New CCPA Lawsuit Against Zoom: Issues to Watch

April 7, 2020 Blog

As large portions of society become subject to coronavirus-related quarantines, increasing numbers of people have turned to web-based communications platforms for classes, meetings, events, and socialization. One such platform, Zoom, has become, in some estimations, the most important app in the business world, and the single most downloaded mobile app in all of India.

With such rapid expansion in its user base, there was bound to be increased focus on the company. Over the last few weeks, Zoom has faced questions related to the legality of its privacy and information-gathering practices. In fact, in addition to addressing concerns on social media and national television programs, Zoom must also now defend itself in a new class action lawsuit involving the newly enacted California Consumer Privacy Act (“CCPA”), which we analyze below.

The CCPA provides a private right of action to individuals whose

nonencrypted and nonredacted personal information… is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information.

Cal. Civ. C. § 1798.150 (a)(1).

On March 30, 2020, a class action complaint was filed in the U.S. District Court for the Northern District of California, raising claims against Zoom under the CCPA, as well as California’s Unfair Competition Law and Consumer Legal Remedies Act. Robert Cullen, et al v. Zoom Video Comms., Case No. 5:20-cv-02155-SVK (N.D. Cal. Mar. 30, 2020).

This complaint alleges that Zoom’s representations to users about its collection and use of their data are false, because the Zoom app includes “without any adequate disclosure to users, code that made undisclosed, unauthorized disclosures of users’ personal information to Facebook and possibly other third parties.” Regardless of whether the complaint’s factual allegations have any merit, there are a number of procedural concerns that may affect the viability of this lawsuit.

I. The private right of action under the CCPA is not limited to data breaches

This case serves as an important reminder that claims under the CCPA are not limited to data breaches and theft. The CCPA language also indicates that the statute allows actions based on unauthorized disclosure of personal information, as that term is defined in the CCPA. While “disclosure” is not defined in the statute, the plaintiffs allege that the Zoom app sends personal information (e.g., the user’s mobile operating system, and the device’s time zone, model, and unique advertising identifier) to Facebook each time a user opens the Zoom app. It is yet to be seen whether all of the information plaintiffs identify in their complaint will qualify as personal information under the CCPA.

II. The “Notice and Cure” Requirement

Before bringing an action for damages under the CCPA, a consumer must first “provide[] a business 30 days’ written notice,” identifying the purported violations, so that the business can take action to cure them. While the complaint indicates that Plaintiff served Zoom with notice and a demand for relief, it does not indicate when such notice was provided, or what curative relief was sought. This is particularly important given that many of the complaint’s substantive factual allegations are based on an Internet report, which explained that Zoom was sending certain analytics data to Facebook.[1] That report was published on March 26, 2020 – a mere four days before the complaint was filed.

The 30 day notice and opportunity to cure is particularly important here, because the statutory language indicates that where a cure has been effected, a class action claim cannot be sustained. Specifically, the CCPA states that “[i]n the event a cure is possible, if within the 30 days the business actually cures the noticed violation and provides the consumer an express written statement that the violations have been cured and that no further violations shall occur, no action for individual statutory damages or class-wide statutory damages may be initiated against the business.” Cal. Civ. C. § 1798.150 (b).

The complaint acknowledges that on March 27, 2020, Zoom released a new version of its app, which appears to correct the purported violations. (Indeed, in a statement also released on March 27th, Zoom explained that it removed the Facebook SDK from its iOS client. Zoom subsequently issued another statement on April 2, 2020, detailing several additional measures it is taking to protect and reassure users.). However, the complaint alleges that Zoom’s update fails to cure the violation, because “the harm to Plaintiff and the Class members has been done,” and because “Zoom appears to have taken no action to block any of the prior versions of the Zoom app from operating.” Put another way, Plaintiff argues that Zoom users continue to be harmed because old versions of the app are still in use.

The complaint also appears to acknowledge that the 30-day requirement has not yet been met. Instead, it states that the plaintiffs will seek monetary damages under the CCPA “[i]f Defendant fails to properly respond to Plaintiff’s notice letter or agree to timely and adequately rectify the violations above.” In other words, the complaint appears to have been filed pre-emptively, in anticipation that any cure will fail.

Thus, it remains to be seen whether these allegations are enough to sustain the plaintiffs’ action, in light of the statutory notice and cure requirement.

III. Plaintiff’s Request for Attorneys’ Fees

The complaint also expressly seeks attorneys’ fees for Zoom’s purported CCPA violation. However, it is not yet clear whether attorneys’ fees are allowable under the CCPA. The statute indicates that, in addition to statutory financial damages and injunctive relief, a private litigant may be entitled to recover “other relief the court deems proper.” Cal. Civ. C. § 1798.150 (a)(1)(C).

The courts have not yet weighed in on whether such “other relief” includes attorneys’ fees under the CCPA. Perhaps wisely, therefore, the plaintiffs do not seek them under that statute. Instead, they cite to California’s private attorney general statute, California Code of Civil Procedure Section 1021.5. That statute allows a court to award attorneys’ fees to a successful party in an action that results in “the enforcement of an important right affecting the public interest.” However, it includes important caveats.

To justify such a fees award, a plaintiff must show that “a significant benefit, whether pecuniary or non-pecuniary, has been conferred on the general public or a large class of persons.” C. Civ. P. § 1021.5. While it seems likely that this criterion could be met in at least some cases that implicate the CCPA, it is yet to be seen. The “significant benefit” requirement may be more difficult to show where individual class members are limited to statutory damages, and the Defendant has already taken action to cure the defect.

It is not yet clear whether the CCPA claims against Zoom will survive. However, this case is one to watch, as the CCPA case law evolves.

[1] Notably, while the complaint purports to provide the URL for that article, the indicated URL actually references a different article, about unrelated issues. The article that the plaintiffs ostensibly intended to reference can be accessed here.

Firm Highlights


Major Decision Affects Law of Scraping and Online Data Collection, Meta Platforms v. Bright Data

On January 23, 2024, the court in Meta Platforms Inc. v. Bright Data Ltd. , Case No. 3:23-cv-00077-EMC (N.D. Cal.), issued a summary judgment ruling with potentially wide-ranging ramifications for the law of scraping and...

Read More

California AI Proposal Rethinks Consumer Scope and Recordkeeping

The California Privacy Protection Agency will revisit its  draft  regulations for automated decision-making technology on March 8, including use of artificial intelligence to process personal information. Comment periods should be coming soon in 2024...

Read More

AI and Privacy: What Every Company Needs to Do Today

Sushila Chanana and Benjamin Buchwalter will discuss "AI and Privacy: What Every Company Needs to Do Today' at the ACC 2024 Privacy Summit.  This session will introduce basics of AI governance, such as ownership...

Read More

California Proposes New AI & Automated Decision-Making Technology Regulations

The California Privacy Protection Agency (CPPA) released its draft  regulatory framework for automated decision-making technology (ADMT) on November 27. These regulations are a preview of what new requirements may look like for companies currently...

Read More

California Appeals Court Empowers Privacy Agency to Immediately Enforce CCPA Regulations

In  California Privacy Protection Agency et al. v. The Superior Court of Sacramento County  (case number C099130), the Third Appellate District of the California Court of Appeal returned authority to the California Privacy Protection...

Read More

Scraping Battles: Meta Loses Legal Effort to Halt Harvesting of Personal Profiles

Alex Reese spoke to Matt Fleischer-Black of  Cybersecurity Law Report about the Meta v. Bright Data decision and its impact on U.S. scraping case law. Read the article here (paywall or trial).

Read More

BIPA Liability: Existing CGL Coverage May Provide a Lifeline for Policyholders

Developments in the law have increased the potential liability that companies could face under the Illinois Biometric Information Privacy Act (BIPA), but fortunately for policyholders, Illinois case law has also solidified coverage for BIPA...

Read More

It Wasn’t Me, It Was the AI: Intellectual Property and Data Privacy Concerns With Nonprofits’ Use of Artificial Intelligence Systems

In today's rapidly changing technological landscape, artificial intelligence (AI) is making headlines and being discussed constantly. To be sure, AI provides a powerful tool to nonprofits in creating content and exploiting for countless cost-effective...

Read More

Thomson Reuters v. Ross Intelligence: AI Copyright Law and Fair Use on Trial

On Sept. 25, 2023, Judge Stephanos Bibas (sitting by designation in the District of Delaware), determined that fact questions surrounding issues of fair use and tortious interference required a jury to decide media conglomerate...

Read More

Court Reinstates CPPA Enforcement Authority and Confirms No Delay Necessary for Enforcement of Future CCPA Regulations

A recent appellate decision has made clear that the regulations promulgated under California’s groundbreaking consumer privacy law, the California Consumer Privacy Act (CCPA, as amended by the California Privacy Rights Act (CPRA)), are ripe...

Read More