Zoom Hit With Class Actions Under The California Consumer Privacy Act: Will The Claims Take Off?
Zoom Video Communications, the remote conferencing service whose usage has surged during the COVID-19 pandemic, has been sued in California federal court in two putative class action cases alleging, among other claims, violations of users’ privacy rights under the California Consumer Privacy Act (CCPA).
Zoom was already facing intense public scrutiny from lawmakers, consumer advocacy groups, and state attorneys general over reported security vulnerabilities and misuse of customer data.
The claims asserted under the CCPA, which just took effect in January 2020, will serve as a critical early test of consumers’ ability to enforce the law through private lawsuits, including on a class-wide basis.
Background
Zoom, a publicly-traded company founded in 2011, is a cloud-based remote communications platform, providing video and audio conferencing, online meetings, chats, and webinars across mobile devices, computers, and telephones. With states closing schools and non-essential businesses and ordering people to stay at home to slow the spread of COVID-19, Zoom has recently become the de facto mode of communication for many companies, schools, and families. Meanwhile, with the unexpected surge in popularity and media coverage, Zoom’s privacy and security practices have also become a central focus given the amount of information currently crossing its platform. Zoom’s rise also happens to coincide with the CCPA taking effect.
Overview of the CCPA
Enacted in 2018 and effective January 1, 2020, the CCPA protects California consumers’ personal information from collection and use by businesses without notice. It applies to businesses operating in California that either (i) have annual gross revenues exceeding $25 million, (ii) sell consumer data of at least 50,000 households or consumers, or (iii) derive 50% or more of their revenue from the sale of consumer data.
The law provides a list of new rights for California consumers. Namely, businesses must disclose the categories of information they collect and the third parties with whom the information is shared. Consumers have the right to opt out of sales or disclosure of their data, the right to access their personal data, and the right to request that a business delete their information. The law also includes a private right of action, permitting consumers to file suit where a business has utilized inadequate security practices to protect personal information and such practices result in unauthorized access to that information.
Violations of the CCPA are subject to public enforcement by the California Attorney General, starting in July 2020, with the ability to levy a civil penalty of up to $2,500 per violation or $7,500 per intentional violation. Additionally, as noted above, the private right of action allows private litigants to recover statutory damages ranging from $100 to $750 per violation depending upon the severity of the misconduct and the company’s net worth. However, unlike other state privacy laws, such as the heavily-litigated Illinois Biometric Information Privacy Act, attorneys’ fees are not recoverable.
Class Action Allegations
In filings on back-to-back days in the Northern District of California, two sets of consumer plaintiffs allege that Zoom collected and shared their data in violation of the CCPA, as well as California’s Unfair Competition Law (UCL) and Consumers Legal Remedies Act (CLRA), which pre-date the CCPA and have long been used as a basis for complaint where a consumer’s rights have been impacted by a company’s business practices. According to the allegations, when a user installs or opens the Zoom app on their device, Zoom sends third parties, without notice to the user, the device model, software, storage information, time zone, IP address and other unique identifiers for the purpose of targeted advertising. The complaint alleges that this information provides these third parties with information regarding the efficacy of ad placement. This type of sharing is being heavily debated as potentially qualifying as a “sale” under the CCPA, which many view as any sharing of personal information where both parties receive a benefit and/or have control of the information. The complaints highlight the lack of notice and consent regarding these practices, as well as the potential impact on consumers’ privacy rights.
Days before the suits were filed, Zoom publicly admitted to the data-sharing practice in a blog entry on its website while simultaneously releasing a new version of the app that allegedly dispensed with the practice.
Obstacles Raised by the CCPA Claims
The plaintiffs will face three major hurdles under the CCPA’s private right of action provisions. The presence of the claims also presents challenges for class certification.
First, the CCPA does not allow consumers to sue over a violation of the law’s notice requirement. Consumers may only file suit where their personal information is “subject to unauthorized access and exfiltration, theft, or disclosure” as a result of the business’s violation of “the duty to implement and maintain reasonable security procedures and practices.” This language is widely understood to apply only in the event of a data breach in which consumer data is illegally accessed without authorization from the business holding the data. It is doubtful that Zoom’s practice of volunteering customer information to third parties, without notice to the customer, meets the standard. Even if the access is “unauthorized,” it does not result from a “security” failure.
Second, the CCPA’s private right of action only covers a subset of “personal information” that is much narrower than the universe of information regulated by the CCPA generally. This subset is defined as an individual’s name in combination with (i) a social security number, (ii) a driver’s license or other government identification number, or (iii) a credit or debit card number. Here, the information allegedly disclosed by Zoom – device-related information – does not fall within the defined categories.
Third, private claims are subject to pre-suit notice and a cure period. A consumer must provide a business 30 days’ written notice identifying the specific provisions of the CCPA that have been violated. If the business cures the violations within 30 days, no private action may be brought. Zoom arguably cured the violations before suit was filed by releasing a new version of the app and discontinuing the practice of sharing customer data without notice. However, the plaintiffs claim Zoom failed to block prior versions of the app from operating or take action to ensure the deletion of previously disclosed data. This argument may allow the plaintiffs to withstand a potential motion to dismiss by Zoom.
Finally, the scope of the proposed classes raises possible class certification issues. The named plaintiffs seek to certify a class of “all persons and businesses in the United States” whose information was collected and disclosed to a third party without notice. While a nationwide class may be appropriate for resolving some of the issues in the case, it is not appropriate as to the CCPA issues. The CCPA only protects California residents. Therefore, questions arising for California class members under the CCPA are likely not common to the class at large because they do not apply to members outside of California.
Similarly, in one case, where the named plaintiff is from Florida, the class representative’s claims are likely not typical or similar to the class. The potential lack of commonality and typicality may preclude certification of the proposed classes.
Viability of Other Class Claims
Even if the CCPA claims fail, the class allegations may still be actionable under California’s UCL and CLRA, which prohibit unfair and deceptive business practices. Although the California legislature has instructed that the CCPA may not be used as the basis for a private action under any other law, California courts have yet to rule on the relationship between the CCPA and other consumer protection laws. The case for a consumer protection claim may be greater, for example, where a business misrepresented its privacy practices to the public. Unlike the CCPA, however, the UCL requires an affirmative showing of monetary loss. Statutory damages are not available. However, civil penalties of up to $2,500 per day per violation have historically been available under the UCL, making this type of claim very popular among the plaintiffs’ bar.
What’s Next?
Following the surge in popularity of Zoom and other software technologies arising out of the COVID-19 crisis, we are likely to see additional privacy class actions, particularly in California, the home of the CCPA and many leading tech companies. We may also see more states follow California’s lead by prioritizing and acting on privacy legislation as our dependence on online activity increases.
The class actions brought against Zoom will serve as the first of potentially many upcoming tests of the CCPA’s private right of action. The cases also serve as a reminder that businesses operating within this space must remain vigilant about protecting customer information with appropriate security measures. Instead of playing catch-up like Zoom after security and privacy flaws are exposed, companies should proactively mitigate risk by reviewing their privacy policies and practices and aligning them with the CCPA and other data protection laws. Particular attention should be given to the use and disclosure of third-party cookies. As always, careful review and compliance will provide the greatest protection against unwanted litigation.