Q3 2024 Annual Updates


Each year, the IAPP updates exam forms to reflect changes in the industry and retire older questions.

Are these new IAPP tests?
These tests are not new IAPP exams — they are updated forms of our existing certification exams. Think of forms as separate versions of a specific test. The IAPP’s CIPM exam, for example, may have a Form 1, Form 2, Form 3, etc.

Some exam questions repeat across different forms and some are unique to each.

However, all exams cover the same general content in a designation, regardless of the questions that appear on each form.

How are the new forms different from the exam forms currently in use?
Candidates testing on the new forms should prepare for questions on the topics listed below. There are new versions of the body of knowledge here under “Certification - Free Resources.” Scores will be available immediately after taking your exam.

The CIPP/E, CIPP/US, CIPM and CIPT tests for the new forms all have 90 questions and the same time limit of 2.5 hours.

The following represents updated content you can expect on the exams:

CIPP/E Updates

  • EU Data Act.
  • Guidelines 05/2022 on the use of facial recognition technology in the area of law enforcement.
  • Guidelines 3/2022 on Dark patterns in social media platform interfaces.
  • Risks involved in employee data (e.g., via social media and AI systems).
  • GDPR relationship with other global legislations (U.S., U.K ., Switzerland, Germany).
  • Ransomware breach notification procedures.

CIPP/US Updates

  • Privacy torts.
  • Data processing agreements.
  • Data Portability.
  • Web scraping.
  • Cookie deprecation.
  • Sale of PI.
  • New topics related to state privacy laws (refer to Body of Knowledge version 2.6).

CIPM Updates

  • Clarified language.
  • Added Performance Indicators:
    • Competency I.A: Understand the organization's business strategy and risk appetite.
    • Competency I.C: Understand the privacy risks posed by the use of AI in the business environment.
    • Competency II.A: Create data retention and disposal policies and procedures.
    • Competency II.B: Define roles and responsibilities of privacy team and stakeholders.
    • Competency III.D: Collaborate with relevant stakeholders to identify and evaluate technical controls.
  • Deleted Performance Indicators:
    • Competency V.C PI:3: Ensure AI usage is ethical, unbiased, meets data minimization and purpose limitation expectations and is in compliance with any regulations and/or privacy laws.
  • Re-ordered Performance Indicators:
    • Competencies I.A and II.B.

CIPT Updates

  • Added Performance Indicators:
    • Advise on Privacy by Design implementation via privacy engineering in systems engineering processes.
    • Provide technical privacy support to identify and respond to privacy breaches and other types of incidents.
    • Demonstrate how the principles of privacy risk are embedded into the design process.
    • Apply Value Sensitive Design aligned with Privacy by Design principles.
    • Identify and minimize privacy risk involved when using DNA.