15 May 2020
The California Consumer Privacy Act (CCPA) has transformed the state of privacy law in the United States. As the CCPA gradually takes effect, we're already seeing consumers bringing cases against businesses for alleged violations of the act.
One of the first significant CCPA cases is Cullen v Zoom Communications, Inc. The plaintiffs in this class action allege that the software firm Zoom has failed to provide proper notice of its personal information collection practices, and has failed to safeguard their personal information.
This case brings up some significant issues for any CCPA-compliant business. We're going to look at how the CCPA applies in this case, and how you can avoid similar legal trouble.
Let's briefly look at the two key players in this story: Zoom Inc., and the CCPA. If you already feel you know enough about these topics, you can skip ahead to information about the case.
Zoom Video Communications, Inc. (Zoom) is the company that operates the online video conferencing software known as "Zoom."
Zoom has seen a significant surge in users recently, as workers stay home to help stop the spread of COVID-19, the disease caused by the novel coronavirus, SARS-CoV-2.
The CCPA is a privacy law that dictates how certain types of companies collect, use, store, and share the personal information of California residents ("consumers").
The main obligations on businesses under the CCPA include:
Allowing consumers to exercise certain rights over their personal information, including:
The CCPA applies to certain types of companies called "businesses." Businesses are defined in a very specific way.
First of all, a business is a company that operates for profit and collects the personal information of (California) consumers.
A business also decides why and how to use personal information. If a company merely collects or uses personal information on behalf of other businesses, it's a "service provider."
Finally, to qualify as a business, a company must also meet at least one of the following thresholds:
These thresholds might seem high, but the CCPA isn't all about large corporations, social media companies, and "data brokers."
Legal commentators are increasingly arguing that the "sale" of personal information includes the use of third-party tracking cookies.
There's still some debate over this interpretation, but a commonsense reading of the CCPA, and of the California Attorney-General's Proposed Regulations, suggests that it is correct.
This would bring thousands of companies within the scope of the CCPA, under threshold "B," above.
If you run a targeted ad campaign using Google, Facebook, or some other third-party provider, and your website or app receives over 50,000 unique hits or users originating in California per year, you may need to comply with the CCPA.
The Zoom class action, Cullen v Zoom Communications, Inc., could have big implications for Zoom, and every other business covered by the CCPA.
Let's take a detailed look at the allegations against Zoom.
As of April 2020, the Zoom class action case consists only of the plaintiff's complaint. The case has not yet proceeded to a court.
Here's an excerpt from the complaint, alleging that Zoom shares the personal information of its users with third parties, without providing proper notice.
The plaintiff then alleges that the Zoom iOS app makes certain disclosures of personal information to Facebook each time a user installs or uses the app:
The plaintiff also alleges that Zoom failed to properly safeguard its users' personal information:
These are serious allegations, as we'll see below.
We're now going to examine the allegations in this case as they relate to the CCPA, to help you understand how the CCPA can apply in "real life."
Firstly, the courts will need to consider whether the information allegedly disclosed to Facebook actually constitutes "personal information," as defined at Section 1798.140 (O) (1) of the CCPA.
Elements such as a consumer's mobile OS type and version, their device's timezone, model, and advertising ID could qualify as personal information under the CCPA's very broad definition:
"Information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household."
Relevant examples of personal information in the CCPA include:
- "Identifiers such as [...] unique personal identifier, online identifier [...] or other similar identifiers"
- "Information regarding a consumer's interaction with an Internet Web site, application, or advertisement"
It is likely that the types of information disclosed by Zoom to Facebook would qualify as personal information for the purposes of this part of the CCPA.
However, it is important to note that the CCPA's private right of action uses a much narrower definition of personal information, as we will examine below.
The Zoom app is alleged to have collected personal information from consumers before disclosing it to Facebook.
Under Section 1798.100 of the CCPA, businesses are required to provide "notice at collection" at or before the point at which they collect personal information:
Next, it's possible that, by allegedly failing to identify how its app collects personal information and discloses it to Facebook, Zoom has violated various parts of Section 1798.130 of the CCPA.
For example, businesses must disclose the categories of personal information they have collected over the past 12 months:
Businesses are also required to list the categories of personal information they have sold or disclosed for business purposes over the past 12 months.
It isn't clear whether Zoom's disclosure of personal information to Facebook will be deemed a "sale," "disclosure for business purposes," or neither (some interpretations of the CCPA hold that any disclosure of personal information must fall into one of these two categories).
The CCPA defines a "sale" as any communication of personal information to a third party for "monetary or other valuable consideration."
Therefore, it is conceivable that Zoom's disclosure of consumers' personal information to Facebook does constitute a sale, even though the plaintiff states that: "the amount of money Zoom receives from Facebook, and possibly other third parties, is unknown."
If the court determines that Zoom has "sold" personal information to Facebook, then, under Section 1798.135 of the CCPA, Zoom would also have needed to provide consumers with notice of the right to opt out.
Businesses can fulfill this obligation by creating a valid "Do Not Sell My Personal Information" page.
The plaintiff in the Zoom class action is seeking damages under the CCPA's private right of action.
The CCPA's private right of action allows consumers to bring claims against a business that has failed to "implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information."
The allegation is that Zoom's disclosure of consumers' personal information to Facebook is a result of Zoom's failure to properly protect this personal information. Indeed, Zoom has stated that its disclosures to Facebook were unintentional.
However, the private right of action in the CCPA is quite narrow, and only applies to certain types of personal information; specifically, those defined in Section 1798.81.5 (D) (1) (A) of the California Civil Code, California's Data Breach Notification Law.
This section defines personal information as "nonencrypted or nonredacted personal information" of the following types:
It is not clear that the categories of personal information disclosed by Zoom to Facebook would qualify as "personal information" according to the definition above.
How much money could Zoom lose over its alleged disclosures of personal information to Facebook and possibly other third parties? This depends on several factors.
Firstly, the plaintiff will need to successfully establish that Zoom failed to protect its users' personal information as defined in California's Data Breach Notification Law. If so, Zoom could be liable for damages of between $100 and $750 per violation.
Given how many Zoom users reside in California, this could add up to hundreds of millions, if not billions, of dollars.
Businesses must rectify any violation of the CCPA within 30 days. If not, they may be liable for a civil penalty.
There is no suggestion that Zoom failed to rectify any alleged CCPA violation, and it appears that the business took immediate action to protect its users' personal information on becoming aware of the disclosure of personal information to Facebook.
However, it is suggested in the complaint that Zoom might also have disclosed personal information to other third parties in addition to Facebook.
If a business does not rectify a violation of the CCPA within 30 days, and it is found to be liable for a civil penalty under the CCPA, the amount will be:
These civil penalties can be even more financially crippling than the damages available to consumers under the CCPA's private right of action. However, to be clear, there is no suggestion that Zoom will face such civil penalties.
Whether or not the plaintiffs in the Zoom class action are successful in obtaining damages, the lawsuit will likely result in costs, inconvenience, and reputational damage for Zoom.
Here are some steps your business can take to ensure it doesn't fall foul of the CCPA's obligations.
One key allegation in the Zoom class action is that Zoom failed to provide CCPA-compliant notice to consumers.
The CCPA requires businesses to provide up to four types of notice, and two or possibly three of these are particularly relevant to the Zoom case.
For a detailed look at this topic, see our article The CCPA's Four Consumer Notices.
Businesses are required to provide notice at or before the point of collecting personal information from consumers.
A CCPA "notice at collection" should explain both:
Here's an example from Refinitiv:
Note that the types of personal information listed above correlate with the categories of personal information enumerated at Section 1798.140 (O) of the CCPA.
Refinitiv then explains the purposes for which it uses the personal information it collects.
Here's an excerpt from this part of the notice:
We are likely to see many cases against businesses that have failed to give proper notice to consumers of their right to opt out of the sale of their personal information.
It is not alleged that Zoom has "sold" personal information to Facebook, but given the broad nature of the concept of a "sale" in the CCPA, many businesses could be selling personal information without even realizing it.
Businesses that sell personal information are required to provide notice of the right to opt out. They must also ensure that they do not sell the personal information of minors under the age of 16 without prior opt-in consent.
For more information, see our article "Do Not Sell My Personal Information" Page.
As noted above, the CCPA's narrow private right of action relates to California's Data Breach Notification law.
We won't go into detail about how to implement reasonable safeguards in this article. However, in 2016, former California Attorney-General Kamala Harris stated that businesses should meet the following standard:
You can read about the 20 CIS Controls here. Ensure you implement these controls to help avoid a data breach.
The CCPA imposes many more obligations on businesses. It's crucial that you understand how your business collects, uses, and shares personal information.
For more information, see our article CCPA Compliance Requirements.
Whatever the outcome of the Zoom class action, it should be clear that compliance with the CCPA is crucially important for any covered business.
To avoid the sorts of legal issues Zoom is currently enduring, ensure that you:
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.