The California Consumer Privacy Act (CCPA) permits the California Attorney General (AG) to recover a civil penalty of up to $2,500 per violation (or $7,500 per each intentional violation) of the CCPA in enforcement actions. Although many companies have been focused on ensuring their CCPA compliance programs can withstand scrutiny from the AG after the July 1, 2020 enforcement date, some companies may not have focused as closely on the private right of action provisions under the CCPA. The plaintiff's bar has not been so distracted.
The CCPA authorizes a private right of actions for certain data breaches and permits the recovery of damages of $100 to $750 per consumer per incident or actual damages, whichever is greater. The first class action complaint alleging some form of CCPA liability was filed in February 2020 and other complaints against companies in various industries have been filed since then.
A recent class action complaint, Heather Sweeney, et al. v. Life on Air Inc. and Epic Games Inc., Case No. 3:20-cv-00742-BAS-BLM, was filed in the U.S. District Court for the Southern District of California on April 17, 2020 and alleges that Houseparty, a social networking app operated by Life on Air, Inc., a subsidiary of Epic Games, violated the CCPA. The complaint also includes claims of negligence, breach of implied contract, unjust enrichment, public disclosure of private facts, and violations of other California laws. The plaintiffs are seeking restitution, plus damages and court costs. This case may sound familiar. Several complaints setting forth similar allegations have also been filed against Zoom Video Communications, Inc.
Although the plaintiffs in the Houseparty case have alleged a panoply of claims, the following discussion focuses on two of their CCPA-linked claims, certain representations made by Houseparty about their data security practices and allegations that Houseparty sold its users' personal information (PI) to others without providing users with an opportunity to opt-out of such sales.
The company's website notes that "Houseparty is a social networking app that allows up to eight people to video chat at once in a 'room.' Users receive a notification when friends open the app and can join chats with friends (and friends of friends)." Houseparty promotes that its app facilitates online communications so users can continue to practice social distancing during the current coronavirus pandemic. The complaint notes that Houseparty logged a record of more than 50 million "daily meeting participants" in March 2020.
Houseparty is secure.
When you're using Houseparty to have a face-to-face social connection with the ones you care about, you should not have to worry about the security of your data. We take this seriously and it's a core part of our values. We aim to be best-in-class in this area.
While we're on the topic of your data, we want to make a promise to you: Houseparty has not ever sold your data and will not ever sell your data. Ever.
The privacy notice posted at Houseparty's site provides as follows:
We only use the personal information we collect to help provide, support, and improve Houseparty as described in this policy, and we do not "sell" this information to third parties as that term is defined by applicable laws.
The Houseparty plaintiffs claim that their use of the app was predicated on the representations made by Houseparty that it protected the security of their PI as a "best-in-class" provider and that such security was not provided because their PI was allegedly shared with unauthorized third parties. There are two issues embedded in this claim, one focuses on what are generally considered to be reasonable measures to protect the security of PI and the other focuses on the company's representations about their data security practices.
The CCPA does not impose specific data security requirements. The CCPA, however, permits any consumer whose nonencrypted and nonredacted PI has been subject to "an unauthorized access and exfiltration, theft, or disclosure as a result of [a company's failure] to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information" to initiate a civil action for damages, injunctive or declaratory relief, and any other relief deemed appropriate by the court.
Companies should periodically review and update their security procedures, as needed, to ensure that reasonable measures are in place to protect all PI, including CCPA-covered PI, from breach incidents. Although such periodic reviews and updating should be part of any robust and agile data security compliance program, companies also need to be mindful of the representations they make to consumers about their data security practices.
In March 2016, Dwolla, Inc., an online payments platform, entered into a consent order with the Consumer Financial Protection Bureau (CFPB) to resolve allegations that Dwolla misrepresented its data security practices by falsely claiming to its customers that its practices "exceed[ed]" or "surpass[ed]" industry security standards. Although Dwolla had not experienced a data breach, the CFPB contended that Dwolla failed to employ reasonable and appropriate measures to protect the PI it obtained from consumers from unauthorized access. Dwolla agreed to pay a $100,000 penalty to the CFPB's Civil Penalty Fund to resolve the claims.
In April 2020, Tapplock, Inc., an IoT company selling Internet-connected fingerprint-enabled padlocks, entered into an agreement with the Federal Trade Commission (FTC) to resolve allegations that the company had engaged in deceptive acts or practices by falsely representing that its smart locks were secure and that it took reasonable precautions and followed industry best practices to protect the PI of consumers. Tapplock had advertised that its smart locks and were "Bold. Sturdy. Secure." with an "unbreakable design" and represented that it had taken "reasonable precautions" and followed "industry best practices" to protect PI.
Effusive claims that a company aims to provide "best-in-class" data security as "a core part of [its] values" may also raise the same concerns highlighted by the CFPB and the FTC in prior settlements. Although such representations should not serve as a basis for a private right of action under the CCPA, they may raise concerns under other laws.
As noted above, the plaintiffs have also alleged that Houseparty failed to provide reasonable data security, but their definition of what constitutes reasonable data security may be "unique-in-class." The CCPA requires companies that sell PI about consumers to provide those consumers with the right, at any time, to opt-out or direct that the company stop selling their PI. The term "sale" is broadly defined under the CCPA to include the "selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer's personal information by the business to another business or a third party for monetary or other valuable consideration."
Despite the representations made by Houseparty that they do not sell the PI of their customers, the plaintiffs claim that Houseparty violated the CCPA by, among other things, failing to provide a clear and conspicuous "Do Not Sell My Personal Information" link on their home page or mobile app to allow customers to opt-out of the sharing and sale of their PI. The plaintiffs claim that when they downloaded and opened the Houseparty app, they were prompted to connect the app to their Facebook account and that this connection enabled Facebook to collect their PI, such as their IP address, phone service carrier, and specific device being used to access the Houseparty app. The plaintiffs also claim that each time they opened the app, Houseparty notified Facebook and provided Facebook with details about their device.
The plaintiffs allege that these practices allowed Facebook and other third parties to target them with specific advertisements based on their location, behaviors, and preferences identified from a unique identifier pre-installed and assigned to their devices, a mobile advertising identifier for Apple devices known as an Identifier for Advertisers (IDFA). All device identifiers, including IDFAs, are considered personal data under the European Union's General Data Protection Regulation (GDPR) so any data stored with such identifiers in the same record should also be considered personal data. Although a "unique personal identifier" is a type of PI covered under the CCPA, this identifier must also relate to, describe, be reasonably capable of being associated with, or be reasonably linked, directly, or indirectly with a particular consumer or household. The plaintiffs did not explain how any IDFA assigned to their device specifically identified them, and not simply their device, to any party.
The plaintiffs argue that since Houseparty failed to warn them of these information sharing practices, Houseparty misrepresented that they did not sell the PI of their customers and effectively prohibited them from opting out of the sale of their PI with Facebook and other third-party marketing companies. The plaintiffs contend that they would not have downloaded the app had they known that Houseparty intended to share their PI with Facebook and others.
The Houseparty plaintiffs conflate the concepts of privacy and data security in their complaint by trying to tie a failure to provide the CCPA's opt-out right to a failure to maintain reasonable data security procedures and practices. The plaintiffs have not alleged that they were the victims of a data breach due to the failure of Houseparty to maintain any specific data security measures. In fact, the Houseparty site notes, as of May 12, 2020, that "[t]here have been no data breaches and no exposure of customer data or third-party accounts." Instead, the plaintiffs are attempting to extend the limited private right of action under the CCPA by trying to define the CCPA's opt-out notification and election right as a required form of data security. If this so-called security procedure is not provided, they assume that any exchange of their PI with others, even if pursuant to their own actions in linking the Houseparty app to their Facebook accounts, was done for pecuniary gain to Houseparty and an "unauthorized disclosure" of their PI by Houseparty.
Prior to the initiation of any individual or class action lawsuit for damages, the CCPA requires the consumer to provide a written notification to the target company identifying the specific provisions of the CCPA that the consumer alleges have been violated and afford the company with the opportunity to cure the alleged violations within 30 days. The complaint does not reveal whether such notice was provided to Houseparty and if the notice was provided, whether and how Houseparty responded to the notice.
Although the claims in the Houseparty case seem to stretch the CCPA's private right of action provision, the case highlights that companies should: