Study Guide: Certified Information Privacy Professional (CIPP): Common - What Is Privacy? Definitions, Fair Information Practice Principles, FIPPs, OECD Guidelines
Source: https://www.fatskills.com/data-privacy-laws-and-regulations/chapter/cipp-cipp-common-what-is-privacy-definitions-fair-information-practice-principles-fipps-oecd-guidelines

By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.

What This Is

Privacy is the set of rules and expectations that govern how personal information is collected, used, stored, and shared. It matters because every organization that handles data—whether a U.S.-based e-commerce site, a European-headquartered manufacturer, a hospital, or a cloud provider—must respect those rules or face massive fines, lawsuits, and reputational damage. Example: A multinational retailer moves employee payroll data from its German office to a data center in Virginia. The transfer triggers GDPR-required safeguards (Standard Contractual Clauses or an adequacy decision) and must be documented, or the retailer risks €20 million in penalties and a U.S. regulator-led investigation for violating the CCPA’s “sale” definition.


Key Terms & Provisions

  • Privacy (general definition): The right of individuals to control the collection, use, and disclosure of information about themselves.
  • Fair Information Practice Principles (FIPPs): A set of foundational privacy concepts—notice, purpose limitation, data minimization, accuracy, security, access, and accountability—originating from the 1970 OECD Guidelines and echoed in most modern statutes.
  • OECD Privacy Guidelines (1980): International principles that shaped the EU’s Data Protection Directive and later the GDPR; they stress transparency, collection limitation, and safeguards.
  • Data Protection Impact Assessment (DPIA): A mandatory risk assessment under GDPR Art. 35 (EU) for processing that is likely to result in a high risk to individuals (e.g., deploying facial-recognition cameras).
  • Right to Access / Right to Know: The right of data subjects to obtain a copy of their personal data and the purposes for which it is processed. GDPR Art. 15 (EU) and CCPA/CPRA Sec. 1798.100 (US-CA) both codify this right.
  • Legitimate Interest (GDPR Art. 6(1)(f)): A lawful basis for processing that balances the organization’s legitimate business purpose against the individual’s privacy rights; requires a “balancing test.”
  • Consent (opt-in vs. opt-out): GDPR Art. 7 requires freely given, specific, informed, and unambiguous opt-in consent; CCPA/CPRA uses an opt-out model for the sale of personal information, with a “Do Not Sell” link.
  • Controller vs. Processor (GDPR Art. 4): The controller decides why and how data is processed; the processor acts on the controller’s behalf (e.g., a cloud vendor). Both have distinct obligations (e.g., controllers must maintain records, processors must follow a written contract).
  • Covered Entity / Business Associate (HIPAA): A Covered Entity (healthcare provider, health plan, or clearinghouse) directly handles PHI; a Business Associate performs services that involve PHI and must sign a BAA.
  • Standard Contractual Clauses (SCCs): EU-approved model contracts that provide adequate safeguards for cross-border transfers of personal data to non-EU countries (e.g., the U.S.).

Step-by-Step Process Flow (Applying Privacy Foundations)

  1. Identify the Data & Jurisdiction – Catalog the personal data you handle and map where the data subjects reside (EU, California, etc.).
  2. Determine the Legal Basis – For each processing activity, decide whether you rely on consent, legitimate interest, contract, legal obligation, vital interests, or public task.
  3. Conduct a DPIA (if required) – If the activity is high-risk (new technology, large-scale profiling), run a DPIA, document mitigation, and obtain supervisory authority sign-off if needed.
  4. Implement FIPP Controls – Apply the seven FIPPs: publish clear notice, limit purpose, minimize data, ensure accuracy, secure data, enable access, and assign accountability (e.g., appoint a Data Protection Officer).
  5. Document & Communicate – Record the lawful basis, DPIA outcomes, and safeguards (SCCs, BAA, etc.) in a privacy register; train staff and update privacy notices.
  6. Monitor & Respond – Continuously audit compliance, handle data-subject requests within statutory timeframes, and be ready to report breaches (GDPR 72 h, CCPA 60 days).

Common Mistakes

  • Mistake: Assuming “targeting” only means a website is geographically accessible from the EU.
    Correction: Under GDPR Art. 3, “targeting” includes offering goods/services to EU residents or monitoring their behavior, even if the server is outside the EU.
  • Mistake: Treating “opt-out” consent as sufficient for GDPR processing.
    Correction: GDPR requires opt-in (affirmative) consent for most non-essential processing; opt-out is only acceptable for certain marketing communications under specific national rules.
  • Mistake: Believing a Business Associate automatically inherits all HIPAA obligations.
    Correction: A Business Associate must sign a BAA and is directly liable for HIPAA violations; the Covered Entity remains responsible for ensuring the BAA’s adequacy.
  • Mistake: Skipping a DPIA because a contract says the processor will “protect the data.”
    Correction: DPIAs assess the risk of the processing itself, not just the security controls; they are required regardless of contractual assurances when the activity is high-risk.
  • Mistake: Assuming “legitimate interest” is a blanket justification for any data use.
    Correction: Conduct a balancing test, document the rationale, and be prepared to demonstrate that the individual’s rights do not outweigh the business purpose.

CIPP Exam Insights

  1. FIPPs vs. GDPR Articles – Exams often ask you to match a principle (e.g., “purpose limitation”) to its GDPR article (Art. 5(1)(b)). Remember the seven FIPPs map directly to Art. 5.
  2. Opt-in vs. Opt-out – A classic trap: “Which law requires opt-in consent for marketing?” Answer: GDPR (Art. 7) – CCPA uses opt-out for “sale” but still requires a clear “Do Not Sell” link.
  3. Controller vs. Processor duties – Expect scenario questions that differentiate obligations (e.g., who must maintain a record of processing activities? – the controller under Art. 30).
  4. Territorial Scope – The exam loves the “extra-territorial” nuance: GDPR applies to any entity processing EU data subjects’ personal data, regardless of physical presence, while CCPA applies to for-profit businesses meeting any of the three thresholds (revenue, data volume, or 50% of annual revenue from selling personal info).

Quick Check Questions

  1. Scenario: An EU citizen emails a U.S. SaaS provider asking for deletion of all their data. The provider argues the request is “outside the GDPR.”
    Answer: The provider must comply under GDPR Art. 17 (right to erasure) if the SaaS provider offers goods/services to EU residents or monitors their behavior.
    Explanation: GDPR’s territorial scope is based on targeting EU data subjects, not on physical location.

  2. Scenario: A California resident receives a “Do Not Sell My Personal Information” link on a retailer’s website. The retailer disables data selling but continues to share the data with a third-party analytics firm for “service improvement.”
    Answer: The retailer is still non-compliant because “service improvement” is a sale under CCPA/CPRA unless the analytics firm is a service provider and the sharing is covered by a contract that prohibits further disclosure.
    Explanation: CCPA defines “sale” broadly; sharing with a third party for any commercial purpose is a sale unless an exemption applies.

  3. Scenario: A hospital (Covered Entity) outsources medical-record storage to a cloud vendor (Business Associate) without a signed BAA.
    Answer: Both the hospital and the cloud vendor are liable for HIPAA violations.
    Explanation: A BAA is mandatory; without it, the Business Associate is directly subject to HIPAA’s security and breach-notification rules.


Last-Minute Cram Sheet (10 One-Liners)

  1. GDPR Art. 3 – Applies to any entity processing EU data subjects’ personal data regardless of physical presence (“targeting” rule).
  2. CCPA/CPRA § 1798.100 – Right to know: consumers can request a “record of disclosures” within 45 days.
  3. HIPAA 45 CFR 164.308 – Requires a written security plan for all PHI, even when stored in the cloud.
  4. GDPR Art. 32 – Data security must be “appropriate to the risk” (risk-based approach).
  5. SCCs (2021 version) – Must be signed before any cross-border transfer; cannot be modified without regulator approval.
  6. GDPR Art. 35 – DPIA is mandatory when processing is “likely to result in a high risk” (e.g., systematic profiling).
  7. CCPA/CPRA – Fine up to $7,500 per intentional violation; up to $2,500 per unintentional violation.
  8. GDPR Art. 6(1)(f) – Legitimate interest requires a balancing test; cannot be used for “marketing” without a separate opt-in.
  9. OECD Guidelines (1980) – The seven FIPPs are the global “privacy DNA” that underpins most statutes.
  10. GDPR Art. 33 – Breach notification to the supervisory authority within 72 hours of becoming aware; if delayed, must explain why.

Use this guide to drill the core concepts, spot the exam traps, and walk away with practical steps you can apply tomorrow. Good luck!