Chapter 31 Exercises: Privacy as a Right
Exercise 31.1 — The Warren/Brandeis Argument Applied
Type: Written analysis | Difficulty: Intermediate | Time: 30 minutes
Samuel Warren and Louis Brandeis wrote "The Right to Privacy" in 1890 in response to portable cameras and intrusive journalism. Their core argument: existing law (property, contract, defamation) was insufficient to protect a new kind of harm — unwanted exposure of private life.
Part A: Read the following excerpt carefully:
"The common law secures to each individual the right of determining, ordinarily, to what extent his thoughts, sentiments, and emotions shall be communicated to others. Under our system of government, he can never be compelled to express them (except upon standing in a court of justice); and even if he has chosen to give them expression, he generally retains the power to fix the limits of the publicity which shall be given them."
— Warren & Brandeis, 1890
Part B: Identify a contemporary surveillance technology or practice that you believe represents a harm that existing law inadequately addresses. Write a 400-500 word argument in the style of Warren and Brandeis: - Name the specific harm - Explain why existing legal frameworks (tort law, contract, Fourth Amendment) fail to address it - Articulate what new legal protection is needed - Ground your argument in a concept of personhood or dignity, not just property
Part C: Share your argument with a partner. Together, identify: What assumptions about privacy is your argument making? Do those assumptions hold across all social groups?
Exercise 31.2 — Mapping the Sectoral Patchwork
Type: Research and visual mapping | Difficulty: Beginner | Time: 45 minutes
The United States uses a "sectoral" approach to privacy law — different laws for different types of data and different industries.
Instructions:
Create a visual map (diagram, table, or annotated chart) of U.S. federal privacy protections. For each law below, identify: 1. What type of data or sector it covers 2. Who the law applies to (which organizations) 3. What rights individuals have under the law 4. The most significant gap or limitation
Laws to map: - HIPAA - FERPA - COPPA - ECPA - GLBA (Gramm-Leach-Bliley Act) - FCRA (Fair Credit Reporting Act) - VPPA (Video Privacy Protection Act)
After completing your map, write a 200-word reflection: Which of your personal data activities falls into the largest unprotected gap? What would it take to close that gap?
Exercise 31.3 — Third-Party Doctrine Moot Court
Type: Structured debate/role play | Difficulty: Intermediate | Time: 60-90 minutes (group)
Setup: The class is divided into three groups.
Scenario: It is 2019, one year after Carpenter v. United States. A new case is before the Supreme Court: United States v. Reyes. The government, without a warrant, obtained from a social media company: - All posts (public and private) made in the past two years - All private messages sent during that period - All location check-ins - All "likes" and reactions - IP address logs for every login
The defendant argues this violates the Fourth Amendment. The government argues the third-party doctrine means this information is not protected.
Group Assignments: - Group 1 (Government): Argue that the third-party doctrine applies. Prepare a 5-minute opening argument and responses to anticipated objections. Use Smith v. Maryland and distinguish or limit Carpenter. - Group 2 (Defense): Argue that Carpenter's reasoning extends to social media records. Prepare a 5-minute opening argument. Address why social media data is more like CSLI than like phone numbers. - Group 3 (Justices): Prepare 6 questions to ask each side. After arguments, deliberate and write a one-paragraph holding with brief reasoning.
Debrief: After the moot court, the full class discusses: What principle, if any, should determine when the third-party doctrine applies in digital contexts?
Exercise 31.4 — GDPR vs. US Law Comparison
Type: Comparative analysis | Difficulty: Intermediate | Time: 40 minutes
Part A — Rights inventory: Create a two-column table comparing what rights a person has under GDPR versus under US law (CCPA for California residents; federal law for non-Californians):
| Right | Under GDPR | Under CCPA (CA only) | Under US Federal Law |
|---|---|---|---|
| Access your data | |||
| Delete your data | |||
| Correct your data | |||
| Object to processing | |||
| Data portability | |||
| Opt out of automated decisions | |||
| Limits on data sharing |
Part B — Analysis: Based on your table, write a 300-word response to the argument: "The US approach respects freedom and innovation while GDPR is regulatory overreach that harms both businesses and consumers." Do you agree? Partially agree? What does the evidence support?
Part C — Perspective-taking: Rewrite your analysis from the perspective of: (a) a data broker whose business depends on selling personal information, and (b) a domestic abuse survivor whose location data has been sold to a stalking-app service.
Exercise 31.5 — Your Data Access Request
Type: Experiential/practical | Difficulty: Beginner | Time: 1-2 hours (plus waiting for response)
Instructions: Submit a real data access request to at least two organizations. Options include:
Option A (GDPR path): If you use services based in the EU (or any large tech company with GDPR obligations), submit a Subject Access Request: - Google: takeout.google.com (data download) or submit SAR via Google's privacy center - Meta (Facebook/Instagram): Settings > Your Facebook Information > Download Your Information - Spotify: Submit SAR via privacy@spotify.com or their privacy portal
Option B (CCPA path, California residents): Submit a "Right to Know" request to a company you use regularly. Most large companies have a "Do Not Sell My Personal Information" or "Privacy Rights" page.
Option C (Data broker path): Submit opt-out requests to five data brokers: - Spokeo.com/optout - WhitePages.com (their suppression page) - BeenVerified.com/opt-out - Intelius.com/optout - PeopleFinder.com (opt-out via email to optout@peoplefinder.com)
Reflection questions (500 words minimum): 1. What data did you find or what was the opt-out process like? 2. Were you surprised by anything you found or encountered? 3. How easy or difficult was the process? What barriers did you encounter? 4. What does this experience tell you about the practical reality of privacy rights? 5. If you received a data response: What would a complete stranger learn about you from this data? How comfortable are you with that?
Exercise 31.6 — The Opt-In/Opt-Out Policy Design Challenge
Type: Policy design | Difficulty: Advanced | Time: 45-60 minutes
The United States structures most data privacy protection around opt-out (surveillance is the default; you must affirmatively act to limit it). The EU, through GDPR consent requirements, moves toward opt-in for many uses (your consent must be obtained before collection for many purposes).
Part A: Write a one-page brief making the strongest possible argument for an opt-in default for data broker collection of personal information. Address: - What problem opt-in solves - Anticipated objections (economic costs, chilling effects on legitimate uses) - How the policy should be structured in practice
Part B: Write a one-page brief making the strongest possible argument for the opt-out default. This is an exercise in steelmanning — argue the position as well as you possibly can, not as a straw man. Address: - What legitimate values opt-out protects - Why opt-in might be unworkable or counterproductive - Who benefits from the opt-out default and why that might be legitimate
Part C: Having made both arguments, state your own position in 150 words. What should the default be, and why?
Exercise 31.7 — Carpenter Decision Close Read
Type: Legal text analysis | Difficulty: Advanced | Time: 45 minutes
Instructions: Read the following excerpt from Carpenter v. United States (2018) and answer the questions that follow.
"There is a world of difference between the limited types of personal information addressed in Smith and Miller and the exhaustive chronicle of location information casually collected by wireless carriers today. The Government thus is not asking for a straightforward application of the third-party doctrine, but instead a significant extension of it to a distinct category of information."
"A person does not surrender all Fourth Amendment protection by venturing into the public sphere. To the contrary, 'what [one] seeks to preserve as private, even in an area accessible to the public, may be constitutionally protected.' Katz. One need not reflect on their movements every single time they leave home in order to retain Fourth Amendment protection."
— Chief Justice Roberts, Carpenter v. United States, 585 U.S. ___ (2018)
Questions: 1. What distinction is Roberts drawing between Carpenter and Smith v. Maryland? Is it a principled distinction or a pragmatic one? 2. Roberts says Carpenter "does not surrender all Fourth Amendment protection by venturing into the public sphere." How does this interact with the Katz "reasonable expectation of privacy" test? 3. Four Justices dissented in Carpenter. Justice Kennedy wrote: "The majority opinion... guarantees a blizzard of litigation while accomplishing little." What do you think he meant? Is he right? 4. What categories of digital data do you think should receive Carpenter-style protection? Why? What principle guides your answer? 5. Carpenter was a 5-4 decision. What does the closeness of the vote tell us about the state of Fourth Amendment jurisprudence in the digital age?