What’s Next for the Experiential Privacy & Technology Course?

As I previously wrote in this post, I recently hit a pause on academia. I previously wrote about teaching my experiential Privacy Technology course at Santa Clara University School of Law’s leading privacy law program here, here, and here. In this post, I specifically reflect on my first teaching experience this past spring 2021 semester.

I first share about what went right, what went wrong, and what could be improved on. In addition to my reflections, I provide a link to updated course materials for others to iterate on.

What Went Right …

I worked closely with Professor Goldman on the course development and design. This meant I had the benefit of his years of law school teaching experience. I also took it upon myself to consult with other privacy professors, including Profs. Solove and Hartzog, for any pitfalls I should look out for in teaching law school. As a result, I credit them for helping me get a few things right:

1. We prepared for potential gender, age, and racial challenges that I would face in teaching law students. Having been a law student once, I was intimately familiar with law students’ nature to question rules and find loopholes, by default. My colleagues flagged how gender, age, and racial factors could potentially increase the students’ propensity to question authority. I set clear boundaries from the beginning. For example, I explicitly called out rules in the syllabus for many potential issues surrounding grading, group work, participation, attendance, and so on. In addition to clearly setting out rules in the syllabus, I also started the course detailing course goals and expectations. For example, the students met with their groups to draw up a “team contract” for how they would work together throughout the semester.
2. We specifically anticipated individual and group grading challenges. Perhaps the most common use case of law students challenging their professors involves grades. Knowing this, I set clear grading expectations and a grading rubric for each course deliverable. Having the predefined and previously communicated rules, I was able to point to them when a handful of students raised anticipated grading-related questions.
3. We also accounted for challenges in dealing with real-life technical and business leaders who have competing priorities. I wanted the students to learn early on that in order for them to get anywhere in pushing their privacy agenda, they must recognize and accept that others will not share the same priority. By accepting this reality, the law students can then address it a few ways. First, they can take initiative in chasing down the stakeholders and cross-functional groups that they need to get on board to accomplish their privacy agenda. This means following up and scheduling meetings, as necessary, instead of just waiting for a response that may never come. Second, they can put themselves in others’ shoes to better understand others’ priorities for the purpose of finding common ground. Good privacy practitioners are able to find ways to align their privacy agenda with other stakeholders and cross-functional groups’ agendas.
4. The experiential nature of the course lent itself to class participation. Having heard from other professors’ class participation challenges with “Zoom University,” I was particularly concerned about disinterested students. I addressed this by building in plenty of interaction into the course — it is an experiential course, after all. Students were exposed to group work, leading privacy practitioners as guest lecturers, hypothetical problems based on real situations, in addition to the traditional Socratic method we’ve come to expect from law school. I also think it helped that the course was only open to Santa Clara Law students who had previously demonstrated interest in privacy, either through Santa Clara Law’s privacy law certificate program or through completion of a privacy-related prerequisite. The students’ heightened interest in privacy meant that they were particularly keen to engage in the discussion and materials.
5. We had leading privacy practitioners as guest lecturers who shared invaluable expertise and insights with the students. I credit the leading privacy practitioners who were generous enough to share their time, expertise, and insights with the Privacy & Technology law students: Fatima Khan (on spotting legal & privacy pitfalls in privacy tech); Michelle Dennedy (on operationalizing privacy engineering); R. Jason Cronk (on privacy reviews, including privacy impact assessments and privacy risk assessments); Paola Zeni (on product privacy data sheets); and Ray Everrett (on a career in privacy and technology).

What Went Wrong & Their Resulting Takeaways

1. I gave students a ton of work within a short period of time. This was perhaps the most common feedback I received from the students’ course evaluations. Even after cutting out several other deliverables, the course still involved a ton of materials and projects. I’ve discussed this with Prof. Goldman and we agreed we could offer future versions of the course with additional credits or we could strip down the material and project deliverables for fewer credits.
2. I could’ve repeated or highlighted important takeaways more. Having been out of law school for years, I’d forgotten how much repetition is required to hammer in on a point or issue. I recently got a dose of my own medicine when I picked up surfing. As a surfing beginner, there was simply too much information to keep in mind: I needed to learn how to read the ocean, take note of landmarks and/or reefs, avoid the cliffs, learn proper footwork and practice balancing, and then, some day, maybe take on turns and tricks. Similarly, I’d thrown a ton of new material and concepts towards my students: the emerging privacy tech landscape, privacy engineering, product privacy data sheets, and privacy reviews, to name a few. And while I made sure to recap the previous class every time we met, I could’ve introduced less and let the limited material simmer more.
3. I did not account for some of the students’ limited professional experience. While I made sure to prepare my students to make the business case for privacy with different stakeholders and cross-functional groups, I failed to account for their limited professional experience. This came up in simple situations. For example, some students failed to properly follow up with their start-up client to schedule a fact-finding meeting or to send a meeting calendar invite. In professional life, we all know that whoever needs something from the other is the one who takes the initiative to make things happen — this includes sending the calendar invite when you asked for the meeting to push your agenda.
4. I could’ve been clearer in explaining each project output & provided more sample deliverables. From the evaluations, I discovered that some students didn’t quite fully grasp what was expected of them in each project output. (I say some because others flourished: one group stood out, in particular, and consistently excelled in each project deliverable.) While I incorporated time into class to go over each project deliverable — usually a week before they were due — I could’ve provided more tangible examples to guide the students. I initially didn’t want to provide such samples for fear that the students would treat them as “models.” I wanted them to tailor their deliverables to their specific context: their assigned privacy tech startup, their startup’s product, their startup’s values, their startup’s product development lifecycle, etc. In hindsight, I could’ve accomplished both and provided the sample project outputs and relayed the message of not treating them as models.
5. I could’ve requested more in-class time with the privacy tech startups. When I made the request to several privacy tech startups to participate in the experiential Privacy & Technology course, I wanted to make it easy for them to say yes. Knowing how hectic and fast-paced the startup world is, I only asked that the startup founders/executives show up for two classes: once in the beginning of the semester to meet their assigned group of students; and the second time time towards the end of the semester to receive their students’ final project outputs. Throughout the semester, the students were responsible for arranging meetings with their startup founders/executives to get the information that they need for their different project outputs, akin to how privacy practitioners get things done and accomplish their privacy deliverables in real life. A couple of students struggled with getting information from their busy privacy founders/executives. While this is part of reality — information is rarely handed over to privacy practitioners on a silver platter — the students who struggled delivered incomplete project outputs. When I teach this course again, I would probably incorporate one or two more in-class meetings with the privacy tech startups present.

What Versions 2.0, 3.0, and 4.0 of the Privacy & Technology Course Could Look Like

As previously promised, I’m sharing revised materials below for my Privacy & Technology course. I do this for a couple of reasons.

First, there is a shortage of privacy professionals, period. Among the limited number of privacy professionals, we sorely need more who can bridge the legal-technical gaps in privacy. Privacy lawyers need to understand technology enough to be able to issue spot, advise, and solve privacy problems.

Second, not enough law schools are teaching privacy, let alone an experiential course on privacy & technology. (Prof. Solove explains why law schools should teach privacy, and why many don’t in this post.) My hope is that these materials will make it easier for others who are inspired to take on the goal of educating the next generation of privacy practitioners in tech.

A few notes: These course materials are appropriate for version 2.0 of a Privacy & Technology course within a law school setting. That said, I can see versions 3.0 and 4.0 involve a cross-discipline course offering with business and engineering schools, especially given the cross-functional nature of privacy. A part of me would like to pick this up when I press back play on academia, but my hope is that others would’ve taken on these future versions by then … and that I and others can iterate on their work in offering a cross-discipline privacy offering.

Updated Course Materials for Privacy & Technology Course Version 2.0

If you want to borrow, copy, and iterate on the Privacy & Technology course, the revised course materials (with syllabus and slides) are available here.