Avoiding Class Claims For Sharing COVID-19 Location Data

By Jacqueline Weyand, Ashley Trehan and Adam Saltzman
Law360 is providing free access to its coronavirus coverage to make sure all members of the legal community have accurate information in this time of uncertainty and change. Use the form below to sign up for any of our weekly newsletters. Signing up for any of our section newsletters will opt you in to the weekly Coronavirus briefing.

Sign up for our California newsletter

You must correct or enter the following before you can sign up:

Select more newsletters to receive for free [+] Show less [-]

Thank You!

Law360 (April 6, 2020, 4:41 PM EDT) --
Jacqueline Weyand
Jacqueline Weyand
Ashley Trehan
Ashley Trehan
Adam Saltzman
Adam Saltzman
To help stem the tide of the coronavirus pandemic, multiple countries are currently using some form of digital tracking, including geolocation data, to identify the contacts of individuals infected with COVID-19.[1]

Indeed, South Korea and Singapore have asked their citizens to voluntarily consent to cellphone tracking of their movements through, among other things, downloadable apps.[2]

On the more extreme side, Taiwan is using mandatory state-sanctioned cellphone tracking and location sharing in an attempt to stymie the spread of the disease.[3]

Certainly, U.S. companies should be questioning the cost and potential attendant liability of using this data at home.

American companies are already discussing the sharing of anonymized geolocation data with the U.S. government to assist in tracking coronavirus transmission. At least one company has already begun analyzing location data and providing a scorecard that grades each state's purported compliance with social distancing guidelines.[4]

Given recent reported successes from China in curbing infections, there may be some promise as to the efficacy of digital tracking.

However, data privacy laws are much different in the U.S. than in the rest of the world, and companies in the U.S. should be careful not to expose themselves to a private cause of action for violation of these laws, which could potentially result in class actions.

Privacy of cellphone data, particularly geolocation data, has already been a contentious issue in the U.S. In 2016, following a terrorist attack in San Bernardino, California, a national debate took place over whether the federal government could compel Apple Inc. to decrypt the cellphones of the two terrorists.[5]

In 2018, in Carpenter v. U.S. the U.S. Supreme Court held that "an individual maintains a legitimate expectation of privacy in the record of his physical movements as captured through [cell-site location information]," and therefore a warrant is required for police to access cell-site location information from a cell phone company.[6]

Class actions have already emerged from the unauthorized sharing of customer data. In 2010, a major social media company was named in a class action for allegedly sharing customer data to advertisers without customers' consent. And more recently in 2019, certain telecommunications companies were hit with class actions for sharing their customers' geolocation data without the customers' consent.[7]

The legal basis for most of these class actions arise from the representations made in a company's privacy policy. A privacy policy is meant to disclose the ways in which a company collects, discloses, or otherwise uses or manages customers' data. Most privacy policies generally state that a customer's data will only be shared with third parties in order to fulfill a particular business purpose, as otherwise companies must get the customer's consent to share.

When a company shares customer data without a customer's consent or in a way that is inconsistent with the representations made in the privacy policy, customers may bring a lawsuit. And most of these lawsuits assert a deceptive trade practice claim under applicable state laws.

Unlike the Federal Trade Commission Act, which does not give a private right of action, the deceptive trade practice or consumer protection law in some states, such as Massachusetts, California and Ohio, allow private rights of action.[8] Other common law claims of fraud or misrepresentation may also be asserted.

Although the disclosure of customers' data without their consent is generally prohibited, there are exceptions that may apply, particularly in order to comply with other laws or if there is a valid demand from a government entity. For example, the California Consumer Privacy Act permits disclosure in order to "[c]omply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities."[9]

The Health Insurance Portability and Accountability Act also permits disclosure of a patient's protected health information in limited circumstances. Under HIPAA, covered entities in the health care industry are permitted to disclose PHI, without authorization, to public health authorities:

authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, ... the conduct of public health surveillance, public health investigations, and public health interventions; or, at the direction of a public health authority.[10]

Despite the noble desire to aid in stopping the spread of COVID-19, given the history of prior data privacy class actions, companies in America should be careful not to expose themselves to a private cause of action for violation of data privacy laws, which could lead to class actions.

To avoid this potential exposure, companies should carefully review their privacy policy and only disclose customer data, including geolocation data, consistent with the privacy policy. If a company does get a demand from government officials to share a customer's geolocation data, companies should make sure that the disclosure is consistent with the applicable statute permitting compliance with such demand, such as HIPAA or the CCPA.

If disclosure is made pursuant to a valid government demand, companies should only provide the minimum amount of information necessary to comply with the demand without compromising customer identities. Ultimately, if the privacy policy or statute permitting disclosure does not apply, then a company must get its customers' consent to share their information.

Following these guidelines may ultimately help in thwarting the spread of COVID-19, while also protecting American companies from costly class actions.

Correction: A previous version of this article did not include author Jacqueline Weyand. The error has been corrected.

Jacqueline M. WeyandAshley Bruce Trehan and Adam M. Saltzman are counsel at Buchanan Ingersoll & Rooney PC.

The opinions expressed are those of the author(s) and do not necessarily reflect the views of the firm, its clients, or Portfolio Media Inc., or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.

[1] Geolocation data is information used to identify a device's physical location.

[2] See https://www.washingtonpost.com/technology/2020/03/19/privacy-coronavirus-phone-data/.

[3] See Id.

[4] See https://www.unacast.com/covid19/social-distancing-scoreboard.

[5] See https://time.com/4262480/tim-cook-apple-fbi-2/.

[6] Carpenter v. United States , 138 S. Ct. 2206 (2018).

[7] See Morrison v. AT&T Mobility, LLC, Civ. No. JICB-19-1257; Baron v. Sprint Corporation, Civ. No. JKB-19-1255; Ray, et al. v. T-Mobile US, Inc., Civ. No. JICB-19-1299; and Morrison v. Verizon Communications Inc. et al., Civ. No. JKB-19-1298. These lawsuits were ultimately compelled to arbitration. See Baron v. Sprint Corp. , No. JKB-19-1255, 2019 BL 407530 (D. Md. Oct. 23, 2019) (granting defendants' motion to compel arbitration).

[8] See Hiam v. HomeAway.com, Inc. , 267 F. Supp. 3d 338 (D. Mass. 2017) (alleging HomeAway.com, among other things, violated its privacy policy by refusing to disclose user information and payment arrangements which was unfair and deceptive under Massachusetts law); and Carlsen v. GameStop, Inc. , 833 F.3d 903 (8th Cir. 2016) (alleging GameStop shared customer information in violation of it privacy policy which was unlawful under Minnesota's Consumer Fraud Act).

[9] Cal. Civ. Code § 1787.145(a)(2).

[10] 45 CFR § 164.512(b)(1)(i).

For a reprint of this article, please contact reprints@law360.com.

Hello! I'm Law360's automated support bot.

How can I help you today?

For example, you can type:
  • I forgot my password
  • I took a free trial but didn't get a verification email
  • How do I sign up for a newsletter?
Ask a question!