Zoom Video Communications, Inc. (“Zoom”) has seen substantial growth during the novel coronavirus (“COVID-19”) pandemic, with Zoom’s stock rising more than 112% this year. In fact, Zoom’s growth was so significant that the Securities and Exchange Commission temporarily suspended the trading of Zoom Technologies, Inc. (an entirely distinct company) due to concerns of investor confusion between the two companies.
Success attracts unwanted attention. On March 30, a proposed class complaint was filed against Zoom in the United States District Court for the Northern District of California. Alleging six distinct causes of action, the thrust of the complaint is that Zoom did not properly safeguard the personal information of its users and disclosed users’ personal information to third parties, like Facebook, without authorization.
In support of these claims, the complaint cites a March 26 report from Vice Media Group that documented Zoom’s app allegedly disclosing personal information to Facebook. The day after Vice’s report, March 27, Zoom allegedly acknowledged that users’ personal information was being shared to Facebook and released a “new version of the Zoom App which purports to no longer send unauthorized personal information of its users to Facebook.”
The suit defines the purported class as “[a]ll persons and businesses in the United States whose personal or private information was collected and/or disclosed by Zoom to a third party upon installation or opening of the Zoom video conferencing application.”
Plaintiff Robert Cullen’s first claim for relief is pursuant to the California Consumer Privacy Act (“CCPA”) which went into effect on January 1, 2020. Specifically, and despite the fact that the CCPA does not provide a private right of action for “CCPA violations,” Zoom allegedly violated Civil Code Section 1798.100(b) by not providing consumers with adequate notice that it was using their personal information. Cullen also alleges that Zoom violated Civil Code Section 1798.150(a) by failing to provide reasonable security measures to prevent unauthorized disclosure of consumers’ nonencrypted and nonredacted personal information. However, as we discussed in our previous article published by Bloomberg Law, “First CCPA-Related Case Foreshadows Five Issues,” citation to this section may not be appropriate as the CCPA imposes no obligation on businesses to maintain reasonable security procedures. Rather, the CCPA provides that, under certain circumstances, consumers may be entitled to statutory damages in the event of a data breach. It is also worth noting that the intent of Section 1798.150(b) is likely to address access to personal information by unauthorized individuals, i.e., a data breach. This is different from what Cullen seems to be alleging here, namely that Zoom intentionally disclosed personal information without informing users, which is a privacy issue.
Under the CCPA, Cullen seeks injunctive relief, enjoining Zoom from any further violations of the act, attorneys’ fees, and actual, punitive, and statutory damages of up to $750 per consumer per incident.
It is likely that we will continue to see plaintiffs rely on the CCPA to support their privacy-based claims, despite the fact that the CCPA does not provide a private right of action in this context. However, businesses may be able beat plaintiffs at their own game by relying on proper CCPA compliance as a defense. Businesses should continue to look out for the types of privacy claims asserted against Zoom and use the CCPA to guide their actions to create defenses now.
Cullen’s remaining claims are California’s Unfair Competition Law violations, California Consumers and Legal Remedies Act violations, common law negligence, invasion of privacy, and unjust enrichment.□