A closer look at the CCPA class-action lawsuit against Epic Games, Inc. and Life on Air, Inc.

Note: Since the writing of this blog, CCPA has been replaced the CPRA.

The California Consumer Privacy Act: CCPA went into effect on January 1st and has been enforced by the California Attorney General since July 1st. The CCPA provides a number of privacy rights to Californians, including the ability to opt-out of the sale of their collected personally identifiable information (PII), request the deletion of their collected PII, and obtain a variety of disclosures regarding what PII has been collected and the third parties who have accessed the PII. 

A class action lawsuit was recently filed in the Southern District of California alleging several CCPA violations. Filed on behalf of an individual named Heather Sweeney, the lawsuit named Life on Air, Inc. and Epic Games, Inc., who recently acquired Life on Air, Inc, as defendants. Life on Air, Inc. created an application called “Houseparty,” which allows users to video chat with friends. The application is similar to the famous (or infamous) “Zoom” platform (in one instance the complaint mistakenly referred to “Houseparty” as “Zoom”). 

The complaint noted that, during the coronavirus pandemic, Houseparty has “praise[d] themselves on its application [for facilitating] social distancing . . . .” According to the complaint, Houseparty reported a record number of users in March, totaling more than 50 million people. 

The complaint states that Houseparty failed to make required disclosures to users, specifically that Houseparty failed to notify users that it discloses personally identifiable information to third parties such as Facebook without “customer consent.” In total, the complaint specifies seven causes of action:

• Negligence 
• Violation of California Unfair Competition Law 
• Breach of implied contract 
• Unjust enrichment 
• Public disclosure of private facts 
• Violation of the CCPA 
• Violation of California Consumer Legal Remedies Act 

This article will discuss the cause of action pertaining to Houseparty’s alleged violation of the CCPA. To that end, the following four topics will be discussed: 

• Houseparty’s Privacy Policy 
• The factual allegations within the CCPA complaint against Houseparty
• An analysis of Houseparty’s alleged violations of the CCPA 
• The need for a compliant Privacy Policy 

Because of the progression of the coronavirus pandemic, along with the subsequent increase in the use of video chat platforms such as Houseparty, Zoom, and others, the privacy and security practices of these platforms will come under increased scrutiny from regulators. Moreover, as exemplified by the following discussion, these platforms will become increasingly exposed to class action lawsuits resulting in potentially significant damages. 

Houseparty’s Privacy Policy

According to the complaint against Houseparty, the application’s Privacy Policy contained a number of disclosures regarding its information sharing practices. The issue alleged by the complaint is that Houseparty failed to disclose its information sharing practices with respect to Facebook. 

Houseparty’s Privacy Policy, according to the complaint, contains the following: 

• Disclosures of the categories of user PII collected by Houseparty 
• Notice that Houseparty accesses user activity on Houseparty, including how long users chat with friends and purchase items 
• Notice that Houseparty collects social media account information of users 
• Notice that Houseparty collects unique identifiers such as IP addresses, location information, and other information identifying a user’s device 

The factual allegations within the CCPA complaint

The complaint makes the following factual allegations against Houseparty:

• Houseparty violated its claim that it never engages in the sale of PII by disclosing (disclosures are included in the CCPA’s definition of a “sale”) user PII to companies such as Facebook without obtaining user consent 
• Houseparty failed to disclose that third parties may access information collected via cookie technology 
• Houseparty enabled the assignment of unique advertiser identifiers (IDFA) to users, which allowed companies to target Houseparty users with targeted advertisements 
• Houseparty users were allegedly prevented from opting out of the sale of their PII

The complaint asserts that, had the plaintiffs been aware of Houseparty’s information sharing conduct, the plaintiffs would not have permitted Houseparty to use their PII nor would they have been willing to use the application. 

With respect to the allegations against Houseparty, a comparison can be made with the current investigations pertaining to Zoom. Similar to Houseparty, Zoom states that it does not engage in any sale of PII. However, if one were to scroll down Zoom’s Privacy Policy, Zoom makes clear that it does indeed engage in “sales” of PII as the CCPA defines the term. 

An analysis of Houseparty’s alleged violations of the CCPA 

The following claims were made pursuant to the plaintiff’s CCPA cause of action: 

• That plaintiffs are protected “consumers” under the CCPA and the defendants – Life on Air, Inc. and Epic Games, Inc. – are both “businesses” under the CCPA and are thus required to comply with the law;
• Houseparty allegedly violated the CCPA when it failed to provide the notice required by Section 1798.100(b) pertaining to Houseparty’s collection, use, and sale of PII to “unauthorized third parties” such as Facebook 
• Houseparty allegedly violated Section 1798.120(b) of the CCPA because Houseparty failed to disclose that users had the right to opt-out of the sale of their PII 
• Houseparty allegedly failed to provide a link to a “Do Not Sell My Personal Information” page on its website or mobile application 
• Houseparty allegedly violated Section 1798.135(a)(B)(6) by failing to “use any personal information collected from the consumer in connection with keeping their personal information private” 

Due to the alleged violations of the CCPA , the plaintiffs are seeking actual damages as well as a court order preventing the defendants from continuing to violate the law. 

With respect to the alleged CCPA violations cited in the Houseparty complaint, it is important to recall when a CCPA private rights of actions may be initiated against businesses. Section 1798.150 provides the necessary criteria for bringing a private right of action following a data breach. The following three requirements must be met:  

1. The private right of action must involve a consumer’s nonencrypted or nonredacted personal information, defined as an individual’s name in combination with the following:
   • Social security number, a driver’s license, or state identification number;
   • Credit or debit card number, along with the individual’s password to access the financial account; or 
   • Health information

2. That is subject to unauthorized access and exfiltration, theft, or disclosure; and 
3. As a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information 

But meeting these three requirements alone does not end the inquiry. Prior to initiating an action against a business, the plaintiffs must provide the business 30 days’ written notice identifying the specific CCPA provisions the business has allegedly violated. If the business is able to “cure” the violation, no class action lawsuit may be initiated against it. 

Turning to the complaint under discussion here, the class action complaint against Houseparty omits any mention of Section 1798.150. Specifically, the complaint does not allege any failure on the part of Houseparty to protect user’s nonenrypted or nonredacted personal information nor whether Houseparty failed to maintain reasonable security procedures and practices. In short, the CCPA violations alleged – namely Houseparty’s alleged failure to allow users to opt-out of sale of PII and failure to provide disclosures – cannot be remedied via a CCPA civil suit. Instead, any alleged noncompliance by Houseparty or any other covered entity under the CCPA would be investigated by the state Attorney General beginning July 1st. 

As such, the court is likely to dismiss the plaintiff’s CCPA cause of action for a lack of standing to sue. As the case progresses, it will be interesting to see if the court nevertheless assesses Houseparty’s CCPA compliance when resolving the other six causes of action. That is, provided that Houseparty implemented a compliant CCPA Privacy Policy, the court may conclude that Houseparty users were put on adequate notice regarding the collection of their PII, who would receive the PII, and the purpose of the collection. Thus, the other causes of action, such as the claims regarding unjust enrichment, breach of an implied contract, and public disclosure of private facts, may very well fail due to Houseparty’s possible compliance with the CCPA. 

The need for a compliant Privacy Policy

As indicated by the preceding discussion, businesses have a significant incentive to ensure they implement a compliant CCPA Privacy Policy in order avoid potential class action lawsuits and large fines. But the benefits of a compliant Privacy Policy do not end there. Businesses may have the added incentive of avoiding the various other claims cited in the discussed class action complaint. Recall that the complaint alleged a total of seven causes of action – negligence, violation of California Unfair Competition Law, breach of implied contract, unjust enrichment, public disclosure of private facts, and violation of the California Consumer Legal Remedies Act. 

By ensuring your Privacy Policy is compliant and up-to-date, you increase your businesses chances of avoiding potentially large fines under several causes of action for violations of privacy. Check out Termageddon’s Privacy Policy generator to create your CCPA-ready Privacy Policy and prepare your business or the enforcement of this privacy law.