Q3 2025 Annual Updates
CIPP/US & CIPT (Beta) and CIPP/E, CIPP/C, CIPM (Updates) Updates
Each year, the IAPP updates exam forms to reflect changes in the industry and retire older questions. Our CIPP/E, CIPP/US, CIPP/C, CIPM and CIPT exam updates will be effective on 1 September 2025.
Are these new IAPP tests?
These tests are not new IAPP exams — they are updated forms of our existing certification exams. Think of forms as separate versions of a specific test. The IAPP’s CIPM exam, for example, may have a Form 1, Form 2, Form 3, etc.
Some exam questions repeat across different forms, and some are unique to each.
However, all exams cover the same general content in a designation, regardless of the questions that appear on each form.
Looking to get your CIPP/US or CIPT certification? By testing the new CIPP/US or CIPT beta exam form from 21-27 July, you will receive up to 50% off your exam fee — that is a potential savings of USD275 on a full price exam! Please click here for more information about taking the CIPP/US or CIPT beta exam this July.
How are the new forms different from the exam forms currently in use?
Candidates testing on the new forms should prepare for questions on the topics listed below. There are new versions of the body of knowledge here under “Certification - Free Resources.” Those planning to test on updated forms beginning fall 2025 as well as those testing on the CIPP/US or CIPT beta exams in July should refer to the Bodies of Knowledge effective on 1 September 2025.
The following represents updated content you can expect on the exams:
CIPP/US updates
- Mergers, Acquisitions & Divestitures.
- Departments of Insurance.
- NAIC AIS Governance Guidelines.
- Verifiable parental consent.
- Fiduciary duty.
- Intersection between US and non-US laws (e.g., GDPR, FADP).
- Data leaks (in terms of “Workforce Training”).
CIPT Updates
Most changes were re-organization and consolidation of topics:
- Number of domains reduced from 7 to 5.
- Broke up Domains I (Foundational Principles), III (Privacy risks, threats, and violations), IV (Privacy-enhancing strategies, techniques, and technologies) and distributed the content into other domains.
- Added Domain II (Data collection, use, dissemination, and destruction).
- Added performance indicators:
- Added performance indicator I.C.2: Understand and apply common privacy threat models and frameworks (e.g., LINDDUN and MITRE PANOPTIC™).
- Deleted performance indicators:
- VII.D.9: Identify and minimize privacy risk involved when using quantum computing.
- VII.D.10: Identify and minimize privacy risk involved when using blockchain, cryptocurrencies and non-fungible tokens (NFT).
- VII.D.11: Identify and minimize privacy risk involved when using virtual/augmented reality.
- VII.D.9: Identify and minimize privacy risk involved when using quantum computing.
- VII.D.10: Identify and minimize privacy risk involved when using blockchain, cryptocurrencies and non-fungible tokens (NFT).
- VII.D.11: Identify and minimize privacy risk involved when using virtual/augmented reality.
CIPP/E Updates
- EDPB "Opinion 22/2024 on certain obligations following from the reliance on processor(s) and sub-processor(s)".
- EDPB "Opinion 04/2024 on the notion of main establishment of a controller in the Union under Article 4(16)(a) GDPR".
- EDPB Guidelines 1/2024 on processing of personal data based on Article 6(1)(f) GDPR.
- AI and the GDPR (various topics).
- Privacy and Security Incidents (various topics).
Please note: The CIPP/E Body of Knowledge and Exam Blueprint have been reorganized. Domain II (European Data Protection Law and Regulation), previously comprised of sub-topics A. through K., has been split into Domains II., III. (European Data Processing), and IV. (European Data Protection: Scope & Accountability). The sub-topics in these new domains, and the number of exam questions apportioned to them, are the same as in the previous versions of the BoK and EBP. All changes are strictly organizational.
CIPM Updates
Clarified language and examples:
Most of these changes are clarifying language, so the content is the same, but is more concrete and precise. Some of the content may have been relocated or combined together.
In some cases, performance indicators were deleted because they were covered elsewhere in the BoK.
CIPP/C Updates
Clarified language and examples:
I.B.5 Understand the common governance principles for responsible AI (e.g., the OECD AI Principles, NIST's 'AI RMF', Voluntary Code of Conduct on the Responsible Development and Management of Advanced Generative AI Systems).
Added NEW Performance Indicators:
- I.B.7 Identify the roles and responsibilities of the relevant stakeholders in supporting the organization’s compliance efforts, including the privacy officer when applicable.
- II.C.2 Understand the penalties for non-compliance of CASL.
- III.B.2 Understand what should be included in a PIA report.
Added to current performance indicators:
- II.A.5 Added “consent exception” to currently listed requirements.
- II.A.9 Added “identity verification requirements” to currently listed access requests.
- II.C.1 Added “Understand scope of” to currently listed rules for CASL.
