Law360 (April 6, 2020, 4:41 PM EDT) --
Indeed, South Korea and Singapore have asked their citizens to voluntarily consent to cellphone tracking of their movements through, among other things, downloadable apps.
On the more extreme side, Taiwan is using mandatory state-sanctioned cellphone tracking and location sharing in an attempt to stymie the spread of the disease.
Certainly, U.S. companies should be questioning the cost and potential attendant liability of using this data at home.
American companies are already discussing the sharing of anonymized geolocation data with the U.S. government to assist in tracking coronavirus transmission. At least one company has already begun analyzing location data and providing a scorecard that grades each state's purported compliance with social distancing guidelines.
Given recent reported successes from China in curbing infections, there may be some promise as to the efficacy of digital tracking.
However, data privacy laws are much different in the U.S. than in the rest of the world, and companies in the U.S. should be careful not to expose themselves to a private cause of action for violation of these laws, which could potentially result in class actions.
Privacy of cellphone data, particularly geolocation data, has already been a contentious issue in the U.S. In 2016, following a terrorist attack in San Bernardino, California, a national debate took place over whether the federal government could compel Apple Inc. to decrypt the cellphones of the two terrorists.
In 2018, in Carpenter v. U.S. the U.S. Supreme Court held that "an individual maintains a legitimate expectation of privacy in the record of his physical movements as captured through [cell-site location information]," and therefore a warrant is required for police to access cell-site location information from a cell phone company.
Class actions have already emerged from the unauthorized sharing of customer data. In 2010, a major social media company was named in a class action for allegedly sharing customer data to advertisers without customers' consent. And more recently in 2019, certain telecommunications companies were hit with class actions for sharing their customers' geolocation data without the customers' consent.
Unlike the Federal Trade Commission Act, which does not give a private right of action, the deceptive trade practice or consumer protection law in some states, such as Massachusetts, California and Ohio, allow private rights of action. Other common law claims of fraud or misrepresentation may also be asserted.
Although the disclosure of customers' data without their consent is generally prohibited, there are exceptions that may apply, particularly in order to comply with other laws or if there is a valid demand from a government entity. For example, the California Consumer Privacy Act permits disclosure in order to "[c]omply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities."
The Health Insurance Portability and Accountability Act also permits disclosure of a patient's protected health information in limited circumstances. Under HIPAA, covered entities in the health care industry are permitted to disclose PHI, without authorization, to public health authorities:
Despite the noble desire to aid in stopping the spread of COVID-19, given the history of prior data privacy class actions, companies in America should be careful not to expose themselves to a private cause of action for violation of data privacy laws, which could lead to class actions.
Following these guidelines may ultimately help in thwarting the spread of COVID-19, while also protecting American companies from costly class actions.
Correction: A previous version of this article did not include author Jacqueline Weyand. The error has been corrected.
Jacqueline M. Weyand, Ashley Bruce Trehan and Adam M. Saltzman are counsel at Buchanan Ingersoll & Rooney PC.
The opinions expressed are those of the author(s) and do not necessarily reflect the views of the firm, its clients, or Portfolio Media Inc., or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.
 Geolocation data is information used to identify a device's physical location.
 See https://www.washingtonpost.com/technology/2020/03/19/privacy-coronavirus-phone-data/.
 See Id.
 See https://www.unacast.com/covid19/social-distancing-scoreboard.
 See https://time.com/4262480/tim-cook-apple-fbi-2/.
 Carpenter v. United States , 138 S. Ct. 2206 (2018).
 See Morrison v. AT&T Mobility, LLC, Civ. No. JICB-19-1257; Baron v. Sprint Corporation, Civ. No. JKB-19-1255; Ray, et al. v. T-Mobile US, Inc., Civ. No. JICB-19-1299; and Morrison v. Verizon Communications Inc. et al., Civ. No. JKB-19-1298. These lawsuits were ultimately compelled to arbitration. See Baron v. Sprint Corp. , No. JKB-19-1255, 2019 BL 407530 (D. Md. Oct. 23, 2019) (granting defendants' motion to compel arbitration).
 Cal. Civ. Code § 1787.145(a)(2).
 45 CFR § 164.512(b)(1)(i).
For a reprint of this article, please contact firstname.lastname@example.org.