What does it take to be an IAPP-certified privacy professional? What should it take?

September 9th, 2009 by Grace Meng


UPDATE: I recently was referred to this thoughtful blog post on a similar topic, “Nurturing an Accountable Privacy Profession.” Well worth a read.

A few weeks ago, I was very relieved to find out I had passed the IAPP exam to be a “Certified Information Privacy Professional” or CIPP.  I got this certificate and even a pin, which is more than I ever got for passing the bar exams of New York and California.

So what exactly did I need to know to become a CIPP?

To be certified in corporate privacy law, you’re expected to know what’s covered in the CIPP Body of Knowledge, primarily major U.S. privacy laws and regulations and “the legal requirements for the responsible transfer of sensitive personal data to/from the United States, the European Union and other jurisdictions.”

You’re also expected to pass the Certification Foundation, required for all three certifications offered by IAPP.  That covers basic privacy law, both in the U.S. and abroad, information security principles and practices, and “online privacy,” which includes an overview of the technologies used by online companies to collect information and the particular issues to be considered in this context.

So what do you think?  Should you be able to pass an all-objective, 180-question, three-hour exam (counting the CIPP and Certification Foundation exams together) on the above topics and be able to call yourself a “privacy professional”?

There are no sample questions available online, and I was too cheap to take a prep course, but if I remember correctly, a typical question on the exam went something like this:

The Gramm-Leach-Bliley Act authorizes financial institutions to share consumer information with third parties if:

a. The information is not personally identifiable.

b. The consumer is informed and given the opportunity to opt-out.

c.  Any information without notice if it is shared with affiliated companies.

d.  All of the above.

The answer would be “C,” since the consumer is only required to be given notice if the third party is “non-affiliated.”  My sample is poorly constructed, and there are also questions that require you to analyze a fact pattern, but essentially, the exam covers existing laws, practices, and technologies.

It doesn’t ever ask you, “What would you do if you were advising RealAge and they told you they wanted to sell answers from a health questionnaire to pharmaceutical companies?”  Or, “Is Facebook doing enough to prevent third parties from misusing images of Facebook members in their ads?”

IAPP presumably doesn’t ask you these questions because there’s no “objectively” right answer.  There may, one day, be an objectively legal answer, depending on if and when legislation gets passed.  Still, it’s obvious that in the field of privacy, the most interesting aspects are not what laws do exist, but what laws should exist, what practices should be used, what innovations, both technological and social, should be promoted to protect privacy in meaningful ways.  But the exam only covers what is, not what could be or what should be.

Privacy may be an ancient concept, but it’s a very modern, very new, very undefined profession, which perhaps is even more reason for the IAPP to exist.  We as a society, particularly in the U.S., are struggling to figure out what privacy means and what we need to do to protect it.  While the medical profession has the Hippocratic Oath dating back to the 4th century B.C., and the legal profession’s adherence to the concept of attorney-client privilege goes back at least as far as the 16th century, the privacy profession has no clear guiding principle.  We don’t know yet what it should be.

I’m not really criticizing the IAPP for having a test that doesn’t quite encompass the dynamic, constantly changing field of privacy.  It’s not like other professions do better.  The bar exam certainly doesn’t screen out incompetent, unethical people from practicing law, even if you are actually required to pass an ethics exam.  And the IAPP does provide resources to its members for tracking changes in privacy law and policy.  But I’m curious to see where the IAPP goes as it tries to “professionalize” the profession, whether the certification exam will change and what expectations will be set for IAPP-certified privacy professionals.  Perhaps in another 100 years, or hopefully sooner, we’ll have a code of conduct for privacy professionals.


6 Responses to “What does it take to be an IAPP-certified privacy professional? What should it take?”

  1. Annie says:

    Hi Grace,

    I am also thinking about taking the CIPP exam. I just got the materials to start studying but have no background in privacy law. Do you have any suggestions as to how much time to put in, whether the lectures are enough (or do I need to read the whole reference book), whether it is easy/hard?

    I can send you my official email if you want.


  2. Grace Meng says:

    Hi Annie, I basically bought the books I referenced and read through them once each and didn’t listen to any lectures, but didn’t feel really prepared at the exam. Luckily, I knew enough to pass but I’m not sure I passed by a great deal. If you want more information, email me at info@commondataproject.org, and I’ll answer any specific questions you have.

  3. Elise says:

    Hi Grace,

    I appreciate your insight regarding the CIPP test. Recently I decided that I wanted to pursue the certification so I have taken the first steps – buying some of the suggested study materials through the IAPP.
    I don’t know anyone who has taken the exam and I haven’t been able to find much about it online. I would like to be prepared enough to pass the test on my first attempt. Having said that I’d like to find out if you can offer any more information – what materials are best to use for self-study, were there questions that were difficult to understand, is there anything that you would recommend to someone fairly new in the field, that kind of advice?

  4. Grace Meng says:

    Elise, sorry to be late getting back to you, I was on vacation. The only materials I used for self-study were the ones published by IAPP, and I can’t say any were better than others. I’m glad I read through all of them. Frankly, though, when I took the exam, I really was not sure if I would pass or not. Even after the exam, I wasn’t sure if I had passed. The questions did not feel as carefully crafted as those on other standardized tests I’ve taken. There were definitely questions and answers for which I could imagine, if they were on an exam like the LSAT, would be seriously contested. I’m not sure what your background is, but I am a lawyer, so most of the legal stuff was at least familiar to me, even though the privacy stuff was not. Feel free to email me at info [at] commondataproject [dot] org if you have more questions.

  5. Diane Miller says:

    Hi Grace —

    Congrats on the bar and the CIPP certification!

    Were there any particular topics you felt like you weren’t prepared for by reading the material? And were the questions clearly written?


  6. Yash says:

    Hi Grace,
    Many congrats for your great success. I was planning for CIPP and need your help for study material. Please let me know if any guide is available online for download or if I should purchase the same.
    Also request for any study links, if any, you have used for your study.

