On April, 17th, a class action was brought under the California Consumer Privacy Aact (CCPA) against the application “Houseparty” for unlawful disclosure of personal information to third parties, including Facebook.

What are the alleged facts?

Houseparty is a social networking app allowing multiple people to video chat at once in a virtual room. This application has been increasingly used by American consumers due to the coronavirus crisis and subsequent stay at home orders.

The company reported more than 50 million daily meeting participants during the month of March. Furthermore, the application stated on its website that no personal data were sold.

According to the lawsuit, the application would send consumer information and analytics to Facebook’s software development kits (“SDK”) upon downloading and opening the app without notifying or receiving consent from the users. Consumer information is allegedly also shared with third parties without consent to be used for targeted advertising.

The claim highlights that the application allows users to log into the application using a Facebook plugin, enabling Facebook to gather several information on all Houseparty users regardless if the user has a Facebook account, among which:

  • Personal identifiers,
  • IP addresses,
  • Timezone details,
  • Phone carrier details,
  • Device information,
  • Unique advertiser identifier.

A special attention is given to the collection of the unique advertiser identifier which is deemed particularly invasive. The claim argues that, insofar as these identifiers are unique alphanumeric strings used to identify an individual device, it enables the tracking and profiling of users. This identifier allows advertisers to learn about when and how users access the application, their location, their behaviours, demographics, and preferences to offer tailored and targeted advertising without the need to know users’ names or email address.

Finally, the claim alleges that this data-sharing activity was not visible to users. No notice or consent collection took place. Thereby, users were deprived of their right to opt out of disclosure or sale of their personal information to third parties.

Although the company claimed that there had been “no data breaches and no exposure of consumer data or third-party accounts”, the application offered no way to monitor nor any reasonable method of knowing whether their information was shared to third parties.

What are the breaches alleged by this class action?

The lawsuit alleges that this conduct has invaded the users’ reasonable expectations of privacy and amounts to a predatory business practice. It is argued that consumers would not have entrusted their data to this company had they known the application’s practices.

The lawsuit details seven causes for action:

  • Negligence,
  • Violation of the California Unfair Competition Law,
  • Breach of implied contract,
  • Unjust enrichment,
  • Invasion of privacy,
  • Violation of the California’s Consumer Privacy Act,
  • Violation of California Consumer Legal Remedies Act.

What is the alleged invasion of privacy?

The expectation of privacy test is a key component of the Fourth Amendment analysis and originated from Katz v. United State. If both the American and European fundamental regimes consider that privacy is not an absolute right and may suffer limitations, the American test relies on a subjective expectation of privacy, deemed reasonable in public norms. As a matter of comparison, the European privacy right is articulated on the necessity and proportionality test.

In this case, the plaintiff argues that users have a reasonable expectation of privacy in their devices and online behaviour, including their use of the application or any other behaviour that may be monitored by the application.

The claim highlights that the intrusion is “highly offensive to a reasonable person”, insofar as the company concealed its conduct and represented that they took privacy seriously while using “surreptitious, highly technical and non intuitive” modes of disclosure of users’ personal information.

On this ground, the lawsuit seeks damages, including compensatory, nominal, and punitive damages.

What are the alleged violations of the California’s Consumer Privacy Act?

The lawsuit argues that the company violated its obligations:

  • To notify consumers that it was collecting, using, and selling personal information to unauthorized third parties,
  • To provide notice to consumers of their right to opt-out of the disclosure of their personal information
  • To give consumers the opportunity to opt-out in a timely manner,
  • To provide a clear and conspicuous link on the business’s Internet homepage or mobile app titled “Do not Sell My Personal Information »,
  • To use any personal information collected from the consumer in connection with keeping their personal information private.

On these grounds, the lawsuit seeks injunctive relief in the form of an order enjoining the company from continuing to violate the CCPA and actual damages.

The European regime is not unfamiliar with transparency obligations of the controller (Articles 12, 13 and 14 of the GDPR) and the right to opt-out granted to individuals (Article 18 of the GDPR).

Nonetheless, the singularity of the CCPA lies in its focus on the sale of personal data and the specific right to opt-out of sale schemes (§1798.120). These rights are deemed to be the cornerstone of consumers’ control over their personal information.

What will happen next?

The lawsuit should cover California residents who accessed the application and had their personal information disclosed to third parties from January 1st, 2020 to April 17th, 2020. While this case only covers California residents, additional putative class actions might be filed to represent consumers, either at a state level or nationwide.

This case tests and stretches the limits of the CCPA’s private right of action by relying on an allegedly voluntary transfer of consumer data to a third party. The complaint alleges a violation of the CCPA’s core privacy provision which requires notice of disclosure of personal information and the right to opt-out of such disclosures.

However, this claim exceeds the CCPA’s statutory framework for private claims, which is limited to “unauthorized access and exfiltration, theft, or disclosure” resulting from the defendant’s “violation of the duty to implement and maintain reasonable security procedures and practices” (§1798.150).

Going back to the letter of the CCPA, such obligations are left to the exclusive enforcement competence of the Attorney general (§1798.155). As a reminder, the Attorney General cannot bring an enforcement action under the CCPA before July 1st 2020.

If this alleged CCPA claim succeeds, the scope of private litigation right under the CCPA may encompass a broader variety of individual claims than the statute’s language provides, including class actions.

Mathias Avocats will not fail to keep you updated on new forms of data protection litigation.