A class action complaint was filed against BART, the San Francisco Bay Area Rapid Transit District, on May 22, 2017 in the District Court for the Northern District of California alleging BART created a “clandestine collection of private cell phone identifiers.” In particular, the plaintiffs claim the “BART Watch APP”—a mobile application that provided users with transit information and the ability to contact the police—collected private data in violation of California’s privacy laws. Elerts Corporation, the software developer, was also named as a defendant for its development of the App.
The Plaintiffs claim that “a detailed review of the BART Watch App reveals that Defendants have been using it to secretly collect Californians’ unique mobile device identification numbers…and periodically track their location.” The Plaintiffs further allege that “by collecting the device identification numbers, locations, and other personal information…Defendants have amassed a trove of data through the App.” And, Plaintiffs claim that these actions by BART and BART Police are prohibited under California law.
- Privacy concerns over law enforcement tracking and collecting cell phone data
Some background is needed on “government surveillance technology” to fully understand the substance of Plaintiffs’ claims. The Complaint addresses news reports in March 2014 about California law enforcement agencies using “Stingray” devices to track and collect cell phone data in a given area. As the reporting on Stingray devices increased, the California legislature took steps to limit the use of Stingrays and similar data collecting technology in California. The Legislature sought to limit “the government’s use of communications interception technologies to ‘collect a variety of data about ‘caught’ cell phones, particularly the phone’s unique numeric identifier and its physical location.”
- Alleged privacy concerns with BART’s Watch App
The Complaint alleges that “[a] forensic review of the App and how it communicates with Defendants’ servers reveals the BART Watch App was programmed to operate just as the communications interception technologies the California Legislature has warned of.” That is, the Plaintiffs assert that the App improperly collects data from users’ cell phones including “the phone’s unique numeric identifier and its physical location.” The Plaintiffs further assert the App violates users’ privacy when contact information entered by a user is combined with the phones unique numeric identifier. In short, plaintiffs claim the App results in collecting “a host of identifying, tracking, and sensitive data” from users without their permission.
The Third Cause of Action, entitled Violation of Privacy Rights, claims the BART Watch App violates Article I of the California Constitution which “protects citizens against unwanted access to data by electronic and covert means…” This provisions of the California Constitution provides that “All people are by nature free and independent and have inalienable rights. Among these are enjoying and defending life and liberty, acquiring, possessing, and protecting property, and pursuing and obtaining safety, happiness, and privacy.” The Plaintiff’s theory against BART is that the California Legislature recognized that “governmental agencies’ unchecked power to track a ‘phone’s unique numeric identifier and its physical location’” posed a threat to the public. The Legislature attempted to address this threat by enacting such laws as the Cellular Communications Interception Act. That is, the Plaintiffs claim that BART has created this App which is “masquerading as a transit app that secretly collects” Californians’ private information in an effort to get around the Legislature’s attempt to safeguard this data.
- Impact of this litigation
The practical impact of this litigation may, admittedly, be limited in scope. Plaintiff’s first cause of action is based on allegations that BART violated the Cellular Communications Interception Act. This Act required BART to install proper procedures and practices to safeguard user data. Consequently, the outcome of this litigation may be limited to data collectors gathering information through cellular communications. Further, the Plaintiffs’ action is based on the concern over the collection of private data by governmental agencies.
However, while this litigation may offer the most insight for cellular data collection by governmental agencies, private data collectors should not ignore the substance of these allegations. A number of the allegations in the Complaint call into question whether users were properly informed how their data would be used by BART or other governmental agencies. That is, the Complaint alleges that privacy disclosures were not easily accessible for users to review before agreeing to download the App. Regardless of whether the allegations are true against BART, this litigation makes clear that data collectors have a fiduciary responsibility to use data for the exact purpose the data was provided and nothing more.