I'm a privacy analyst at a mid-size healthcare company and just registered for the CIPP/US. I've been in the field about 4 years but mostly on the operational side – incident response, vendor assessments, that kind of thing. The legal and regulatory framework side is where I feel shakiest, especially the state-level distinctions like CCPA vs VCDPA.
I've seen timelines ranging from 6 weeks to 6 months in various posts. I'm planning about 1.5 hours per day on weekdays and maybe 3 hours on Saturdays. My exam is booked for 10 weeks out. Is that realistic for someone with my background, or am I underestimating the depth of material?
I'm using the IAPP official textbook and the Exam Cram guide. I've done about 80 practice questions so far and I'm sitting around 63% correct, which I know isn't good enough yet. Passing is a 300/500 scaled score.
Any tips on which domains to prioritize? I've heard US private sector law and the healthcare/financial sector overlays trip people up the most.
10 weeks with 1.5 hours daily is very doable if you already have a privacy background. I passed in 8 weeks coming from a similar operational role. The legal framework section is dense but the IAPP textbook covers it well if you actually read it carefully rather than skimming.
The CCPA vs CPRA distinction and the FTC enforcement authority questions tripped me up more than anything else. Make sure you know exactly what "sale" means under CCPA – it's broader than most people expect.
I'd also spend real time on HIPAA – the exam had more healthcare overlay questions than I expected based on the domain weightings.
Don't underestimate the state law section. I thought I'd just memorize a few CCPA points and be fine but there were questions about Illinois BIPA, Texas privacy law, and Nevada that I hadn't studied at all. Cover the full state survey chapter.
Your 63% practice score at week one is actually fine. I was at 58% at week three and ended up passing with a 340 scaled score. The key is tracking which categories you're missing and drilling those specifically rather than doing random practice sets.