With the ongoing COVID-19 (commonly referred to as the Coronavirus) pandemic and orders to “stay at home” in place across the United States, most organizations have been and continue to utilize remote arrangements.  The software program known as “Zoom Meetings”, has become immensely popular as a means to facilitate meetings amongst employees, team members and other consultants rather than meeting in person.

Despite such status, Zoom Video Communications, Inc. (Zoom) has been named as a defendant in one of the first, and certainly the most high-profile, class action lawsuits to be filed in California alleging violations of the California Consumer Privacy Act of 2018 (CCPA).

The Class Action

The complaint filed alleges that Zoom did not protect the personal information of its users as it collected personal information and then shared such information to third parties, including Facebook, without adequate disclosures to users.  The allegations specifically refer to Zoom’s boasting about its maintenance of users’ privacy and that they can be trusted with user data.  Further, it is noted that there is no disclosure provided in the Zoom Privacy Policy that disclosed that personal information was being shared with Facebook and other third parties.

Upon opening of the Zoom software, a notification is sent to Facebook providing details about, amongst other things, a user’s device, phone carrier and a unique advertiser created by the device to provide targeted advertisements.  This information is sent for every user even if the user does not have an account with Facebook.

It is further alleged that Zoom may have been aware of this sharing of information when it added a feature to allow users to login with Facebook account information.  With such knowledge, Zoom released an updated software version that prevents personal information from being sent whenever the software is opened by users.  The complaint notes, however, that Zoom did not force users to upgrade to the newer version and that by continuing to allow use of the prior version, personal information is continuing to be provided to third parties.

The complaint seeks injunctive relief, damages, including statutory damages pursuant to the CCPA, punitive and treble damages and attorneys’ fees for alleged violations of the CCPA, Unfair Competition laws, the California Consumers Legal Remedies Act, Negligence, Invasion of Privacy and Unjust Enrichment.

CCPA Violations

Zoom is alleged to have violated various requirements of the CCPA.  First, it collected and used personal information without notice (in violation of Civil Code section 1798.100).  Second, it is alleged that Zoom violated its duty under 1798.150 to maintain reasonable security measures to protect personal information.  A notice of CCPA violations has also been sent to Zoom in accordance with this section.  Injunctive relief is requested to prevent Zoom from continuing to violate the CCPA.  Moreover, statutory damages in the amount of not less than $100 and not greater than $750 per consumer per incident are also being sought as a result of the personal information being breached.

With Zoom being in high demand for those working at home, these statutory penalties could be a staggering amount.  Using a very conservative estimate of 1 million users who may have been affected, those penalties for a breach of personal information range from to $100,000,000 to $750,000,000 for just one single incident, and do not include any of the other damages or relief being requested in the action.

Why Does This Matter

• The CCPA is in effect and here to stay.  Private right lawsuits can be filed for any data breach, in violation of the CCPA, after it took effect on January 1, 2020.
• The statutory penalties in the event of a breach are substantial depending on the number of users, personal information and incidents.
• Cyber liability insurance may provide coverage for some of these claims, however, statutory penalties may not be covered.
• From a risk management perspective, be careful as to not oversell the safety and protection of personal data unless you are certain it is protected.
• In the event of a technical issue, be proactive to make users aware of the situation and offer a solution, i.e. use of a new version, program, and so on.  Consider disabling use of any prior versions immediately that may be problematic.
• This further reiterates the critical importance of practicing cyber safety in light of remote working arrangements during the Coronavirus pandemic.

It is more important than ever in the new Coronavirus work-from-home reality that businesses have a current plan for CCPA compliance and that they provide periodic on site or virtual training to ensure all employees remain vigilant when it comes to cyber security and privacy and the safety of personal information.

Our Data Privacy & Security Task Force attorneys are available for consultation by emailing NDCovid19Response@ndlf.com or contacting our office at 949-854-7000.