Zoom and Gloom: Early CCPA Lawsuits Against Zoom Seek to Expand Private Right of Action

Although we are still a little less than two months away from CCPA enforcement by the California Attorney General, the CCPA’s private right of action has been in effect for three months, and the number of suits brought by consumers seeking to cash in on the promise of statutory damages is starting to grow.

The latest examples are two federal lawsuits filed in California against Zoom Video Communications, the provider of the popular online video conferencing service. Those lawsuits arise out of Zoom’s reported sharing of its users’ information with Facebook without notice to those users.

The lawsuits, called Cullen v. Zoom and Taylor v. Zoom, claim that Zoom violated the CCPA by sending users’ personal information to Facebook without providing the CCPA-required notice. The complaints allege that when a user installs and uses the Zoom app, Zoom shares personal information with Facebook including the device’s unique advertising identifier, which allows companies to target the user with advertisements, whether or not the user has a Facebook account.

Zooming toward a CCPA violation?

Those facts do not appear to be in dispute: days before the lawsuits were filed, Zoom admitted that its app sent certain information to Facebook that was “unnecessary for [Zoom] to provide [its] services.” That information includes the user’s mobile operating system type and version, device type and version, the device time zone, device OS, device model and carrier, screen size, processor cores, and disk space.

Although Zoom’s data sharing practices may well violate the CCPA’s notice requirements, the CCPA only permits consumers to bring a private right of action under certain limited circumstances that—at least at first blush—don’t appear to exist here.

As a reminder, the CCPA provides for two types of enforcement: (1) enforcement by the California Attorney General for any violation of the statute, and (2) enforcement directly by consumers under the statute’s limited private right of action. As to the latter, a consumer must establish three elements for a claim to succeed:

  1. unauthorized access and exfiltration, theft, or disclosure;
  2. of nonencrypted and nonredacted “personal information” that falls within California’s existing data breach law (a category that is significantly narrower than the CCPA’s own definition of the term);
  3. that results from the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information.

The consumer must also provide the business 30 days’ written notice that identifies “the specific provisions” of the CCPA that the consumer alleges “have been or are being violated.” The business can then eliminate the consumer’s right to sue by curing the alleged violation(s) within 30 days after it receives the notice.   

Here, neither lawsuit contains any clear allegation that Zoom shared “personal information” that falls into any category covered by the CCPA’s private right of action. But even if the plaintiffs made such an allegation, the statute also requires the plaintiffs to establish that their personal information was subject to an “unauthorized access and exfiltration, theft, or disclosure” because the business failed to implement reasonable security measures. Based on that language, the private right of action has generally been interpreted to apply only when a consumer’s personal information is compromised in a data breach.

Neither of these lawsuits, however, directly alleges that a data breach occurred. Instead, the Cullen suit alleges that Zoom’s “wholly inadequate program design and security measures have resulted, and will continue to result, in unauthorized disclosure of its users’ personal information to third parties, including Facebook.” Similarly, the Taylor suit alleges that Zoom “has not taken sufficient actions to prevent the unauthorized disclosure of PII.”

The beginnings of a trend?

These Zoom lawsuits are not the first to be brought under the CCPA’s private right of action despite no allegation of an underlying data breach. One of the first cases to do so, Sheth v. Ring (filed in February), also did not allege a breach of the plaintiff’s personal information. Rather, the plaintiff alleged that the security and smart home company Ring’s “wholly inadequate security measures” put him at an increased risk for unauthorized third-party access to his personal information.

The Zoom and Ring lawsuits thus follow the same general strategy:

  • First, talk about the company’s security and data-handling promises;  
  • Second, talk about the company’s actual practices;  
  • Third, construe the broken promises as a CCPA violation; 
  • Finally, characterize the company’s actual practices as leading to current (or potential future) “unauthorized access” (Ring) or “unauthorized disclosure” (Zoom) of personal information.

These lawsuits thus reveal great optimism by the plaintiffs’ bar that California courts will broadly interpret the CCPA’s private right of action to apply to any “disclosure of,” or “access to,” a consumer’s personal information that a plaintiff believes is unauthorized, based on a business’s representations—or lack thereof—about its data handling practices.

The road ahead

That interpretation of the CCPA is unlikely to succeed, for at least two reasons:

  • It conflicts with the language of the statute. The CCPA expressly states that the private right of action “shall apply only” to violations described in Cal. Civ. Code 1798.150, “and shall not be based on violations of any other section” of the CCPA. That language would seem to foreclose attempts by plaintiffs to paint violations of other CCPA requirements—such as the provisions relating to notices at collection and privacy policies—as “unauthorized disclosures” of personal information. 
  • California legislators tried and failed to expand the private right of action. California Senate Bill 561 sought to “expand a consumer’s rights to bring a civil action for damages to apply to other violations of the act.” That bill was defeated in committee, suggesting that the legislature considered and rejected attempts to give plaintiffs a right to sue for CCPA violations that don’t involve data breaches.

As the Zoom and Ring lawsuits show, however, businesses subject to CCPA should not assume they are safe from a CCPA lawsuit unless they experience a data breach. And given the delays inherent in litigation, especially with courts closed because of the COVID-19 pandemic, it could be a while before we receive clarity on the scope of the private right of action.

In the meantime, check out our three-part series to learn more about the practical impacts of the California Attorney General’s CCPA Regulations, and contact us if you have questions about putting your company’s CCPA compliance program in place.