Becoming an ABA/IAPP Certified Privacy Law Specialist

I have just been certified as a Privacy Law Specialist by the International Association of Privacy Professionals, and by extension the American Bar Association, as part of the inaugural class of this brand new area of specialization.  Because a specialization in privacy law is something that has never before been possible in the United States, I thought I would describe the specialization, the application criteria and process, and how the ABA/IAPP certification interacts with state bar rules.

What is a legal specialization?

Many lawyers limit their practices to certain areas of law, because, frankly, the law has become far too complex for any one person to be competent, let alone proficient, in the entire spectrum of law.   Not every lawyer who focuses his or her practice on one or two areas of law, however, is necessarily proficient.  Recognizing this, virtually all state bars (the regulatory bodies that govern the practice of law) prohibit attorneys from calling themselves "specialists" or "experts" (or similar terms) unless they have been certified as specialists.  Certification is intended to objectively verify the lawyer's mastery of the practice area.  (See, for example, Rule 7.4 of the Rules of Professional Conduct of the North Carolina State Bar.)  According to the North Carolina State Bar:

"Certification of lawyers as specialists by an objective entity and according to objective criteria fulfills the mission of the State Bar to protect the public by providing relevant, truthful, and reliable information to consumers of legal services. Certification helps consumers to identify lawyers who have experience and skill in a certain area of practice. Certification also helps lawyers by encouraging them to improve their expertise in particular areas of practice and providing them with a legitimate way of informing the public and other lawyers of this expertise."

Most state bars create specializations and the associated criteria themselves, but about one-half of all states allow lawyers to hold themselves out as specialists if they are certified by an American Bar Association (ABA) accredited entity.

Why did the ABA and IAPP create this specialization?

After extensive deliberation, the American Bar Association's House of Delegates voted in February 2018 to approve a new certification in privacy law, making it the 15th such accredited specialization.  Although no state bar had yet issued a specialization certificate in privacy law, it had become clear that lawyers were focusing their practices on this rapidly-evolving area of law, which was becoming more and more complex and specialized.  The ABA acknowledged that privacy law has become so specialized that the public would benefit by knowing which attorneys could be deemed proficient according to objective standards.

What are the requirements?

If you want to be considered for Privacy Law Specialist status, you must meet each of the following seven requirements:

1. Be an attorney admitted in good standing in at least one U.S. jurisdiction; 
2. Earn a CIPP/US designation; 
3. Earn either a CIPM or CIPT designation; 
4. Pass a legal ethics exam administered by the IAPP (similar to a mini-MPRE exam) or submit a very recent MPRE score of at least 80 points;
5. Provide evidence of “ongoing and substantial” involvement in the practice of privacy law (at least 25% of your full-time practice over the last three years);
6. Supply evidence of at least 36 hours of continuing education in privacy law for the three-year period preceding the application date; and
7. Provide five to eight peer references from attorneys, clients or judges who can personally attest to your qualifications.

What is the application process?

First, you need to achieve a passing score on each of three examinations: the CIPP/US exam, either the CIPM or CIPT exam, and the legal ethics exam.  These tests are all administered electronically at testing centers around the world.  You can schedule the exams online at the testing center nearest you, and results are delivered instantly.  The IAPP offers study guides for all of the exams except for the ethics exam.  (However, I created a study manual for the ethics exam, which I am happy to share with you.  Just connect with me on LinkedIn and send me a message!)

Next, you need to compile information about at least 36 hours of continuing education that you have obtained in the past three years relating to privacy or a closely-related area.  If you have not yet taken enough continuing education courses in the area, you need to defer your application and focus on obtaining more continuing education credits. 

You will also need to identify peers who will serve as your references.  I recommend you select lawyers with (or against) whom you have worked, because they have the best, firsthand knowledge of your experience and expertise.  I also suggest you confirm that they are willing to serve as a reference before you submit their names (because...courtesy!) and that you submit at least eight rather than the minimum number of five.  If some of your references get busy and fail to respond to the IAPP, your application could be denied. 

Of course, you will need to pay a fee.  For the $125 application fee, your initial IAPP membership will be included.  You do not have to become an IAPP member, but the annual certification fee is equivalent to the IAPP membership fee, and the membership is included, so it is difficult to imagine why any certificate holder would not also be a member.

Where can I learn more?

That's easy: The IAPP's website has more info.  (Also, the IAPP's staff was pretty cool about answering my questions.)

Can I become a state bar certified specialist in privacy law?

Not quite yet.  No state bar has certified specialists in privacy law, but the North Carolina State Bar has already approved a specialization in privacy and data security law and the first examination will be administered this fall.  This effort (led by yours truly) has been underway since before the ABA considered adopting a privacy law specialization, but the ABA was able to move more quickly because it decided to rely primarily on existing IAPP examinations.  In North Carolina, we are creating a three-hour examination which focuses on North Carolina law, as well as the IAPP's CIPP/US examination.  The first application deadline has already come and gone, and we look forward to certifying our first class of specialists soon!  If you are interested in establishing a privacy and data security specialization in your state, I would be happy to share my experiences with you.