Legal Risks in Sharing Geolocation Data with Government Agencies
According to published reports, federal, state and local government agencies are receiving anonymized geolocation data (geolocation data) from businesses to monitor the movements of individuals to address COVID-19. Similar measures have been adopted or are being explored in a number of other countries, such as Taiwan, Singapore, China, Canada, Israel and Germany. Specifically, geolocation data can be used both to better understand the spread of the disease within a community (through such measures as “contact-tracing”) as well as to monitor compliance with travel restrictions. Geolocation data are commonly defined as data that can be used to identify the location (latitude/longitude) of an object and/or an individual and are a subset of a larger category of data commonly known as geospatial information. Geospatial information is generally defined as data that can be linked to a point on the earth.
The methods by which geolocation data can be collected and shared to combat COVID-19 vary. For example, some governments are using geolocation data collected from mobile phones (i.e. via cell towers or Wi-Fi hotspots). Others use geolocation data collected through mobile apps, while some governments reportedly are also using electronic bracelets that notify the government if someone in quarantine has left his or her home. However, there are many other ways that companies collect geolocation data from customers, employees or third parties. For example, key fobs for entering office buildings and tracking devices on vehicles and other assets can be associated with an individual or group of individuals.
Often, geolocation data are then combined with other types of geospatial information linked to the same location, such as maps, demographic data, medical data, sensor data (e.g. electro-optical, thermal infrared images) from overhead platforms, such as satellites or aircraft or in situ (such as CCTV cameras). Aggregating such data is a powerful tool for a wide range of applications – including to monitor the spread of a virus such as COVID-19. Increasingly, these datasets also are being run through algorithms to more quickly and efficiently identify patterns or behaviors.
Government agencies have always been a significant source, and consumer, of all types of geospatial information. However, many government agencies have been reluctant to use geolocation data – as the power of aggregating datasets also can be used to identify an individual or his or her activities. In fact, research suggests that some “anonymized” datasets can be used to identify an individual with sufficient computing power and additional geospatial-enabled information. Though, given the medical, societal and economic risks associated with a global pandemic, governments are recalculating the potential privacy risks to individuals versus the societal benefits of using geolocation data.
Increased use of geolocation data by government agencies presents an opportunity both for businesses that wish to market their products and services to the government, as well as for those that simply want to be good corporate citizens. However, the legal framework with respect to collecting, using and sharing geolocation data is changing as lawmakers and regulators have come to understand its potential. Therefore, sharing geolocation data with government agencies comes with some legal risk.
These risks can take several forms. For example, the Federal Trade Commission (FTC) has brought several enforcement actions against companies that collected and used geolocation information without providing consumers adequate notices.[1] As a result, businesses that provide government agencies with geolocation data must ensure that the transfer complies with their stated privacy policies. Similarly, in 2019, the City of Los Angeles Attorney General filed a complaint against the Weather Channel for sharing geolocation data with third parties, including its sister companies, claiming that it did not provide consumers proper notice of how the data would be used.
Companies that are doing business in California must also be mindful of the recently enacted California Consumer Privacy Act (CCPA). The CCPA, following on the heels of the General Data Protection Regulation (GDPR) in Europe, regulates the collection and use of an individual’s “geolocation data.” Therefore, organizations that are subject to the CCPA must ensure that any such transfer to a government agency is in compliance with its strict requirements. Otherwise, they could be subject to both the CCPA’s private right of action and enforcement actions brought by the state’s Attorney General.
Businesses may believe that they are being good corporate citizens by providing a government agency with important data during a crisis. However, lawsuits against businesses for sharing of data with the government after a national emergency are not unprecedented. For example, there were reportedly over 40 lawsuits brought against telecommunications providers by civil liberty groups and class action lawyers for sharing telecommunication data with government after the September 11 attacks. Given the increased attention being paid to privacy in the United States, businesses should be prepared for similar lawsuits after this crisis ends.
Companies, therefore, should take several steps before transferring data. First, verify that such transfer is in compliance with all applicable laws, including state privacy laws. Second, ensure that transferring geolocation data, even anonymized data, is in compliance with stated privacy policies. For example, while many privacy policies have an exception for sharing data with a government agency, such sharing is often limited to requests made pursuant to a subpoena or other government order. Alternatively, if the geolocation data have been obtained (i.e. licensed) from a third party, it is incumbent on a company to make sure that the agreement permits such transfer to a government agency for that intended purpose.
It is also critical to make sure that the government agency agrees to (i) use the information only for purposes related to the COVID-19 pandemic and (ii) not to aggregate it with other geospatial information to identify an individual, unless such person has agreed to be identified. If the customer is a federal agency, the company should transfer the data subject to a commercial license that makes it clear that the agency has limited rights – not government purpose rights – in the data so that they are not shared with other government agencies. It is also good practice to require the agencies to return or delete the data upon completion of use or after a certain period.
There are a number of good reasons to help government agencies in their effort to address the spread and impact of COVID-19. Given the urgency of the situation, it is also important to move quickly, as time is of the essence. But businesses should also be mindful of the potential legal risks in doing so and take appropriate measures.
Please note: This alert contains general, condensed summaries of actual legal matters, statutes and opinions for information purposes. It is not meant to be and should not be construed as legal advice. Readers with particular needs on specific issues should retain the services of competent counsel.
Please click here for additional legal updates from Williams Mullen regarding COVID-19.