To help stem the tide of the coronavirus pandemic, multiple countries are currently using some form of digital tracking, including geolocation data, to identify the contacts of individuals infected with COVID-19.1
Indeed, South Korea and Singapore have asked their citizens to voluntarily consent to cellphone tracking of their movements through, among other things, downloadable apps.
On the more extreme side, Taiwan is using mandatory state-sanctioned cellphone tracking and location sharing in an attempt to stymie the spread of the disease.
Certainly, U.S. companies should be questioning the cost and potential attendant liability of using this data at home.
American companies are already discussing the sharing of anonymized geolocation data with the U.S. government to assist in tracking coronavirus transmission. At least one company has already begun analyzing location data and providing a scorecard that grades each state’s purported compliance with social distancing guidelines.
Given recent reported successes from China in curbing infections, there may be some promise as to the efficacy of digital tracking.
However, data privacy laws are much different in the U.S. than in the rest of the world, and companies in the U.S. should be careful not to expose themselves to a private cause of action for violation of these laws, which could potentially result in class actions.
Privacy of cellphone data, particularly geolocation data, has already been a contentious issue in the U.S. In 2016, following a terrorist attack in San Bernardino, California, a national debate took place over whether the federal government could compel Apple Inc. to decrypt the cellphones of the two terrorists.
In 2018, in Carpenter v. U.S. the U.S. Supreme Court held that “an individual maintains a legitimate expectation of privacy in the record of his physical movements as captured through [cell-site location information],” and therefore a warrant is required for police to access cell-site location information from a cell phone company.2
Class actions have already emerged from the unauthorized sharing of customer data. In 2010, a major social media company was named in a class action for allegedly sharing customer data to advertisers without customers’ consent. And more recently in 2019, certain telecommunications companies were hit with class actions for sharing their customers’ geolocation data without the customers’ consent.3
Unlike the Federal Trade Commission Act, which does not give a private right of action, the deceptive trade practice or consumer protection law in some states, such as Massachusetts, California and Ohio, allow private rights of action.4 Other common law claims of fraud or misrepresentation may also be asserted.
Although the disclosure of customers' data without their consent is generally prohibited, there are exceptions that may apply, particularly in order to comply with other laws or if there is a valid demand from a government entity. For example, the California Consumer Privacy Act permits disclosure in order to “[c]omply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities."5
The Health Insurance Portability and Accountability Act also permits disclosure of a patient’s protected health information (PHI) in limited circumstances. Under HIPAA, covered entities in the health care industry are permitted to disclose PHI, without authorization, to public health authorities:
authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, ... the conduct of public health surveillance, public health investigations, and public health interventions; or, at the direction of a public health authority.6
Despite the noble desire to aid in stopping the spread of COVID-19, given the history of prior data privacy class actions, companies in America should be careful not to expose themselves to a private cause of action for violation of data privacy laws, which could lead to class actions.
Following these guidelines may ultimately help in thwarting the spread of COVID-19, while also protecting American companies from costly class actions.
For more cutting-edge perspectives on the legal and business implications of COVID-19, visit our COVID-19 resource center.
- Geolocation data is information used to identify a device’s physical location.
- Carpenter v. United States, 138 S. Ct. 2206 (2018).
- See Morrison v. AT&T Mobility, LLC, Civ. No. JICB-19-1257; Baron v. Sprint Corporation, Civ. No. JKB-19-1255; Ray, et al. v. T-Mobile US, Inc., Civ. No. JICB-19-1299; and Morrison v. Verizon Communications Inc. et al., Civ. No. JKB-19-1298. These lawsuits were ultimately compelled to arbitration. See Baron v. Sprint Corp., No. JKB-19-1255, 2019 BL 407530 (D. Md. Oct. 23, 2019) (granting defendants’ motion to compel arbitration).
- Cal. Civ. Code § 1787.145(a)(2).
- 45 CFR § 164.512(b)(1)(i).