privacy Act (2015)
  • California Consumer Privacy Act (CCPA) (2018)
  • California Privacy Rights Act (CPRA) (2020)
    • Note that California has created a separate privacy regulator, the California Privacy Protection Agency (CPPA) (unlike other states where the state Attorney General does privacy and cybersecurity regulation and enforcement)
  • Delaware Online Privacy and Protection Act (2016)
  • Nevada SB 538 (2017)
  • Illinois Right to Know Act (2017)
  • New Jersey Personal Information and Privacy Protection Act (2017)
  • Washington Biometric Privacy Law (H.B. 1493) (2017)
  • NYDFS Cybersecurity Regulation (financial sector) (2017)
  • Virginia Consumer Data Protection Act (VCDPA) (2021)
  • Colorado Privacy Act (CPA) (2021)
  • Nevada Privacy Law & Amendment (SB280) (2019/2021)
  • Connecticut Data Privacy Act (CTDPA) (2022)
  • Utah Consumer Privacy Act (UCPA) (2022)
  • California Age-Appropriate Design Code Act (A.B. 2273) (2022)

State "Data Breach Notification Laws"

Remember that every state now has a data breach notification law. Recent BOKs have mentioned these laws.

  • Tennessee SB 2005
  • Illinois HB 1260
  • California AB 2828
  • New Mexico HB 15
  • Massachusetts HB 4806

Also consider

  • NYS SHIELD Act (2019) (not mentioned in the BOK, but it is my home state's notification and security law)

Additional privacy laws you should know about

Take a look at some of my other articles on this site and at the IAPP site.

Conclusion and Disclaimer

The CIPP/US is an excellent certification from an excellent organization, and studying for it will give you an excellent foundation in law and privacy (and laws relating to information security).

I prepared the CIPP/US study course, hosted by the InfoSec Institute, a respected and leading online educational provider. I learned a lot, and think you will too.

See other CIPP/US and law references on this site. Remember that this is just a brief summary, and that IAPP is the final authority on the certification and body of knowledge that it administers.

John Bandler’s Articles & Work Relating to the CIPP/US certification and Privacy Laws

This page is hosted at https://johnbandler.com/cipp-us-certification-law-compilation. Copyright John Bandler, all rights reserved. No claim to legal materials.

Please notify us of any corrections or updates.

Page posted 12/09/2021. Updated 03/14/2023.