This article is part of CLM's publication Professional Times magazine, a production of CLM's Management & Professional Liability Community. Click to view previous digital editions of Professional Times.
The smartphone and related applications have changed society, yet evolving technology often finds the law and insurance playing catch-up. Apps and their behind-the-scenes use of GPS, Bluetooth, and audio beacons make the phones seem "smarter," but they have generated privacy issues regarding their collection of information. In response, a number of lawsuits have been filed seeking to address the apparent insufficient or total non-disclosure about apps and their data collection. The evolution of lawsuits against companies and their technology partners have not only led to potential liability, but also created questions pertaining to insurance coverage for such allegations. Lawsuits regarding privacy concerns about apps are not new, but the recent type of actions may be part of a growing trend. While the disruptive technology of apps is creating corporate liability for the apps’ owners and creators, sometimes such claims are not covered by insurance due to the evolution of liability.
Recent Litigation Involving Apps and Privacy
The inclusion of GPS access in an app is nothing new, but some claimants have alleged that not enough is being disclosed on how that information is being used or whether that collection is even permissible. One such pending action, Moreno v. San Francisco Bay Area Rapid Transit [BART] District et al., alleges that the BART Watch app collects unique cellular number identifiers and user physical location without consent. A second amended complaint, filed on January 16, 2018, continues to allege that BART is still collecting such data without consent for certain users, allegedly violating the California Cellular Communications Interception Act.
Another major area of concern in connection with apps is the collection of user preferences and personal information and what constitutes adequate consent. An example is the pending action of Zak v. Bose Corporation, which claims that Bose, through its Bose Connect app, “(i) collect[s] and record[s] the titles of the music and audio files consumers choose to play through their Bose wireless products, and (ii) transmit[s] such data along with other personal identifiers to a third-party data miner without consumers’ knowledge or consent." This information is collected via Bluetooth and provided to third parties, along with the users’ “personally identifiable serial number.”
A similar pending litigation, JD Rushing et al. v. The Walt Disney Company et al., claims that Disney is collecting children’s personal information from 42 of its apps, such as “persistent identifiers,” typically a unique number linked to a specific mobile device, and is sharing the data with advertisers without parental consent. In an action that recently settled, N.P. v. Standard Innovation (US), Corp., the plaintiffs claimed that the vibrator manufacturer “collect[s] and record[s] highly intimate and sensitive data regarding consumers’ personal We-Vibe use, including the date and time of each use and the selected vibration settings,” and transmitted and stored that along with the user’s personal email address without consent.
A potentially growing concern on privacy involves those apps that use audio beacons, which would turn on the microphone of a user’s smartphone or other electronic device. One litigation, Satchell v. Sonic Notify Inc. et al., claims that the audio beacons for the Golden State Warriors app would constantly record all audio, including personal and private conversations. While the app does seek certain permissions, including a request to use a device’s microphone, the plaintiff alleges that the defendants do not ask consumers to “opt-in” to beacon technology and its recording capabilities. This litigation includes claims for alleged violation of the Federal Wiretap Act.
Potential Coverage Concerns
As the types of claims submitted for coverage involving apps have evolved, there are a number of possible policy exclusions, especially on cyber policies, that may preclude or limit coverage. Two of these are the "collection of private data without consent" and the "web scraping and data harvesting" exclusions. As presented by certain of the above-referenced cases and others, it is alleged that the collection of data through an app was not done with the full consent of the end users. As noted, certain lawsuits are alleging that apps are collecting information regarding the users’ location and preferences and how they interact with marketing and advertisements without the users’ consent. There will be debate between litigants as to what constitutes personal information and what data the users have consented to share, but such allegations alone may impact coverage.
Related to this are exclusions that preclude coverage for unlawful surveillance, in particular allegations of eavesdropping and audio recording, especially those apps that use audio beacons and the use of a phone's microphones to listen and temporarily record audio. Claims involving the distribution of the information gathered from these apps and later used to target the user via content suggestions or emails also may be excluded under an unsolicited communications endorsement. As the language in E&O and D&O policies often has not evolved to cover such risks, and wording in cyber policies lacks uniformity and can be ever-changing, specific language needs to be carefully considered, matching the insured’s area of specialty to the coverage sought.
Going Forward
Corporate innovations through smartphone apps are changing by the day, each looking for that competitive edge or the ability to monetize user data. Government regulation has been playing catch-up; as certain aspects of people’s lives have become more public, they seek to enforce their right to privacy and/or the right to be “forgotten.” With additional rules in the United States such as the new regulation on cybersecurity and the protection of data from New York State's Department of Financial Services, as well as the General Data Protection Regulation (GDPR) in Europe, future claims involving the collecting, storing, or sharing of personal information will engender a heightened concern. Noncompliance may lead not only to government investigations, but also potential private actions for a company’s failure to meet the standard of care in controlling such information. It is unlikely that litigation and government regulation will stunt the exponential growth of the apps. However, with the greater potential for future claims, companies should be aware of the potential limitations on insurance in responding to such claims.