The California Consumer Privacy Act: CCPA went into effect on January 1st and will be enforced by the California Attorney General on July 1st. The CCPA provides a number of privacy rights to Californians, including the ability to opt-out of the sale of their collected personally identifiable information (PII), request the deletion of their collected PII, and obtain a variety of disclosures regarding what PII has been collected and the third parties who have accessed the PII.
A class action lawsuit was recently filed in the Southern District of California alleging several CCPA violations. Filed on behalf of an individual named Heather Sweeney, the lawsuit named Life on Air, Inc. and Epic Games, Inc., who recently acquired Life on Air, Inc, as defendants. Life on Air, Inc. created an application called “Houseparty,” which allows users to video chat with friends. The application is similar to the famous (or infamous) “Zoom” platform (in one instance the complaint mistakenly referred to “Houseparty” as “Zoom”).
The complaint noted that, during the coronavirus pandemic, Houseparty has “praise[d] themselves on its application [for facilitating] social distancing . . . .” According to the complaint, Houseparty reported a record number of users in March, totaling more than 50 million people.
The complaint states that Houseparty failed to make required disclosures to users, specifically that Houseparty failed to notify users that it discloses personally identifiable information to third parties such as Facebook without “customer consent.” In total, the complaint specifies seven causes of action:
- Violation of California Unfair Competition Law
- Breach of implied contract
- Unjust enrichment
- Public disclosure of private facts
- Violation of the CCPA
- Violation of California Consumer Legal Remedies Act
This article will discuss the cause of action pertaining to Houseparty’s alleged violation of the CCPA. To that end, the following four topics will be discussed:
- The factual allegations within the CCPA complaint against Houseparty
- An analysis of Houseparty’s alleged violations of the CCPA
Because of the progression of the coronavirus pandemic, along with the subsequent increase in the use of video chat platforms such as Houseparty, Zoom, and others, the privacy and security practices of these platforms will come under increased scrutiny from regulators. Moreover, as exemplified by the following discussion, these platforms will become increasingly exposed to class action lawsuits resulting in potentially significant damages.
- Disclosures of the categories of user PII collected by Houseparty
- Notice that Houseparty accesses user activity on Houseparty, including how long users chat with friends and purchase items
- Notice that Houseparty collects social media account information of users
- Notice that Houseparty collects unique identifiers such as IP addresses, location information, and other information identifying a user’s device
The factual allegations within the CCPA complaint
The complaint makes the following factual allegations against Houseparty:
- Houseparty violated its claim that it never engages in the sale of PII by disclosing (disclosures are included in the CCPA’s definition of a “sale”) user PII to companies such as Facebook without obtaining user consent
- Houseparty failed to disclose that third parties may access information collected via cookie technology
- Houseparty enabled the assignment of unique advertiser identifiers (IDFA) to users, which allowed companies to target Houseparty users with targeted advertisements
- Houseparty users were allegedly prevented from opting out of the sale of their PII
The complaint asserts that, had the plaintiffs been aware of Houseparty’s information sharing conduct, the plaintiffs would not have permitted Houseparty to use their PII nor would they have been willing to use the application.
An analysis of Houseparty’s alleged violations of the CCPA
The following claims were made pursuant to the plaintiff’s CCPA cause of action:
- That plaintiffs are protected “consumers” under the CCPA and the defendants – Life on Air, Inc. and Epic Games, Inc. – are both “businesses” under the CCPA and are thus required to comply with the law;
- Houseparty allegedly violated the CCPA when it failed to provide the notice required by Section 1798.100(b) pertaining to Houseparty’s collection, use, and sale of PII to “unauthorized third parties” such as Facebook
- Houseparty allegedly violated Section 1798.120(b) of the CCPA because Houseparty failed to disclose that users had the right to opt-out of the sale of their PII
- House party allegedly failed to provide a link to a “Do Not Sell My Personal Information” page on its website or mobile application
- Houseparty allegedly violated Section 1798.135(a)(B)(6) by failing to “use any personal information collected from the consumer in connection with keeping their personal information private”
Due to the alleged violations of the CCPA , the plaintiffs are seeking actual damages as well as a court order preventing the defendants from continuing to violate the law.
With respect to the alleged CCPA violations cited in the Houseparty complaint, it is important to recall when CCPA private rights of actions may be initiated against businesses. Section 1798.150 provides the necessary criteria for bringing a private right of action following a data breach. The following three requirements must be met:
- The private right of action must involve a consumer’s nonencrypted or nonredacted personal information, defined as an individual’s name in combination with the following:
- Social security number, a driver’s license, or state identification number;
- Credit or debit card number, along with the individual’s password to access the financial account; or
- Health information
- That is subject to unauthorized access and exfiltration, theft, or disclosure; and
- As a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information
But meeting these three requirements alone does not end the inquiry. Prior to initiating an action against a business, the plaintiffs must provide the business 30 days’ written notice identifying the specific CCPA provisions the business has allegedly violated. If the business is able to “cure” the violation, no class action lawsuit may be initiated against it.
Turning to the complaint under discussion here, the class action complaint against Houseparty omits any mention of Section 1798.150. Specifically, the complaint does not allege any failure on the part of Houseparty to protect user’s nonenrypted or nonredacted personal information nor whether Houseparty failed to maintain reasonable security procedures and practices. In short, the CCPA violations alleged – namely Houseparty’s alleged failure to allow users to opt-out of sale of PII and failure to provide disclosures – cannot be remedied via a CCPA civil suit. Instead, any alleged noncompliance by Houseparty or any other covered entity under the CCPA would be investigated by the state Attorney General beginning July 1st.
Tyler is a third year law student attending Seton Hall University School of Law. He is a Certified Information Privacy Professional (CIPP/U.S.) as well as the Founder and President of the Cybersecurity and Privacy Society of his law school, a student organization dedicated to exploring major legal issues in all things technology, from data privacy to Artificial Intelligence. The organization is also dedicated to helping law students find career opportunities in the growing fields of cybersecurity and privacy.