Recent class action complaints against Zoom Video Communications, Inc. (“Zoom”) are interesting examples of the new risks posed by the California Consumer Privacy Act (“CCPA”) which took effect on January 1. While formal enforcement by the California Attorney General will not begin until July 1, the CCPA’s private right of action allows individuals to bring suits before July. Although the text of the CCPA’s private right of action would lead a reader to believe that the private right of action is limited to suits alleging a breach of personal information, apparently some plaintiffs are not shying away from attempting to use the CCPA to support other litigation. How the California courts handle such lawsuits will be instructive to businesses who collect personal information from California residents.
The facts of the cases have been well known during this work-from-home period. Zoom, a remote conferencing service company headquartered in California, began offering services like video conferencing in 2013. In its early years, Zoom focused on B2B services but also gained popularity among individual users and, after a number of successful rounds of financing and partnerships, the company went public in March 2019. The platform’s popularity exploded in early 2020, largely due to public officials closing schools and businesses to try to curb the rapid spread of COVID-19, forcing students and professionals to study and work from home.
By March 2020, critics began scrutinizing the platform’s privacy and security measures, alleging that Zoom’s privacy policy did not disclose the full scope of third-party sharing.
On March 30 and 31, plaintiffs filed two separate class action complaints against the company in federal court. See Cullen v. Zoom Video Communications, Inc., 20 Civ. 2155 (N.D. Cal. March 30, 2020); Taylor v. Zoom Video Communications, Inc., 20 Civ. 2170 (N.D. Cal. March 31, 2020). The complaints allege that Zoom had failed to provide “adequate notice” that it was sharing personal information, did not have “reasonable security procedures,” and misrepresented its privacy capabilities, in violation of the CCPA, as well as California’s Unfair Competition Law and Consumers Legal Remedies Act. The CCPA broadly requires businesses to provide adequate notice about their collection, use, and sharing of personal information, which both complaints allege Zoom failed to do, but the CCPA has text that most would read to preclude a private right of action for claims not related to data breaches.
The CCPA’s more narrow private right of action for individuals to sue businesses is limited to circumstances related to stolen or disclosed personal information, as defined by California’s breach law. It applies only to the exposure of more sensitive information, such as medical data, government ID information, social security numbers, financial account numbers, or biometric data. None of this data is at issue in either complaint against Zoom. Nevertheless, it will be informative to watch how the court addresses the attempt to leverage California’s Unfair Competition Law and Consumers Legal Remedies Act to bring claims that Zoom did not follow the CCPA’s notice requirements.