Course Syllabus

Privacy Law for Technologists

Professor Chris Hoofnagle
Info 236: Privacy Law for Technologists (Lec 001, CCN 32366)
Law 276.72: Privacy Law for Technologists (Lec 001, CCN 32261)
Mondays and Wednesdays from 11:20-1:00 in South Hall 210.

Office Hours: Thursdays from 10-12 in South Hall 212.

Information privacy law profoundly shapes how internet-enabled services may work. Privacy Law for Technologists will translate the regulatory demands flowing from the growing field of privacy, information security, and consumer law to those who are creating interesting and transformative internet-enabled services. The course will meet twice a week, with the first session focusing on the formal requirements of the law, and the second on how technology might accommodate regulatory demands and goals. Topics include: Computer Fraud and Abuse Act (reverse engineering, scraping, computer attacks), unfair/deceptive trade practices, ECPA, children’s privacy, big data and discrimination (FCRA, ECOA), DMCA, intermediary liability issues, the anti-marketing laws, the GDPR, and new for 2019, the California Consumer Privacy Act.

The required textbook for this class is my book (how opportunistic!): FTC Privacy Law and Policy (CUP 2016) But here is the good news: I negotiated a good price for it (about $37 in softcover), and there are several ways that you can get the content free. For instance, if you use the UCB VPN and go to Cambridge Books online, you can download a PDF of the whole book free.


This course is more demanding than it appears at first. Each week, you will be asked to learn substantive law, and then discuss how that law (or its policy goals) could be met with technology. This is a challenging exercise for both School of Information and School of Law students. Your participation in discussions (quality over quantity) is essential and is 30% of your grade. The remaining 70% comes from your final presentation.

Final presentation: you may work alone or in a group. Choose a service or a product of interest to you and prepare a presentation (no more than 10 minutes, and there will be a strict time limit) on how its privacy and/or security could be improved based on what you have learned in the course. You may work in a team for this presentation. Your presentation should identify the service or product's privacy/security implications, and discuss technological fixes, including the benefit and costs of the approach. Please identify your team and topic by March 7th.

APM-015 Part II statement

This course will deal with material concerning current events and exploration of government actions and their possible consequences. Class discussion will feature such material.

BCLT Certificate

Law students: Hoofnagle's courses count toward's BCLT's certificate program.

Date Assignment
W Jan 23

Introduction to the Course; Privacy

Please read:

Note, UCB subscribes to everything under the sun. If the link to the Otto/Anton paper does not work, be sure you have the UCB library proxy set up, or use the VPN. Either of these resources will give you subscribed access to pretty much anything. 

M 28 Jan

Privacy by Design

This week we will get into focus on a relatively-new movement in consumer protection: privacy by design (PbD). Generally attributed to former information and privacy commissioner of Ontario, Ann Cavoukian, privacy by design has increasing relevance in regulatory frameworks--the FTC has explicitly called. for companies to consider it and it is an important element of the European General Data Protection Regulation (GDPR). We'll see that PbD isn't so easy and think about the incentive structures that are congruous and incongruous with PbD.

Please read:

W 30 Jan

Discussion: Privacy by Design

On an abstract level, privacy by design appears to be a useful approach to addressing technical choices. Today's discussion will focus on the mechanics of making privacy by design workable. We will consider the incentive conflicts in privacy by design, some case studies, and examples of privacy by design that you encounter in your role as consumer. For discussion, please:

  1. Read Ira Rubinstein & Nathan Good, Privacy by Design: A Counterfactual Analysis of Google and Facebook Privacy Incidents, 28 Berkeley Technology Law Journal 1333 (2013). < This paper is co-authored by a School of Info PhD (Good) and won an award at the Privacy Law Scholars Conference.
  2. Think about the products and services you use--find an example where privacy by design has been applied, or where you think it might be applied effectively. Come prepared to discuss your example in light of this week's readings. Post your example in the discussions area of bCourses.

W/r/t #2--and for future discussion assignments--feel free to work in a group to develop examples. Be sure to identify your group in your bcourses post.

M 4 Feb

No class; Hoofnagle is out of town

W 6 Feb

California Consumer Privacy Act Mini-Module

Class, my travel breaks up our lecture/discussion format, so let's do both lecture and discussion in one day for this topic. The California Consumer Privacy Act takes effect in 2020. Enacted in a hurry in order to block the likely passage of a legislative initiative, the CCPA is likely to be amended before its effective date, but the fundamental protections it contains will likely stay in place. What does the CCPA mean for information-intensive businesses? The CCPA delegates responsibilities to the CA Attorney General on many issues--how should the AG handle this?

Please read:

*Class, please note, I've updated the reading. Please read the redline instead of AB 375. This is much easier to read.

California Consumer Privacy Act Redline 

California Consumer Privacy Act (AB 375 as enacted).

M 11 Feb

Unfair and Deceptive Acts and Practices

This week we will study Unfair and Deceptive Acts and Practices (UDAP) law. UDAP law forms a baseline of regulation for technology in the US. Consumer law thus forms the broadest kind of technology regulation, and it frames and constrains how we think about technology and fairness. In addition to the federal UDAP law, the Federal Trade Commission Act (FTC Act), states have their own versions of UDAP statutes, and some of these are broader than federal law.

Please read: Federal Trade Commission Privacy Law and Policy Chapter 5 (119–141).


W 13 Feb

Discussion: Unfair and Deceptive Acts and Practices

In preparation for discussion, please take these three steps:

Please read the following policy guides on modern advertising techniques

Be prepared to discuss how you might implement policy or technological interventions to promote compliance with the various rules we learned about UDAP and the more specific policies set forth by the FTC in the policy statement and guides above. You could think of the problem from at least two ways--as a FTC lawyer or technologist, or as a company that is selling products that wants to avoid affiliate marketers and others from engaging in deception (e.g. in LeanSpa, the company was held liable for 3rd party affiliate marketers who created fake news sites).

M 18 Feb

No class--Presidents' day holiday

W 20 Feb 

FTC Privacy Part 1

Class, last week we discussed the basics of unfair and deceptive practices acts. This week and next we look at how the law of unfair and deceptive trade practices apply to online privacy issues. For the lecture, please read:

Federal Trade Commission Privacy Law and Policy, Chapter 6 (145–192). It is a lot of reading, but we'll use this same reading for this week and next.

M 25 Feb

Discussion: FTC Privacy Part 1

Let us start with privacy policies. For this discussion exercise, feel free to work in a group. Find a privacy policy from a website or service that you are interested in (try to select one that is not too long or intractable). Prior to class, place the text in to Microsoft Word or Google Docs, and highlight these elements in different colors:

1) Disclosures you think are "material" under the FTC Act.

2) Text that specifies affirmative obligations on the website/service (we shall do x).

3) Text that specifies restrictions on the website/service (we will not do y).

4) Text that gives the user some choice (opt in or opt out).

Post your policy or a link to it in the discussion board, and be prepared to discuss what you found and what puzzles/intrigues you about the privacy policy. We will discuss these four elements both from the lens of the requirements and prohibitions of the FTC Act, and from the perspective of what administrative and technical infrastructure must exist behind the scenes to implement these privacy policies.

W 27 Feb

FTC Privacy Part 2

For this part, please:

1) Review the reading from last week (Federal Trade Commission Privacy Law and Policy, Chapter 6).

2) Read the FTC report, Internet of Things: Privacy & Security in a Connected World (2015).

M 4 Mar

Discussion: FTC Privacy Part 2

Discussion this week will focus on the internet of things (IoT). It will become clear that the IoT presents one of the most difficult regulatory challenges for privacy. Our goal will be to consider how the FTC might apply its tools to police the IoT sector, and how we might engineer IoT devices differently in order to protect consumers.

To prepare for the discussion, please choose a consumer product that is now sold as "connected." An example is door locks--these are bronze-age inventions that are now offered in "internet connected" formats. Give thought to the potential new benefits that come from internet connectivity for this product. What new functions will be enable? What knock-on effects will these functions create? What new societal tensions will internet connectivity introduce? How might we introduce privacy by design or other engineering principles to steer this technology toward FTC compliance?

W 6 Mar

 FTC Security & Security Breach Notification

For this lecture, please:

Th 7 Mar

Please identify your final project + team by this date.

M 11 Mar

Discussion: Security Frameworks 

For this discussion, we will divide into groups to analyze and present several different security standards. Note that the security standards we are visiting here are not law, exactly. They are often developed with the private sector and required by private contract or through procurement standards.

Group 1: Cover ISO 27000/27001/27002. These standards are not publicly available--they have to be licensed. However, Professor Georg Disterer has written a good overview of these standards. See, Georg Disterer, ISO/IEC 27000, 27001 and 27002 for Information Security Management, 4(2) Journal of Information Security (2003).

Group 2: Cover NIST 800-53 (Rev 4). This is a 460 page document. Suffice it to say that it would be a waste of time to read the whole thing. Instead, start with the NIST Summary, and then look at chapters 1, 2, and appendixes F, G, and J. In the process, be sure to note any controls that you find particularly useful or underexamined in the course so far.

Group 3: Cover PCI-DSS (Ver. 3.2). PCI-DSS governs the acceptance of credit and debit cards. This is a long document as well. You might start by looking at the "quick" reference guide :) and the sample reporting form.

Group 4: NIST Cybersecurity Framework. You will see the NIST framework in practice because financial regulators and the SEC have urged companies to implement it. A good starting point for understanding the framework is the FAQ on the NIST website.

All groups: do some searching and try to determine who uses your group's standard and why. You'll find that many companies do state their security standard in product specification sheets and regulatory findings.

Group assignments: TBD

W Mar 13

Children's Privacy 

Read Federal Trade Commission Privacy Law and Policy, Chapter 7 (193–215).

M Mar 18

Discussion: Children's Privacy

Class, for our discussion, please spend about an hour looking at a specific COPPA-regulated service (remember--it can be a website, app or other internet "service.") Pay specific attention to the privacy policy (how it differs from the non-COPPA service you looked at weeks ago) and parental consent mechanisms. Overall, do you think the service meets the privacy and security goals of the COPPA? If you want a refresher on COPPA requirements, this guide from the FTC is very good. Also here are this week's slides.

We'll discuss the differences between COPPA and non-COPPA sites during our discussion, and then do a short, in-class exercise focused on monetizing COPPA regulated sites.

W Mar 20

The Stored Communications Act and Law Enforcement Agency (LEA) Requests 

Please read Orin Kerr's A User's Guide to the Stored Communications Act, and a Legislator's Guide to Amending it, 72 George Washington Law Review 1208 (2004), pages 1208–1233.

M Mar 25
W Mar 27

No class, spring break

M Apr 1

Discussion: The Stored Communications Act and Law Enforcement Agency (LEA) Requests

Class, for this discussion, we are going to consider a series of different LEA requests for user information.

In order to prepare, could you:

1) Read the entire assignment, including the requests that the other groups are receiving. It's not a lot of reading--about 20 pages in total.

2) Give some thought to how you might respond to the request from the lens of your client/company? Is there anything special about your business model that would affect how you want to respond? What steps should you take to comply? What information should your company disclose in response to the request? What should it not provide?

In class, we'll divide into groups for 20-25 minutes, and then discuss with the whole class the steps and issues you think are important to responding.

Group 1: You work for the Internet Archive. Your Chief Security Officer (CSO) receives a call from the FBI, and Agent Jones says she is going to come in person to the Internet Archive office this afternoon with a request for information (nov2007_nsl_edited.pdf). Agent Jones appears, shows you this letter on FBI letterhead, allows you and the CSO to read it, but does not allow you to keep a copy.

Group 2: You work for a telecommunications carrier Sprint. Your company operates a law enforcement response office 24/7. This request appears in the fax machine (Sprint - Nextel Exigent Circumstances Form_edited.pdf) from Irvine PD. You do a quick Google search and turn up this guide for Cell Tracking Requests from Irvine's police department. (celltrackingpra_irvine4_irvineca.pdf).

Group 3: You are the publisher of a well-established libertarian magazine, You receive this grand jury subpoena (reason_gjs.pdf). Warning: this case involves threats and there is nasty language in it.

Feeling a bit at sea? That's totally normal! Companies receive these processes out of the blue, with no context, and often without their counsel present. We'll work through the issues together.

W Apr 3

Wiretapping, Consumer Protection, and LEA Requests 

Please read

M Apr 8

Discussion: Wiretapping, Consumer Protection, and LEA Requests 

From the lecture it should become clear that many new consumer services "intercept" the human voice. There are obvious examples, such as in-home assistants (Amazon Echo, Google Home), devices that sometimes respond to human commands (such as Smart TVs), and perhaps some less obvious ones--consider that your phone may be "listening," or that you might use a "wearable" device that captures information in your interpersonal life.

There is almost no caselaw concerning these products and services--the closest we have are the Deep Packet Inspection cases, the Google Gmail Scanning Litigation, and the Google Street View Wifi Scanning cases.

For our discussion, we'll focus on what companies in this space are doing to comply with the federal Wiretap Act and state laws on interception of voice. To prepare

  • Please identify a product or service that captures the human voice and post it to the discussion page.
  • Try to determine how the company is dealing with the Wiretap Act issues I discussed in lecture. This might be apparent from the privacy policy, the terms of service, or aspects of the product's design
  • Give some thought to "secondary" parties that might be near the device. While you may have agreed to having your television capture your voice, visitors to your home presumably have not. What can the law or tech do about that problem?
W Apr 10


Please read FTC Privacy Law and Policy pages 236–240; 249–259.

We'll also do a final presentation by ES, ND, & MC

M Apr 15

Discussion: Marketing 

To prepare for our discussion, please:

1) As you visit stores in person or on the web, take note of companies that wish to enroll you in text marketing. Here's an example from FEMA, and here's another from a company that recently litigated a TCPA case. Take a screenshot or copy the link and post it in the discussion area--remember that you might find these as you shop offline and if you can snap a picture of them, that's great.

2) I’d like to spend some time discussing “platform liability” for text messages. Please look at these services—can you tell what policies and procedures they have in place to deal with the problem that users might employ the services for illegal telemarketing? Be sure to look at the terms of service, privacy policy, and other disclosures surrounding enrollment. Oops! Groupme was recently bought by Microsoft. The old terms are here and the privacy policy here.

W Apr 17 Final Presentations See discussion for schedule.
M Apr 22 Final Presentations
T Apr 23

Boalt Hall Room 107 11:20-12:20

Last day for law students; Final presentations

W 24 Apr

Marketing Part 2 

Please read FTC Privacy Law & Policy 240–249; 259–267.

M 29 Apr

International Privacy Part 1

Class, for our last session, we will look at how the European Union is shaping privacy norms in the U.S. This is a quickly changing subject matter. For background, please read:

W 1 May

International Privacy Part 2

  • No new reading


Course Summary:

Date Details Due