Insights
Publications

New CCPA Lawsuit Against Zoom: Issues to Watch

April 7, 2020 Blog

As large portions of society become subject to coronavirus-related quarantines, increasing numbers of people have turned to web-based communications platforms for classes, meetings, events, and socialization. One such platform, Zoom, has become, in some estimations, the most important app in the business world, and the single most downloaded mobile app in all of India.

With such rapid expansion in its user base, there was bound to be increased focus on the company. Over the last few weeks, Zoom has faced questions related to the legality of its privacy and information-gathering practices. In fact, in addition to addressing concerns on social media and national television programs, Zoom must also now defend itself in a new class action lawsuit involving the newly enacted California Consumer Privacy Act (“CCPA”), which we analyze below.

The CCPA provides a private right of action to individuals whose

nonencrypted and nonredacted personal information… is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information.

Cal. Civ. C. § 1798.150 (a)(1).

On March 30, 2020, a class action complaint was filed in the U.S. District Court for the Northern District of California, raising claims against Zoom under the CCPA, as well as California’s Unfair Competition Law and Consumer Legal Remedies Act. Robert Cullen, et al v. Zoom Video Comms., Case No. 5:20-cv-02155-SVK (N.D. Cal. Mar. 30, 2020).

This complaint alleges that Zoom’s representations to users about its collection and use of their data are false, because the Zoom app includes “without any adequate disclosure to users, code that made undisclosed, unauthorized disclosures of users’ personal information to Facebook and possibly other third parties.” Regardless of whether the complaint’s factual allegations have any merit, there are a number of procedural concerns that may affect the viability of this lawsuit.

I. The private right of action under the CCPA is not limited to data breaches

This case serves as an important reminder that claims under the CCPA are not limited to data breaches and theft. The CCPA language also indicates that the statute allows actions based on unauthorized disclosure of personal information, as that term is defined in the CCPA. While “disclosure” is not defined in the statute, the plaintiffs allege that the Zoom app sends personal information (e.g., the user’s mobile operating system, and the device’s time zone, model, and unique advertising identifier) to Facebook each time a user opens the Zoom app. It is yet to be seen whether all of the information plaintiffs identify in their complaint will qualify as personal information under the CCPA.

II. The “Notice and Cure” Requirement

Before bringing an action for damages under the CCPA, a consumer must first “provide[] a business 30 days’ written notice,” identifying the purported violations, so that the business can take action to cure them. While the complaint indicates that Plaintiff served Zoom with notice and a demand for relief, it does not indicate when such notice was provided, or what curative relief was sought. This is particularly important given that many of the complaint’s substantive factual allegations are based on an Internet report, which explained that Zoom was sending certain analytics data to Facebook.[1] That report was published on March 26, 2020 – a mere four days before the complaint was filed.

The 30 day notice and opportunity to cure is particularly important here, because the statutory language indicates that where a cure has been effected, a class action claim cannot be sustained. Specifically, the CCPA states that “[i]n the event a cure is possible, if within the 30 days the business actually cures the noticed violation and provides the consumer an express written statement that the violations have been cured and that no further violations shall occur, no action for individual statutory damages or class-wide statutory damages may be initiated against the business.” Cal. Civ. C. § 1798.150 (b).

The complaint acknowledges that on March 27, 2020, Zoom released a new version of its app, which appears to correct the purported violations. (Indeed, in a statement also released on March 27th, Zoom explained that it removed the Facebook SDK from its iOS client. Zoom subsequently issued another statement on April 2, 2020, detailing several additional measures it is taking to protect and reassure users.). However, the complaint alleges that Zoom’s update fails to cure the violation, because “the harm to Plaintiff and the Class members has been done,” and because “Zoom appears to have taken no action to block any of the prior versions of the Zoom app from operating.” Put another way, Plaintiff argues that Zoom users continue to be harmed because old versions of the app are still in use.

The complaint also appears to acknowledge that the 30-day requirement has not yet been met. Instead, it states that the plaintiffs will seek monetary damages under the CCPA “[i]f Defendant fails to properly respond to Plaintiff’s notice letter or agree to timely and adequately rectify the violations above.” In other words, the complaint appears to have been filed pre-emptively, in anticipation that any cure will fail.

Thus, it remains to be seen whether these allegations are enough to sustain the plaintiffs’ action, in light of the statutory notice and cure requirement.

III. Plaintiff’s Request for Attorneys’ Fees

The complaint also expressly seeks attorneys’ fees for Zoom’s purported CCPA violation. However, it is not yet clear whether attorneys’ fees are allowable under the CCPA. The statute indicates that, in addition to statutory financial damages and injunctive relief, a private litigant may be entitled to recover “other relief the court deems proper.” Cal. Civ. C. § 1798.150 (a)(1)(C).

The courts have not yet weighed in on whether such “other relief” includes attorneys’ fees under the CCPA. Perhaps wisely, therefore, the plaintiffs do not seek them under that statute. Instead, they cite to California’s private attorney general statute, California Code of Civil Procedure Section 1021.5. That statute allows a court to award attorneys’ fees to a successful party in an action that results in “the enforcement of an important right affecting the public interest.” However, it includes important caveats.

To justify such a fees award, a plaintiff must show that “a significant benefit, whether pecuniary or non-pecuniary, has been conferred on the general public or a large class of persons.” C. Civ. P. § 1021.5. While it seems likely that this criterion could be met in at least some cases that implicate the CCPA, it is yet to be seen. The “significant benefit” requirement may be more difficult to show where individual class members are limited to statutory damages, and the Defendant has already taken action to cure the defect.

It is not yet clear whether the CCPA claims against Zoom will survive. However, this case is one to watch, as the CCPA case law evolves.

[1] Notably, while the complaint purports to provide the URL for that article, the indicated URL actually references a different article, about unrelated issues. The article that the plaintiffs ostensibly intended to reference can be accessed here.

Firm Highlights

News

Prop. 24 Passes: What Companies Need To Know About the New Privacy Law

Nate Garhart spoke to the San Francisco Business Times on the steps companies can take to prepare for the California Privacy Rights Act (CPRA). He noted that if the CPRA applies to your business, then...

Read More
Publication

Top 10 Practical Business Implications Arising From the Passage of the CPRA

California’s Proposition 24 passed as expected, and the new California Privacy Rights Act will change the privacy landscape created by the California Consumer Protection Act (CCPA), which went into effect only months ago. While...

Read More
Publication

Three Steps Licensees Can Take to Protect Their IP Rights in Bankruptcy

During periods of widespread economic disruption such as the present, operating businesses must be able to identify and respond to threats to the financial health of their contracting counterparts in order to protect key...

Read More
Publication

Privacy During Bankruptcy Proceedings: Why It Matters

During these particularly trying times resulting from the COVID-19 pandemic, businesses of all sizes have been concerned about the future. As a result, considering potential liquidation or restructuring through bankruptcy is inevitably starting to...

Read More
Publication

Electric Fence: Protecting Proprietary Rights in Collected Energy Data

Like companies in other industries, a growing number of modern energy-related companies are focusing their efforts on data collection and analysis. For example, Enphase – an energy technology company – regularly tracks data about how...

Read More
Publication

How Antitrust and Unfair Competition Laws Affect Platform Providers’ Relationships With ISVs, API Developers, and Scrapers

A wide variety of business and consumer platforms host mutually beneficial ecosystems. But these ecosystems are also fraught with antitrust risk that arises when platforms try to terminate or modify the terms of third-party...

Read More
Publication

Arbitration Agreements in Privacy Disputes: The Wyze Decision and the CCPA

Earlier this year, a number of individuals brought a lawsuit in the United States District Court for the Western District of Washington against Washington-based company Wyze Labs, Inc (Wyze), which manufactures “smart” home cameras...

Read More
Publication

Twists in the Plot: California AG Releases Final CCPA Regulations

With a little time to consider the  finalized California Consumer Privacy Act regulations  released by the California Attorney General on August 14, 2020, it is clear that some last-minute negotiations (or perhaps just some...

Read More
Publication

Undergoing Bankruptcy Proceedings? Here’s How to Make Sure PII Maintains Its Value

Due to the COVID-19 pandemic, some businesses are considering potential liquidation or restructuring through bankruptcy. Companies in this situation should keep privacy concerns in mind, because the handling of personal data in bankruptcy proceedings...

Read More
Publication

Proposition 24: California’s Ever-Evolving Privacy Landscape

Next Tuesday is election day, and this year, California voters are deciding whether to support another statewide privacy initiative – the California Privacy Rights Act (CPRA) (Proposition 24).  This measure would expand on the...

Read More