This report, published by the IAPP in collaboration with the Cordell Institute at Washington University in St. Louis, highlights key findings from a survey of privacy-related course offerings at U.S. law schools.


Published: August 2024


Contributors:


View Report (PDF)

The growing need for privacy professionals requires a detailed assessment of the curricula taught on this subject in U.S. law schools. Privacy law is a constantly expanding legal field with a wide range of potential topics suitable for inclusion in a privacy-focused course. This report, published by the IAPP in collaboration with the Cordell Institute at Washington University in St. Louis, aims to present an overview of privacy education in U.S. law schools over the past year to understand how privacy is currently taught and to help inform future curriculum development.

The following analysis highlights several key findings from a thorough survey of privacy-related course offerings at U.S. law schools. First, American law schools have privacy expertise among their faculty and are well-equipped to offer privacy courses and coverage. Second, the number of courses offered has not kept pace with the growing importance and scope of privacy law. Privacy is not consistently taught as a stand-alone course in U.S. law schools. Third, while self-contained privacy courses are not as prevalent as they should be, privacy is covered as a section in other technology law courses. While these courses may not provide the depth of coverage privacy law deserves on its own, they highlight the importance of privacy across various fields of legal study.


American law schools have expertise in privacy

An examination of the American Association of Law Schools found 169 of the 176 member schools, or 96%, have a faculty member who cited privacy as an area of academic focus.

Statistics based on law schools
that responded to the survey.

30 out of 43
law schools offer a dedicated privacy course.

96%
of law schools listed privacy as an area of academic focus.

4%
of law schools have a privacy-focused secondary or advanced course.

Of the 43 law schools that responded to the survey, 30 offer a dedicated privacy course. Over 77% of these courses are taught by full-time privacy scholars. The remaining are split between adjunct professors, at approximately 20%, and nonprivacy-focused law professors whose research is privacy adjacent, at approximately 3%.

Additionally, we received syllabi from 30 responding institutions for over 50 technology law courses that include privacy law as a module or component of the course, rather than as the primary focus.

Who is teaching
dedicated privacy courses?

Similar to the privacy-focused courses, approximately 73% of these technology law courses are taught by privacy-focused professors. For the remaining courses, adjunct professors taught approximately 20%, while nonprivacy-focused scholars taught the remaining 7%.

The creation of a larger privacy-focused curriculum within law schools remains in its early days. Only three responding law schools had a privacy-focused secondary or advanced course. Unsurprisingly, all of these courses are taught by privacy-focused law professors.

In summary, there is broad expertise in privacy across law school faculty in the U.S.


Privacy is not yet viewed as a standard subject at US law schools

An examination of the American Association of Law Schools found 169 of the 176 member schools, or 96%, have a faculty member who cited privacy as an area of academic focus.

Our findings indicate the typical curriculum of most U.S. law schools follows a standard pattern. There is a generally consistent first-year curriculum that focuses on fundamental topics present across most areas of law and covered in the bar examination, such as torts, constitutional law and property. Second- and third-year courses are more varied, although many, but not all, are still focused on subjects covered in the bar examination. Privacy law has not yet been broadly adopted as a stand-alone upper-level course in U.S. law schools. As noted, approximately 4% of respondents said their school offers an advanced upper-level privacy-focused course.

What types of courses are offered?

6%

Practica

16%

Seminars

78%

Privacy-related courses

Practica seek to give students insight into the issues privacy legal professionals face in practice. This includes data breach response, data governance, and U.S. and international privacy compliance. Seminars tend to focus on reading and responding to the latest academic research in privacy and related fields. The subjects covered by seminars include privacy, at 50%, cybercrime, at 12.5%, cybersecurity, at 25%, and international privacy, at 12.5%.

Advanced courses are spread across several subjects. Cybersecurity comprises 35% of courses offered, while dedicated advanced privacy comprises 27.5%. Artificial intelligence courses and comparative privacy each comprise 25% of courses offered. Finally, courses on consumer protection, health privacy and internet law together comprise 12.5% of courses offered.

Taken together, the landscape for advanced privacy courses is fractured. Seminars and privacy-related courses comprise the bulk of upper-level courses. However, a large plurality of advanced courses, such as those on cybersecurity, touch on privacy as a subset of the primary material. Courses beyond a basic privacy course lack a unified curriculum and focus.


Professors are incorporating privacy into existing technology law courses

A key finding is that privacy is often taught within an existing technology course. In this way, privacy is somewhat marginalized and shoehorned into other courses, rather than taught as a separate topic that allows for depth of coverage. These courses are varied in their topics but generally focus on adjacent subjects, such as cybersecurity or internet law.

Each cybersecurity course syllabus received included privacy as a subsidiary topic. However, the depth of privacy coverage varied.

No patterns readily emerge from privacy coverage in privacy-related courses. Privacy coverage is fractured but present, and it acts as a supplement to subject matter covered in the broader technology course. Beyond a dedicated basic privacy course, privacy curricula vary widely, although technology law courses across subfields consistently recognize privacy's importance.


A standard privacy curriculum has evolved for those offering a stand-alone course

Stand-alone privacy courses tend to have a similar structure. Privacy-focused courses generally cover a standard set of topics, likely reflecting the organization of the leading privacy law casebooks. These topics include the privacy torts, constitutional law, FTC consumer protection, European data protection law focused on the General Data Protection Regulation and coverage of specific federal and state laws in the U.S.

On examination of the basic privacy courses, five general categories comprise the current privacy law coverage cannon: tort privacy, constitutional privacy, consumer protection, European comparative privacy and U.S. sectoral privacy.


Advanced privacy courses remain uncommon

Only approximately 4% of respondents have a separate advanced upper-level privacy course that builds on the information covered in a basic privacy course. There is a considerable opportunity for additional law school coverage.

These advanced courses have a similar construction. Half of the class is dedicated to exploring academic privacy theory and the other half to doctrinal law. Laws covered in these courses round out the sectoral U.S. privacy laws not covered in basic courses, expand on the growing body of European data protection laws like the Digital Services Act and cover the growing issues with cross-border data transfers. However, these courses are new and are still subject to influence and change, should law schools decide to give advanced privacy courses a distinct identity.


Summary

The field of privacy law is growing in importance. However, U.S. law schools have not yet fully adapted to this reality. Instead of being treated as a separate subject with adequate depth of coverage, privacy law is often included as a small part of existing technology courses. We believe there is an opportunity to provide stronger and broader coverage across law schools.

Privacy law coverage has evolved over time and will continue to do so as new laws and new theories of how privacy should be understood and protected in our society are advanced. Privacy courses should continue to do the same.


Additional resources



Approved
CDPO, CDPO/BR, CDPO/FR, CIPM, CIPP/A, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPT, LGPD
Credits: 3

Submit for CPEs