Note: Since the writing of this blog, CCPA has been replaced with CPRA.
As many of us work from home, homeschool our children, and do more and more activities online as a result of the coronavirus pandemic, our society has increasingly relied on video conferencing platforms to maintain some sort of normalcy. Many entities, including churches, have turned to this technology to conduct services that are otherwise prohibited by local and state regulations.
Saint Paulus, known as one of the oldest churches in San Francisco, California, recently filed a class-action lawsuit against Zoom, alleging California Consumer Privacy Act (“CCPA”) violations. The complaint alleges that, during a bible study session on Zoom, the session was hijacked by a “known offender,” a practice otherwise known as “Zoombombing,” and attendees were subsequently shown pornographic images during the incident. According to the class action complaint, this incident was a result of Zoom’s failure to implement adequate security measures and sufficiently protect user data.
The complaint has alleged that Zoom has committed the following offenses:
- Unlawful sharing of personal information to third parties without user authorization or notice
- Failure to safeguard confidential, sensitive personal information
- Failure to implement adequate security measures to prevent Zoombombing of video conferences
- Unfair and deceptive practices related to Zoom’s data security
In addition to Zoom, class action lawsuits have been filed under the CCPA against other video conferencing platforms, including the “Houseparty” platform. Because of the increase in the use of these video conferencing platforms as a result of the coronavirus pandemic, the privacy and security practices of these platforms have come under increased scrutiny, both in the form of class action lawsuits and law enforcement investigations. With respect to the class action under discussion here, the key issue to assess is whether security breaches such as Zoombombing rise to the level of a CCPA violation. As courts continue to hear these cases, as they undoubtedly will as we live through the current pandemic, similarly situated businesses would do well to keep track of how courts interpret alleged CCPA violations.
This article will examine the following three topics:
- The factual allegations made against Zoom
- The specific CCPA violations alleged by the complaint
- How the court is likely to rule
The factual allegations made against Zoom
The class action complaint alleges that Zoom has engaged in the following activities:
- Zoom engages in the “sale” of personal information under the CCPA via the collection and disclosure of cookie information to advertising services such as Google, despite Zoom’s general statement that it does not sell personal data.
- It is important to note that Zoom currently states within its Privacy Policy that it may engage in the sale of personal information as defined by the CCPA. The Privacy Policy specifies that these sales occur when personal data is sent to third-party advertisers.
- Zoom’s promise of end-to-end encryption of video conferences is allegedly false due in part to the frequent occurrence of Zoombombing.
- Zoom collected and disclosed personal information without notifying consumers in its Privacy Policy or obtaining consent. Specifically, companies such as Facebook would receive a “unique identifier” pertaining to the consumer that would allow Facebook to target advertisements to the individual.
- Zoom allegedly failed to implement adequate security measures to protect user security. In support of this claim, the complaint cites a news report detailing that approximately half a million Zoom accounts have been sold on the dark web.
The specific CCPA violations alleged by the complaint
The plaintiffs are seeking damages for the following two CCPA violations:
- Zoom allegedly violated the CCPA by using personal information without required notice. Moreover, Zoom allegedly failed to notify the plaintiffs that Zoom would disclose personal information to unauthorized third parties. The complaint referenced Section 1798.100(b) of the CCPA as grounds for the violation.
- Zoom allegedly violated the CCPA by failing to provide consumers with both notice and the opportunity to opt out of the disclosure of their personal information to third parties. The complaint referenced Section 1798.120(b) of the CCPA as grounds for the violation.
How the court is likely to rule
While the CCPA does permit consumers to file class-action lawsuits directly against businesses, they may only do so under certain circumstances. A lawsuit may be filed against a business if it fails to implement “reasonable security procedures” and subsequently allows an individual’s nonencrypted or nonredacted personal information to be accessed without authorization. The authority to file class actions is provided by Section 1798.150 of the CCPA.
As evidenced by the substantial increase in “Zoombombing” incidents, consumers could potentially make the case that Zoom failed to implement the reasonable security procedures required by the CCPA. However, for those consumers who actually suffer from a Zoombombing incident, as was the case with the bible study participants here, it is less clear how this would be grounds for a CCPA lawsuit if their own personal information was not compromised in any breach. Without an allegation that the bible study participants’ own personal information was compromised, subsequently leading to the Zoombombing incident, it is unlikely that this incident alone justifies a CCPA cause of action.
With respect to the specific CCPA violations alleged by the complaint, no reference is made to Section 1798.150, the provision that grants consumers the right to file class actions against businesses. Instead, the complaint has alleged violations pertaining to Zoom’s failure to provide notice and an opportunity to opt out of the sale of personal information. While these actions would constitute violations of the CCPA if proven true, they are not likely to be ruled as appropriate grounds for a CCPA class-action lawsuit. It is more likely that the California Attorney General would initiate enforcement proceedings in this context. Going forward, it is important to keep in mind that the CCPA will begin to be enforced on July 1st, 2020. Despite calls to delay enforcement of the law because of COVID-19, the California Attorney General has announced that the enforcement date will not be delayed.
Update:
Zoom ended up paying $86 million to settle this class action lawsuit.
As our reliance on technology continues to increase, whether in the context of work, education, or social events, both the cybersecurity and privacy practices of video conferencing platforms such as Zoom will continue to be scrutinized. This reality, in addition to the enforcement of both state and federal privacy laws, necessarily means Privacy Policies will need to be updated in order to ensure compliance. Consider using Termageddon’s Privacy Policy generator to help keep your business up-to-date with privacy laws.