Now that new cases of COVID-19 appear to be waning in the United States, those of us stuck in our homes are asking the same question: How long before things get back to normal? The answer from epidemiologists appears to be no time soon, as any actions to completely lift the severe social distancing restrictions currently in place will lead to another spike in infections, at least until we can find a vaccine. At the same time, the economy is in jeopardy and jobless claims are already in the tens of millions, and rising. It is a brutal dilemma. Either let millions die or condemn tens of millions to economic hardship.

A solution in some parts of the world has been to combine rigorous testing with tracking and surveillance. This approach has apparently worked with varying levels of success in parts of Asia and elsewhere. In the United States, technology companies have taken note and are developing capabilities to enable a similar approach. These efforts include, notably, a joint effort by Apple and Google to develop a cellphone application programming interface designed to operate independently of any central health authority. In addition, numerous developers are rushing to make tracking and surveillance tools that work via the acquisition and storage of a user’s health status, biometrics, geolocation, and proximity to others.

In order to be successful, these new technologies will need to navigate the patchwork of U.S. privacy laws, just as have other consumer data collection technologies before them—such as those that have long collected data regarding web browsing history, social media use, geolocation, biometrics, and other information—in order to enable personalized web experiences, targeted advertising, traffic mapping, law enforcement, and other activities. Just like these existing technologies, the risk of litigation over COVID-19-tracking technologies is high.

Litigation Over Existing Consumer Data Collection Technologies

Since the dawn of the internet boom, various waves of consumer data-collection and surveillance technologies have proliferated to the benefit of society while at the same time contending with class actions alleging that the technologies have overstepped laws protecting individuals’ personal privacy. For example:

• Internet Cookies. One of the first such technologies was internet cookies, which are pieces of data stored on a user’s computer by the user’s web browser in order to enhance the user’s experience, such as by keeping the user logged in to websites, remembering items in shopping carts, allowing rapid filling of common fields, and suggesting products or websites similar to those selected. Sharing of one’s cookies allows the recipient to know the user’s browsing history and other personal information, however, prompting numerous class action lawsuits alleging cookie tracking and sharing to be illegal under a variety of privacy-related legal theories. One recent example is a class action lawsuit against Google alleging improper use of cookies for Safari or Internet Explorer users, even if the users configured privacy settings to prevent their browsers from tracking data.
• Pixels, Like Buttons, and Social Media. When a user is browsing a webpage, the user may be directed to click on something on that page that has a hidden, pixel-size image or a like button provided by a user’s social networking provider, either of which is a more recent and advanced way of generating cookies to allow banner ads to follow a user to different sites or provide a user with targeted advertising. Both technologies are often used by social media firms, along with a user’s use of social media sites themselves, to also generate, use, and sell analytics about users. These technologies have prompted many privacy lawsuits against not only social media companies (for example, this recent case against Facebook), but also many other companies that allow the embedding of pixels and like buttons within their websites and the sharing of the information thus generated (for example, this case against a nationwide retailer).
• Geolocation. People carrying cellphones, driving cars, and using other devices with GPS technology generate data about their physical location that can be used for beneficial purposes such as generating real-time traffic maps. The potential for misuse, however, has generated lawsuits against the technology companies involved under a number of legal theories. An example is a $4 million settlement by a mobile advertising company of allegations that it tracked locations of consumers even when the consumer denied permission for location tracking.
• Biometrics. Biometrics are a way to measure a person’s physical characteristics to verify their identity, including face recognition, voice recognition, fingerprint scanning, and iris scanning. These technologies enable secure logins to personal devices and accounts, automatic timekeeping by employers, law enforcement activities, and training of artificial intelligence algorithms. At the same time, companies’ recording and aggregation of biometrics in pursuit of such activities have prompted many lawsuits in recent years under the Illinois Biometric Information Privacy Act (BIPA), which guards against the unlawful collection and storing of biometric information. Earlier this year, for example, Facebook agreed to pay $550 million to settle a case relating to its “Tag Suggestions Feature.”

These technologies have brought significant quality of life improvements and other benefits to society. However, their potential for misuse is highlighted by the privacy-related litigation noted above and by laws enacted in recent years to protect against privacy violations, such as the newly enacted California Consumer Privacy Act, BIPA, and a number of other statutes.

Historically, with some notable exceptions, class actions alleging privacy violations arising out of consumer data collection technologies have not been limited to situations in which defendants have actually used the technologies to embarrass, harass, surveil, or cause financial harm to consumers. Instead, most privacy claims arising out of customer data collection technologies are based on the proposition of what the defendant or a third party could or might do with the information, not what it actually does with the information. These lawsuits are typically premised on the assumption that the mere act of collecting information without fully disclosing its use should give rise to liability in and of itself, even if the collection is not actually used to harm anybody.

Plaintiffs in these cases usually cannot articulate any concrete harm or misuse of the data, only the potential for misuse. And while many courts are quick to dismiss these claims for lack of any real harm or injury, others have been persuaded to allow them to continue at least past the pleadings stage, leading to large settlements in some cases, which perpetuates the incentive for plaintiffs’ lawyers to file them. In some cases, there are state laws that provide for recovery of statutory damages for specified privacy violations, arguably without any need to prove harm at all. In other cases, plaintiffs have come up with a range of theories of alleged harm to make up for the lack of any actual misuse of data, including the theory that plaintiffs should be given a partial refund for a product or service they purchased because they were not given the level of privacy they paid for, notwithstanding that most consumers don’t pay, for example, for a subscription to a service “with a side of privacy.” Another typical theory is that plaintiffs own the value of their personal information and, therefore, should be allowed to recover some sum of money for the misappropriation and any monetization of their data in an amount to be determined by an expert witness. Other theories of relief include requests for injunctions, credit monitoring for life, and other forms of compensation. Few courts have made definitive rulings on these damages theories since cases typically are resolved long before an order on class certification or trial. But the lack of any definitive law makes this a fertile battleground for enterprising plaintiffs’ firms, and a few privacy true believers, to pursue litigation based on novel arguments in the hopes of a quick buck or judicial recognition of new privacy rights.

As a result, even where financial losses are nonexistent, privacy litigation can be lucrative. Defendants have an inherent incentive to settle privacy class actions because the alternative of preparing an adequate defense may require expensive expert analysis and testimony just to explain to a court what is really at issue. The highly publicized $5 billion settlement between the Federal Trade Commission and Facebook over the events surrounding Cambridge Analytica is one example, but parties in cases involving more minor allegations have also agreed to settle for significant amounts.

Prospects for Litigation Over COVID-19 Tracking Technologies

One could hope that in the interest of banding together to fight a common enemy, plaintiffs’ attorneys would shy away from filing privacy lawsuits against companies that develop tracking technologies intended to aid in the fight against COVID-19. However, history suggests that absent legislative immunity in some form, plaintiffs’ attorneys will be watching closely for any company that develops customer data tracking technologies. At least one U.S. senator has warned that the legal landscape is unlikely to change anytime soon, while lawmakers are busy tackling other issues during the pandemic.

This means that any company that pursues technological solutions to trace and isolate the virus (and allow us to get back to some semblance of life as we knew it) is on its own in protecting itself from the privacy and other legal implications flowing from the technology. The best defense against liability is to give clear notice of what data is being captured and how it is being or will be used as well as requiring informed consent to such data capture and use. Clear notice is the best defense in privacy cases involving consumer data collection technologies. However, time is of the essence in developing the technologies that can truly help in this crisis, and companies will no doubt let some notice issues fall through the cracks due to the urgency to innovate.

That means that despite the most careful precautions for limiting the use of any data collected to aid in the current health crisis, there will almost certainly be situations in which consumers have not been adequately informed about the implications arising from collection and use of the data. This, in turn, means that there will be class actions. The outcome of those class actions will depend on a variety of factors, including:

• The level of restraint used by the more conscientious plaintiffs’ lawyers, who have the power not to bring a case based on conduct that might violate the letter, but not the spirit, of some legal doctrine.
• The creativity of the defense bar in developing defense theories arising from the exigency of a national health crisis as a justification for any lapses in disclosure or consent requirements.
• The ability of corporations to resist profit-based incentives to abuse the collection of information that can help combat the crisis.
• The willingness of legislative bodies to protect companies willing to risk liability to aid in the fight against the COVID-19 health crisis.
• The discretion of the courts in distinguishing litigation that is motivated by private greed and opportunism from those situations in which there has truly been an abuse of consumer privacy.

Tracking technology can be a vital tool in mitigating the physical, emotional, and financial pain we are now enduring as a result of the pandemic, even though it also raises privacy implications. Its use in the United States will require concessions and ethical action from all of us, whether we are consumer advocates, big business, government actors, or members of either side of the bar.