Chapter 31 Quiz: Privacy as a Right

Instructions: Choose the best answer for each question. Some questions may have more than one defensible answer — be prepared to explain your reasoning.


1. Samuel Warren and Louis Brandeis published "The Right to Privacy" in 1890. What was the primary legal innovation of their argument?

a) They created a new property right in personal information
b) They grounded privacy in personhood rather than property or contract
c) They argued the Fourth Amendment protected personal correspondence
d) They proposed a federal privacy statute for the first time

Answer: b — Warren and Brandeis argued for privacy as "inviolate personality" — a right grounded in the person rather than in property relationships. This was the conceptual break from prior legal thinking.


2. Which of the following correctly states the third-party doctrine as established in Smith v. Maryland (1979)?

a) Third parties who share your data without consent violate your Fourth Amendment rights
b) Information voluntarily shared with a third party loses Fourth Amendment protection
c) The government must obtain a warrant before accessing records held by private companies
d) Third-party doctrine applies only to communications content, not metadata

Answer: b — The third-party doctrine holds that when you voluntarily share information with a third party (such as a phone company or service provider), you assume the risk that they may share it with the government, and thus lose Fourth Amendment protection for that information.


3. In Katz v. United States (1967), the Supreme Court held that Charles Katz had a Fourth Amendment right protecting conversations in a public phone booth. What was the key principle established?

a) Physical trespass onto property is required for a Fourth Amendment violation
b) Public spaces are never protected by the Fourth Amendment
c) The Fourth Amendment protects people, not places — based on reasonable expectations of privacy
d) Wiretapping without a warrant is always unconstitutional

Answer: c — Justice Stewart wrote that "the Fourth Amendment protects people, not places." Justice Harlan's concurrence established the two-part "reasonable expectation of privacy" test that remains controlling.


4. Carpenter v. United States (2018) required the government to obtain a warrant before accessing cell site location information (CSLI). Which of the following was NOT a key reason the Court distinguished CSLI from the phone numbers at issue in Smith v. Maryland?

a) CSLI is more comprehensive, providing a near-perfect record of movements over time
b) CSLI reveals intimate details of life — medical appointments, religious affiliations, relationships
c) CSLI is collected involuntarily as a function of using a cellular network
d) CSLI is protected by HIPAA as a form of health information

Answer: d — HIPAA was not relevant to the Carpenter decision. The Court's reasoning focused on comprehensiveness, intimacy, and involuntariness of CSLI collection, distinguishing it from the limited phone records in Smith.


5. Which of the following best describes the United States' approach to privacy law, in contrast to the EU's approach?

a) Comprehensive federal statute covering all types of personal information
b) Sector-specific laws that protect different types of data in different contexts
c) Constitutional right to privacy that covers all government and private collection
d) No privacy protection of any kind for individuals

Answer: b — The United States uses a sectoral approach: HIPAA for health, FERPA for education, COPPA for children's online data, etc. There is no comprehensive federal privacy law covering all types of personal information.


6. HIPAA's privacy protections apply to "protected health information" held by "covered entities." Which of the following would NOT be a covered entity under HIPAA?

a) A hospital billing department
b) A health insurance company processing claims
c) A period-tracking smartphone application
d) A pharmacy transmitting prescription information

Answer: c — Period-tracking apps are not HIPAA covered entities. HIPAA applies to healthcare providers, health plans, and healthcare clearinghouses. Commercial apps that collect health-related data — including period trackers, mental health chatbots, and fitness trackers — are not subject to HIPAA.


7. Which of the following correctly describes the GDPR's principle of purpose limitation?

a) Data may only be collected for purposes that benefit the user, not the company
b) Data collected for one purpose may not be used for incompatible purposes without a new legal basis
c) The amount of data collected must be limited to one category of information per request
d) Companies must limit data collection to European Union residents only

Answer: b — Purpose limitation means that personal data collected for a specific, stated purpose cannot be repurposed for something incompatible with the original purpose (such as collecting data to fulfill a contract and then using it for behavioral advertising) without obtaining a new legal basis.


8. The "right to be forgotten" (right to erasure) under GDPR allows individuals to request deletion of their personal data. Under what circumstance is this right most clearly applicable?

a) When the data is true but the data subject is embarrassed by it
b) When data is no longer necessary for the purpose for which it was collected
c) Any time the individual prefers the data be deleted
d) Only when the data was collected unlawfully in the first place

Answer: b — The right to erasure is strongest when data is "no longer necessary in relation to the purposes for which it was collected" — a purpose limitation argument. The right is more contested when data is still needed for a legitimate purpose, when free expression is implicated, or when there is a public interest in retention.


9. Warren and Brandeis identified four harms that their proposed privacy tort would address. William Prosser later systematized these into the "four privacy torts." Which of the following is NOT one of the four recognized privacy torts?

a) Intrusion upon seclusion
b) Appropriation of name or likeness
c) Discriminatory disclosure based on protected characteristics
d) False light

Answer: c — The four privacy torts are: (1) intrusion upon seclusion, (2) public disclosure of private facts, (3) false light, and (4) appropriation of name or likeness. Discriminatory disclosure is not one of the four torts, though it may give rise to claims under anti-discrimination law.


10. The California Consumer Privacy Act (CCPA) includes a "private right of action" provision. What does this mean?

a) Only the California Attorney General may sue companies for CCPA violations
b) Consumers can sue directly — without waiting for government enforcement — for certain CCPA violations
c) Companies have a private right to challenge CCPA through arbitration instead of courts
d) CCPA gives consumers the right to demand compensation even when no harm occurred

Answer: b — The CCPA's private right of action allows consumers to sue companies directly (for certain types of violations, particularly data breaches) without relying on the California Attorney General to bring enforcement actions. This is significant because it creates a direct accountability mechanism.


11. The Foreign Intelligence Surveillance Act (FISA) creates a separate legal framework for national security surveillance. Which of the following best describes the FISA Court?

a) A public federal court that publishes all of its decisions
b) A secret court that meets in a secure facility and whose decisions are classified
c) An international tribunal that reviews surveillance of foreign nationals
d) A congressional oversight body that approves intelligence programs

Answer: b — The FISA Court (officially the Foreign Intelligence Surveillance Court, or FISC) is a secret court that meets in a secure facility. Its decisions are classified, with limited exceptions. This secrecy has been criticized as undermining accountability.


12. When Jordan Ellis submitted opt-out requests to data brokers, they were required to provide a photograph of their driver's license. What does this requirement illustrate?

a) Data brokers have legitimate security needs to prevent fraudulent opt-out requests
b) The irony that exercising privacy rights often requires surrendering more personal information
c) CCPA allows data brokers to require additional data as a condition of processing opt-out requests
d) All of the above

Answer: d — All three answers reflect aspects of the situation. The requirement does create a genuine irony (surrendering data to protect data). It does reflect data brokers' claimed need to verify identity. And it does raise questions about whether privacy law should allow such requirements as a condition of exercising privacy rights.


13. Article 12 of the Universal Declaration of Human Rights and Article 17 of the ICCPR both protect privacy. How do these international human rights protections differ from, say, the U.S. Fourth Amendment?

a) International protections are stronger because they apply to both government and private actors
b) International protections are aspirational or binding treaty commitments but lack strong enforcement mechanisms
c) International protections don't apply to the United States because it has not signed these documents
d) International protections apply only to citizens, not residents, of signatory states

Answer: b — The UDHR is aspirational (not a binding treaty); the ICCPR is a binding treaty but enforcement relies on the Human Rights Committee's monitoring rather than direct legal enforcement. The U.S. has signed both documents. Neither has a strong enforcement mechanism equivalent to a domestic constitutional court.


14. The GDPR requires organizations to appoint a Data Protection Officer (DPO) in certain circumstances. What is the DPO's role?

a) To advocate for the organization's data interests before regulatory authorities
b) To ensure the organization complies with data protection law and to serve as contact for data subjects and regulators
c) To review and approve all data collection practices before they are implemented
d) To represent data subjects in disputes with the organization about their data

Answer: b — The DPO is an internal role responsible for ensuring GDPR compliance. The DPO must be independent within the organization, must not receive instructions from management on the performance of their tasks, and must be a contact point for data subjects and regulatory authorities.


15. Which of the following best explains why the third-party doctrine has become inadequate in the digital age?

a) Digital data is more sensitive than analog data, so it deserves stronger protection
b) The "voluntary" sharing assumption fails when engaging with third parties is a practical requirement of modern life
c) Digital companies are more powerful than the phone companies that existed when Smith was decided
d) Digital data can be used to commit more serious crimes than phone records

Answer: b — The core problem is that the doctrine assumes voluntary sharing as a meaningful choice. When using email, carrying a mobile phone, and having a bank account are functional requirements of modern economic and social life, the "voluntary" premise becomes untenable. The person who "chooses" to share their location with their carrier doesn't have a meaningful alternative while remaining in modern society.


16. Which legislation protects the privacy of student education records and grants students (over 18) or parents access rights?

a) HIPAA
b) COPPA
c) FERPA
d) ECPA

Answer: c — The Family Educational Rights and Privacy Act (FERPA) of 1974 protects student education records. It applies to educational institutions that receive federal funds, grants access rights to parents and eligible students, and requires written consent for most disclosures to third parties.


17. GDPR's enforcement has been criticized for being concentrated in Ireland. Why?

a) Ireland has the strongest data protection authority in the EU
b) Ireland is where most technology companies have their European headquarters for tax reasons, meaning the Irish Data Protection Commission handles their cases
c) The GDPR designates Ireland as the lead enforcement jurisdiction for digital privacy
d) Ireland's courts have ruled GDPR applies retroactively, making it more powerful there

Answer: b — Many large technology companies (Meta, Google, Apple, Twitter/X, LinkedIn) have established their European headquarters in Ireland partly for tax reasons. Under GDPR's "one-stop shop" mechanism, the data protection authority in a company's main EU establishment has lead supervisory authority. This has meant the Irish DPC handles an outsized share of major cases, and critics have questioned whether Ireland (as a small nation eager for tech company investment) is sufficiently aggressive in enforcement.


18. Warren and Brandeis wrote that the right of privacy protects "inviolate personality." Justice Brandeis later wrote (dissenting in Olmstead v. United States, 1928) that the right to be let alone is "the right most valued by civilized men." Which of the following is the strongest critique of grounding privacy in personhood rather than in specific economic or social harms?

a) Personhood-based rights are too broad and could be used to challenge any unwanted observation
b) Personhood-based privacy arguments have historically been more protective of wealthy people whose dignity claims courts found sympathetic, while marginalized people's privacy claims were ignored
c) Privacy rights based on personhood are incompatible with the First Amendment
d) Personhood is a cultural concept that varies across societies and cannot serve as a universal legal foundation

Answer: b — The strongest structural critique is that privacy as personhood has worked best for people whose personhood courts were prepared to recognize and respect. Enslaved people, Indigenous people, immigrants, and people in poverty have historically had their claims to privacy rejected even when the theoretical framework should have supported them. This doesn't invalidate the personhood concept, but it demands attention to how it is applied.


Score interpretation: 16-18 correct — Excellent mastery of legal framework | 13-15 — Good understanding with some gaps | 10-12 — Review sections 31.2–31.6 | Below 10 — Revisit the full chapter before proceeding