By: Miguel E. Serrano

How does the sudden prevalence of “Wrapped” compilations fit into U.S. privacy law? On January 17, 2024, the D.C. Metro (Washington Metropolitan Area Transit Authority or “WMATA”) followed companies like Spotify, Duolingo, and the Washington Post in posting a 2023 “year-end review.”^[1] When Spotify launched its Wrapped feature in 2015, the project soon reached fame for releasing detailed data on users’ most listened to tracks and albums from the year.^[2] Nearly a decade later, year-end compilations have become an annual staple among popular companies seeking the virality of yearly recaps.^[3] This year D.C. Metro joined the fray, showing individual “riders the frequency and total distance of their Metro trips, how many stations they visited, their most-used bus route, [and] carbon dioxide emissions.”[4]

In general, courts reason that when individuals voluntarily disclose private information, there is no expectation of privacy over that material.[5] Thus, under third-party doctrine, an individual who voluntarily shares information with a third party loses Fourth Amendment protections, and the government is ordinarily free to obtain such information without a warrant.^[6] In the pre-digital age, the Supreme Court laid the foundation for the third-party doctrine: records acquired through the ordinary course of business, such as banking information or a record of numbers dialed from a telephone, did not have search and seizure protections.^[7] Decades later, courts have applied the third-party doctrine to the duration of calls,^[8] the booking of a hotel room,^[9] and even the key card associated with a rented apartment.^[10] But in the modern era, courts have extended the third-party doctrine to electronic data disclosed on the internet and to cell phone applications.^[11]

An issue with end-of-year recaps under popular monikers – such as Apple Music’s “Replay” or PlayStation’s “Wrap-Up” – is that their popularity discretely annuls expectations of privacy for online data. The D.C. Metro’s “Wrapped” is no exception. In 2022, the District of Columbia Court of Appeals ruled police do not need a search warrant to search and track a rider’s location using data gathered from the Metro SmarTrip card.^[12] The court reasoned that access to information recorded by the SmartTrip card was a business record that did not constitute a search under the Fourth Amendment.^[13]

D.C. Metro collects a variety of geolocation data, financial information, and personally identifiable data from riders.[14] Moreover, D.C. Metro’s privacy policy states that it collects riders’ personal information upon registration, and that it can be disclosed to third parties like law enforcement.^[15] The Kelly court noted that the SmartTrip card contains data about “the time and location of entry and exit from [all] stations.”^[16] While not providing a comprehensive list of what data is collected, the 2023 Wrapped revealed that D.C. Metro collects information about every station riders visit, how many times a station is visited, what bus route is most used, and the frequency and length of specific trips, which maps a rider’s total mileage across an entire year.^[17]

            There is a consequence to allowing – and celebrating – companies’ ability to aggregate personal data in mass.^[18] The market for user data has grown into a multi-billion dollar industry seeking fresher and more comprehensive information every year.^[19] Users now are inclined to disclose personal information when companies create an organized, colorful slideshow that displays a unique online persona.^[20] Previously, companies have faced backlash – including fines – for tracking users and collecting data without their permission; but “Wrapped” playlists seem to be an exception.[21]Ultimately, there is a risk that “Wrapped” announcements desensitize the public’s subjective expectation of privacy for data collection practices.[22]

While the public does not need Spotify to listen to music, it does need public transportation. Yet enthusiasm for data collection under “Wrapped” announcements undercut expectations of privacy, not only for “intel that spans users’ moods, tastes, and habits,”^[23] but also for information linked to important public services.^[24] Since 2023, Washington, D.C. has increased law enforcement presence to tackle fair evasion and crime within trains, buses, and stations.[25]Combine D.C. Metro’s privacy policy and case law under the third-party doctrine, and it is likely that law enforcement will rely on rider information to conduct warrantless surveillance and investigations.[26] If these ventures expand, they encroach on privacy expectations for transport that is “indispensable to participation in modern society.”[27]

^[1] Danny Nguyen, Forget Spotify Wrapped. Welcome to WMATA’s Metro Wrapped., Washington Post (Jan. 18, 2024), https://www.washingtonpost.com/dc-md-va/2024/01/18/wmata-metro-2023-report/

^[2] Kelly Pau, Spotify Wrapped, unwrapped, Vox (Dec. 2, 2021) (“The tool included statistics like the listener’s most played songs and how many hours of music they listened to in total.”), https://www.vox.com/culture/22814121/spotify-wrapped-2021-algorithm-data-privacy.

^[3] Emily Peck, Why there are so many Spotify Wrapped knockoffs, Axios (Dec. 8, 2023) https://www.axios.com/2023/12/08/spotify-wrapped-apps-marketing-copy; see also Connor Murray, Spotify Wrapped 2023 Comes Soon: Here’s How It Became A Viral And Widely Copied Marketing Tactic, Forbes (Nov. 28, 2023) https://www.axios.com/2023/12/08/spotify-wrapped-apps-marketing-copy.

[4] Nguyen, supra note 1.

[5] See Richard M. Thompson II, Cong. Research Serv., The Fourth Amendment Third-Party Doctrine (2014).

^[6] See generally Orin Kerr, The Case for the Third-Party Doctrine, 107 Mich. L. Rev. 561, 601 (2009).

^[7] United States v. Miller, 425 U.S. 435, 442 (1976) (stating that “financial statements and deposit slips[] contain only information voluntarily conveyed to the banks and exposed to their employees in the ordinary course of business”);  Smith v. Maryland, 442 U.S. 735, 742 (1979) (reasoning that “[a]ll telephone users realize that they must “convey” phone numbers to the telephone company”).

^[8] United States v. Gomez, 575 F. App’x 84, 86 (3d Cir. 2014).

^[9] Patel v. City of Montclair, 798 F.3d 895, 900 (9th Cir. 2015).

^[10] United States v. Rigmaiden, 2013 WL 1932800, at *5–6 (D. Ariz. May 8, 2013).

^[11] See United States v. Guerrero, 768 F.3d 351, 361 (5th Cir. 2014) (historical cell-site location); United States v. Caira, 833 F.3d 803, 806–07 (7th Cir. 2016) (I.P. addresses and I.P. login history); Sanchez v. Los Angeles Dep’t of Transportation, 39 F.4th 548, 559 (9th Cir. 2022) (location data from e-scooter app); United States v. Bledsoe, 630 F. Supp. 3d 1, 13–14 (D.D.C. 2022) (non-content related to social media page).

^[12] Kelly v. United States, 281 A.3d 610, 613–15 (D.C. 2022).

^[13] Id. at 614 (“[T]he police used information generated and maintained by Metro for business purposes[.] . . . Decisions of the Supreme Court and other courts indicate that such conduct does not amount to a search, because such conduct does not invade a reasonable expectation of privacy.”); see also 1 Search and Seizure § 5.02 (2023).

[14] See Ridership Data Porta, Washington Metropolitan Area Transit Authority,

https://www.wmata.com/initiatives/ridership-portal/ (last visited Feb. 9, 2024); Metro Digital Services Privacy Policy, Washington Metropolitan Area Transit Authority, https://www.wmata.com/about/records/privacy.cfm (last visited Feb. 9, 2024).

^[15] See WMATA, Privacy Policy, https://www.wmata.com/about/records/upload/9-2-4-Privacy-Policy_FINAL_04-21-2022.pdf (last revised Feb. 4, 2024).

^[16] Kelly v. United States, 281 A.3d at 613.

^[17] Andrew Beaujon, Metro Launches a Spotify Wrapped–Like Feature, Washingtonian (Jan. 17, 2024), https://www.washingtonian.com/2024/01/17/metro-launches-a-spotify-wrapped-like-feature/.

^[18] Travis M. Andrews, No, I don’t want to know how many burritos I ate this year, Washington Post (Dec. 29, 2023) (“You are no longer a human being. You are a series of data points, a compilation of consumer choices . . . . [And] []it’s incredibly easy for these firms to generate this data. They do it anyway.”), https://www.washingtonpost.com/style/of-interest/2023/12/29/spotify-wrapped-year-end-review/.

^[19] See Wailin Wong and Darian Woods, The hidden market for your location data, NPR (Nov. 1, 2022), https://www.npr.org/2022/11/01/1133397471/the-hidden-market-for-your-location-data; see also Precedence Research, Data Analytics Market – Global Industry Analysis, Size, Share, Growth, Trends, Regional Outlook, and Forecast 2022-2030, (Nov. 2022) (finding that data analytics market accounted for $41.39 billion in 2022 and are projected to grow to $346.33 billion by 2030), https://www.grandviewresearch.com/industry-analysis/data-analytics-marketreport#:~:text=The%20global%20Data%20Analytics%20market%20is%20expected%20to%20grow%20at,share%20of%2034.67%25%20in%202022.

^[20] Claire Murashima, Why your brain finds Spotify Wrapped so irresistible, NPR (Dec. 8, 2023), https://www.npr.org/2023/12/08/1218100638/love-sharing-your-favorite-music-with-friends-people-are-into-spotify-wrapped.

[21] Pau, supra note 2.  For fines, see GDPR at Art. 83 (4) (discussing fines for specific data protection violations); Press Release, Fed. Trade Comm’n, FTC Imposes $5 Billion Penalty and Sweeping New Privacy Restrictions on Facebook (July 24, 2019), https://www.ftc.gov/news-events/news/press-releases/2019/07/ftc-imposes-5-billion-penalty-sweeping-new-privacy-restrictions-facebook.

[22] See Katz v. United States, 389 U.S. 347, 361 (1967) (Harlan, J., concurring) (“[T]here is a twofold requirement [in the Fourth Amendment], first that a person have exhibited an actual (subjective) expectation of privacy and, second, that the expectation be one that society is prepared to recognize as ‘reasonable.’”).

^[23] Amanda Hoover, The Big Problem With Spotify Wrapped, Wired (Dec. 1, 2022), https://www.wired.com/story/spotify-wrapped-user-data/.

^[24] Andrews, supra note 16 (“Maybe there’s something lost when we all turn ourselves into an algorithm[.]”).

[25] See Alanea Cremen and Rafael Sanchez-Cruz, Metro and DC Police partner up to improve safety after mechanic killed in station shooting, WUSA9 (Feb. 8, 2023), https://www.wusa9.com/article/traffic/mission-metro/metro-partners-dc-police-increase-safety/65-9b5316f4-825c-4a32-8961-759cb724a790; Colleen Grablick, Proposed Metro Fare Evasion Bill Faces Skepticism From Residents, Councilmembers, DCist (Oct. 11, 2023), https://dcist.com/story/23/10/11/dc-council-hearing-fare-evasion-bill/.

[26] Kelly v. United States, 281 A.3d at 613 (“Metro Transit Police detective used video surveillance footage to determine when and where Mr. Kelly entered the Metro system before the incident and left the system after the incident. Based on that information, the detective determined the serial number of the SmarTrip card Mr. Kelly used to pay his fare. The detective set up an email alert so that the police would be notified each time that SmarTrip card was used.”).

[27] Carpenter v. United States, 138 S. Ct. 2206, 2210 (2018) (citing Riley v. California, 573 U.S. 373, 385 (2014)).