As large portions of society become subject to coronavirus-related quarantines, increasing numbers of people have turned to web-based communications platforms for classes, meetings, events, and socialization. One such platform, Zoom, has become, in some estimations, the most important app in the business world, and the single most downloaded mobile app in all of India.
With such rapid expansion in its user base, there was bound to be increased focus on the company. Over the last few weeks, Zoom has faced questions related to the legality of its privacy and information-gathering practices. In fact, in addition to addressing concerns on social media and national television programs, Zoom must also now defend itself in a new class action lawsuit involving the newly enacted California Consumer Privacy Act (“CCPA”), which we analyze below.
The CCPA provides a private right of action to individuals whose
nonencrypted and nonredacted personal information… is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information.
Cal. Civ. C. § 1798.150 (a)(1).
On March 30, 2020, a class action complaint was filed in the U.S. District Court for the Northern District of California, raising claims against Zoom under the CCPA, as well as California’s Unfair Competition Law and Consumer Legal Remedies Act. Robert Cullen, et al v. Zoom Video Comms., Case No. 5:20-cv-02155-SVK (N.D. Cal. Mar. 30, 2020).
This complaint alleges that Zoom’s representations to users about its collection and use of their data are false, because the Zoom app includes “without any adequate disclosure to users, code that made undisclosed, unauthorized disclosures of users’ personal information to Facebook and possibly other third parties.” Regardless of whether the complaint’s factual allegations have any merit, there are a number of procedural concerns that may affect the viability of this lawsuit.
I. The private right of action under the CCPA is not limited to data breaches
This case serves as an important reminder that claims under the CCPA are not limited to data breaches and theft. The CCPA language also indicates that the statute allows actions based on unauthorized disclosure of personal information, as that term is defined in the CCPA. While “disclosure” is not defined in the statute, the plaintiffs allege that the Zoom app sends personal information (e.g., the user’s mobile operating system, and the device’s time zone, model, and unique advertising identifier) to Facebook each time a user opens the Zoom app. It is yet to be seen whether all of the information plaintiffs identify in their complaint will qualify as personal information under the CCPA.
II. The “Notice and Cure” Requirement
Before bringing an action for damages under the CCPA, a consumer must first “provide a business 30 days’ written notice,” identifying the purported violations, so that the business can take action to cure them. While the complaint indicates that Plaintiff served Zoom with notice and a demand for relief, it does not indicate when such notice was provided, or what curative relief was sought. This is particularly important given that many of the complaint’s substantive factual allegations are based on an Internet report, which explained that Zoom was sending certain analytics data to Facebook. That report was published on March 26, 2020 – a mere four days before the complaint was filed.
The 30 day notice and opportunity to cure is particularly important here, because the statutory language indicates that where a cure has been effected, a class action claim cannot be sustained. Specifically, the CCPA states that “[i]n the event a cure is possible, if within the 30 days the business actually cures the noticed violation and provides the consumer an express written statement that the violations have been cured and that no further violations shall occur, no action for individual statutory damages or class-wide statutory damages may be initiated against the business.” Cal. Civ. C. § 1798.150 (b).
The complaint acknowledges that on March 27, 2020, Zoom released a new version of its app, which appears to correct the purported violations. (Indeed, in a statement also released on March 27th, Zoom explained that it removed the Facebook SDK from its iOS client. Zoom subsequently issued another statement on April 2, 2020, detailing several additional measures it is taking to protect and reassure users.). However, the complaint alleges that Zoom’s update fails to cure the violation, because “the harm to Plaintiff and the Class members has been done,” and because “Zoom appears to have taken no action to block any of the prior versions of the Zoom app from operating.” Put another way, Plaintiff argues that Zoom users continue to be harmed because old versions of the app are still in use.
The complaint also appears to acknowledge that the 30-day requirement has not yet been met. Instead, it states that the plaintiffs will seek monetary damages under the CCPA “[i]f Defendant fails to properly respond to Plaintiff’s notice letter or agree to timely and adequately rectify the violations above.” In other words, the complaint appears to have been filed pre-emptively, in anticipation that any cure will fail.
Thus, it remains to be seen whether these allegations are enough to sustain the plaintiffs’ action, in light of the statutory notice and cure requirement.
III. Plaintiff’s Request for Attorneys’ Fees
The complaint also expressly seeks attorneys’ fees for Zoom’s purported CCPA violation. However, it is not yet clear whether attorneys’ fees are allowable under the CCPA. The statute indicates that, in addition to statutory financial damages and injunctive relief, a private litigant may be entitled to recover “other relief the court deems proper.” Cal. Civ. C. § 1798.150 (a)(1)(C).
The courts have not yet weighed in on whether such “other relief” includes attorneys’ fees under the CCPA. Perhaps wisely, therefore, the plaintiffs do not seek them under that statute. Instead, they cite to California’s private attorney general statute, California Code of Civil Procedure Section 1021.5. That statute allows a court to award attorneys’ fees to a successful party in an action that results in “the enforcement of an important right affecting the public interest.” However, it includes important caveats.
To justify such a fees award, a plaintiff must show that “a significant benefit, whether pecuniary or non-pecuniary, has been conferred on the general public or a large class of persons.” C. Civ. P. § 1021.5. While it seems likely that this criterion could be met in at least some cases that implicate the CCPA, it is yet to be seen. The “significant benefit” requirement may be more difficult to show where individual class members are limited to statutory damages, and the Defendant has already taken action to cure the defect.
It is not yet clear whether the CCPA claims against Zoom will survive. However, this case is one to watch, as the CCPA case law evolves.
 Notably, while the complaint purports to provide the URL for that article, the indicated URL actually references a different article, about unrelated issues. The article that the plaintiffs ostensibly intended to reference can be accessed here.