Post-Pandemic Class Action Alert: Potential Exposure When Sharing Geolocation Data
To help stem the tide of the coronavirus pandemic, multiple countries are currently using some form of digital tracking, including geolocation data, to identify the contacts of individuals infected with COVID-19.[1]
Indeed, South Korea and Singapore have asked their citizens to voluntarily consent to cellphone tracking of their movements through, among other things, downloadable apps.
On the more extreme side, Taiwan is using mandatory state-sanctioned cellphone tracking and location sharing in an attempt to stymie the spread of the disease.
Certainly, U.S. companies should be questioning the cost and potential attendant liability of using this data at home.
American companies are already discussing the sharing of anonymized geolocation data with the U.S. government to assist in tracking coronavirus transmission. At least one company has already begun analyzing location data and providing a scorecard that grades each state’s purported compliance with social distancing guidelines.
Given recent reported successes from China in curbing infections, there may be some promise as to the efficacy of digital tracking.
However, data privacy laws are much different in the U.S. than in the rest of the world, and companies in the U.S. should be careful not to expose themselves to a private cause of action for violation of these laws, which could potentially result in class actions.
Privacy of cellphone data, particularly geolocation data, has already been a contentious issue in the U.S. In 2016, following a terrorist attack in San Bernardino, California, a national debate took place over whether the federal government could compel Apple Inc. to decrypt the cellphones of the two terrorists.
In 2018, in Carpenter v. U.S., the U.S. Supreme Court held that “an individual maintains a legitimate expectation of privacy in the record of his physical movements as captured through [cell-site location information],” and therefore a warrant is required for police to access cell-site location information from a cell phone company.[2]
Class actions have already emerged from the unauthorized sharing of customer data. In 2010, a major social media company was named in a class action for allegedly sharing customer data with advertisers without customers’ consent. And more recently in 2019, certain telecommunications companies were hit with class actions for sharing their customers’ geolocation data without the customers’ consent.[3]
The legal basis for most of these class actions arises from the representations made in a company’s privacy policy. A privacy policy is meant to disclose the ways in which a company collects, discloses, or otherwise uses or manages customers’ data. Most privacy policies generally state that a customer’s data will only be shared with third parties in order to fulfill a particular business purpose, as otherwise companies must get the customer’s consent to share.
When a company shares customer data without a customer’s consent or in a way that is inconsistent with the representations made in the privacy policy, customers may bring a lawsuit. And most of these lawsuits assert a deceptive trade practice claim under applicable state laws.
Unlike the Federal Trade Commission Act, which does not give a private right of action, the deceptive trade practice or consumer protection laws in some states, such as Massachusetts, California and Ohio, allow private rights of action.[4] Other common law claims of fraud or misrepresentation may also be asserted.
Although the disclosure of customers' data without their consent is generally prohibited, there are exceptions that may apply, particularly in order to comply with other laws or if there is a valid demand from a government entity. For example, the California Consumer Privacy Act permits disclosure in order to “[c]omply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities.”[5]
The Health Insurance Portability and Accountability Act also permits disclosure of a patient’s protected health information (PHI) in limited circumstances. Under HIPAA, covered entities in the health care industry are permitted to disclose PHI, without authorization, to public health authorities:
authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, ... the conduct of public health surveillance, public health investigations, and public health interventions; or, at the direction of a public health authority.[6]
Despite the noble desire to aid in stopping the spread of COVID-19, given the history of prior data privacy class actions, companies in America should be careful not to expose themselves to a private cause of action for violation of data privacy laws, which could lead to class actions.
To avoid this potential exposure, companies should carefully review their privacy policy and only disclose customer data, including geolocation data, consistent with the privacy policy. If a company does get a demand from government officials to share a customer’s geolocation data, companies should make sure that the disclosure is consistent with the applicable statute permitting compliance with such demand, such as HIPAA or the CCPA.
If disclosure is made pursuant to a valid government demand, companies should only provide the minimum amount of information necessary to comply with the demand without compromising customer identities. Ultimately, if the privacy policy or statute permitting disclosure does not apply, then a company must get its customers’ consent to share their information.
Following these guidelines may ultimately help in thwarting the spread of COVID-19, while also protecting American companies from costly class actions.
1. Geolocation data is information used to identify a device’s physical location.
2. Carpenter v. United States, 138 S. Ct. 2206 (2018).
3. See Morrison v. AT&T Mobility, LLC, Civ. No. JICB-19-1257; Baron v. Sprint Corporation, Civ. No. JKB-19-1255; Ray, et al. v. T-Mobile US, Inc., Civ. No. JICB-19-1299; and Morrison v. Verizon Communications Inc. et al., Civ. No. JKB-19-1298. These lawsuits were ultimately compelled to arbitration. See Baron v. Sprint Corp., No. JKB-19-1255, 2019 BL 407530 (D. Md. Oct. 23, 2019) (granting defendants’ motion to compel arbitration).
4. See Hiam v. HomeAway.com, Inc., 267 F. Supp. 3d 338 (D. Mass. 2017) (alleging HomeAway.com, among other things, violated its privacy policy by refusing to disclose user information and payment arrangements which was unfair and deceptive under Massachusetts law); and Carlsen v. GameStop, Inc., 833 F.3d 903 (8th Cir. 2016) (alleging GameStop shared customer information in violation of its privacy policy which was unlawful under Minnesota’s Consumer Fraud Act).
5. Cal. Civ. Code § 1787.145(a)(2).
6. 45 CFR § 164.512(b)(1)(i).