Insights
Publications

New CCPA Lawsuit Against Zoom: Issues to Watch

April 7, 2020 Blog

As large portions of society become subject to coronavirus-related quarantines, increasing numbers of people have turned to web-based communications platforms for classes, meetings, events, and socialization. One such platform, Zoom, has become, in some estimations, the most important app in the business world, and the single most downloaded mobile app in all of India.

With such rapid expansion in its user base, there was bound to be increased focus on the company. Over the last few weeks, Zoom has faced questions related to the legality of its privacy and information-gathering practices. In fact, in addition to addressing concerns on social media and national television programs, Zoom must also now defend itself in a new class action lawsuit involving the newly enacted California Consumer Privacy Act (“CCPA”), which we analyze below.

The CCPA provides a private right of action to individuals whose

nonencrypted and nonredacted personal information… is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information.

Cal. Civ. C. § 1798.150 (a)(1).

On March 30, 2020, a class action complaint was filed in the U.S. District Court for the Northern District of California, raising claims against Zoom under the CCPA, as well as California’s Unfair Competition Law and Consumer Legal Remedies Act. Robert Cullen, et al v. Zoom Video Comms., Case No. 5:20-cv-02155-SVK (N.D. Cal. Mar. 30, 2020).

This complaint alleges that Zoom’s representations to users about its collection and use of their data are false, because the Zoom app includes “without any adequate disclosure to users, code that made undisclosed, unauthorized disclosures of users’ personal information to Facebook and possibly other third parties.” Regardless of whether the complaint’s factual allegations have any merit, there are a number of procedural concerns that may affect the viability of this lawsuit.

I. The private right of action under the CCPA is not limited to data breaches

This case serves as an important reminder that claims under the CCPA are not limited to data breaches and theft. The CCPA language also indicates that the statute allows actions based on unauthorized disclosure of personal information, as that term is defined in the CCPA. While “disclosure” is not defined in the statute, the plaintiffs allege that the Zoom app sends personal information (e.g., the user’s mobile operating system, and the device’s time zone, model, and unique advertising identifier) to Facebook each time a user opens the Zoom app. It is yet to be seen whether all of the information plaintiffs identify in their complaint will qualify as personal information under the CCPA.

II. The “Notice and Cure” Requirement

Before bringing an action for damages under the CCPA, a consumer must first “provide[] a business 30 days’ written notice,” identifying the purported violations, so that the business can take action to cure them. While the complaint indicates that Plaintiff served Zoom with notice and a demand for relief, it does not indicate when such notice was provided, or what curative relief was sought. This is particularly important given that many of the complaint’s substantive factual allegations are based on an Internet report, which explained that Zoom was sending certain analytics data to Facebook.[1] That report was published on March 26, 2020 – a mere four days before the complaint was filed.

The 30 day notice and opportunity to cure is particularly important here, because the statutory language indicates that where a cure has been effected, a class action claim cannot be sustained. Specifically, the CCPA states that “[i]n the event a cure is possible, if within the 30 days the business actually cures the noticed violation and provides the consumer an express written statement that the violations have been cured and that no further violations shall occur, no action for individual statutory damages or class-wide statutory damages may be initiated against the business.” Cal. Civ. C. § 1798.150 (b).

The complaint acknowledges that on March 27, 2020, Zoom released a new version of its app, which appears to correct the purported violations. (Indeed, in a statement also released on March 27th, Zoom explained that it removed the Facebook SDK from its iOS client. Zoom subsequently issued another statement on April 2, 2020, detailing several additional measures it is taking to protect and reassure users.). However, the complaint alleges that Zoom’s update fails to cure the violation, because “the harm to Plaintiff and the Class members has been done,” and because “Zoom appears to have taken no action to block any of the prior versions of the Zoom app from operating.” Put another way, Plaintiff argues that Zoom users continue to be harmed because old versions of the app are still in use.

The complaint also appears to acknowledge that the 30-day requirement has not yet been met. Instead, it states that the plaintiffs will seek monetary damages under the CCPA “[i]f Defendant fails to properly respond to Plaintiff’s notice letter or agree to timely and adequately rectify the violations above.” In other words, the complaint appears to have been filed pre-emptively, in anticipation that any cure will fail.

Thus, it remains to be seen whether these allegations are enough to sustain the plaintiffs’ action, in light of the statutory notice and cure requirement.

III. Plaintiff’s Request for Attorneys’ Fees

The complaint also expressly seeks attorneys’ fees for Zoom’s purported CCPA violation. However, it is not yet clear whether attorneys’ fees are allowable under the CCPA. The statute indicates that, in addition to statutory financial damages and injunctive relief, a private litigant may be entitled to recover “other relief the court deems proper.” Cal. Civ. C. § 1798.150 (a)(1)(C).

The courts have not yet weighed in on whether such “other relief” includes attorneys’ fees under the CCPA. Perhaps wisely, therefore, the plaintiffs do not seek them under that statute. Instead, they cite to California’s private attorney general statute, California Code of Civil Procedure Section 1021.5. That statute allows a court to award attorneys’ fees to a successful party in an action that results in “the enforcement of an important right affecting the public interest.” However, it includes important caveats.

To justify such a fees award, a plaintiff must show that “a significant benefit, whether pecuniary or non-pecuniary, has been conferred on the general public or a large class of persons.” C. Civ. P. § 1021.5. While it seems likely that this criterion could be met in at least some cases that implicate the CCPA, it is yet to be seen. The “significant benefit” requirement may be more difficult to show where individual class members are limited to statutory damages, and the Defendant has already taken action to cure the defect.

It is not yet clear whether the CCPA claims against Zoom will survive. However, this case is one to watch, as the CCPA case law evolves.

[1] Notably, while the complaint purports to provide the URL for that article, the indicated URL actually references a different article, about unrelated issues. The article that the plaintiffs ostensibly intended to reference can be accessed here.

Firm Highlights

Publication

Reopening Plans and Recommended Protocols Beg New Privacy Issues

While far from getting us back to any kind of normal that predated the COVID-19 pandemic, states have begun to relax lockdown requirements and some previously closed “nonessential” businesses are returning to operations. With...

Read More
Publication

A Roadmap to Litigating Privacy Claims? A Look at a Recent Order From the Google Assistant Privacy Litigation

As privacy-related litigation continues to heat up, Judge Beth Freeman (ND Cal.) recently laid out in In re Google Assistant Privacy Litigation (Case No. 19-cv-04286) [1] a potential roadmap for surviving or winning a...

Read More
News

GDPR in 2020: What You Need to Know

In the article "GDPR in 2020: What You Need to Know," Nate Garhart discussed the newly clarified guidelines for extraterritorial application of GDPR. Read the full article on Toolbox , here .

Read More
Publication

Senate Democrats Release Competing COVID-19 Privacy Bill

Democratic Senators Richard Blumenthal and Mark Warner have introduced the  Public Health Emergency Privacy Act  in response to  the bill of the same subject released by Senate Republicans  (the  COVID-19 Consumer Data Protection Act...

Read More
Publication

Federal “COVID-19 Consumer Data Protection Act” Proposed

A group of Republican senators has proposed a new privacy law to govern the collection and use of certain personal information thought to be both important and at risk during the current coronavirus crisis...

Read More
Publication

Reopening Businesses Must Consider Employee and Consumer Privacy

While we’re far from returning to the “normal” that predated the COVID-19 pandemic, states have begun to relax lockdown requirements and some previously “nonessential” businesses are returning to operations. Along with these openings, governmental...

Read More
Publication

Zoom Successfully Addresses New York’s Privacy and Security Concerns

A few weeks ago on this blog, we addressed some of the legal issues that have arisen for Zoom , as it becomes a significant part of American daily life during the COVID-19 pandemic. ...

Read More
Publication

Signatures Submitted for Inclusion of New California Privacy Law on November Ballot

Californians for Consumer Privacy has announced that it has secured and submitted enough signatures to qualify its California Privacy Rights Act (“CPRA”) for inclusion on California’s November 2020 ballot. Alistair Mactaggart, the architect behind...

Read More
Publication

Trademark Office Deadlines and Coronavirus-Related Delays (Updated)

With all of the business interruption caused by the COVID-19 pandemic, many worldwide trademark offices have taken steps to recognize the issues caused by the crisis. The offices in which applicants from the U.S...

Read More
News

In Novel Case, Insurer Sues Own Law Firm After Data Breach

Tyler Gerking was quoted in the Law360 article "In Novel Case, Insurer Sues Own Law Firm After Data Breach." In the article Tyler said, "This case shows some of the hazards that all companies face...

Read More