Study Guide: Certified Information Privacy Professional (CIPP): Common - Privacy by Design and Default, PbD Principles, Ann Cavoukian
Source: https://www.fatskills.com/data-privacy-laws-and-regulations/chapter/cipp-cipp-common-privacy-by-design-and-default-pbd-principles-ann-cavoukian


By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.


CIPP (US & EU) – Privacy by Design & Default (PbD) – Study Guide


What This Is

Privacy by Design and Default (PbD) is a proactive, risk-based approach that embeds privacy protections into the architecture of systems, processes, and business models from the start rather than tacking them on after a breach. Ann Cavoukian’s seven foundational pillars (e.g., “embed privacy into design,” “full-capacity privacy”) are now codified in GDPR Art. 25 and echoed in many US state statutes (e.g., California’s “reasonable security” requirement).

Real-world snapshot: A multinational retailer launches an e-commerce site that tracks visitors with cookies, stores purchase histories, and ships goods from EU warehouses to US fulfillment centers. By applying PbD, the retailer builds consent-driven cookie banners, encrypts data in transit, and configures the platform to retain only the minimum data needed for order fulfilment—thereby meeting GDPR, the ePrivacy Directive, and California’s CCPA/CPRA obligations before the first click goes live.


Key Terms & Provisions

  • Privacy by Design (PbD): A set of seven principles (proactive not reactive, privacy as default, embedded, full-capacity, visibility, respect, end-to-end security) that require privacy to be built into systems from conception. (EU – GDPR Art. 25; Canada – PIPEDA)
  • Privacy by Default: The default settings of any system must be the most privacy-protective option, requiring no action by the data subject to achieve a high level of privacy. (GDPR Art. 25(2))
  • Data Protection Impact Assessment (DPIA): Mandatory under GDPR Art. 35 when processing is likely to result in a high risk to individuals (e.g., large-scale profiling, AI-driven credit scoring).
  • Legitimate Interest Assessment (LIA): A two-part test (legitimate interest + balancing test) that lets controllers rely on GDPR Art. 6(1)(f) instead of consent when the interest is lawful, necessary, and does not override the data subject’s rights.
  • Consent (opt-in) vs. Opt-out: Under GDPR and ePrivacy, consent must be a freely given, specific, informed, and unambiguous opt-in; under CCPA/CPRA, consumers have an opt-out right to the sale of their data.
  • Reasonable Security Measures (US): A flexible standard in HIPAA § 164.306 and CCPA/CPRA § 1798.150(b) that requires entities to implement safeguards proportionate to the sensitivity of the data and the risk of breach.
  • Data Minimisation: Collect and retain only the data necessary for the specified purpose (GDPR Art. 5(1)(c)).
  • Purpose Limitation: Use personal data only for the purposes disclosed at collection (GDPR Art. 5(1)(b)).
  • Cross-Border Transfer Safeguards: EU-US transfers must rely on Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), or an adequacy decision (GDPR Art. 46).
  • Controller vs. Processor: The controller determines the purposes and means of processing (GDPR Art. 4(7)); the processor acts on the controller’s instructions (GDPR Art. 4(8)). Both must embed PbD, but the controller bears ultimate accountability.
  • Business Associate Agreement (BAA): Under HIPAA, a BAA obligates a covered entity’s processor to implement the same privacy safeguards required of the covered entity, including PbD-type security controls.

Step-by-Step / Process Flow (Applying PbD)

  1. Map the Data Lifecycle – Identify every personal data flow (collection, storage, use, sharing, deletion) across all systems and third-party vendors.
  2. Conduct a DPIA or LIA – If the processing is high-risk (large-scale, special categories, automated decision-making), run a DPIA; otherwise, perform a quick LIA to confirm that consent isn’t required.
  3. Embed Controls at Design Time
     • Technical: encryption, pseudonymisation, access-control matrices, secure-by-default configurations.
     • Organizational: privacy policies, staff training, incident-response playbooks.
  4. Set Default Settings to “Privacy-Protective” – Configure platforms so that the most restrictive privacy option (e.g., minimal data collection, no tracking) is the default for every new user or device.
  5. Validate & Document – Record the design decisions, risk-mitigation measures, and compliance evidence in a PbD Register; have senior management sign off.
  6. Monitor & Iterate – Use continuous monitoring (privacy dashboards, audit logs) to detect drift; update the DPIA/LIA and redesign controls when new risks emerge.

Common Mistakes

  • Mistake: Treating “opt-out” as consent – assuming a user who has not clicked “I agree” is automatically consenting.
    Correction: Use explicit opt-in for GDPR/ePrivacy; only treat opt-out as a valid mechanism for the CCPA/CPRA sales opt-out.
  • Mistake: Applying PbD only to IT teams – leaving legal, marketing, and HR out of the design conversation.
    Correction: Adopt a cross-functional governance model; embed privacy champions in every department and require a PbD checklist for every new project.
  • Mistake: Relying on “reasonable security” as a blanket excuse – implementing generic firewalls and calling it PbD.
    Correction: Tie security controls to data sensitivity and risk (e.g., encrypt health data at rest, tokenise credit-card numbers) and document the rationale.
  • Mistake: Skipping the DPIA because the project is “small” – overlooking cumulative risk across multiple small systems.
    Correction: Aggregate risk: if the combined effect creates a high-risk profile (e.g., many small IoT devices), a DPIA is still required.
  • Mistake: Assuming “privacy-by-default” ends at launch – forgetting to enforce data-retention limits.
    Correction: Automate deletion: schedule automatic purge of data that exceeds the retention period and verify via audit logs.
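
The process flow above (privacy-protective defaults, validation via audit logs, monitoring for drift) and the last two rows of this table (opt-out is not consent; retention limits must be enforced automatically) describe controls that are easy to state and easy to get wrong in code. The following is an added example, not code from the Fatskills guide: a small model of per-user privacy settings where every optional purpose starts off, only an explicit “accept” turns it on, and a scheduled purge deletes records older than their category’s retention period while writing an audit entry for each deletion. The purpose names, retention periods, record categories and sample data are constructed for illustration and are not taken from any statute.

```python
# Added example (not from the Fatskills guide): privacy-by-default settings with
# explicit opt-in consent, plus an automated retention purge that leaves an audit
# trail. Purposes, retention periods and sample records are assumptions.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Assumed retention periods per data category (illustrative, not legal advice).
RETENTION_PERIODS: Dict[str, timedelta] = {
    "order_fulfilment": timedelta(days=365),
    "marketing_profile": timedelta(days=180),
    "analytics_event": timedelta(days=30),
}

# Purposes a user may opt into. Everything starts OFF: the most privacy-protective
# option is the default and requires no action from the data subject.
OPT_IN_PURPOSES = ("analytics_cookies", "marketing_emails", "partner_sharing")

# Fixed "current time" for the constructed sample data below.
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


@dataclass
class PrivacySettings:
    """Per-user settings; defaults are the most restrictive option."""
    choices: Dict[str, bool] = field(
        default_factory=lambda: {p: False for p in OPT_IN_PURPOSES})
    consent_log: List[dict] = field(default_factory=list)

    def is_allowed(self, purpose: str) -> bool:
        return self.choices.get(purpose, False)


def record_consent(settings: PrivacySettings, purpose: str,
                   action: Optional[str], when: datetime) -> bool:
    """Apply one banner or settings-page interaction and log it.

    Only an explicit "accept" turns a purpose on. Dismissing the banner or not
    interacting at all (action is None) leaves the restrictive default in
    place, so silence is never treated as consent.
    """
    if purpose not in OPT_IN_PURPOSES:
        raise ValueError(f"unknown purpose: {purpose}")
    granted = action == "accept"
    settings.choices[purpose] = granted
    settings.consent_log.append({"purpose": purpose, "action": action,
                                 "granted": granted, "at": when.isoformat()})
    return granted


@dataclass
class PersonalDataRecord:
    subject_id: str
    category: str
    created_at: datetime


def purge_expired(records: List[PersonalDataRecord], now: datetime,
                  audit_log: List[dict]) -> List[PersonalDataRecord]:
    """Drop records older than their category's retention period.

    Returns the records to keep. Every deletion is appended to audit_log so
    the purge can be verified afterwards; a record whose category has no
    retention rule is kept but flagged, rather than silently kept forever.
    """
    kept: List[PersonalDataRecord] = []
    for rec in records:
        limit = RETENTION_PERIODS.get(rec.category)
        age = now - rec.created_at
        if limit is None:
            audit_log.append({"event": "review_needed", "subject": rec.subject_id,
                              "category": rec.category})
            kept.append(rec)
        elif age > limit:
            audit_log.append({"event": "purged", "subject": rec.subject_id,
                              "category": rec.category, "age_days": age.days})
        else:
            kept.append(rec)
    return kept


def demo():
    """Run the model over constructed sample data; returns (user, kept, audit)."""
    user = PrivacySettings()
    record_consent(user, "analytics_cookies", None, SAMPLE_NOW)     # no click: stays off
    record_consent(user, "marketing_emails", "accept", SAMPLE_NOW)  # explicit opt-in: on
    records = [
        PersonalDataRecord("u1", "order_fulfilment", SAMPLE_NOW - timedelta(days=400)),
        PersonalDataRecord("u1", "analytics_event", SAMPLE_NOW - timedelta(days=10)),
        PersonalDataRecord("u2", "marketing_profile", SAMPLE_NOW - timedelta(days=200)),
        PersonalDataRecord("u2", "legacy_export", SAMPLE_NOW - timedelta(days=900)),
    ]
    audit: List[dict] = []
    kept = purge_expired(records, SAMPLE_NOW, audit)
    return user, kept, audit


if __name__ == "__main__":
    user, kept, audit = demo()
    print("choices:", user.choices)
    for entry in audit:
        print(entry)
```

The two design decisions worth copying are that `record_consent` maps anything other than an explicit accept to “off” (so a dismissed banner cannot become consent) and that `purge_expired` never deletes silently: each purge, and each record it could not classify, ends up in the audit log that the “Validate & Document” and “Monitor & Iterate” steps rely on.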

CIPP Exam Insights

  • Art. 25 vs. “reasonable security” – Exams often ask which provision explicitly mandates “privacy-by-default.” Answer: GDPR Art. 25 (EU) vs. HIPAA § 164.306 (US), which only requires “reasonable” safeguards.
  • Opt-in vs. Opt-out – A classic trap: CCPA/CPRA uses opt-out for data sales, while GDPR/ePrivacy require opt-in for consent. Remember the phrase “CCPA = opt-out, GDPR = opt-in.”
  • Controller’s PbD duty – Even when a processor implements technical safeguards, the controller remains liable for overall compliance (GDPR Art. 4(7) & Art. 24).
  • DPIA trigger thresholds – Look for “large-scale processing of special categories” or “systematic monitoring of publicly accessible areas” as DPIA triggers; the exam loves the “systematic monitoring” example (e.g., CCTV).

Quick Check Questions

  1. Scenario: A US-based SaaS provider offers a service to EU customers and stores their email addresses for marketing newsletters. The provider only displays a “Cookie Settings” link in the footer.
    Answer: The provider is non-compliant because GDPR requires explicit opt-in consent for marketing communications and for non-essential cookies; a footer link alone does not satisfy the consent standard.

  2. Scenario: A hospital (HIPAA Covered Entity) contracts a cloud analytics firm to run predictive models on de-identified patient data. The contract includes a BAA.
    Answer: The hospital must still ensure PbD by confirming that the analytics firm applies encryption, access controls, and audit trails; the BAA alone does not guarantee compliance with HIPAA’s “reasonable safeguards.”

  3. Scenario: A retailer uses a third-party ad network that places behavioural tracking cookies on EU visitors. The retailer’s privacy notice states “We may share data with partners for advertising.”
    Answer: The retailer must conduct a DPIA (high-risk profiling) and obtain opt-in consent before any tracking; a generic notice is insufficient under GDPR Art. 25 and ePrivacy.


Last-Minute Cram Sheet (10 One-Liners)

  1. GDPR Art. 25 – “Privacy by Design and Default” applies to all processing, not just new projects.
  2. CCPA/CPRA § 1798.150(b) – “Reasonable security” is a flexible standard; courts look at industry best practices.
  3. HIPAA § 164.306 – Requires administrative, physical, and technical safeguards; encryption is “addressable,” not mandatory.
  4. GDPR Art. 35 – DPIA is mandatory when “the processing is likely to result in a high risk to the rights and freedoms of natural persons.”
  5. ePrivacy Directive Art. 5(3) – Consent for cookies must be prior, informed, and explicit (opt-in).
  6. CCPA/CPRA – Consumers have a right to delete (right to be forgotten), but the business can refuse if the data is needed to complete a transaction.
  7. Standard Contractual Clauses (SCCs) – Remain valid after the Schrems II decision if supplemented with additional safeguards (e.g., encryption).
  8. Binding Corporate Rules (BCRs) – Require approval by the EU data-protection authority and must cover all group entities.
  9. Legitimate Interest Assessment (LIA) – Must be documented in a two-step test (interest + balancing).
  10. Ann Cavoukian’s 7 PbD Principles – Remember the mnemonic “P-E-B-F-V-R-E” (Proactive, Privacy-by-Default, Embedded, Full-Capacity, Visible, Respectful, End-to-End).

Good luck—embed privacy early, document everything, and you’ll ace the exam!