International Association of Privacy Professionals

The International Association of Privacy Professionals is the newest ABA-accredited certification program. Although it has not yet certified its inaugural class of specialist lawyers, it began accepting applications on April 2, 2018. The end of the first submission period is June 30, 2018.

The IAPP has approximately 30,000 members worldwide, although most of the members are not lawyers. The IAPP-membership and its examination-only certifications are the current gold standard of credentialing in the privacy field.

Members can apply to become an ABA-accredited "Privacy Law Specialist" beginning April 2, 2018. Attorneys who meet the IAPP’s specialist designation requirements may be permitted under their state’s rules of professional responsibility to advertise their specialization in privacy law.


Becoming Certified as a Specialist in "Privacy Law" by the IAPP

The program requirements to become a privacy law specialist include:

  • being an attorney admitted in good standing in at least one state;
  • earning or holding a CIPP / US designation from the IAPP, plus either a CIPM or CIPT designation;
  • passing the PLS Ethics Exam administered by the IAPP, or submit a recent MPRE score of 80+;
  • providing proof of “ongoing and substantial” involvement practicing privacy law (at least 25% of your full-time practice over the last three years);
  • supplying evidence of at least 36 hours of continuing education in privacy law for the 3-year period preceding your application;
  • providing at least 5 peer references from attorneys, clients or judges attesting to your privacy law qualifications.

Atttorneys who become a board certified specialist in Priacy Law will a digital designation badge from the IAPP to add to their credentials. The specialist will also have the opportunity to be included in a searchable directory of specialists on the IAPP website.

After the first set of attorneys are certified by the IAPP as a specialist, those attorneys will be able to disclose that IAPP as conferring them with the “Privacy Law Specialist” designation.


Showing Substantial Involvement in the Practice of Privacy Law

The applicants must demonstrate their focus on the practice of privacy law either as a transactional lawyer, in privacy program management, privacy litigation or regulatory practice, or a combination of these.

Active engagement in information security law will also be considered provided that the applicant demonstrates its connection to and role in the privacy specialization.

The applicant must demonstrate substantial involvement in the field of privacy law at both the quantitative and qualitative level. At least one-quarter (25%) of the practice during the prior three years must be devoted to the practice of privacy law.

For outside counsel and in-house lawyers with principally a transactional practice, at least 15% of Applicant’s full time practice must include:

  • Preparation and review of privacy notices compliant with state, federal and/or international laws and regulations, and reflective of an organization’s privacy practices, and privacy and security policy development, including development of information handling, sharing, storage, training, and security policies and programs;
  • Contract development, negotiation, and compliance, which may include review of vendor, purchase, procurement, or acquisition contracts as well as drafting and negotiation of contracts for inclusion of privacy and security provisions;
  • Privacy advice in compliance with state and federal laws, including legal advice on privacy by design in product design or services;
  • Conducting Privacy Impact Assessments and providing advice in connection with them;
  • Risk assessment with regard to use and potential misuse of personally identifiable information, and corresponding legal advice to clients and organizational leadership;

The Definition of “substantial involvement in the practice of Privacy Law,” as approved by the ABA Standing Committee on Specialization includes:

  • Counseling on cross-border data transfers, and other compliance with international privacy laws pertaining to data transfer (such as drafting Binding Corporate Rules, standard contractual contacts, certifying to US-EU Safe Harbor/Privacy Shield, and the like);
  • Counseling on cybersecurity issues, breach preparedness, and breach remediation;
  • Legislative or regulatory public policy engagement, which may include drafting of position papers or opinions, and interaction with legislative or regulatory bodies, which develop laws or regulate privacy practices;
  • Advice about cyber insurance and negotiating cyber insurance policies.

For attorneys primarily engaged in data breach response, adversarial proceedings and/or litigation, at least 20% of Applicant’s full time practice must include:

  • Internal breach investigation and evaluation, involving managing internal investigations of data breaches and evaluating risks for mitigation and policy development, as well as engaging and overseeing the work of forensic teams, preparing breach notification letters, and working with regulators (at least 10% of full time law practice);
  • Litigation of data protection and data breach matters in state, federal, international, and administrative tribunals (at least 5% of full time law practice); and
  • Regulatory investigations and defense, including federal, state, or international filings of regulatory inquiries or responses to regulatory inquiries of privacy and data protection practices;
  • Privacy tort litigation such as litigation of consumer protection / privacy statutes that provide a private right of action (federal and state), including without limitation rights of publicity, rights against publication of false information, intrusion on seclusion, or public disclosure of private facts; and
  • Advice about cyber insurance and negotiating cyber insurance policies.

This article was last updated on Friday, May 5, 2018.