CIPP prep, adaptive plan with ARIA

The CIPP from IAPP is 150 minutes, 90 questions, 300 out of 500 to pass, and the most recognized privacy credential in the world across four jurisdiction-specific tracks: CIPP/US, CIPP/E, CIPP/A, and CIPP/C. I prep you for it with a 15-to-25-question adaptive evaluation, a personalized roadmap built around the four privacy domains, and a pass guarantee tied to five measurable conditions. Start your free CAT evaluation at claudelab.me/onboarding/select-cert?code=CIPP.

TL;DR

  • 150 minutes, 90 questions, 300/500 passing score, four domains weighted 25 / 35 / 25 / 15.
  • Four jurisdiction-specific tracks: CIPP/E (GDPR), CIPP/US (US law), CIPP/A (Asia-Pacific), CIPP/C (Canada).
  • Not a technical cert: no hands-on configuration, no coding, no lab component.
  • Privacy Laws and Regulations is the heaviest domain at 35 percent of the exam.
  • Renews every two years via 20 CPE credits, not by exam retake.
  • I open with a 15-to-25-question adaptive eval that outputs a per-domain skill estimate.

What the CIPP exam is

CIPP stands for Certified Information Privacy Professional. It is issued by the International Association of Privacy Professionals (IAPP), the leading global body for privacy practitioners. Unlike most IT certifications, CIPP is not a single exam: it exists in four jurisdiction-specific tracks, each testing the same foundational privacy domains but applying them to a different legal framework.

The four tracks, as of 2026:

  • CIPP/E: European data protection law, centered on GDPR, plus the ePrivacy Directive, national implementations, and cross-border transfer mechanisms.
  • CIPP/US: US federal and state privacy law, including HIPAA, COPPA, CCPA, FCRA, GLBA, and the patchwork of sector-specific regulations.
  • CIPP/A: Asia-Pacific frameworks, including Singapore's PDPA, Japan's APPI, Australia's Privacy Act, and other regional laws.
  • CIPP/C: Canada's PIPEDA and provincial privacy legislation including Quebec's Law 25.

The four domains below are the grouping this prep model uses across all tracks; the legal examples differ per track. IAPP publishes its own body of knowledge and exam blueprint for each track separately, so check the current one for your track before relying on any weighting:

  • Privacy Foundations (25%): core privacy concepts, fair information practices, data subject rights, privacy principles (notice, choice, access, security, accountability), privacy by design.
  • Privacy Laws and Regulations (35%): the jurisdiction's primary legal framework(s), regulatory bodies, enforcement mechanisms, definitions of personal data and sensitive data, legal bases for processing (lawful bases under GDPR), consent requirements, rights frameworks.
  • Privacy Program Management (25%): building and running a privacy program: governance structure, data inventory and mapping, privacy impact assessments, training and awareness, incident response and breach notification, records of processing activities.
  • Privacy Operations and Technology (15%): technical privacy controls, data minimization by design, encryption and pseudonymization concepts, online tracking and cookies (ePrivacy), vendor and third-party management, privacy in system design.

Privacy Laws and Regulations is the heaviest domain at 35 percent. Most of the exam's hardest questions live there, because the legal frameworks are dense and jurisdiction-specific. Candidates who treat the law section as a skim and focus on program management (25%) tend to fail on the regulatory detail questions.

How ARIA preps you for CIPP

ARIA runs your CIPP prep end to end, calibrated to whichever track you select.

The CAT evaluation. Your first session is 15 to 25 adaptive questions calibrated to the CIPP blueprint for your chosen track. The eval allocates question slots toward your weakest domains: if Privacy Laws comes up weak early, more of the remaining slots go there. Output is a per-domain skill estimate.

The personalized roadmap. I generate three to five phases from your eval output, sequenced weakest first. Privacy Laws and Privacy Foundations are usually covered in Phases 1 and 2 given their combined 60 percent weight. Privacy Operations (15%) gets the fewest milestones by default unless your eval flags it as a gap.

The daily task engine. One card per day: the single highest-value action right now, weighted by active milestone, error backlog density, readiness decay, and schedule drift. Full mechanics at how ARIA picks today's task.

The error backlog. Every wrong answer is tagged by domain, regulatory provision, and trap pattern, then queued for return at increasing intervals until you answer correctly three times in a row. For CIPP/E, GDPR article misidentification is tagged at the article level (Art. 6 vs Art. 9 vs Art. 46 are separate backlog entries, not one "GDPR" tag).
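The scheduling described above, as an added illustrative model that is not ARIA's code: each (domain, provision, trap) tag is its own entry, a wrong answer creates or resets it and queues it for return, each correct answer pushes the next return further out, and three consecutive correct answers retire it. The interval schedule (1, 3, 7, 14 days), the reference date, and the sample tags are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumed schedule: days until an entry returns after each correct answer.
# The page only says "increasing intervals"; these numbers are illustrative.
INTERVALS_DAYS = (1, 3, 7, 14)
RETIRE_AFTER = 3  # consecutive correct answers before an entry leaves the backlog
T0 = datetime(2026, 1, 1)  # constructed reference date for the walkthrough


@dataclass(frozen=True)
class Tag:
    """Backlog key. The granularity is the point: 'GDPR Art. 6' and 'GDPR Art. 9'
    are different provisions, and 'consent vs legitimate interests' is a different
    trap from 'consent vs legal obligation', so each gets its own entry."""
    domain: str
    provision: str
    trap: str


@dataclass
class Entry:
    streak: int = 0                 # consecutive correct answers so far
    step: int = 0                   # index into INTERVALS_DAYS
    due: Optional[datetime] = None  # next scheduled return, None once retired
    retired: bool = False


class ErrorBacklog:
    def __init__(self) -> None:
        self.entries = {}  # Tag -> Entry

    def record_wrong(self, tag: Tag, now: datetime) -> Entry:
        """A miss creates the entry if needed and resets streak and interval."""
        entry = self.entries.setdefault(tag, Entry())
        entry.streak, entry.step, entry.retired = 0, 0, False
        entry.due = now + timedelta(days=INTERVALS_DAYS[0])
        return entry

    def record_correct(self, tag: Tag, now: datetime) -> Entry:
        """A hit lengthens the interval; the third hit in a row retires the entry."""
        entry = self.entries[tag]
        entry.streak += 1
        if entry.streak >= RETIRE_AFTER:
            entry.retired, entry.due = True, None
            return entry
        entry.step = min(entry.step + 1, len(INTERVALS_DAYS) - 1)
        entry.due = now + timedelta(days=INTERVALS_DAYS[entry.step])
        return entry

    def due_tags(self, now: datetime) -> list:
        """Open entries whose return date has arrived, earliest first."""
        open_entries = [(e.due, t) for t, e in self.entries.items()
                        if not e.retired and e.due <= now]
        return [t for _, t in sorted(open_entries, key=lambda pair: pair[0])]

    def density(self, domain: str) -> int:
        """Open entries in a domain: the 'error backlog density' the task engine weighs."""
        return sum(1 for t, e in self.entries.items()
                   if t.domain == domain and not e.retired)


def walkthrough() -> dict:
    """Constructed scenario: two Art. 6 traps missed on day 0, one then retired."""
    def day(n: int) -> datetime:
        return T0 + timedelta(days=n)

    backlog = ErrorBacklog()
    li = Tag("Privacy Laws", "GDPR Art. 6", "consent vs legitimate interests")
    lo = Tag("Privacy Laws", "GDPR Art. 6", "consent vs legal obligation")
    backlog.record_wrong(li, day(0))
    backlog.record_wrong(lo, day(0))  # separate entry, not one "Art. 6" tag
    nothing_due_yet = backlog.due_tags(day(0)) == []
    both_due_day1 = backlog.due_tags(day(1)) == [li, lo]
    # Three correct answers in a row on the first tag: due day 1 -> 4 -> 11, then retired.
    backlog.record_correct(li, day(1))
    backlog.record_correct(li, day(4))
    backlog.record_correct(li, day(11))
    # The second tag is answered correctly once, then missed: streak and interval reset.
    backlog.record_correct(lo, day(1))
    backlog.record_wrong(lo, day(4))
    return {
        "entries": len(backlog.entries),
        "nothing_due_yet": nothing_due_yet,
        "both_due_day1": both_due_day1,
        "li_retired": backlog.entries[li].retired,
        "lo_streak": backlog.entries[lo].streak,
        "lo_due_day": (backlog.entries[lo].due - T0).days,
        "open_in_privacy_laws": backlog.density("Privacy Laws"),
    }


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(f"{key}: {value}")
```

The point of the model is the key, not the schedule: because the two consent confusions are separate tags, retiring one leaves the other open and counted in the domain's backlog density, which is what lets the task engine keep surfacing the narrower miss.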

The readiness score. A 0-to-100 estimate of your probability of passing CIPP today, blending coverage, accuracy, and recency. At 80 with all milestones completed and two mock passes, the pass guarantee is eligible.

Common pitfalls on CIPP

1. GDPR lawful bases confusion (CIPP/E)

For CIPP/E candidates, the six GDPR lawful bases for processing under Article 6 are one of the highest-failure question clusters: consent, contract, legal obligation, vital interests, public task, and legitimate interests. The trap is questions where consent looks like the right answer but the processing actually has a stronger lawful basis (a contract, or a legal obligation). Consent is also not the "default" basis: it requires a freely given, specific, informed, and unambiguous indication of agreement and can be withdrawn at any time. Reaching for consent reflexively produces wrong answers.

What I do: the Privacy Laws milestones for CIPP/E treat each lawful basis as a separate concept before introducing scenario mixing. The error backlog tracks which basis you confused (consent vs legitimate interests is a different tag than consent vs legal obligation) and resurfaces the narrowest version.

2. CCPA consumer rights scope (CIPP/US)

For CIPP/US candidates, CCPA questions ask about consumer rights under California law. The original CCPA rights are the right to know, the right to delete, the right to opt out of sale, and the right to non-discrimination; the CPRA amendments (in force since 2023) added the right to correct and the right to limit use and disclosure of sensitive personal information, and extended the opt-out to "sharing" for cross-context behavioral advertising. The exam writes stems where one right sounds applicable but another is the precise fit, or where an exemption changes which right applies. Scope is a separate trap: a for-profit business is covered if it meets any one of the thresholds (annual gross revenue above $25 million, a figure the CPRA indexes to inflation; buying, selling, or sharing the personal information of 100,000 or more consumers or households; or deriving 50 percent or more of annual revenue from selling or sharing personal information), and it is out of scope only if it meets none of them. Many questions assume the business is covered and test the right's scope.

What I do: CIPP/US milestones introduce each consumer right with its precise scope and exceptions before mixing them. Threshold and exemption knowledge is a separate milestone from rights knowledge.

3. Sensitive data categories vs standard personal data

Across all CIPP tracks, a consistent failure point is distinguishing standard personal data from sensitive data. Under GDPR Article 9 the special categories are racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data processed to uniquely identify a person, health data, and data concerning sex life or sexual orientation; processing them is prohibited unless one of the Article 9(2) exceptions applies. Sensitive data triggers additional requirements or heightened restrictions in every jurisdiction's framework, but the exact categories and the consequence differ by track. CIPP/US is more sector-specific: HIPAA covers protected health information, GLBA nonpublic personal financial information, FCRA consumer report information, and the CPRA defines its own "sensitive personal information" category with a right to limit its use.

What I do: the Privacy Laws milestones include a sensitive data category set for your track that drills the exact categories before introducing scenario questions. The error backlog distinguishes between "wrong category assigned" and "right category but wrong restriction level."

4. Breach notification timelines and the awareness trigger

CIPP/E specifically tests the GDPR breach notification timeline. Article 33 requires the controller to notify the supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals' rights and freedoms; a notification made after 72 hours must give the reasons for the delay. Notification to the affected data subjects is a separate Article 34 obligation: without undue delay, and only when the breach is likely to result in a high risk. The exam writes questions with incomplete or delayed discovery scenarios and asks whether the 72-hour clock has started. Candidates who memorize "72 hours" without understanding when awareness begins (the controller has a reasonable degree of certainty that a breach has occurred, not merely a first alert) get these wrong. CIPP/US has different timelines by sector: HIPAA requires notice to affected individuals without unreasonable delay and no later than 60 calendar days after discovery, and state breach notification laws set their own windows.

What I do: breach notification milestones pair the timeline with the "awareness trigger" concept explicitly, not just the hour count. Wrong answers on the awareness question get a different backlog tag than wrong answers on the hour count.

5. Privacy by design as a default, not a feature

CIPP questions on privacy by design (and the GDPR Article 25 obligation of data protection by design and by default) test whether candidates understand that privacy controls must be embedded at the design stage rather than retrofitted. The exam writes scenarios where an organization adds a privacy control after deployment and asks whether this satisfies the requirement. The correct answer is usually "no": the requirement is design-stage embedding. The caveat worth knowing is that Article 25 binds the controller both when the means of processing are determined and during the processing itself, so retrofitting a control is still required once the gap is found, but it does not retroactively satisfy the design-stage obligation. Candidates who treat PbD as a checklist item rather than a lifecycle principle miss these.

What I do: Privacy Operations milestones include design-stage vs retrofit scenarios as a distinct concept. The error backlog tracks whether the miss was at the "what is PbD" level or the "when does PbD apply" level.

Common questions

What is the CIPP exam format and passing score?

CIPP is 150 minutes, 90 multiple-choice questions, with a passing score of 300 on a scale of 100 to 500. It is offered in jurisdiction-specific tracks: CIPP/E, CIPP/US, CIPP/A, and CIPP/C.

Which CIPP track should I take?

CIPP/E is the most globally relevant in 2026 given GDPR's reach and its influence on privacy law worldwide. CIPP/US is the right choice for US-based privacy professionals working under US federal and state law. Pick the track that matches where your organization processes data and where your career will operate.

Does the CIPP expire?

Yes. IAPP credentials expire every two years. Renewal requires 20 Continuing Privacy Education (CPE) credits before the expiration date, at least 10 of which must be IAPP-approved. Lapsing fully requires sitting a new exam.

Is CIPP worth it in 2026?

For privacy professionals, yes. CIPP/E and CIPP/US appear consistently in job descriptions for privacy analyst, privacy counsel, and DPO roles. IAPP reports a global average salary around 136 thousand US dollars for holders. It validates legal framework knowledge and program management capability, not security engineering. If your role is privacy-focused rather than security engineering-focused, CIPP is the right credential.

What is the difference between CIPP and CIPM?

CIPP tests knowledge of privacy laws in a specific jurisdiction. CIPM tests how to build and manage a privacy program: governance, data inventories, risk assessment, vendor management, training. The two certs complement each other and most senior privacy professionals hold both, with CIPP typically taken first.

Security certifications that commonly sit alongside CIPP:

  • CISM: information security management for professionals who overlap privacy and security governance
  • CISSP: the senior security certification, which covers privacy within its Security and Risk Management domain; suitable after CIPP for those moving into broader security leadership
  • CRISC: risk and information systems control, relevant for privacy professionals who manage third-party and technology risk

Start your CIPP prep

The CAT evaluation maps your starting level across all four CIPP domains in 15 to 25 questions, calibrated to your chosen track. It is the first and cheapest step before committing to a prep calendar or booking an exam date.

Start your free CIPP evaluation at claudelab.me/onboarding/select-cert?code=CIPP.

Related reading: the cybersecurity certification roadmap covers where CIPP fits alongside security certs for practitioners whose role spans both disciplines, and the AI cert prep guide explains the adaptive prep model behind every ClaudeLab roadmap.