By Allison Grande

Law360 (April 3, 2020, 6:20 PM EDT) -- The privacy backlash that has accompanied Zoom's meteoric rise since the onset of the COVID-19 pandemic has sparked challenges that are poised to test the strength of California's new privacy law and fuel calls for other states to embrace robust data safeguards.

As the global coronavirus outbreak prompts people to flock to Zoom to conduct business and connect with friends and family, the suddenly ubiquitous video conferencing service is facing heightened scrutiny from consumer advocates, regulators and the plaintiffs' bar over the way it shares and secures personal data.

"For Zoom, where it's run into the biggest issues is in giving consumers notice at the time of collection about how it's using and disclosing their data," said Jason Johnson, a partner at Moses & Singer LLP.

Zoom Video Communications Inc. is facing at least two putative class actions centered on these alleged shortcomings. The complaints, filed in federal court during the past week by California residents Robert Cullen and Samuel Taylor, accuse Zoom of violating several Golden State laws, including the state's new Consumer Privacy Act, by quietly gathering and sharing personal information with third parties like Facebook.

Under the CCPA, which took effect on Jan. 1, companies are required to clearly inform consumers at or before the point of collection about what categories of personal information will be collected and for what purposes this data will be used.

The new filings claim Zoom — which has tapped prominent privacy attorneys from Cooley LLP to lead its defense — disregarded this obligation by disclosing users' information to Facebook and potentially other unauthorized third parties without providing consumers with adequate notice of this practice or their right to opt out of this sharing.

However, the CCPA establishes only a limited private right of action for claims arising from certain data security failings, raising doubts over how the allegations related to Zoom's conduct will fair in federal court.

"It seems like these kind of claims should only be for the attorney general to pursue," said Baker Botts LLP special counsel Cynthia Cole. "But we haven't really seen this tested yet, and it appears that the plaintiffs' bar is just going for it and trying to make these claims stick."

While consumers aren't permitted to bring private claims related to the law's notice and transparency requirements, the CCPA does open the door for suits in situations where personal information has been "subject to an unauthorized access and exfiltration, theft or disclosure as a result of the business' violation of the duty to implement and maintain reasonable security procedures and practices."

The cause of action is generally believed to apply to situations where there's been a data breach, which Zoom is not accused of experiencing, attorneys noted. But the plaintiffs suing Zoom have alleged they have legs to recoup statutory damages of between $100 and $750 per impacted consumer under this provision due to Zoom's purported failure to protect its users' personal data from unauthorized disclosure to Facebook.

"Defendant knew or should have known that the Zoom App security practices were inadequate to safeguard the class members' personal information and that the risk of unauthorized disclosure to at least Facebook was highly likely," Cullen said in his complaint, which also accused Zoom of failing to "implement and maintain reasonable security procedures and practices appropriate to the nature of the information" it holds.

Cozen O'Connor member Matthew J. Siegel, who co-chairs the firm's privacy, data and cybersecurity industry team and advises businesses on these issues, said he understood the private right of action to apply only if personal information landed in the hands of an unauthorized third party, not in situations where a company has shared information with a known business partner without consumers' authorization.

"It just seems that plaintiffs are making a little bit too much of the CCPA's private cause of action," Siegel said.

Tracy Gray, a partner at Holland & Hart LLP, said that she's "skeptical" the plaintiffs will be able to maintain their claims under the CCPA's narrow private right of action.

While the CCPA covers a broad range of personal information, including IP addresses and geolocation information, the private right of action provision encompasses only the types of sensitive data covered by the state's breach notification law, which include elements such as Social Security numbers, payment card information and health data.

Citing a March 20 Vice article that revealed how the Zoom app exposes users to targeted advertising regardless of whether they have a Facebook account, the plaintiffs behind the new complaints claim that whenever a user downloads or opens the app, Zoom sends Facebook details such as the model of the device being used, the time zone and city from which a user is connecting, the phone carrier being used, and a unique identifier that can be used to serve targeted ads.

"Based on what I've read and the allegations in the complaint, it doesn't appear that the information that Facebook is getting directly rises to the level of personal information that is actionable under the CCPA's private right of action," Gray said.

The CCPA also requires consumers prior to initiating any lawsuit for statutory damages to notify businesses in writing of the allegations they intend to bring and give the company 30 days to cure the deficiencies.

Zoom appears to have taken steps to address the plaintiffs' privacy concerns, with the company announcing in a March 27 blog post that it was rolling out a new version of the app that would no longer transmit personal data to Facebook and would allow consumers to opt out of this type of sharing.

"If Zoom has already fixed this problem, then no class action for statutory damages can be initiated," Gray said.

The plaintiffs acknowledged the redesigned app in their complaints, but asserted that, even if the updated version works as Zoom describes, "the harm to plaintiff and the class members has been done and continues."

They specifically faulted Zoom for failing to require users to replace older versions of the app immediately, for providing no assurances that Facebook has deleted the data it received, and for making no move to compensate users for its failure to properly safeguard their data.

These untested arguments may end up winning traction in federal court, given that the law has only been in force since the beginning of the year and courts have yet to weigh in on the scope and application of the nascent cause of action.

"We're all waiting with baited breath to see how it's going to shake out," Siegel said. "Given that everyone and their mother, literally, is now using Zoom, this case is probably going to be the most high-profile class action on the books."

The plaintiffs may also be able to forge a path forward based on their other causes of action, which include claims for alleged violations of California's Unfair Competition Law and Consumers Legal Remedies Act, as well as invasion of privacy and negligence, attorneys noted.

"One argument that we've been hearing that the plaintiffs' bar is considering using is if a company violates one of the provisions of the CCPA that consumers can't sue under, then that would support a claim that the company acted negligently or committed unfair practices," Siegel said.

The plaintiffs in the Zoom cases appear to be following this thread, using the company's alleged failure to appropriately disclose what it's doing with consumers' data to prop up not only the CCPA claims, but also allegations that Zoom deceived consumers and was negligent.

Even if the class actions ultimately falter, Zoom and other video-conferencing platforms that have gained notoriety in the wake of the coronavirus outbreak still face the risk of enforcement from California's attorney general, which is empowered to enforce the entire statute, attorneys say.

The attorney general can begin bringing enforcement actions on July 1, and has held firm to that deadline despite growing industry calls for a delay.

"It will be interesting to see how the attorney general responds to these claims, and whether it takes action right away or if it has other investigations and matters waiting in the wings," Siegel said.

New York's attorney general has already signaled her interest in the matter, sending an open letter to the company on March 30 asking whether it had put any new security measures in place to handle increased traffic on its network and to detect hackers.

Connecticut Attorney General William Tong confirmed Friday that his office had also "been in contact with representatives from Zoom to address ... issues relating to online security and privacy." Tong added that he had recently attended a Zoom conference that was "bombed" by hundreds of profane and racist comments.

Aside from the privacy issues flagged in private litigation, Zoom — which last month reached a highwater mark of more than 200 million daily meeting participants — is also facing security concerns over hackers breaking into virtual meetings, a practice known as "Zoom bombing." Businesses ranging from major law firms to Elon Musk's rocket company SpaceX have banned employees from using Zoom due to these risks.

"At this point, there is no evidence that personally identifiable information has been stolen or compromised," said Phillips Nizer LLP technology practice chair Thomas Jackson. "But that is certainly a concern going forward."

Zoom's popularity surge is also likely to bring renewed attention to efforts to put more privacy and security protections in place at both the state and federal levels, attorneys say.

"As word starts getting out to the average person that these protections only apply in California, consumers who might have been reticent to share their personal information but have been thrust into this digital world may start pushing their state legislatures for the same rights as Californians have, and that could create a groundswell across the country for more laws like the CCPA," Siegel said.

New York, New Jersey, Hawaii and several other state legislatures had been seriously considering legislation that would put limits on how companies can use and share data, and the heads of the U.S. Senate Commerce Committee have advanced dueling proposals for crafting uniform federal privacy standards.  

These discussions — which have been put on hold as attention shifts to fighting the spread and dealing with the fallout of COVID-19 — have been stymied in large part by disagreements over whether consumers should be allowed to sue over alleged privacy violations. How the new Zoom litigation plays out could provide ammunition to both sides of the debate once it resumes, attorneys say.

"These privacy issues are top of mind among legislators in most every state, and when life goes back to whatever normal is going to be, these proposals will be picked back up and some of what's going on now on the privacy front will be used to support moving these laws forward," Gray said.

Cullen is represented by Mark J. Tamblyn and Kenneth A. Wexler of Wexler Wallace LLP and Daniel E. Gustafson, David A. Goodwin and Ling S. Wang of Gustafson Gluek PLLC. Taylor is represented by Hassan A. Zavareei, Katherine M. Aizpuru and Annick M. Persinger of Tycko & Zavareei LLP.

Zoom is represented by Michael Rhodes, Danielle C. Pierre, Evan Slovak, Joseph Mornin, Kathleen R. Hartnett and Travis LeBlanc of Cooley LLP.

The cases are Cullen v. Zoom Video Communications Inc., case number 5:20-cv-02155, and Taylor v. Zoom Video Communications Inc., case number 5:20-cv-02170, both in the U.S. District Court for the Northern District of California. 

--Editing by Emily Kokoll and Philip Shea.

For a reprint of this article, please contact reprints@law360.com.