On April 17, a class action complaint was filed by plaintiff Heather Sweeney against Life on Air, Inc. – creator of the video chat app Houseparty – and Epic Games, Inc. in the United States District Court for the Southern District of California. Epic is the company behind the popular video game, Fortnite, and acquired Life on Air, Inc. in mid-2019. A copy of the complaint can be found here.
The crux of plaintiff’s complaint is that Houseparty allegedly failed to obtain consent from customers to disclose their personally identifiable information to third parties, including social media network Facebook, Inc. Sound familiar? It should. As we previously reported, Zoom Video Communications, Inc. also was hit with a proposed class complaint in late-March that accused Zoom of doing the same thing. Several other complaints setting forth similar allegations against Zoom have since been filed.
The mistaken reference to “Zoom,” rather than “Houseparty,” by plaintiff’s counsel in this lawsuit is an indicator of how similar the two complaints are to each other. Both complaints are based on almost identical causes of action, namely violations of California’s Unfair Competition Law, the California Consumers and Legal Remedies Act, the California Consumer Privacy Act (“CCPA”), and claims of common-law negligence, invasion of privacy, and unjust enrichment. Plaintiff, despite being a user likely bound to Houseparty’s Terms of Service, also asserts one additional claim for breach of implied contract.
It is obvious that plaintiff counsel’s citation to the CCPA is inappropriate given the lack of private right of action for CCPA violations. But a closer reading of the complaint reveals many more deficiencies. For example, as with the Zoom complaint, plaintiff’s counsel attempts to confuse concepts of privacy and data security. Likewise, and as we previously discussed in our article, “Revival of Facebook Internet Tracking Litigation Reveals Importance of CCPA Compliance and Highlights Ambiguities,” certain claims asserted in the complaint require plaintiff to adequately allege a reasonable expectation of privacy. Whether plaintiff will be able to do so here will turn on a number of factors including, for example, whether Houseparty’s privacy notices and disclosures accurately tracked its business practices and/or whether the actions of Houseparty users, such as voluntarily connecting the Houseparty app to their Facebook accounts, otherwise signaled consent to the alleged sharing of their personal information. For users who voluntarily linked their Houseparty accounts to Facebook, there may be an argument that they should have expected personal information to be shared.
While CCPA-related enforcement and litigation actions are at the forefront of everyone’s mind, CCPA compliance continues to reign supreme in the privacy world. As with the other cases on which we have been reporting, the Houseparty complaint is another indicator of how proper CCPA compliance can establish a defense to most privacy-based claims, even those unrelated to the CCPA. For example, the CCPA “Notice at Collection” provides businesses the opportunity to set users’ expectations of privacy before or at the time when personal information is collected. When implemented properly, businesses will have a better chance of defeating many privacy claims that may arise because the expectation of privacy will have been set at the onset. Thus, even for businesses that are not regulated by the CCPA, compliance with its requirements (at least those that are clear and unambiguous), may be worth considering.
Troutman Sanders’s Cybersecurity, Information Governance, and Privacy team will continue to monitor this case.