CIPP/US Certification Privacy Law Compilation

CIPP/US Certification Privacy Law Compilation

by John Bandler

If you are reading this it is probably because you are taking one of my online courses to learn privacy law (and cybersecurity law) and prepare for the CIPP/US certification exam. That online course has what you need, this is merely a supplemental resource to list some laws, regulations, and regulators that are outlined in the IAPP CIPP/US Body of Knowledge (BOK).

This is not really an article but more of a listing of laws and regulations.

It is easy to feel overwhelmed, but remember that you do not need to be a master of every detail of all of these laws. My courses have the prioritized information, the rest of this is for people who want more. Remember that only a small group of attorneys that choose to specialize in this area of privacy and cybersecurity laws.

* Please pardon the construction as I update my courses and webpages *

For background information and additional reading, first read these:

• John's Main CIPP/US landing page, https://johnbandler.com/cippus/ (links to all 7 parts of John's CIPP/US learning)
• John's CIPP/US Part 1, About the CIPP/US, IAPP, Privacy and Law Basics, Studying and Exam Taking, https://johnbandler.com/cippus/part1/
• Cyberlaw: Law for Digital Spaces and Information Systems (my 2025 book, see my chapter resource pages also)
  • Chapter 29, Data law introduced
    • Ch 29 resource page, https://johnbandler.com/cyberlawbook-resources-ch29/
  • Chapter 30, Data breach notification laws
    • Ch 30 resource page, https://johnbandler.com/cyberlawbook-resources-ch30/
  • Chapter 31, Cybersecurity and data protection laws
    • Ch 31 resource page, https://johnbandler.com/cyberlawbook-resources-ch31/
  • Chapter 32, Privacy and privacy laws
    • Ch 32 resource page, https://johnbandler.com/cyberlawbook-resources-ch32/
• Consumer Privacy Rights, https://johnbandler.com/consumer-privacy-rights/
• And consider my online course on CIPP/US at Udemy (check for my coupon code first).

And consider this:

• CIPP/US stands for Certified Information Privacy Professional, United States and focuses on US privacy law and practice. The certification is administered by the IAPP
• IAPP stands for International Association of Privacy Professionals.
• What the CIPP/US calls "Privacy Law", includes other types of law relating to data, cybersecurity, data breach reporting, and more. In fact, it also covers broad swathes of traditional law.
• This summarizes information from the CIPP/US Body of Knowledge (BOK). So this can be a jump off point to learn more about specific laws.

Privacy regulators in the US

Here is a list of regulatory authorities emphasized in the BOK for having responsibilities relating to privacy.

• Federal Trade Commission (FTC) ***
• Federal Communications Commission (FCC)
• Department of Commerce (DoC)
• Department of Health and Human Services (HHS)
• Federal Reserve Board
• Comptroller of the Currency
• Consumer Financial Protection Bureau
• State attorneys general
• Self-regulatory programs and trust marks
• More!

U.S. agencies regulating workplace privacy issues

• Federal Trade Commission (FTC)
• Department of Labor
• Equal Employment Opportunity Commission (EEOC)
• National Labor Relations Board (NLRB)
• Occupational Safety and Health Act (OSHA)
• Securities and Exchange Commission (SEC)

Privacy frameworks to know

• APEC privacy framework, Asia-Pacific Economic Cooperation   https://www.apec.org/
• OECD privacy framework, Organisation for Economic Co-operation and Development

Privacy laws listed in the CIPP US body of knowledge

Here is a list of specific privacy laws mentioned in the CIPP/US body of knowledge, with light annotations and some links.

Europe (important for the U.S.!)

• GDPR General Data Protection Regulation
  • The text of GDPR can be found through https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en
  • https://commission.europa.eu/law/law-topic/data-protection/reform/rules-business-and-organisations_en
  • Text of GDPR: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=EN
  • IAPP GDPR topic page  https://iapp.org/resources/topics/eu-gdpr/
• U.S. Safe Harbor and Privacy Shield
• Binding Corporate Rules (BCRs)
• Standard Contractual Clauses

US general

• The Federal Trade Commission Act
• The Children’s Online Privacy Protection Act of 1998 (COPPA)
  • 15 U.S.C Chapter 91 - Children’s Online Privacy Protection Act, 15 USC §6501 et seq, https://www.law.cornell.edu/uscode/text/15/chapter-91
  • 16 CFR Part 312 - Children's Online Privacy Protection Rule, 16 CFR §312. et seq, https://www.law.cornell.edu/cfr/text/16/part-312

Health

• The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
  • HIPAA privacy rule
  • HIPAA security rule
• Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009
• The 21st Century Cures Act of 2016
• Confidentiality of Substance Use Disorder Patient Records Rule, 42 CFR Part 2

Financial

• The Fair Credit Reporting Act of 1970 (FCRA)
• The Fair and Accurate Credit Transactions Act of 2003 (FACTA)
• The Financial Services Modernization Act of 1999 (“Gramm-Leach-Bliley” or GLBA)
  • GLBA privacy rule
  • GLBA safeguards rule
• Red Flags Rule
• Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010
  • Created Consumer Financial Protection Bureau
• Right to Financial Privacy Act of 1978
• Bank Secrecy Act of 1970 (BSA)

Education

• Family Educational Rights and Privacy Act of 1974 (FERPA)

Telecommunications - marketing - entertainment

• Telephone Consumer Protection Act of 1991 (TCPA)
• Telemarketing sales rule (TSR)
• The Do-Not-Call registry (DNC)
• Combating the Assault of Non-solicited Pornography and Marketing Act of 2003 (CAN-SPAM)
• The Junk Fax Prevention Act of 2005 (JFPA)
• The Wireless Domain Registry
• Telecommunications Act of 1996 and Customer Proprietary Network Information
• Cable Communications Privacy Act of 1984 (CCPA)
• Video Privacy Protection Act of 1988 (VPPA)
• Video Privacy Protection Act Amendments Act of 2012 (H.R. 6671) (VPPAAA)

Law enforcement

• Electronic Communications Privacy Act (ECPA)
  • Wiretap Act
  • Stored Communications Act (SCA)
  • Pen Register Trap and Trace Devices
• The Communications Assistance to Law Enforcement Act (CALEA)
• Privacy Protection Act of 1980

National security

• Foreign Intelligence Surveillance Act of 1978 (FISA)
• Amendments Act: Section 702 (2008)
• USA-PATRIOT Act: Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001
• The USA Freedom Act of 2015
• The Cybersecurity Information Sharing Act of 2015 (CISA)

U.S. Anti-discrimination laws

• Civil Rights Act of 1964
• Americans with Disabilities Act (ADA)
• Genetic Information Nondiscrimination Act (GINA)

State laws

Remember again that privacy, cybersecurity, and breach notification laws often overlap. And federal and state enforcement can overlap too.

IAPP has great summaries of state laws and they are changing rapidly. Here is the list of laws specifically mentioned in recent BOKs. You cannot be expected to master every state's law.

State “privacy" and "security" laws

• Illinois Biometric Information Privacy Act (BIPA) (2008)
• California Electronic Communications Privacy Act (2015)
• California Consumer Privacy Act (CCPA) (2018)
• California Privacy Rights Act (CPRA) (2020)
  • Note that California has created a separate privacy regulator, the California Privacy Protection Agency (CPPA) (unlike other states where the state Attorney General does privacy and cybersecurity regulation and enforcement)
• Delaware Online Privacy and Protection Act (2016)
• Nevada SB 538 (2017)
• Illinois Right to Know Act (2017)
• New Jersey Personal Information and Privacy Protection Act (2017)
• Washington Biometric Privacy Law (H.B. 1493) (2017)
• NYDFS Cybersecurity Regulation (financial sector) (2017)
• Virginia Consumer Data Protection Act (VCDPA) (2021)
• Colorado Privacy Act (CPA) 2021
• Nevada Privacy Law & Amendment (SB280) (2019/2021)
• Connecticut Data Privacy Act (CTDPA) (2022)
• Utah Consumer Privacy Act (UCPA) (2022)
• California Age-Appropriate Design Code Act (A.B. 2273) (2022)

State “Data Breach Notification Laws”

Remember that every state now has a data breach notification law. Recent BoK's have mentioned these laws.

• Tennessee SB 2005
• Illinois HB 1260
• California AB 2828
• New Mexico HB 15
• Massachusetts HB 4806

Also consider

• NYS SHIELD Act (2019) (not mentioned in the BoK but is my home state, a notification and security law)

Additional privacy laws you should know about

Take a look at some of my other articles on this site and at the IAPP site.

Conclusion and Disclaimer

The CIPP/US is an excellent certification from an excellent organization, and studying for it will give you an excellent foundation in law and privacy (and laws relating to information security).

I prepared the CIPP/US study course on the Udemy platform, and another one before that for another platform. I learned a lot, and think you will too.

See other CIPP/US and law references on this site and remember this is just a brief summary and that IAPP is the final authority on the certification and body of knowledge that they administer.

John Bandler’s Articles & Work Relating to the CIPP/US certification and Privacy Laws

• CIPP/US Main jump off page with links: https://johnbandler.com/cippus
• Part 1:  Intro to law, privacy, and CIPP/US, https://johnbandler.com/cippus/part1/
  • Brief descriptions if IAPP, CIPP/US, other, introductory information, IAPP links and references, privacy study references, etc.
  • Links to many additional resources, including my CIPP/US FAQ, learning, privacy laws
  • My article: About the CIPP/US, IAPP, Privacy and Law Basics, Studying and Exam Taking
• Part 2: CIPP/US BoK I, Intro US Law and Privacy, https://johnbandler.com/cippus/part2/
  • An introduction to U.S. law and U.S. privacy law, tracking CIPP/US Body of Knowledge (BoK) Domain I.
• Part 3: CIPP/US BoK II, Federal Privacy Law, https://johnbandler.com/cippus/part3/
  • Federal civil privacy laws, meaning federal laws that relate to privacy, cybersecurity, and data breach notifications. Domain II.
• Part 4: CIPP/US BoK III, Government Access, https://johnbandler.com/cippus/part4/
  • Fourth Amendment, ECPA, FISA, eDiscovery, laws on how government can obtain or compel data and evidence. Domain III.
• Part 5: CIPP/US BoK IV, Workplace Privacy https://johnbandler.com/cippus/part5/
  • Privacy in the workplace, laws on hiring, monitoring, firing, anti-discrimination laws. Domain IV.
• Part 6: CIPP/US BoK V, State Privacy Law, https://johnbandler.com/cippus/part6/
  • State laws on privacy, cybersecurity, data breach notification. States have led the way. Preemption issues.
• Part 7: Conclusion and Bring Together, https://johnbandler.com/cippus/part7/
  • Conclude
• My Udemy course was originally geared for lawyers and law students, but many non-lawyers have taken it too. It is on the Udemy learning platform, and you can purchase it for under $20, including with my coupon code.
  • • Go direct to my Udemy CIPP/US landing page (don't buy until you check my coupon code)
    • Check here for a coupon code first (if expired ask me to generate another)
• Another course is geared for information security professionals, on the Infosec Skills learning platform (they were bought by Cengage, and that platform is subscription based).

If you are not ready for a deep dive yet, here's some introductory materials on data law and privacy:

• Data law, https://johnbandler.com/data-law/
  • What is Data law (YouTube), https://youtu.be/thyW3XoGrYg
• Privacy, https://johnbandler.com/privacy/
  • What is Privacy (YouTube), https://youtu.be/xvdoZNULC-8

This page is hosted at https://johnbandler.com/cipp-us-certification-law-compilation. Copyright John Bandler, all rights reserved. No claim to legal materials.

Please notify me of any corrections or updates.

Page posted 12/09/2021. Page updated 03/23/2026 but law links need work.