Course Syllabus

Privacy Law For Technologists
MW 10:30–12

South Hall 205
Professor Chris Hoofnagle

INFO 290 LEC 002 40455
LAW 276.72 LEC 001 45962

Law students: please note that Berkeley Law starts classes on Monday, August 21, but campus starts Wednesday the 23rd. Our first class will be on Wednesday the 23rd. We will make up the missed class.

Information privacy law profoundly shapes how internet-enabled services may work. Privacy Law for Technologists will translate the regulatory demands flowing from the growing field of privacy and security law to those who are creating interesting and transformative internet-enabled services. The course will meet twice a week, with the first session focusing on the formal requirements of the law, and the second on how technology might accommodate regulatory demands and goals. Topics include:  Computer Fraud and Abuse Act (reverse engineering, scraping, computer attacks), unfair/deceptive trade practices, ECPA, children’s privacy, big data and discrimination (FCRA, ECOA), DMCA, intermediary liability issues, ediscovery and data retention, the anti-marketing laws, and technical requirements flowing from the EU-US Privacy Shield

The required textbook for this class is my book (how opportunistic!): FTC Privacy Law and Policy (CUP 2016) But here is the good news: I negotiated a good price for it (about $37 in softcover), and there are several ways that you can get the content free. For instance, if you use the UCB VPN and go to Cambridge Books online, you can download a PDF of the whole book free.


This course is more demanding than it appears at first. Each week, you will be asked to learn substantive law, and then discuss how that law (or its policy goals) could be met with technology. This is a challenging exercise for both School of Information and School of Law students. Your participation in discussions (quality over quantity) is essential and is 30% of your grade. The remaining 70% comes from your final presentation.

Final presentation: you may work alone or in a group. Choose a service or a product of interest to you and prepare a presentation (no more than 10 minutes, and there will be a strict time limit) on how its privacy and/or security could be improved based on what you have learned in the course. You may work in a team for this presentation. Your presentation should identify the service or product's privacy/security implications, and discuss technological fixes, including the benefit and costs of the approach. Please identify your team and topic by October 2.

APM-015 Part II statement

This course will deal with material concerning current events and exploration of government actions and their possible consequences. Class discussion will feature such material.

BCLT Certificate

Law students: Hoofnagle's courses count toward's BCLT's certificate program.

Date Assignment
Wed Aug 23

Introduction to the Course; Privacy

Please read:

Note, UCB subscribes to everything under the sun. If the link to the Otto/Anton paper does not work, be sure you have the UCB library proxy set up, or use the VPN. Either of these resources will give you subscribed access to pretty much anything. The VPN is probably easier to use--just download it, install it, and start it up. After that, every page you visit will get a UCB IP referrer, thus giving you access to materials.

Fri Aug 25

Optional EventThe Troubled Future of Privacy ... and How to Stop It by Palantir Technologies' John Grant, Wozniak Lounge 430 Soda Hall, 6:00–7:30, dinner provided.

Mon Aug 28

Privacy by Design

This week we will get into focus on a relatively-new movement in consumer protection: privacy by design. Generally attributed to former information and privacy commissioner of Ontario, Ann Cavoukian, privacy by design has increasing relevance in regulatory frameworks--the FTC has explicitly called. for companies to consider it.

Please read:

Wed Aug 30

Discussion: Privacy by Design

On an abstract level, privacy by design appears to be a useful approach to addressing technical choices. Today's discussion will focus on the mechanics of making privacy by design workable. We will consider the incentive conflicts in privacy by design, some case studies, and examples of privacy by design that you encounter in your role as consumer. For discussion, please:

  1. Read Ira Rubinstein & Nathan Good, Privacy by Design: A Counterfactual Analysis of Google and Facebook Privacy Incidents, 28 Berkeley Technology Law Journal 1333 (2013). < This paper is co-authored by a School of Info PhD (Good) and won an award at the Privacy Law Scholars Conference.
  2. Think about the products and services you use--find an example where privacy by design has been applied, or where you think it might be applied effectively. Come prepared to discuss your example in light of this week's readings. Post your example in the discussions area of bCourses.

W/r/t #2--and for future discussion assignments--feel free to work in a group to develop examples. 

Mon Sep 4

Labor Day Holiday, No Class

Tues Sept 5

Optional Talk: Becoming a Technical Lawyer (or, Sorry, You Are Going to Have to Do Math After All) 12:45-1:45 Boalt Hall (probably room 105 or 110) 

Description:  In addition to criminal and civil code, lawyers inevitably need to understand computer code in order to function effectively in today’s world.  Technical architectures govern everything from determining what data exists to prove or disprove theories, when and how surveillance can be conducted, the range of policy options available to courts and legislatures, as well as raising novel legal questions that defy traditional solutions.  John Grant, Director of Privacy and Civil Liberties Engineering at Palantir Technologies (J.D., Georgetown 2007), draws from his experience as a non-technical lawyer joining a highly technical startup to offer insights into what you need to know, why you need to know it, and how to build an effective relationship with the engineers who will be critical to your success.

Tue Sep 5

Optional Talk: Reigning in Online Abuses

Hany Farid, Sept 5, 2017  4pm, South Hall TBD 
ABSTRACT: Online platforms today are being used in deplorably diverse ways: recruiting and radicalizing terrorists, buying and selling illegal weapons and underage prostitutes, cyberbullying and cyberstalking, revenge porn, theft of personal and financial data, propagating fake and hateful news, and much more. Technology companies have been and continue to be frustratingly slow in responding to these real threats with real consequences. I advocate for the development and deployment of new technologies that allow for the free flow of ideas while reigning in abuses. As a case study, I will describe one such technology—photoDNA—that is currently being used in the global fight against child exploitation. I will also describe the technological, legal, and policy obstacles that we faced prior to deployment and how lessons from this work can inform future efforts. I will also describe ongoing efforts in countering extremism on-line.
Wed Sep 6

Active Defense and "Hacking Back" Mini-Module

Class, the holiday breaks up our lecture/discussion schedule, so let's do a one-day module with both lecture and discussion. Jonathan Jaffe, PWC's Director of Cybersecurity will join us.

New amendments to federal law give more leeway for "active defense" measures. In this module, we will look at the new statutory language and attempt to envision what active defense might entail.

Please read a backgrounder on the Computer Fraud and Abuse Act:

And then portions of the Cybersecurity Act of 2015:

Jonathan has specified two more readings:

Mon Sep 11, 2017 

Unfair and Deceptive Acts and Practices

This week we will study Unfair and Deceptive Acts and Practices (UDAP) law. UDAP law forms a baseline of regulation for technology in the US. In addition to the federal UDAP law, the Federal Trade Commission Act (FTC Act), states have their own versions of UDAP statutes, and some of these are broader than federal law.

Please read: Federal Trade Commission Privacy Law and Policy Chapter 5 (119–141).


Wed Sep 13

Discussion: Unfair and Deceptive Acts and Practices

In preparation for discussion, please take these three steps:

Please read the following policy guides on modern advertising techniques

Be prepared to discuss how you might implement policy or technological interventions to promote compliance with the various rules we learned about UDAP and the more specific policies set forth by the FTC in the policy statement and guides above. You could think of the problem from at least two ways--as a FTC lawyer or technologist, or as a company that is selling products that wants to avoid affiliate marketers and others from engaging in deception (e.g. in LeanSpa, the company was held liable for 3rd party affiliate marketers who created fake news sites).

Mon Sep 18

FTC Privacy Part 1

Class, last week we discussed the basics of unfair and deceptive practices acts. This week and next we look at how the law of unfair and deceptive trade practices apply to online privacy issues. For the lecture, please read:

Federal Trade Commission Privacy Law and Policy, Chapter 6 (145–192). It is a lot of reading, but we'll use this same reading for this week and next.

Wed Sep 20

Discussion: FTC Privacy Part 1

Let us start with privacy policies. For this discussion exercise, feel free to work in a group. Find a privacy policy from a website or service that you are interested in (try to select one that is not too long or intractable). Prior to class, place the text in to Microsoft Word or Google Docs, and highlight these elements in different colors:

1) Disclosures you think are "material" under the FTC Act.

2) Text that specifies affirmative obligations on the website/service (we shall do x).

3) Text that specifies restrictions on the website/service (we will not do y).

4) Text that gives the user some choice (opt in or opt out).

Post your policy or a link to it in the discussion board, and be prepared to discuss what you found and what puzzles/intrigues you about the privacy policy. We will discuss these four elements both from the lens of the requirements and prohibitions of the FTC Act, and from the perspective of what administrative and technical infrastructure must exist behind the scenes to implement these privacy policies.

Mon Sep 25

FTC Privacy Part 2

For this week, please:

1) Review the reading from last week (Federal Trade Commission Privacy Law and Policy, Chapter 6).

2) Read the FTC report, Internet of Things: Privacy & Security in a Connected World (2015).

Wed Sep 27

Discussion: FTC Privacy Part 2

Discussion this week will focus on the internet of things (IoT). It will become clear that the IoT presents one of the most difficult regulatory challenges for privacy. Our goal will be to consider how the FTC might apply its tools to police the IoT sector, and how we might engineer IoT devices differently in order to protect consumers.

To prepare for the discussion, please choose a consumer product that is now sold as "connected." An example is door locks--these are bronze-age inventions that are now offered in "internet connected" formats. Give thought to the potential new benefits that come from internet connectivity for this product. What new functions will be enable? What knock-on effects will these functions create? What new societal tensions will internet connectivity introduce? How might we introduce privacy by design or other engineering principles to steer this technology toward FTC compliance?

Mon Oct 2

 FTC Security & Security Breach Notification

For this lecture, please:

Mon Oct 2

Make Up Session: Please attend Professor Edward Balleisen's talk, 12:45–2 in Boalt (Law School Room 130). To prepare please

  • Read this interview.
  • Prepare a question for Professor Balleisen and post it on the discussion board.
Wed Oct 4

Discussion: Security Frameworks 

For this discussion, we will divide into groups to analyze and present several different security standards. Note that the security standards we are visiting here are not law, exactly. They are often developed with the private sector and required by private contract or through procurement standards.

Group 1: Cover ISO 27000/27001/27002. These standards are not publicly available--they have to be licensed. However, Professor Georg Disterer has written a good overview of these standards. See, Georg Disterer, ISO/IEC 27000, 27001 and 27002 for Information Security Management, 4(2) Journal of Information Security (2003).

Group 2: Cover NIST 800-53 (Rev 4). This is a 460 page document. Suffice it to say that it would be a waste of time to read the whole thing. Instead, start with the NIST Summary, and then look at chapters 1, 2, and appendixes F, G, and J. In the process, be sure to note any controls that you find particularly useful or underexamined in the course so far.

Group 3: Cover PCI-DSS (Ver. 3.2)View in a new window. PCI-DSS governs the acceptance of credit and debit cards. This is a long document as well. You might start by looking at the "quick" reference guideView in a new window :) and the sample reporting formView in a new window.

Group 4: NIST Cybersecurity FrameworkView in a new window. You will see the NIST framework in practice because financial regulators and the SEC have urged companies to implement it. A good starting point for understanding the framework is the FAQ on the NIST website.

All groups: do some searching and try to determine who uses your group's standard and why. You'll find that many companies do state their security standard in product specification sheets and regulatory findings.

Group assignments: TBD

Mon Oct 9

Children's Privacy 

Read Federal Trade Commission Privacy Law and Policy, Chapter 7 (193–215).

Wed Oct 11

Discussion: Children's Privacy

Class, for our discussion, please spend about an hour looking at a specific COPPA-regulated service (remember--it can be a website, app or other internet "service.") Pay specific attention to the privacy policy (how it differs from the non-COPPA service you looked at weeks ago) and parental consent mechanisms. Overall, do you think the service meets the privacy and security goals of the COPPA? If you want a refresher on COPPA requirements, this guide from the FTC is very good.

We'll discuss the differences between COPPA and non-COPPA sites during our discussion, and then do a short, in-class exercise focused on monetizing COPPA regulated sites.

Wed Oct 11

Makeup Session: Please attend Professor Josh Lauer's talk, 4:10–5:30 in South Hall 202.

To prepare, please:

Mon Oct 16

The Stored Communications Act and Law Enforcement Agency (LEA) Requests 

Please read Orin Kerr's A User's Guide to the Stored Communications Act, and a Legislator's Guide to Amending it, 72 George Washington Law Review 1208 (2004), pages 1208–1233.

Wed Oct 18

Discussion: The Stored Communications Act and Law Enforcement Agency (LEA) Requests

Class, for this discussion, we are going to consider a series of different LEA requests for user information.

In order to prepare, could you:

1) Read the entire assignment, including the requests that the other groups are receiving. It's not a lot of reading--about 20 pages in total.

2) Give some thought to how you might respond to the request from the lens of your client/company? Is there anything special about your business model that would affect how you want to respond? What steps should you take to comply? What information should your company disclose in response to the request? What should it not provide?

In class, we'll divide into groups for 20-25 minutes, and then discuss with the whole class the steps and issues you think are important to responding.

Group 1: You work for the Internet Archive. Your Chief Security Officer (CSO) receives a call from the FBI, and Agent Jones says she is going to come in person to the Internet Archive office this afternoon with a request for information (nov2007_nsl_edited.pdf). Agent Jones appears, shows you this letter on FBI letterhead, allows you and the CSO to read it, but does not allow you to keep a copy.

Group 2: You work for a telecommunications carrier Sprint. Your company operates a law enforcement response office 24/7. This request appears in the fax machine (Sprint - Nextel Exigent Circumstances Form_edited.pdf) from Irvine PD. You do a quick Google search and turn up this guide for Cell Tracking Requests from Irvine's police department. (celltrackingpra_irvine4_irvineca.pdf).

Group 3: You are the publisher of a well-established libertarian magazine, You receive this grand jury subpoena (reason_gjs.pdf). Warning: this case involves threats and there is nasty language in it.

Feeling a bit at sea? That's totally normal! Companies receive these processes out of the blue, with no context, and often without their counsel present. We'll work through the issues together.

Mon Oct 23

Wiretapping, Consumer Protection, and LEA Requests 

Please read

Wed Oct 25

Discussion: Wiretapping, Consumer Protection, and LEA Requests 

From the lecture it should become clear that many new consumer services "intercept" the human voice. There are obvious examples, such as in-home assistants (Amazon Echo, Google Home), devices that sometimes respond to human commands (such as Smart TVs), and perhaps some less obvious ones--consider that your phone may be "listening," or that you might use a "wearable" device that captures information in your interpersonal life.

There is almost no caselaw concerning these products and services--the closest we have are the Deep Packet Inspection cases, the Google Gmail Scanning Litigation, and the Google Street View Wifi Scanning cases.

For our discussion, we'll focus on what companies in this space are doing to comply with the federal Wiretap Act and state laws on interception of voice. To prepare

  • Please identify a product or service that captures the human voice and post it to the discussion page.
  • Try to determine how the company is dealing with the Wiretap Act issues I discussed in lecture. This might be apparent from the privacy policy, the terms of service, or aspects of the product's design
  • Give some thought to "secondary" parties that might be near the device. While you may have agreed to having your television capture your voice, visitors to your home presumably have not. What can the law or tech do about that problem?
Mon Oct 30

Marketing Part 1

Please read FTC Privacy Law and Policy pages 236–240; 249–259.

Wed Nov 1

Discussion: Marketing Part 1 

To prepare for our discussion, please:

1) As you visit stores in person or on the web, take note of companies that wish to enroll you in text marketing. Here's an example from FEMA, and here's another from a company that recently litigated a TCPA case. Take a screenshot or copy the link and post it in the discussion area--remember that you might find these as you shop offline and if you can snap a picture of them, that's great.

2) I’d like to spend some time discussing “platform liability” for text messages. Please look at these services—can you tell what policies and procedures they have in place to deal with the problem that users might employ the services for illegal telemarketing? Be sure to look at the terms of service, privacy policy, and other disclosures surrounding enrollment. Oops! Groupme was recently bought by Microsoft. The old terms are here and the privacy policy here.

Mon Nov 6

Marketing Part 2 

Please read FTC Privacy Law & Policy 240–249; 259–267.

Wed Nov 8

Discussion: Marketing Part 2

For the discussion, please:

  • 1) Consider CAN-SPAM: The CAN-SPAM rules are under review this year. Given your experience with commercial email, consider what regulatory changes would you recommend to the FTC?
    • Are there technical or legal changes that would help the private sector or consumers better comply with the law, distinguish between commercial and non-commercial mail, enable filtering, and so on?
  • 2) Find an example of software that potentially could be spyware. Upload a link to the discussion page. Look at the software’s marketing, privacy policy, and related disclosures. Consider how it is using legal language and technology to avoid liability.
Mon Nov 13

Financial Privacy

Please read Federal Trade Commission Privacy Law and Policy, Chapter 10 (268–305) 

Wed Nov 15

International Privacy

Class, for our last sessions, we will look at how the European Union is shaping privacy norms in the U.S. This is a quickly changing subject matter. For background, please read:

Thurs Nov 16

Optional Event: Professor Christine Borgman (UCLA Info Studies) will speak on Open Data, Trust, and Stewardship: Universities at the Privacy Frontier. Thursday, Nov. 16th from 3:30–5 at the Faculty Club. Register here.

Mon Nov 20

Discussion: International Privacy

+MD Final Presentation on Blockchain Analysis

Class, assume that you work for Quantcast (, focusing on the company's measurement product ( --check out the metrics on some websites of interest to you). Quantcast is among the most successful web measurement companies--it can figure out how many people visit a website and their basic demographics. It does this by encouraging website owners to place a beacon on their site that transmits data to Quantcast. Quantcast uses cookies to track these persistent and unique identifiers across sites. After becoming familiar with how Comcast Measure works, consider two problems that you face as the GDPR comes into effect in 2018:

1) Europeans who visit US-based websites, and demand access or challenge your processing of their data as "illegitimate."

2) Whether and how you can place Quantcast measure beacons on EU-based web services (which presumably will move European's data outside the EEA). Do you sign a standard contractual clause with the European web service, or try to transfer data under the new EU-US Privacy Shield?

Wed Nov 22

No class--Thanksgiving break

Mon Nov 27

Final Presentations

KF & KH Alexa/Echo 27-Nov
AD Mint 27-Nov
VS & WT Uber 27-Nov
MG & JM Data Broker 27-Nov
JO & SC Venmo 27-Nov
Wed Nov 29

Final Presentations

ML & LN TBD 29-Nov
KB & KB Beacons/Ultrasonic Tracking 29-Nov
JC, BO, & KC Real Quantum 29-Nov
SS Google's AI cameras (Pixel and Clips). 29-Nov
SN OnStar 29-Nov
MR Spotify 27-Nov


Course Summary:

Date Details Due